Thank you very much for your knowledgeable input.
What we want is to spoof the IP, so, we do need to craft the IP packet. Therefore, I think the only option left is, as you say, to use AF_PACKET instead of INET

A thing that I would have liked to see in action is useful DATA sent instead of writing “Hello how are you” to a web page. I suppose http get code would have been much more interesting. Anyone can do that and see what reply we get?

The reason for everyone’s difficulty is due to the fact that the socket being used is operating at the wrong TCP/IP layer.

TCP/IP.

Application (Web/HTTP, FTP, SSH, Multiplayer games, etc…)
v
Transport (TCP, UDP, …)
v
Network (IP, IPX, …)
v
Link (Ethernet, 802.11 partially)

The hundreds of network protocols which make up our interconnected world can to all some degree be placed with in this stack, some of the most important are shown above. It is called a stack because each layer provides services to the one above and uses services provided by those below it.

The code on this page attempts to send data from network layer up (hence the need for creating an IP packet). However, the socket is configured as AF_INET which already provides the necessary functions for creating and sending IP packets. The result is that the code puts an IP packet with in another IP packet. Wireshark will not recognize the inner IP packet. The solution here is to either just send the TCP data or to change the socket’s config.

On Linux, you should use…

s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW)

Apart from this, the code is very helpful, thanks!!

I was just wondering is you can suggest or point me to an example which uses python classes to achieve the same objective.
I’ve seen a lot of sniffers take advantage of classes, but no example of sending packets.
Thank you!
Cosimo

I’m really really disgusted, and i would not trust your
code with a monkey I did not like.


! def checksum(msg):
! vals=map(ord,msg)
! if ((len(vals)>>1)<<1) != len(vals): vals.append(0) # odd length
! s=sum([vals[i]+(vals[i+1]< 0xffff: s=(s>>16)+(s & 0xffff)
! return s ^ 0xffff # ones complement



def checksum(msg):
vals=map(ord,msg)
if ((len(vals)>>1)<<1) != len(vals): vals.append(0) # odd length
s=sum([vals[i]+(vals[i+1]< 0xffff: s=(s>>16)+(s & 0xffff)
return s ^ 0xffff # ones complement


> def checksum(msg):
> vals=map(ord,msg)
> if ((len(vals)>>1)< s=sum([vals[i]+(vals[i+1]< while s > 0xffff: s=(s>>16)+(s & 0xffff)
> return s ^ 0xffff # ones complement

def checksum(msg):
vals=map(ord,msg)
if ((len(vals)>>1)<<1) != len(vals): vals.append(0) # odd length
s=sum([vals[i]+(vals[i+1]< 0xffff: s=(s>>16)+(s & 0xffff)
return s ^ 0xffff # unsigned ones complement

This assumes the proper checksum is defined as a 16 bit sum reduction
followed by a bitwise complement. The original code is buggy.

1) It fails to prevent an indexing error for odd length messages.
2) It fails to consistently compute the checksum for very long messages.
3) Its ‘ones complement’ is an integer signed ones complement, not an unsigned binary complement.

If the rest of the code is as bad, user beware. One useful thing I did learn
was the necessity of administrator privilege for creating this socket.

s = s + (s >> 16) # add the carry to the result
s = ~s & 0xffff # one complement and mask to 4 byte short

This line isn’t useful : s = (s>>16) + (s & 0xffff)

I was sending it to loopback and the kernel doesnt add a mac since it doesnt go through a nic. My mistake.

where is the mac address missing ? In the packets send out by the python program ?