Mohammad Amin - 10 days ago
Python Question

Python how to parse RADIUS server packets?

I'm trying to parse UDP packets from a RADIUS server and I've tried different tools including Scapy, Pynids and pypcap. The problem is some of the Radius-Attributes are not decoded properly and some of them are. What could be the cause of this?

Here's my code:

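from scapy.all import sniff, Radius

# Capture five UDP packets and inspect the first one
packets = sniff(iface='eth0', filter='udp', count=5)
packet = packets[0]

# show() prints the dissected layers itself and returns None
packet.show()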


And here's the summary of the output I get:

###[ Ethernet ]###
dst = 94:57:a5:53:ab:70
src = d4:ca:6d:ae:a0:66
type = 0x800
###[ UDP ]###
sport = 38667
dport = radius
len = 205
chksum = 0x2bbd
###[ Radius ]###
code = Access-Request
id = 80
len = 197
authenticator= "T\xfb\x9c\t\x00 '\x14\xeb\x99\x84t\x9b\xb4\x83\x95"
\attributes\
|###[ Radius Attribute ]###
| type = Framed-Protocol
| len = 6
| value = '\x00\x00\x00\x01'
|###[ Radius Attribute ]###
| type = NAS-Port
| len = 6
| value = '\x00\xf6\xa7\xf9'
|###[ Radius Attribute ]###
| type = Called-Station-Id
| len = 8
| value = 'Dslam1'
|###[ Radius Attribute ]###
| type = 87
| len = 16
| value = 'ether1-Dslam 1'
|###[ Radius Attribute ]###
| type = Vendor-Specific
| len = 24
| value = '\x00\x00\x017\x0b\x12\x19\xfc4\xd01\xaf\x03\xd6\x0e!j\xa7H]\xdd;'
|###[ Radius Attribute ]###
| type = NAS-Identifier
| len = 15
| value = 'TEH-P'

Answer

For future visitors this is how I managed to parse the packets.

You need to create a dictionary file in your current directory or use an example from here so it can parse your data types correctly.

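from pyrad.packet import Packet
from pyrad.dictionary import Dictionary

from scapy.all import sniff, Radius

# Load the attribute dictionary once instead of re-reading it for every packet
radius_dict = Dictionary("dictionary")

def parse_packet(packet):
    # The "udp" capture filter also matches non-RADIUS traffic; skip it
    if Radius not in packet:
        return
    # Raw RADIUS bytes (header plus attributes) handed to pyrad for decoding
    radius_packet = bytes(packet[Radius])
    pkt = Packet(packet=radius_packet, dict=radius_dict)

    # keys() yields decoded attribute names; indexing decodes the values
    for attr in pkt.keys():
        print("%s %s" % (attr, pkt[attr]))

sniff(iface='eth0', prn=parse_packet, filter="udp", store=0)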

This is a response sample I got:

User-Name [u'12345678']
NAS-IP-Address ['192.168.*.*']
NAS-Port [15853417]
Service-Type ['Framed-User']
Framed-Protocol ['PPP']
Framed-IP-Address ['192.168.*.*']
Called-Station-Id [u'service4']
Calling-Station-Id [u'20:A7:5C:75:RA:TD']
NAS-Identifier [u'Test']
Acct-Status-Type ['Alive']
Acct-Delay-Time [0]
Acct-Input-Octets [1003335]
Acct-Output-Octets [15399190]
Acct-Session-Id [u'81c2332b']
Acct-Authentic ['RADIUS']
Acct-Session-Time [76321]
Acct-Input-Packets [15498]
Acct-Output-Packets [21247]
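
The following added example (not part of the original post and not pyrad's or Scapy's code) parses the RADIUS header and attribute TLVs directly, showing why a dictionary is needed: the wire format carries only a type, a length and raw bytes, so values such as `'\x00\x00\x00\x01'` stay opaque until a dictionary supplies the name and data type. The `ATTRS` and `ENUMS` tables and the sample packet are constructed for illustration, reusing attribute values from the question's output.

```python
import struct

# Attribute type -> (name, data type); illustrative subset of RFC 2865/2869.
ATTRS = {5: ("NAS-Port", "integer"), 7: ("Framed-Protocol", "integer"),
         30: ("Called-Station-Id", "string"), 87: ("NAS-Port-Id", "string")}
ENUMS = {"Framed-Protocol": {1: "PPP"}}  # named values for integer attributes

def decode_value(name, dtype, raw):
    """Interpret raw attribute bytes according to the dictionary data type."""
    if dtype == "integer":
        if len(raw) != 4:
            raise ValueError("%s: integer attribute must be 4 bytes" % name)
        number = struct.unpack("!I", raw)[0]
        return ENUMS.get(name, {}).get(number, number)
    return raw.decode("utf-8", "replace")

def parse_radius(data):
    """Return (code, identifier, [(name_or_type, value), ...])."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("length field %d does not fit the datagram" % length)
    attrs, pos = [], 20  # bytes 4..19 hold the authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        raw = data[pos + 2:pos + alen]
        if atype in ATTRS:
            name, dtype = ATTRS[atype]
            attrs.append((name, decode_value(name, dtype, raw)))
        else:
            attrs.append((atype, raw))  # not in dictionary: keep raw bytes
        pos += alen
    return code, ident, attrs

def build_sample():
    """Constructed Access-Request reusing attribute values from the question."""
    tlvs = [(7, b"\x00\x00\x00\x01"), (5, b"\x00\xf6\xa7\xf9"), (30, b"Dslam1"),
            (87, b"ether1-Dslam 1"), (26, b"\x00\x00\x01\x37\x01\x03\x00")]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in tlvs)
    return struct.pack("!BBH", 1, 80, 20 + len(body)) + b"\x00" * 16 + body

if __name__ == "__main__":
    for name, value in parse_radius(build_sample())[2]:
        print(name, value)
```

Attributes missing from the table, like the Vendor-Specific one here, come back as raw bytes, which is the same symptom the question describes; the length checks reject datagrams whose header or attribute lengths do not fit the captured data.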