How to program pcap with Objective-C and get HTTP request and response values in text format - objective-c

I am working with pcap in an OS X application to understand packet analysis.
I am working with an app, https://github.com/jpiccari/MacAlyzer,
but I am only getting raw data; I want to separate every domain's request so I can read the request and response values in a clear way. Please guide me on how to develop an application with pcap.
I have tried some code, but it translates the data into hex format. How do I convert that data into meaningful request and response objects like Charles and Fiddler show?

MacAlyzer wasn't developed for your needs. I know because I'm the author. As already stated, Charles and Fiddler are web proxies and work entirely differently (and serve different purposes).
Diving a bit deeper into your question, communication between client and server happens IP-to-IP and not domain-to-domain. Domain information is not contained in the packets at either the IP or TCP level. Instead, computers request domain-to-IP lookup information, which is then stored, and communication is carried out using the client and server IP addresses.
MacAlyzer, and really libpcap, don't have sophisticated packet dissection (like, say, Wireshark) and cannot display packet information as verbosely as other programs. Before I lost interest in the project I was planning a library that would allow much richer packet dissection and analysis, but free time became very limited.
As for adding domain information to MacAlyzer, I'll explain at a high level since it seems you know what you're doing. To include domain information instead of IP addresses in the Source and Destination columns you could edit the function ip_host_string() in ip.m. This function controls how the client and server addresses are displayed. Modifying it to look up the hostname from the IP address and return the resulting string would cause the domains to be displayed instead of IP addresses.
If you come up with some nice updates, consider submitting a pull request.
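As an added illustration of the point made above (that the domain name lives in the HTTP Host header, not in the IP or TCP headers), here is a small C parser that walks one Ethernet/IPv4/TCP frame, formats the two addresses the way a function like ip_host_string() would, and pulls out the HTTP request line and Host header. This is example code written for this page, not code from MacAlyzer. It has no libpcap dependency: the frame is a constructed sample built in build_sample_frame() (addresses 192.168.1.10 and 203.0.113.5, host example.com are made up); in a real capture the same bytes would be the `bytes` argument of your pcap_loop() callback.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define ETH_HDR_LEN 14
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_TCP_NUM 6

struct http_summary {
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
    uint16_t sport, dport;
    char request_line[128];
    char host[128];
};

/* Dotted-quad formatting, the role ip_host_string() plays in MacAlyzer.
   A reverse lookup (getnameinfo) could be swapped in here, at the cost of a
   blocking DNS query per packet. */
static void ipv4_to_string(const uint8_t *addr, char *out, size_t outlen) {
    struct in_addr a;
    memcpy(&a, addr, 4);
    inet_ntop(AF_INET, &a, out, (socklen_t)outlen);
}

/* Copy one line (up to CRLF) into out, truncating if needed; returns the
   number of payload bytes consumed including the line terminator. */
static size_t copy_line(const uint8_t *p, size_t len, char *out, size_t outlen) {
    size_t i = 0, o = 0;
    while (i < len && p[i] != '\r' && p[i] != '\n') {
        if (o + 1 < outlen) out[o++] = (char)p[i];
        i++;
    }
    out[o] = '\0';
    if (i < len && p[i] == '\r') i++;
    if (i < len && p[i] == '\n') i++;
    return i;
}

/* Returns 1 and fills s when the frame carries an HTTP request over TCP,
   0 for anything else (non-IPv4, non-TCP, truncated, no request line). */
int summarize_http_frame(const uint8_t *frame, size_t len, struct http_summary *s) {
    if (len < ETH_HDR_LEN + 20) return 0;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_hlen = (size_t)(ip[0] & 0x0f) * 4;
    uint16_t ip_total = (uint16_t)((ip[2] << 8) | ip[3]);
    if ((ip[0] >> 4) != 4 || ip_hlen < 20 || ip[9] != IPPROTO_TCP_NUM) return 0;
    if (ip_total > len - ETH_HDR_LEN || ip_total < ip_hlen + 20) return 0;
    const uint8_t *tcp = ip + ip_hlen;
    size_t tcp_hlen = (size_t)(tcp[12] >> 4) * 4;
    if (tcp_hlen < 20 || ip_hlen + tcp_hlen > ip_total) return 0;
    const uint8_t *payload = tcp + tcp_hlen;
    size_t plen = ip_total - ip_hlen - tcp_hlen;
    if (plen == 0) return 0;

    memset(s, 0, sizeof *s);
    ipv4_to_string(ip + 12, s->src, sizeof s->src);   /* IP header: only addresses here */
    ipv4_to_string(ip + 16, s->dst, sizeof s->dst);
    s->sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
    s->dport = (uint16_t)((tcp[2] << 8) | tcp[3]);

    /* Application layer: first line is the request line ("GET /path HTTP/1.1"). */
    size_t off = copy_line(payload, plen, s->request_line, sizeof s->request_line);
    if (strstr(s->request_line, " HTTP/1.") == NULL) return 0;

    /* Scan the header block for "Host:"; this is where the domain name lives. */
    char line[256];
    while (off < plen) {
        size_t n = copy_line(payload + off, plen - off, line, sizeof line);
        if (line[0] == '\0') break;          /* empty line ends the headers */
        off += n;
        if (strncasecmp(line, "Host:", 5) == 0) {
            const char *v = line + 5;
            while (*v == ' ') v++;
            snprintf(s->host, sizeof s->host, "%s", v);
        }
    }
    return 1;
}

/* Constructed sample frame (not a real capture): Ethernet/IPv4/TCP carrying an
   HTTP GET. Checksums stay zero because the parser never validates them. */
size_t build_sample_frame(uint8_t *buf, size_t cap) {
    static const char http[] =
        "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n";
    static const uint8_t src[4] = {192, 168, 1, 10}, dst[4] = {203, 0, 113, 5};
    size_t http_len = sizeof http - 1;
    size_t total = ETH_HDR_LEN + 20 + 20 + http_len;
    if (cap < total) return 0;
    memset(buf, 0, total);
    uint8_t *eth = buf, *ip = buf + ETH_HDR_LEN, *tcp = ip + 20;
    eth[12] = 0x08; eth[13] = 0x00;                   /* EtherType IPv4 */
    ip[0] = 0x45;                                      /* v4, 20-byte header */
    ip[2] = (uint8_t)((20 + 20 + http_len) >> 8);
    ip[3] = (uint8_t)((20 + 20 + http_len) & 0xff);
    ip[8] = 64; ip[9] = IPPROTO_TCP_NUM;
    memcpy(ip + 12, src, 4);
    memcpy(ip + 16, dst, 4);
    tcp[0] = 0xc3; tcp[1] = 0x50;                      /* source port 50000 */
    tcp[2] = 0x00; tcp[3] = 0x50;                      /* destination port 80 */
    tcp[12] = 0x50;                                    /* data offset 5 words */
    tcp[13] = 0x18;                                    /* PSH|ACK */
    memcpy(tcp + 20, http, http_len);
    return total;
}

int main(void) {
    uint8_t frame[256];
    size_t n = build_sample_frame(frame, sizeof frame);
    struct http_summary s;
    if (summarize_http_frame(frame, n, &s))
        printf("%s:%u -> %s:%u  %s  host=%s\n",
               s.src, s.sport, s.dst, s.dport, s.request_line, s.host);
    return 0;
}
```

The parser deliberately checks every length field before touching the next layer; capture files and live traffic routinely contain truncated or malformed frames, and an unchecked header length is the classic way a dissector ends up reading past its buffer. Note also that only the client-to-server direction carries a Host header; matching the response back to the request means tracking the TCP 4-tuple, which is the stateful work a tool like Charles does for you.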

Here is some food for thought:
http://www.binarytides.com/packet-sniffer-code-c-linux/
Anyway, you will need to use C. Therefore, check the code of the includes, for example:
http://www.eg.bucknell.edu/~cs363/2014-spring/code/tcp.h
Here is the documentation of "pcap":
http://www-01.ibm.com/support/knowledgecenter/#!/ssw_aix_71/com.ibm.aix.basetrf1/pcap_close.htm

Related

Is it possible to retrieve the STUN server used once the RTCPeerConnection is connected

Not sure the title makes a lot of sense. To add some context, we are building a WebRTC infrastructure and to do so we have a few STUN servers up and running.
We sometimes have users complaining of calls taking too long to connect, therefore we would like to get some analytics on the calls. Because we provide a list of STUN IPs (including some public STUN servers as backup), we would like to detect the STUN server that successfully initiated the call.
We have collected a bunch of information thanks to RTCPeerConnection.getStats, but there is nothing related to the STUN server itself. So, my questions:
is there any JS API that allows us to retrieve the STUN server used?
is there any tool that I am not aware of that could do the job?
does the SDP contain any information related to STUN?
Hope all of this is clear, thanks for your kind replies.
The statistics do contain a server url:
https://w3c.github.io/webrtc-stats/#dom-rtcicecandidatestats-url
However, that is not implemented and since STUN servers are not involved in the actual call that information is unlikely to be useful.
For TURN servers you can get the active candidate pair and the IP of any relay involved from getStats. See https://webrtc.github.io/samples/src/content/peerconnection/constraints/ for a sample that shows how to determine the active candidate pair.

How can I get the gateway/router address from a pcap.net packet?

This probably has a very obvious answer, but what is the common way to get the router/gateway IP address of the packet I just received in pcap.net?
I know how to get the IP address source:
packet.Ethernet.IpV4.Source.ToString()
I tried looking through the object browser, but I didn't find a property that seemed to match. Any way I could find it?
It's more of a networking question than a programming one. A short answer would be: You can't.
The source IP address will always (unless strangely translated by the gateway) belong to the endpoint You wanted to connect with. This way Your application will get the response to any request You send. Unless You're using NAT, the router does not alter the packet in any way, so it's transparent from a connectivity point of view. The source address of the packet You just got would almost always contain the IP address of the server You connected to. That's the way Ethernet works.
A poor man's solution would be to use traceroute to find out which way the packets go and therefore get the address of the router, which generally would be the first hop along the way. From a programmer's perspective this would mean sending out several packets to the destination You got the packet from, each time incrementing the packet's TTL (starting from 1) and looking at the ICMP responses. This, however, could mislead You if some sort of load balancing is being done.
Maybe if You clarified what You would like to achieve, I could point You in a better direction.

API, dev specs or similar for TK102 GPS localizer

I'm using a TK102 GPS localizer. Along with it, I got only simple end-user docs. No API, dev specs or similar for writing code that will use this localizer.
I was told that it uses UDP. So I wrote a simple PHP listener. But either the localizer is not using UDP or something is wrong in the communication between it and the server. The listener works fine (it gets UDP packets from other clients) and the localizer is sending something (I'm being charged by the GSM operator for GPRS transmission), but the data it sends doesn't reach the server.
I asked about server or networking issues on Unix/Linux and SuperUser. Here I would only ask whether someone knows any API/dev specs for this localizer, so I can check if it really uses UDP or if I have made some other error (in configuration, for example).
The localizer and its clones
We're talking about the Xexun TK102 Tracker here. The original one, because there are many clones from other companies in China selling a similar GPS localizer, with the same cover and logo, but with:
less performant electronics on board (for example, able to report location once per 20 or 30 seconds, not once per 5 seconds like the original one),
units that send less information (lack of direction/bearing, altitude, number of satellites used for the location fix, and many more),
units using a different data format or a non-standard transmission protocol for sending it (for example, cheaper units are unable to use the UDP protocol and transmit data through TCP, using packets that do not always follow standards or definitions).
Coban and Kintech are only two of many clones sold on eBay and in e-shops, claiming to be original Xexun trackers.
On the other hand, the original Xexun and some clones (like Coban, for example) are harder to control from your own script, because they require a correct answer from the server where data is sent over GPRS. If the unit does not receive such a reply, it breaks the connection. The cheapest units do not have this checking and will always send location data to the specified IP address over the provided port.
Product description
Here is the product description of the original Xexun localizer (and here is a clone under the Kintech name).
A possible buyer must be very careful (and should secure a return policy, which is why buying directly from China is not recommended), as there are many reports about sellers claiming to sell an original Xexun device and actually sending a clone.
Though this device is five years old, it is still sold in many places (including eBay), but even from these sources it is very hard to get anything of worth for developers, except a simple, very basic user guide.
I have confirmed information (from two different sources) that there is no official API available for this device. The only option is to Google around, ask other users, or use forums (see below).
If you own an original Xexun localizer, you may try to contact the company's international department and ask their technicians to include some changes in the device source code and send you updated firmware with your changes - wow! That was confirmed by the company itself.
Forum
I found a perfect forum for the TK102 device, with a lot of questions and answers:
here is a general forum on the TK102 device (kept alive for 4.5 years, with 171 pages and 2000+ posts!),
here you'll find a more specific topic on receiving data from this localizer,
this forum is also about the TK102 unit, but it is entirely in French.
There are many other devices discussed and, in general, this is the biggest forum in the world with topics on localizers and similar information.
GPRS Protocol Specs
In general, any TK102-related device opens a socket for a direct TCP transmission (the original one can be switched to use the UDP protocol). Data is transmitted over the port specified by the user in the configuration, and using GPRS only (this requires a SIM card with GPRS enabled; there is no way to use WiFi).
Sending frequency, format and amount of data sent depend entirely on the kind of device being used -- it is more extensive and more configurable in the original one than in the clones.
Using FileDropper I shared the GPRS Protocol Specification for the TK102 Geolocalizer. It contains basic information on how to set up the TK102 (and possibly all its clones) to send location over GPRS, and what sort of data you should expect to receive from it on the server side. This could be useful for someone.
BTW: if the link goes dead, contact me for a re-upload or to send it over e-mail.
Correct server response problem
Make sure you're using the correct data transmission protocol! Many (really many) cheap clones use TCP, while only the original TK102 allows switching to UDP. This is convenient, because you need only a really basic server configuration to handle TCP connections, while you have to use specific server-side software (like node.js) or a specific configuration (open to certain ports) to handle UDP. But the key thing is to determine the correct protocol, as listening for TCP data while your localizer sends UDP will most certainly fail.
Take into consideration that many TK102 clones require a correct response from the server after each piece of data they send. It breaks the connection after sending some welcome garbage UDP packet, as it does not receive the response it waits for.
It is quite hard (quite impossible?) to find any guide for many of these clones on what kind of responses the server should send. This often leads to a situation where the developer is unable to establish two-way communication between server and localizer. Many localizers are sold to be used only via SMS communication or through paid services that have signed an agreement with the producer and received a protocol specification that contains the valid responses the server should generate for a particular TK102 clone.
Double check whether this is the source of the problem if you can't communicate with your localizer from your app.
You can check some models' protocol specs here:
http://www.traccar.org/docs/protocol.jsp
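The "which protocol does my tracker actually use" question in the answer above can be settled empirically rather than by guessing: bind a TCP listener and a UDP socket to the same port, wait for whichever one receives data first, and dump the first payload so the raw format is visible. The following C program is an added example written for this page, not code from Traccar or from any TK102 vendor; it assumes only the POSIX socket API and a loopback interface, and it binds 127.0.0.1 with a kernel-chosen port (a real deployment would bind the tracker's configured port on the public interface). It does not know the device-specific reply the answer says some clones expect; the comment in read_first_payload() marks where that reply would be sent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Open a TCP listener and a UDP socket on the same loopback port. With port
   0 the kernel picks a TCP port and we retry until UDP can bind the same one.
   Returns the bound port, or 0 on failure. */
uint16_t open_both(uint16_t port, int *tcp_fd, int *udp_fd) {
    for (int attempt = 0; attempt < 10; attempt++) {
        struct sockaddr_in a;
        socklen_t alen = sizeof a;
        memset(&a, 0, sizeof a);
        a.sin_family = AF_INET;
        a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* assumption: loopback only */
        a.sin_port = htons(port);
        int t = socket(AF_INET, SOCK_STREAM, 0);
        int u = socket(AF_INET, SOCK_DGRAM, 0);
        if (t < 0 || u < 0) return 0;
        if (bind(t, (struct sockaddr *)&a, sizeof a) == 0 && listen(t, 4) == 0 &&
            getsockname(t, (struct sockaddr *)&a, &alen) == 0 &&
            bind(u, (struct sockaddr *)&a, sizeof a) == 0) {
            *tcp_fd = t;
            *udp_fd = u;
            return ntohs(a.sin_port);
        }
        close(t);
        close(u);
        if (port != 0) break;   /* a fixed port is not worth retrying */
    }
    return 0;
}

/* Block up to timeout_ms for the first incoming data and report the transport
   that carried it: "tcp" (a connection is pending), "udp" (a datagram is
   queued) or "none" (timeout). */
const char *first_transport(int tcp_fd, int udp_fd, int timeout_ms) {
    fd_set rd;
    FD_ZERO(&rd);
    FD_SET(tcp_fd, &rd);
    FD_SET(udp_fd, &rd);
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int maxfd = tcp_fd > udp_fd ? tcp_fd : udp_fd;
    if (select(maxfd + 1, &rd, NULL, NULL, &tv) <= 0) return "none";
    if (FD_ISSET(udp_fd, &rd)) return "udp";
    if (FD_ISSET(tcp_fd, &rd)) return "tcp";
    return "none";
}

/* Read the first payload from the transport that fired; returns byte count
   or -1. For TCP the accepted connection is closed here, so this is only a
   probe: a real server keeps it open and sends the device the reply it
   expects (format unknown for most clones, see the answer above). */
ssize_t read_first_payload(int tcp_fd, int udp_fd, const char *which,
                           char *buf, size_t cap) {
    if (strcmp(which, "udp") == 0)
        return recvfrom(udp_fd, buf, cap, 0, NULL, NULL);
    if (strcmp(which, "tcp") == 0) {
        int c = accept(tcp_fd, NULL, NULL);
        if (c < 0) return -1;
        ssize_t n = recv(c, buf, cap, 0);
        close(c);
        return n;
    }
    return -1;
}

int main(void) {
    int t, u;
    uint16_t port = open_both(0, &t, &u);
    if (port == 0) { perror("bind"); return 1; }
    printf("listening on 127.0.0.1:%u (TCP and UDP), point the tracker here\n", port);
    const char *which = first_transport(t, u, 30000);
    char buf[512];
    ssize_t n = read_first_payload(t, u, which, buf, sizeof buf - 1);
    if (n > 0) {
        buf[n] = '\0';
        printf("first payload arrived over %s (%zd bytes): %s\n", which, n, buf);
    } else {
        printf("nothing received over %s\n", which);
    }
    return 0;
}
```

Running this against the real tracker replaces "I was told it uses UDP" with an observation; if the device connects over TCP and then drops the connection immediately, you have also confirmed it is one of the clones that waits for a server reply. Keep the dump, since the first payload is usually the only protocol documentation you will get for a cheap clone.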

Edit Incoming Packets On a Specific Port

I know there are various programs that sniff packets, like Wireshark, but I'm pretty sure you can only view the data. I want to know if it's possible to edit incoming packets. I'm not sure if packets is the right term. I just want to edit incoming data that is received through the internet and whose destination is a specific application. Let's say I am playing an online game. As it loads on my computer, it is receiving information like "This person has 10 coins in their money pouch". Obviously not exactly like that, but you get the point. I would like to be able to change the data so it says 100 instead of 10. I know something like this would be possible if you were to do this: imagine my computer is connected to the internet with an ethernet cord. There is a device attached to the ethernet cord which receives the data and changes it and then lets it continue to my computer. I would just like to know if this is possible, and how it could be accomplished.
Thanks!
The way I do it is one of 2 ways:
1.
If your application supports it, set up an HTTP proxy on your machine and you could use software like Burp / Fiddler to mess with the data.
If not (the protocol is not HTTP), you could use either one of 2 options I've tried [both based on hooking the API calls from the application to the OS]:
EchoMirage, software that allows messing around with the packets.
[Bit more advanced:] There is a debugger named OllyDbg which has a plugin named Universal Hooker; it enables you to hook any Windows API function and execute a Python script on demand. uHooker contains examples of how to hook WSASend and WSARecv (which are the API functions used in Windows sockets).

How do I get the external ip address with NSHost?

I'm trying to find my external IP address, but I get local ones only, behind the NAT.
NSArray *addresses = [[NSHost currentHost] addresses];
Is there a way to print out the public address? Is using NSHost a good idea?
There may not always be a reliable way to get at your public IP, but the DNSService API in OS X will use UPnP and/or the NAT port mapping protocol to get the public IP (amongst other things). The code illustrating how to use the C API would be a bit large (50-60 lines) to show here, but there's some Apple sample code which implements a nice ObjC wrapper around the functionality, and even offers a pair of functions to directly return UInt32 and NSString representations of the public IP address.
The relevant code itself is located here, but you're probably best off just downloading the zip file and including PortMapper.h and PortMapper.m in your project and using them directly. Then all you'd need to do is:
NSString * publicAddressString = [PortMapper findPublicAddress];
If you ever get to look at a network topology chart for a major organization, do so. It's enlightening. The whole point of NAT, firewalls and all that other "black magic" is to allow the network to manage addresses (including protecting you) without your knowledge.
There are only three ways in which I've been able to reliably (and reliable is a relative concept here) get the external-facing IP address of a server.
The first is to ask the network gods themselves (and make sure you refer to them as gods when asking; this will assist you in getting the information). Sometimes (not always), it's a simple mapping of the top bytes of your IP address whilst retaining the low-order bytes. Sometimes it's more complex, but still follows rules that you can use. Just keep in mind these rules can change at any time.
The second is to have a box outside of your network which you can query and it, in turn, can let you know your IP address.
The third is to specifically attach to an outside DNS server (not your corporate one) to retrieve the information.
Of course, you should question the need to know your external IP address. The whole point of DNS is to avoid having to worry too much about IP addresses and just refer to machines by the domain names.
There is no reliable way to get your public IP. Depending on your network topology, you may not be able to depend on the outgoing address for a number of reasons: IP address pools, dynamic routes, multiple layers of NAT, proxy servers, etc.