hping getfield -- hping network security tool

hping wiki

hping getfield layer field ?skip? packet

hping getfield returns the value of the given field in the given layer, for packet. For example:

hping3> hping getfield ip ttl "ip(saddr=1.2.3.4,daddr=5.6.7.8,ttl=64)"
64

If the layer does not exist, an empty string is returned.

In complex packets the same layer can be present more times, for example an ICMP error message can have its own IP header and the IP header of the quoted packet. In order to specify what is the right layer the skip argument of hping getfield, hping hasfield, hping setfield is used. This argument specify how many layers of the specified type to skip before to get the field value, so to specify a skip value of 1 means to get the field from the second IP layer and so on. Example:

hping3.0.0-alpha> set p [hping recv eth0]
{ip(ihl=5,ver=4,tos=c0,totlen=58,id=62912,fragoff=0,mf=0,df=0,rf=0,ttl=64,proto=1,cksum=e500,saddr=192.168.1.7,daddr=192.168.1.6)+icmp(type=3,code=3,unused=0)+ip(ihl=5,ver=4,tos=00,totlen=30,id=60976,fragoff=0,mf=0,df=1,rf=0,ttl=64,proto=17,cksum=40c9,saddr=192.168.1.6,daddr=192.168.1.7)+udp(sport=33169,dport=10,len=10,cksum=94d6)+data(str=f\0a)}

Remember that hping recv returns a Tcl list, for default this list is composed of only one element, but anyway we need to get extract this element from the list:

hping3.0.0-alpha> set packet [lindex $p 0]
ip(ihl=5,ver=4,tos=c0,totlen=58,id=62912,fragoff=0,mf=0,df=0,rf=0,ttl=64,proto=1,cksum=e500,saddr=192.168.1.7,daddr=192.168.1.6)+icmp(type=3,code=3,unused=0)+ip(ihl=5,ver=4,tos=00,totlen=30,id=60976,fragoff=0,mf=0,df=1,rf=0,ttl=64,proto=17,cksum=40c9,saddr=192.168.1.6,daddr=192.168.1.7)+udp(sport=33169,dport=10,len=10,cksum=94d6)+data(str=f\0a)

Now packet is set to an ICMP error obtained using netcat to send an UDP packet to a non-bound port. We can ask for the checksum of the first ip layer:

hping3.0.0-alpha> hping getfield ip cksum $packet
0xe500

If we want the second, we add a skip argument of 1:

hping3.0.0-alpha> hping getfield ip cksum 1 $packet
0x40c9

A skip value of 0 is valid, and is equivalent to the form without the skip argument.

Recently accessed pages

How to add an image in a wiki page

Download

External tutorials and articles

Gif LZW encoding and Mandelbrot in pure Tcl

Edit this page Upload file Page history - Page last update: Thu Jun 30 13:47:15 GMT 2005 by 130.210.163.163 | Your address: 18.189.2.122 | Admin