Marek Denis | 12 Apr 2012 22:38

Suffering from performance issues while sniffing in real time?

Hi,

Does any of you have any experience with sniffing data with Scapy
functions and methods, yet analyzing packets in real time?
I would like to be able to sniff IPv6 packets and detect some anomalies
or do some statistical counting.
If not Scapy (or, at least, the sniff() function), maybe other Python
libraries are more optimised? Any advice?
Or is embedding Python into a C program, and making the C code sniff
and pass the packets to the Python layer, a good solution?

-- 

Marek Denis 
[marek <at> octogan.net]

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Cor Rosielle | 13 Apr 2012 10:00

Re: Suffering from performance issues while sniffing in real time?

Marek,

Is it sufficient to filter packets and output specific fields? Like this example:
- only show tcp packets
- where destination port =6666
- and the TCP RST flag is not set
- display that it's a TCP or ICMP response
- for TCP display: length of IP packet, source IP, TCP-flags
- for ICMP display: length of IP packet, source IP, ICMP type and code and original destination

from scapy.all import sniff

sniff(filter='(tcp and dst port 6666 and tcp[tcpflags] & (tcp-rst) = 0)',
      prn=lambda x: x.sprintf("{TCP:len=%IP.len% ip=%IP.src% flags=%TCP.flags%}"
                              "{ICMP:len=%IP.len% ip=%IP.src% type=%ICMP.type% "
                              "code=%ICMP.code% orig.dest=%IPerror.dst%}"))

It does print certain anomalies, but I have found no way to do the counting.

Cor

On Apr 12, 2012, at 10:38 PM, Marek Denis wrote:

> Hi,
> 
> Does any of you have any experience with sniffing data with Scapy
> functions and methods, yet analyzing packets in real time?
> I would like to be able to sniff IPv6 packets and detect some anomalies
> or do some statistical counting.
> If not Scapy (or, at least, the sniff() function), maybe other Python
> libraries are more optimised? Any advice?
> Or is embedding Python into a C program, and making the C code sniff
> and pass the packets to the Python layer, a good solution?

Marek | 13 Apr 2012 13:05

Re: Suffering from performance issues while sniffing in real time?

Cor,

On 13.04.2012 10:00, Cor Rosielle wrote:
> Marek,
>
> Is it sufficient to filter packets and output specific fields? Like
> this example:

I was rather thinking about a monitor that tries to identify some IPv6 
attacks. This means some counting should be performed, matching packets 
and so on. I would like to do it online, so here comes my initial 
question - should Scapy be able to handle typical traffic in realtime?

> It does print certain anomalies, but I have found no way to do the 
> counting.

How about checking the data in the callback function, inspecting the
necessary fields and storing the Packet in memory if necessary?

-- 
pozdrawiam

Marek Denis
[marek <at> octogan.net]


