However, Scapy actually stores them nested, as shown for the nameserver section below: ns= Each one of those fields should contain an array (or list) of records. In fact, the DNS response header has fields that tell you how many values each one of those sections contains.īased on how Scapy nests different protocols, you would expect that packet will return the entire DNS section of the packet, and you should see fields that include qd (query), an (answer), ns (nameserver), and ar (additional record). Not all of these are always populated, and each one of those section can have multiple records in it. A DNS response packet has four primary sections: queries, answers, authoritative nameservers, and additional records. The point at which this becomes very confusing is in DNS responses. For Scapy’s returned values to make any sense for packet analysis, it’s very important to refer to, and return, individual fields rather than entire headers. For example, the sequence number in a captured frame can be returned using q. Given this storage method, the best way to display a field in the packet is to refer to the section and field name. In general, Scapy uses angular brackets () to denote the beginning and end of different sections, with specific fields separated by spaces, and displayed as field_name = field_value. Because of this, the method by which Scapy stores packets, and the way it wants you to refer to different parts of each packet, is kind of strange. In fact, most of what you can find on StackOverflow or Google about Scapy revolve around using it to perform Man in the Middle attacks, ARP or DNS poisoning attacks, or other attacks revolving around packet manipulation. It’s important to note that packet dissection and analysis is not the primary goal for this library it’s primarily meant for packet crafting. To accomplish this, I chose Scapy, the “Python-based interactive packet manipulation program & library,” based on a few blog posts I found. Therefore, my script must parse DNS responses that showed up in the packet capture and connect the initial query through any chaining to the final IP address. I wanted a solution that would let me take the actual, in situ, DNS queries from the client displayed in the capture and connect those to the IP addresses that show up.
0 kommentar(er)
