Introduction
Have you ever needed to write a wireshark dissector but weren't sure how to check if your dissector was working? This simple Python tool will generate a pcap file with whatever protocol you are trying to dissect embedded inside of it. You can then open the pcap file with wireshark and verify your dissector is working.
The code posted below encapsulates the specified message into a UDP packet. The specified port will also be encoded into the UDP packet. Everything else will either be calculated or given a default value.
Using the code
This code is ready to be copy/pasted and run. All you have to do is specify the message you would like to encode. The message should be in string form using hexidecimal characters. Whitespace does not matter, but I split everything into bytes just for readability.
If you have a linux terminal handy, all you have to do is run:
python [nameoffile].py output_file
port = 9600
message = ('01 01 00 08'
'01 02 00 00'
'00 00 12 30'
'00 00 12 31'
'00 00 12 32'
'00 00 12 33'
'00 00 12 34'
'D7 CD EF'
'00 00 12 35')
"""----------------------------------------------------------------"""
""" Do not edit below this line unless you know what you are doing """
"""----------------------------------------------------------------"""
import sys
import binascii
pcap_global_header = ('D4 C3 B2 A1'
'02 00'
'04 00'
'00 00 00 00'
'00 00 00 00'
'FF FF 00 00'
'01 00 00 00')
pcap_packet_header = ('AA 77 9F 47'
'90 A2 04 00'
'XX XX XX XX'
'YY YY YY YY')
eth_header = ('00 00 00 00 00 00'
'00 00 00 00 00 00'
'08 00')
ip_header = ('45'
'00'
'XX XX'
'00 00'
'40 00 40'
'11'
'YY YY'
'7F 00 00 01'
'7F 00 00 01')
udp_header = ('80 01'
'XX XX'
'YY YY'
'00 00')
def getByteLength(str1):
return len(''.join(str1.split())) / 2
def writeByteStringToFile(bytestring, filename):
bytelist = bytestring.split()
bytes = binascii.a2b_hex(''.join(bytelist))
bitout = open(filename, 'wb')
bitout.write(bytes)
def generatePCAP(message,port,pcapfile):
udp = udp_header.replace('XX XX',"%04x"%port)
udp_len = getByteLength(message) + getByteLength(udp_header)
udp = udp.replace('YY YY',"%04x"%udp_len)
ip_len = udp_len + getByteLength(ip_header)
ip = ip_header.replace('XX XX',"%04x"%ip_len)
checksum = ip_checksum(ip.replace('YY YY','00 00'))
ip = ip.replace('YY YY',"%04x"%checksum)
pcap_len = ip_len + getByteLength(eth_header)
hex_str = "%08x"%pcap_len
reverse_hex_str = hex_str[6:] + hex_str[4:6] + hex_str[2:4] + hex_str[:2]
pcaph = pcap_packet_header.replace('XX XX XX XX',reverse_hex_str)
pcaph = pcaph.replace('YY YY YY YY',reverse_hex_str)
bytestring = pcap_global_header + pcaph + eth_header + ip + udp + message
writeByteStringToFile(bytestring, pcapfile)
def splitN(str1,n):
return [str1[start:start+n] for start in range(0, len(str1), n)]
def ip_checksum(iph):
words = splitN(''.join(iph.split()),4)
csum = 0;
for word in words:
csum += int(word, base=16)
csum += (csum >> 16)
csum = csum & 0xFFFF ^ 0xFFFF
return csum
"""------------------------------------------"""
""" End of functions, execution starts here: """
"""------------------------------------------"""
if len(sys.argv) < 2:
print 'usage: pcapgen.py output_file'
exit(0)
generatePCAP(message,port,sys.argv[1])
Points of Interest
Perhaps you are wondering where I got the information to build the pcap headers, the ethernet headers, etc. I opened a working pcap in wireshark first of all in order to get a general idea, and then I opened the working pcap file in a hex editor and read the documentation on the various protocols and file formats in order to build the full picture in my head. Here are the articles I used to decipher pcap/ip/udp:
Pcap file format
IP Header Format
UDP Header Format