So, first of all, what you may have noticed is that desk Mac and source macro being printed out. And he's really weird. Ugly strings.
So what we're going to need to do is we're gonna need to fix those. We're gonna need to make them look a little bit more readable.
So right now they're just six bites of binary data, and we need them to be
obviously something else.
Specifically, we want restrains.
So to do that, we're gonna need to do yet another import.
This import is been asking,
been ask e is a very, very handy import. All it's really therefore, is to convert binary data to askyou NATO and back and forth so that we can read it more easily.
So now instead of Ethernet header zero, what we're actually gonna do is been asking
And you need the go through and search for this one to give to you for free
And this is going to turn this binary data that we don't really know anything about
in the hex. Well, into ask you specifically. That looks like hex,
which is what we're after.
Mac addresses are always in hex,
the tax decimal. So you want to convert it so that it's hex so that you could more easily read it.
Now we're gonna print again. We're gonna run it again
Okay, so we see that the 080 sixes are sent to broadcast. Where is zero? Well, most in Syria. Hundreds are also sent a broadcast.
There we go. So, you see, when I generated traffic, they start going to specific Mac addresses
there, a lot of things being sent to broadcast. And if you want to examine them in wire, shark or whatever, then you'll be able to see what's causing those.
So one thing that I'm going to do,
just going to clean things up when we're looking at it.
That's just so that I'll show you what it looks like here.
That's just so that when we have traffic it well,
it will spend up a little bit more prettily as we go.
and actually gonna go ahead and move this office system Clear
where it won't just auto destroy the data.
We're gonna do it after we received. So each time we get a new packet.
We're going to clear the old one off the screen.
Pretty straightforward. There you go.
Now it just looks like it's manually updating. Lennox is kind of weird about clear, so you can actually just scroll up
and see the other things. But
point is that it looks a lot prettier, and it's much, much, much easier to read now.
so we have sort of, Ah, ugly but workable Ethernet header going on here. Um,
as we go through and we complete after we complete, everything will go through and, well, actually print everything out to look a little more useful.
for the time being, this will work. We've got Anita editor that's actually being printed. We got you know, we're able to look at the Mac addresses and see what's being done.
And again, we have an actual particle.
Speaking of that particle, we're actually going to use that, and we're gonna say if
is 00800 In other words,
we're just gonna create an I p bull
cattle see everything else lower case, because python
and we're going to do this up here. If you cool equals false
now we're just gonna do return. We're also going to be returning to pull in this case, much like the struck out unpack does.
The way you return it to people we've seen him before with connect or with except and actually I think it's connected. But
all you gotta do is have multiple arguments receiving,
and you're good to go.
You always. If you have more than one received location, you need to always receive the same number. As you are returning,
you have one. If you return an entire to pull into one location, that's acceptable.
If you're turned it into one location for every return object, that's acceptable. But you have, like three return values in two weeks and to return locations that won't work.
In other words, if we had
returned three overturned three
that won't work, we'll be able to return it into these simply because
it doesn't know where to break down what to do with us. Always make sure in general, you just want to make sure that you're returning and receiving the same number of things.
so now we've got a bull that tells us whether or not the next header is I p
So we're going to do if I pee Bull
data equals Obviously that's not a function. And more obviously it's about to become one death Analyze I p
is gonna take an argument of data.
moved on or nice center So we can kind of
we don't We don't actually want to close this but we can kind of throw the youth and head out the window now
and look at the always friendly RFC 7 93 RC 7 93 is one of the older or if sees if you look it
September 1981 This RFC came about so yeah, this RFC is order than most of the audience If the RFC is not order than you
Congratulations. You two are older than most of the audience. We're gonna go down here We're gonna look at header format
on page on Ah Page 15 3.1
Close that. Close that out. And Okay,
so this is TCP I'm sorry we need the i p header not the TCP header.
So this RFC is for TCP
there. See? We need is for I p So we'll go ahead and open that one up real quick
and finding our seas very easy. Google
There you are. See 7 91 That's more like it.
Now this RFC is kind of handy. It's also if you notice also September 1981 still in older FC
this one I like because it's got actual links. So here's the Internet header format, as you can see, bit heftier than our
Eastern that header waas It's gonna take a little bit more time to analyze.
So first thing, of course we're gonna do We're gonna do
equal Struck's dot unpack
and we know that's gonna get sliced
we see that there's four might feel before I feel whatever the way, this is broken down The way you read
structures like these in our seas
this right? Here is one bite
user four bite lines. Each line is four bites long.
So we see we've got options and patting down here. Options are optional.
I can tell you I have never actually seen I pee before options being used. And we can pretty safely assume that they won't be
safely assume is sort of the phrase that makes most exploits no, makes most explainable code happen. But in this particular case, it really is incredibly rare and not really worth dealing.
So we're gonna have four bites and we're gonna have 12345
five lines. So we know it's gonna be 20 bites long.
Really? Just that easy.
So Okay, we've got 20 bites that we've gotta handle now.
So we see that our 1st 2 fields, we're just gonna do this field by field, Our 1st 2 fields version and I h l,
um which is Internet header length. The length of the Internet, the length of the I P header
are both four bit fields. So we're gonna look at our structure and we're gonna say, Oh, hang on,
We don't have anything. It's half a bite long.
So how do we do this?
That's actually pretty easy. We're just going to return
into something larger and we're gonna mess, and we're gonna move the bits over to where we need them.
the smallest that we actually handle
However, that one bite is for characters.
if you use the one bite of use characters, you're gonna run into a bunch of trouble trying to move the bits around
because python works with binary only if it's either
and an array of characters or if it's just a imager.
So instead, we're gonna find the shortest number we can handle. Shortest number we can and we see to be two bites. And that's gonna be a TSH. We're gonna make sure that we always use unsigned because head airfields are never signed.
You know, i p Header Fields, Ethan ahead, Airfields, whatever. Always gonna use on signed data. So our source structure or unpack er is going to be a capital age.
exclamation mark. So that we know we're using Network Indian
Ever do. H h is two bytes long, which means H is actually gonna be
all three of these fields.
We're gonna need to do some magic to those here in a minute,
which actually didn't do right now.
So first we're gonna do is Virg
is going to be I P header
But we've got to do something with it so that we're only getting what we want.
And the thing we're going to do is we're going to
shifted to the right
in this particular case. Friendship, 12 bits.
but that means we're gonna take all 12 of these bids right here.
We're just going to get rid of them.
We're gonna move version
over to the right, 12 bits and then everything to the left. A version is just gonna be zeros.
Well, that does. Functionally is that gets rid of all the other field. It doesn't get rid of them, but in this case, it
removes the other fields from the version variable. So there were only looking into it We want to see.
Next thing we're gonna do
is we're going to move.
We're gonna make HL HL
and we're gonna shift that one right by eight bits.
there is a bit of an issue because by shifting that one, right, Yes, we're getting rid of type of service, but we're keeping version,
so we're actually gonna have to do an extra step with that one.
The extra step we're gonna have to do with that one is to end it
logically ended against zero X
and this is gonna be now it's one bite long, so it'll be zero
zero f translates to
the binary 1 to 4 zeros
and then four ones. Now logic lands. If you're unfamiliar with logic interest tables a logical and says on Lee, take the bits
that exists in both of these things. So, for example, if the I P header shifted right by eight bits is
ended against this 00001111 If we have 01010101
The output of that is gonna be
four zeros. Because those donors, because in one of these two, it's just zeros.
And that is going to be
because it only puts ones where they coincide with boats.
A good place to look, to learn a little bit more about this.
Since this isn't really a true tables or logic class
bit wise. Operators, operations,
that's tutorials point Wikipedia, whatever somewhere that'll just show you
what the actual bit wise
again. We're not really gonna focus on too heavily because not a logic class. It's okay. We've got a version. We've got our eye. HL Now we need our type of service.
What type of service, And we're gonna go into RFC. We're gonna get real familiar with our season. This, uh, this video, So I hope you're ready for that
type of service is a quality of service precedence field. It determines how important this traffic is.
The R F. C says, You know, this is really important because it says how quickly did is gonna get sense.
The truth of the matter is, that's not really the case.
type of service hasn't really mattered since I pee before
since the Internet became a thing,
you may still see the field used, but it's extremely rare, and very, very few people bother to check with it. But for a packet sniffer,
we kind of want to know someone's doing weird things in fields. That's one of the handy things about a packet sniffer is that we get to look at whatever we want to look at.
So we're gonna say type of service
We're gonna do another logical. And
this time it's gonna be against zero X.
The whole first bite is zeroed out.
Second bite is going to be all lefts. Second bite is all ones. This is logically equivalent to,
huh? There you go. Eight zeros and eight once.
So Okay, now we've dealt with our first field. Our first unsigned short. Two bites.
These three fields were done. Next thing we're gonna look at is this fourth field, which is total link.
Total length is another H another
So we can do. There are two ways you're going about this you can do to H is
where's with a string? The six determines how long the string is for any other argument.
This number determines how many fields they're going to be. So now this will expands. This will unpack this header this data field
unsigned imagers there two unsigned shorts. Rather
So that means the next thing we want to do is total length or total end. However you want to name the variable, it's going to be I p header.
It's two people. We can address it with indexes.
So that's the total length. Um, really? It's pretty easy to do
ever. Just gonna From here on, we're just gonna kind of tear through all these fields.
Then we see flags and fragment offset.
This is when we actually break into in the r f c and really look at.
So we see their three control flags. The flags field is three bits long, which is really, really ugly, and it bothers me that did that way, but that's not important.
the flags field is three bit, and then there's a 13 bit fragment offset.
Which means we're gonna have to really break down into this. No, we know that we're gonna need 1/4 h
scroll back up here.
So we're in this field or these fields right now. We're gonna have to actually kind of break him down a little bit.
shifted right. And this is a really horrible logical shift, but shifted right, 13 bits.
So we're only going to get
only going to get the 1st 3 bits
of the flags fragment offset Shared field
Then we're going to do
is equal to I p Header
Now we're going to do a little bit of hex bath,
zero is all zeros. F is all ones.
So we need to do zero X.
We only want to get the 1st 3 bits.
and then just zeroes after that.
So you have to actually see what
31 than a zero equals out, too.
You know, this field,
we'll go from the right to the left. This fields equal to one and that zero This feels equal to two, and that's a one.
this fields of four.
And that field is an eight,
which we want. Of course, translate
Uh, B is 11 sees 12. 13 is 14
but we're actually going to mask those out. So we're going to do
We could have done this a little bit more easily and said, Okay, we want everything except these three
0001 and then just a bunch of zeroes. After that, we're not gonna actually break out.
a bunch of ones after that. Rather so now we're going to ignore the 1st 3 bits in this first by it. I know that was a little confusing and a little tricky to follow. Feel free to press the I believe button,
but we're gonna ignore the 1st 3 bits and we're only going to deal with the last 13. This f it's worth four bits.
That's eight minutes. 12 minutes, 13th bit.
Another fragment offset on. Lee actually sees 13 bits. It thinks it sees
all 16 bits, but only sees 13.
Then move on to the next one, which is going to resource for us.
This is where we're gonna bust out another socket function.
You suck. It actually does deal with this one,
which is gonna be network to ask you.
I think it's that basket
we're gonna do No, no, sorry. Never. Cassie. I was correct the first time.
That's what you get for second guessing yourself, folks.
All right, so network to ask you
against And this time we're actually gonna be a different field. We know that it's gonna be
a string we know that's going to be
It's the night before. So there's gonna be four bites long,
so we're going to do for us.
And we know they're going to love them because they're sourcing the destination for s for us.
Okay, so then we're in a new network to ask you
I actually think I made on this backward.
so we can do a quick sanity check. We could make sure we've got the right number of fields. At least
each of the H is air gonna be
So therefore, ages too.
And yet sure enough that sanity checks show that I skipped a bunch of fields. Wishful thinking, folks.
Luckily, these fields are pretty quick gonna do I p t t l which is the number of hops left or the number of computers left before it gives up the search.
Teach Yellen protocol again. That's gonna be 1/5 h
DTL equals I P header
four. I'm gonna get rid of these numbers here, so don't confuse anybody
logically ships, right? By eight minutes,
you guys are gonna be old pros that bit wise, Operation by the end of this pro no equals I p header
will do ch k s u M Check some.
and that's going to make for our six stage
and then to four asses. And that'll be
Okay, let's do another sanity check.
So there's six ages. So 12
And then there, too, for us is one and two and he had options and padding. We're actually not going to notice. We're gonna pretend this one exist. Patting only happens when options happens and options doesn't happen.
Okay, Now we're working out our entire I P header field our entire high Pienaar structure rather and we need to change data.
However, there is one thing that we need to do, which is check the protocol field again.
Did that an ethernet We need to do it. And I Pius Well,
the i p protocol fields are going to be
UDP. Whatever our next protocol is going to be
is going to be determined
here in the U. T. P area.
So in order to do that, we actually have to do our get ourselves a little bit of an if statement or ah, seriously of statements actually going.
So we're only in this never gonna deal with T C P and U T P. There could be other protocols and other communications, and you probably will see a few of them once in a while. But in general, if you look for TCP and you d be traffic,
you're going to see most all I p traffic.
So we're gonna do if
Now we need to get the TCP
the value or the number of TCP.
So you look at rear protocols
where I pulled up earlier. We see that is six
I don't really want to use magic numbers. If we were being good, we would have defined that up here. But we're not being good. We're cheaters.
If I be brother equals six,
see what you d p is.
See over here that 17
If you're pro equals 17
and we're gonna return to pull data. And next
with a relatively minimal amount of wailing and gnashing of teeth
we've broken apart the I'd be header and again we're gonna go through Once we're done breaking all the headers apart we're gonna actually print everything out, Make it pretty looking.
So okay, we've got Richard. We're receiving a to pull. So it'll be data and
And we need to do another set of F statement. Now there. There are other ways that you can go about doing this. You don't want to do multiple if statements. That's totally cool. You can just return
Or you could just return the i p. Proto
and just do the a statement down here. I like to do.
If statements I like to make the decision within the function
and then do any logically dealing with the later on, I find it's a little bit easier to read. So if next Perrotto
that wonderful logical trick we found of else? If
next proto equals equals UDP
we're just going to do in else
ignore the rest of the data and not worry about it.
So we see that we have two more functions we need to do, and these two more functions are actually our last major functions. And then we go through and clean everything up,
So again, we're going to turn to our handy dandy r f sees we're gonna in this case, we're in the O. R S C 7 93 the one that I kind of jumped again and take you to look at earlier.
And this is going to be the TCP
1981 that has been around pretty familiar, pretty well established protocol, one that most of your probably relatively familiar with
we're going to obstruct, unpack. As always, we're going to TCP header
and let's see how much we need to slice.
So you see, the data field done here is actually the the data contained by the TCP
packet. So we actually aren't going to use that.
We see. Also, there's an option that padding field again, not commonly used.
So we're just gonna deal with this 1st 2nd 3rd 4th and fifth lines,
which he ain't going to be
She is gonna go up to bite 20 non inclusive,
and it's time to start working.
So I see you don't really need to go back to our struck page to see what field going to use pretty much only ever gonna be H and s
first thing is to bites. It's gonna be sore, sport. We've got a source port of destination port
and then immediately to make a liar of me from a moment ago. So you've got a sequence in acknowledgement number. Those are actually gonna be a fully full length unsigned INTs.
There's gonna be an eye
And then we've got this absolute monstrosity of flags over here.
First thing we're going to do is data offset. Well, it's not really first thing. We're gonna do all of it once we're gonna do date offset reserved. And there were new er, Jack, Push reset, Sinn fin. And we're gonna actually go through it. All those flags mean here in just a moment.
So it's gonna be an h.
You know, Window is gonna be an age.
and then the urgent pointer. So we got four ages.
do a quick sanity check
and then for ages. 123 and four.
All right. Good to go. We've broken up the TCP header into its
separate fields, and now we need to start work.