Vous êtes sur la page 1sur 9

Network Packet Crafting, Sniffing, and Parsing:

A primer on crafting, sensing and formatting the output of TCP/UDP/ICMP/rawIP packets using three popular freeware security utilities for UNIX-Based systems



To find a flexible freeware packet crafting tool, learn its usage and options, verify its output using TCPdump, and parse this output into an easy-to-read format.



Hping 2 Beta ver. 5.4

packet assembler/analyzer tool

TCPdump 3.6.2

http://www.kyuzz.org/antirez/hping.html robust utility that dumps headers of packets from network traffic


http://www.tcpdump.org/ simply formats TCPdump output into a clearer scheme http://www.earth.li/projectpurple/progs/packprint.html



1.It is important that the latest version of tcpdump is used. The version that comes bundled with a standard *NIX installation is often dated, and doesn't support the -X switch for example. 2.These and other utilities are available in the software repository on the internal CSL network at



Hping2 and other packet generating utilities follow the same order of operations when creating and sending packets onto a network. These operations are as follows:

memory initialization network initialization packet construction packet injection

(specifying enough memory for the packet) (call to code library that returns RAW socket and connects link-layer interface) (the setting or filling of a specific protocol's flags, headers, and payload) (dropping the packet onto the network For example: different process for IP than for Link Layer)

Hping2's implementation makes the above steps transparent to the user, producing a network tool that easily assembles and sends custom ICMP/UDP/TCP packets, and displays target replies in the same way ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and it can be used to transfer files under the above supported protocols. Hping2 is command-line oriented, and employs a large number of extensions.

As described by its programmers, Hping2 can be used for:

Firewall testing

Advanced port scanning

Network testing, using different protocols, TOS, fragmentation

Manual path MTU discovery

Traceroute like, under all the supported protocols

Remote OS fingerprinting

TCP/IP stacks auditing

hping is also a useful tool for students that are learning TCP/IP.



Installation of all three utilities is relatively straightforward (see the README of each). In the following examples, packprint, tcpdump, and hping2 reside in the directory "/usr/local/sbin" because this directory is in the system path by default.

The following examples all take place on a linux terminal with root access, connected to a local network, running the KDE environment, and the following setup:

First rootshell window:

Second rootshell window:


for running TCPdump and Packprint. for running Hping2

1. Creating a simple TCP packet and sniffing it with TCPDUMP: rootshell 1 rootshell 2
Creating a simple TCP packet and sniffing it with TCPDUMP:
rootshell 1

In the above example, tcpdump is started first (in rootshell 2), with "host" specifying the IP address of a local machine in the lab. This parameter is necessary because we only want to see traffic to and from that specific IP. Without it, tcpdump would display ALL local network traffic, making the exercise unnecessarily confusing.

With tcpdump listening, we then proceed to create a packet and send it to "" by invoking "hping2" in rootshell 1. The switch "-c 1" specifies that the count (number of packets to send) is one. Again, this is done to keep the output simple and uncluttered. Upon hitting enter, we see a quick summary of the packet that has been created. By default, the packet has a TCP header with no flags set, and no data bytes (ie. no payload). In the next line we see the machine respond by resetting the ttl to 255 (from 64), assign an id, etc. Following this are statistics about the packets journey to and from the host computer.

In general, usage for hping2 is as follows:

hping2 (host) [options]

Looking again at rootshell 2, we see the network traffic our synthesized packet has created, complete with standard arp who-has request, arp reply, and a timestamp of each event. Before performing any more examples, it is necessary to recall the structure of this basic TCP header and the headers of a couple of other protocols. Below is a diagram of each, followed by a complete list of the switches which are used with Hping2 to craft such packets, populate their fields, and set their flags. Matching the switches in the list with the appropriate field in the diagrams is a quick way to regain familiarity with the protocols as well as the values of the default settings and how to change each.

0 15 16 IP H EADER 31 4-bit 4-bit header version length 8-bit type of service
4-bit header
8-bit type of service
(TO S)
16-bit total length (in bytes)
16-bit identification
13-bit fragm ent offset
tim e
8-bit protocol
16-bit header checksum
20 bytes
32-bit source IP address
32-bit destination IP address
O ptions
16-bit source port num ber
16-bit destination port num ber
16-bit U DP checksum
(if any)
16-bit source port num ber
16-bit destination port num ber
32-bit sequence num ber
32-bit acknow ledgm ent num ber
4-bit header
16-bit window size
16-bit TCP checksum
16-bit urgent pointer
O ptions
(if any)
(if any)
usage: hping host [options]
show this help
show version
packet count
wait (uX for X microseconds, for example -i u1000)



numeric output

-q --quiet


-I --interface interface name (otherwise default routing interface)



verbose mode



debugging info



bind ctrl+z to ttl

(default to dst port)



unbind ctrl+z


default mode




RAW IP mode



ICMP mode



UDP mode



listen mode




spoof source address



ttl (default 64)



id (default random)



use win* id byte ordering



relativize id field

(to estimate host traffic)



split packets in more frag.

(may pass weak acl)



set more fragments flag



set dont fragment flag



set the fragment offset



set virtual mtu, implies --frag if packet size > mtu



type of service (default 0x00), try --tos help



includes RECORD_ROUTE option and display the route buffer



set the IP protocol field, only in RAW IP mode




icmp type (default echo request), try --icmptype help



icmp code (default 0)

--icmp-help display help for others icmp options




base source port

(default random)

-p --destport

[+][+]<port> destination port(default 0) ctrl+z inc/dec



keep still source port



winsize (default 64)



set fake tcp data offset

(instead of tcphdrlen / 4)



shows only tcp sequence number



send packets with a bad IP checksum



set TCP sequence number



set TCP ack



set FIN flag



set SYN flag



set RST flag



set PUSH flag



set ACK flag



set URG flag



set X unused flag (0x40)



set Y unused flag (0x80)


use last tcp->th_flags as exit code




data size

(default is 0)



data from file



add 'signature'



dump packets in hex



dump printable characters



enable 'safe' protocol



tell you when --file reached EOF and prevent rewind


--traceroute traceroute mode

(implies --bind)


Creating, sniffing, and parsing the same TCP Packet

2. Creating, sniffing, and parsing the same TCP Packet This time we've piped the output of

This time we've piped the output of tcpdump to a parser called Pckprint that re-formats the information and makes it more readable, the second window displays a fragment of this information. Although this method is sometimes buggy, we can parse the tcpdump output with packprint in (almost) real-time with the command shown in the window.

The "-s 65535" defines the maximum number of bytes of data that tcpdump captures for each packet. Without this, tcpdump only captures a default of 68 bytes. The entire packet must be captured for the parser to process the data properly. The "-c 1" is used in the same way as for hping2 in Example 1. That is, to limit the number of packets (in this case captured) to 1. The "-w" switch indicates that the traffic is to be dumped to a file ( "-" in this case indicates that the file is actually the screen) and "packprint -" processes this 'file'.

If this command seems counter-intuitive, it is acceptable to first capture the traffic to a file, and then process it, as below:

>> tcpdump host -s 65535 -c 5 -w out.txt >> packprint out.txt


Creating and sniffing a raw IP packet with a spoofed source address

3. Creating and sniffing a raw IP packet with a spoofed source address To see how

To see how we can spoof the source address, tcpdump is set running in rootshell 2 and the hping2 command with the "-a" switch is executed as shown in rootshell 1. To create a raw IP packet, "-0" was specified as per the usage menu.

Note that in this case, although we did assemble and inject the packet -- successfully spoofing the source address as "microsoft.com" -- the host could not establish a connection because the synthesized packet is only the first step in the protocol's handshake (see the line "1 packets transmitted, 0 packets received, 100% packet loss"). Faking the source IP is little more than a neat trick without the trust-exploitation in place that would make it useful in compromising a system.

  • 4. Creating and sniffing a TCP packet with a fake TCP data offset, a specific starting TTL, a non- random ID, a SYN flag set, and a specific TCP sequence number.

3. Creating and sniffing a raw IP packet with a spoofed source address To see how


The above is an example of a very customized packet; made so with the appropriate switches and chosen values as shown. The "-vv" in the tcpdump command is to give more detailed (verbose) output. Note that all the values specified at the command line in rootshell 1 appear in the tcpdump stream in rootshell 2

  • 5. Generating and sniffing a specific payload in a simple TCP packet.

The above is an example of a very customized packet; made so with the appropriate switches

By adding the switch "-d 108" we specify that the data field of the packet will have a size of 108 bytes, the "-E in.txt" specifies the location from which this payload is extracted. While being written in the editor, the file looked as shown to the right. The same text is plainly visible in both hex and ascii outputs of the tcpdump stream. Literally any information can be transferred in the clear this way between trusted machines.

The above is an example of a very customized packet; made so with the appropriate switches


There is no end to the amount of network traffic and security information that can be gathered using basic utilities like Hping2 and TCPdump. Hping2 is a rather small program, but it can perform sophisticated, stealthy scans of net sites and create the illusion of probes from widely dispersed locations. Network weaknesses to certain protocols can be identified, firewalls can be tested, and entire files can be transferred within the payloads of packets that are masquerading as something much more benign. With the right series of scripts taking advantage of the flexibility of Hping and the thoroughness of TCPDump, it is possible to identify very many network vulnerabilities.

With Hping3 currently in the works, and the source code for the current version freely available, Hping2 offers an excellent starting point for new code that can demonstrate the vulnerability of higher-level protocols. A significant example is a trojan that encapsulates and transmits (with no interference from the firewall) private information inside something as innocent as an http request.