user943523

Reputation: 154

Remove TZSP headers to normalize packet

I'm trying to create a little sniffer in Python to remove the TZSP encapsulation that my router uses to send me a copy of all the packets that flow through it. The problem is that I want to use OSSIM and Snort to analyze the traffic, and would like to de-encapsulate the packet and send it to a virtual interface where Snort is listening.

I already have the sniffer, but didn't find the way to strip the TZSP headers to get the original packet and send it afterwards. I see that other people have done this in Perl, but I don't know how to do the same in Scapy.

It's basically removing the first 5 bytes.

    # --- Cut TZSP bytes
    my $tzspheader = substr $udp->{data}, 0, 5;
    my $tzspdata = substr $udp->{data}, 5;

Full perl script -> http://wiki.mikrotik.com/wiki/Calea_perl_trafr

Can I use the pkt Scapy format as an array? If I remove the headers, the packet will be as received by the router. Can I use Scapy to send it directly, or do I have to create an empty packet according to the original packet protocol and copy each field to the new one?

Thank you all

Upvotes: 2

Views: 1420

Answers (1)

nedeadinside

Reputation: 1

Recently I had the same problem. If someone needs to remove TZSP from an existing PCAP file or during online sniffing and removing TZSP, you can check out the Scapy TZSP contrib: https://scapy.readthedocs.io/en/stable/api/scapy.contrib.tzsp.html

Here you can find a reference: https://github.com/nedeadinside/TZSP-Cleaner. If you want to use the Scapy implementation, you should change

from tzsp import TZSP

to

from scapy.contrib.tzsp import TZSP

Upvotes: 0
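
An added example, not code from the question, the answer, or the TZSP-Cleaner repository: a standard-library decapsulator that walks the TZSP tagged fields instead of cutting a fixed number of bytes. A 5-byte cut matches a 4-byte header followed by a single end tag; when the sender inserts other tags the inner frame starts later, and a fixed cut would hand Snort a misaligned frame. The names `strip_tzsp` and `TZSPError` and all sample bytes are constructed for illustration.

```python
import struct

TZSP_HEADER_LEN = 4   # version (1), type (1), encapsulated protocol (2)
TAG_PADDING = 0x00    # single byte, no length or value
TAG_END = 0x01        # single byte, terminates the tag list
DATA_TYPES = (0, 1)   # received / transmit packets carry an inner frame


class TZSPError(ValueError):
    """Raised when a UDP payload is not a well-formed TZSP data packet."""


def strip_tzsp(payload: bytes) -> tuple[int, bytes]:
    """Return (encapsulated_protocol, inner_frame) for one TZSP UDP payload."""
    if len(payload) < TZSP_HEADER_LEN:
        raise TZSPError("payload shorter than TZSP header")
    version, ptype, proto = struct.unpack_from("!BBH", payload, 0)
    if version != 1:
        raise TZSPError(f"unsupported TZSP version {version}")
    if ptype not in DATA_TYPES:
        raise TZSPError(f"TZSP type {ptype} carries no packet")
    offset = TZSP_HEADER_LEN
    while True:
        if offset >= len(payload):
            raise TZSPError("tag list not terminated")
        tag = payload[offset]
        offset += 1
        if tag == TAG_END:
            return proto, payload[offset:]
        if tag == TAG_PADDING:
            continue
        # Every other tag is encoded as type, length, value.
        if offset >= len(payload):
            raise TZSPError("truncated tag length")
        offset += 1 + payload[offset]
        if offset > len(payload):
            raise TZSPError("tag value runs past end of payload")


# Constructed samples: one dummy 14-byte Ethernet header, two encapsulations.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800")
MINIMAL = bytes.fromhex("01000001" "01") + FRAME              # header + END
WITH_TAGS = bytes.fromhex("01000001" "0a01c8" "00" "01") + FRAME  # 1-byte tag, padding, END

if __name__ == "__main__":
    for name, sample in (("minimal", MINIMAL), ("with tags", WITH_TAGS)):
        proto, inner = strip_tzsp(sample)
        print(name, proto, inner.hex())
```

Malformed or non-data payloads raise `TZSPError`, so a sniffer loop can drop them instead of forwarding garbage to the interface Snort listens on.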
