beary beary - 1 year ago 75
Python Question

Strange Protocol after unpacking received data

Setting up the connection.

import socket
import struct

HOST = socket.gethostbyname(socket.gethostname())
con = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
con.bind((HOST, 0))
con.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
con.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)  # SIO_RCVALL / RCVALL_OFF exist only on Windows

Receiving data.

raw_data, addr = con.recvfrom(65536)

raw_data : \x45\x00\x00\x77\x00\x00\x40\x00\x40\x11\xb4\xc0\xc0\xa8\x02...

Unpacking the raw data.

dest, src, proto = struct.unpack('! 6s 6s H', raw_data[:14])  # raw_data is the buffer from recvfrom above

dest : \x45\x00\x00\x77\x00\x00

src : \x40\x00\x40\x11\xb4\xc0

proto : 49320

So my question is: is there an obvious mistake I am making? What kind of EtherType (protocol) is 49320?

Answer Source

Where did you read your IPV4 packet definition from?
You're interpreting the data completely wrong!

It looks like you confused layer 2 (data link) and layer 3 (network layer) in the OSI model. Sockets come in at layer 3. A raw socket allows you to read the raw packets from layer 3.

Have a look at these links:

  1. IPv4 packet structure
  2. List of IP Protocol Numbers

So given this data:

\x45     = Version (IPV4) + IHL (5 32bit ints = 20 bytes)
\x00     = DSCP (0 - best effort) + ECN (0 - Non ECN-Capable Transport, Non-ECT)
\x00\x77 = Total length (119 bytes)
\x00\x00 = Identification (0)
\x40\x00 = Flags (100 - MF - more fragments) + Fragment Offset (0)
\x40     = TTL (64 seconds)
\x11     = Protocol (UDP)
\xb4\xc0 = Header Checksum (0xb4c0)

Followed by source IP then dest IP. You haven't given these fully so I can't decode them.

I hope this now makes sense.
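To make the layer-3 point concrete, here is an added example (not code from the question or the answer) that unpacks the same bytes as an IPv4 header instead of an Ethernet frame. The 14 bytes shown in the question are padded to a full 20-byte header with an assumed source 192.168.2.1 and destination 192.168.2.20; it also shows where the mystery EtherType 49320 actually comes from.

```python
import struct

# Constructed sample: the question's first 14 bytes, padded to a full 20-byte
# IPv4 header with an ASSUMED source 192.168.2.1 and destination 192.168.2.20.
SAMPLE = bytes.fromhex("45000077000040004011b4c0" "c0a80201" "c0a80214")

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_ipv4_header(data):
    """Decode the fixed 20-byte IPv4 header (RFC 791); options are not parsed."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version = ver_ihl >> 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    return {
        "version": version,
        "header_len": (ver_ihl & 0x0F) * 4,    # IHL is in 32-bit words
        "dscp": dscp_ecn >> 2,
        "ecn": dscp_ecn & 0x03,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),       # bit 0x4000 = Don't Fragment
        "mf": bool(flags_frag & 0x2000),       # bit 0x2000 = More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, "other"),
        "checksum": checksum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }

def misread_as_ethernet(data):
    """Repeat the question's mistake: treat the IP header as an Ethernet frame.
    The 'EtherType' lands on bytes 12-13, i.e. the first two octets of the
    source IP (0xc0a8 = 192.168.x.x = 49320)."""
    _dest, _src, ethertype = struct.unpack("!6s6sH", data[:14])
    return ethertype

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
    print("bogus EtherType:", misread_as_ethernet(SAMPLE))
```

With the real capture, feed the full buffer returned by recvfrom to parse_ipv4_header and use header_len to find where the UDP header starts.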
