I'm running the code example below against a remote PLC with Wireshark running. Why do I only get the query (I should get the response too)? It seems that the PLC sends the response, since the output of Scapy says Received 1 packets, got 1 answers, remaining 0 packets.
Any ideas of why is this happening?
I also performed the sniffing using the sniff() function from Scapy but the result is the same (only get the query).
#! /usr/bin/env python
import logging
logging.getLogger("scapy").setLevel(1)
from scapy import *
from modLib import *
# IP for all transmissions
ip = IP(dst="192.168.10.131")
# Sets up the session with a TCP three-way handshake
# Send the syn, receive the syn/ack
tcp = TCP( flags = 'S', window = 65535, sport = RandShort(), dport = 502, options = [('MSS', 1360 ), ('NOP', 1), ('NOP', 1), ('SAckOK', '')])
synAck = sr1 ( ip / tcp )
# Send the ack
tcp.flags = 'A'
tcp.sport = synAck[TCP].dport
tcp.seq = synAck[TCP].ack
tcp.ack = synAck[TCP].seq + 1
tcp.options = ''
send( ip / tcp )
# Creates and sends the Modbus Read Holding Registers command packet
# Send the ack/push i.e. the request, receive the data i.e. the response
tcp.flags = 'AP'
adu = ModbusADU()
pdu = ModbusPDU03()
adu = adu / pdu
tcp = tcp / adu
data = sr1(( ip / tcp ), timeout = 2)
data.show()
# Acknowledges the response
# Ack the data response
# TODO: note, the 17 below should be replaced with a read packet length method...
tcp.flags = 'A'
tcp.seq = data[TCP].ack
tcp.ack = data[TCP] + 17
tcp.payload = ''
finAck = sr1( ip / tcp )
First, you have a bug in your code (which is present in the original version http://www.digitalbond.com/scadapedia/security-controls/scapy-modbus-extensions/), you need to add .seq there: tcp.ack = data[TCP].seq + 17.
As said in the comment, you could write tcp.ack = data[TCP].seq + len(data[TCP].payload).
Anyway it's generally useless to do the TCP stack's work for the kind of things you try to do.
I would do something like that:
from scapy import *
from modLib import *
import socket
sock = socket.socket()
sock.connect(("192.168.10.131", 502))
s = StreamSocket(sock, basecls=ModbusADU)
ans, unans = s.sr(ModbusADU()/ModbusPDU03())
ans.show()
Does this work better?
Related
I am using gatling and influxdb in windows 10. I am trying to send some results from gatling to influxdb. But the results are not being pushed to the influxdb. Can someone help me.
My graphite config file
data {
#writers = [console, file, graphite]
console {
#light = false
#writePeriod = 5
}
file {
bufferSize = 8192 # FileDataWriter's internal data buffer size, in bytes
}
leak {
#noActivityTimeout = 30 # Period, in seconds, for which Gatling may have no activity before considering a leak may be happening
}
graphite {
# light = false # only send the all* stats
host = "localhost" # The host where the Carbon server is located
port = 2003 # The port to which the Carbon server listens to (2003 is default for plaintext, 2004 is default for pickle)
protocol = "tcp" # The protocol used to send data to Carbon (currently supported : "tcp", "udp")
rootPathPrefix = "gatling" # The common prefix of all metrics sent to Graphite
bufferSize = 8192 # Internal data buffer size, in bytes
writePeriod = 1 # Write period, in seconds
}
}
My influxdb config file is
[[graphite]]
enabled = true
database = "gatlingdb"
retention-policy = ""
bind-address = ":2003"
protocol = "tcp"
consistency-level = "one"
batch-size = 5000
batch-pending = 10
batch-timeout = "1s"
udp-read-buffer = 0
separator = "."
templates = [
"gatling.*.*.*.count measurement.simulation.request.status.field",
"gatling.*.*.*.min measurement.simulation.request.status.field",
"gatling.*.*.*.max measurement.simulation.request.status.field",
"gatling.*.*.*.percentiles50 measurement.simulation.request.status.field",
"gatling.*.*.*.percentiles75 measurement.simulation.request.status.field",
"gatling.*.*.*.percentiles95 measurement.simulation.request.status.field",
"gatling.*.*.*.percentiles99 measurement.simulation.request.status.field"
]
Not sure why it is not working.
Uncomment #writers = [console, file, graphite]
I have an issue with initialising and running AHCI port on my devboard.
Processor has SATA host controller with 2 ports implemented (port 0 & port 1). SSD drive w/ SATA interface is connected to the port 1.
According to "Serial ATA AHCI 1.3.1 Specification", chapter "10.3.1 Start (PxCMD.ST)" a bunch of conditions should be satisfied before setting PxCMD.ST to '1'. After setting this bit, PxCMD.CR should be set to indicate that port is ready and runs.
The problem is PxCMD.CR never comes to be set.
State before enabling PxCMD.ST:
port is in idle state, PxCMD.ST and PxCMD.CR are both '0'
FIS Receive Enable, PxCMD.FRE is '1'
Drive is connected to the port, PxSSTS = 0x00000133 (SSTS.IPM =
1, SSTS.SPD = 3, SSTS.DET = 3), PxTFD = 0x00000150 (TFD.STS.BSY
= 0, TFD.STS.DRQ = 0, TFD.STS.ERR = 0)
PxCLB/PxCLBU are set with physical addresses to buffer and buffer is aligned. (1KB buffer, 1KB aligned)
PxCMD = 0x00404010 (PxCMD.FBSCP = 1 & PxCMD.FRE = 1)
After setting PxCMD.ST, PxCMD = 0x00404011 and PxCMD.CR stays '0'
PxSERR = 0 stay the same. ERR is cleaned in advance before setting PxCMD.FRE
PxSCTL = 0x00000330 (IPM = 3, SPD = 3, DET = 0)
PxTFD = 0x00000150 stay the same
PxSIG = 0x00000101. The reg has 0xFFFFFFFF when drive is not connected.
Assuming that PxSIG is set and PxSERR is '0' more likely that PLL for SATA HC is set correctly.
I have concerns about PxTFD.ERR = 1 (when drive is disconnected PxTFD has default 0x7F value and PxTFD.ERR = 0) but didn't find is it relevant or nor considering that still TFD.STS.ERR = 0
Any ideal what is missed?
PS: It has nothing to do w/ Linux.
I am able to publish a data of different sensors (like temperature value and motion detection as zero or one) one at a time on a specific topic ( topic/temp/motion) using Lua code and subscribe in on my android app however i am not able to publish it simultaneously on same topic or sub-topic. Some ideas or examples would be great.
Below are some major bits of Lua code used.
orgID = "quickstart" -- IoT Foundation organization ID
broker = "test.mosquitto.org" --orgID..".messaging.internetofthings.ibmcloud.com" -- IP or hostname of IoTF service
mqttPort = 1883 -- MQTT port (default 1883: non-secure)
userID = "" -- blank for quickstart
userPWD = "" -- blank for quickstart
macID = "18fe34e1b007" -- unique Device ID or Ethernet Mac Address <==== Modify this!
clientID = ":esp8266:18fe34e1b007" -- Client ID
count = 0 -- Test number of mqtt_do cycles
mqttState = 0 -- State control
topic = "topic/temp/motion"
led = 4
--gpio.mode(led,gpio.OUTPUT)
--dht sensor settings------------------------------
pin = 1
-- PIR initialization section
pir = 2
x= 0 -- variable for sending motion detection information in "0 or 1"
function DHT_do()
status, temp, humi, temp_dec, humi_dec = dht.read(pin)
--gpio.write(led, gpio.LOW)
end
function mqtt_do()
count = count + 1 -- tmr.alarm counter
------------------------------------------- pir conditional code
if gpio.read(pir) ~= last_state then
last_state = gpio.read(pir)
if last_state == 1 then
print("ON")
x = 1
gpio.write(led,gpio.HIGH)
else
print("OFF")
x = 0
gpio.write(led,gpio.LOW)
m:publish(topic,x, 0, 0,
function(conn)
print(x)
print("temp_data:"..temp)
I'm trying to send sms using kannel & smppsim.
I use docker as container.
I use this kannel.conf:
group = core
admin-port = 13000
smsbox-port = 13001
admin-password = bar
admin-allow-ip = "127.0.0.1;192.168.59.103"
box-allow-ip = "127.0.0.1;192.168.59.103"
group = smsc
smsc = smpp
smsc-id = SMPPSim
host = 192.168.59.103
port = 2775
transceiver-mode = 1
smsc-username = smppclient1
smsc-password = password
system-type = 'VMA'
#service-type = 'test'
interface-version = 34
#system-id = smppclient
preferred-smsc-id = SMPPSim
connect-allow-ip = 192.168.59.103
group = smsbox
bearerbox-host = bearerbox
sendsms-port = 13013
global-sender = 13013
group = sendsms-user
username = tester
password = foobar
group = sms-service
keyword = default
text = "No service specified"
when sending a request to send sms I get "0: Accepted for delivery"
I'm seeing these errors in smsbox log:
2015-03-21 20:20:52 [1] [3] DEBUG: Status: 202 Answer: <Sent.>
2015-03-21 20:20:52 [1] [3] DEBUG: Delayed reply - wait for bearerbox
2015-03-21 20:20:52 [1] [0] DEBUG: Got ACK (0) of 74f9cefe-db95-4b7d-aa99-f07395d32915
2015-03-21 20:20:52 [1] [0] DEBUG: HTTP: Resetting HTTPClient for `192.168.59.3'.
2015-03-21 20:20:52 [1] [1] ERROR: Error reading from fd 24:
2015-03-21 20:20:52 [1] [1] ERROR: System error 104: Connection reset by peer
2015-03-21 20:20:52 [1] [1] DEBUG: HTTP: Destroying HTTPClient area 0x7fe8d0000ad0.
Bearbox doesn't present any errors and seem to pass the message to smppsim, smppsim shows this in log:
21 Assessing state of 1 messages in the OutboundQueue
21 Message:2 state=DELIVERED
The sms is not sent, what could be wrong?
I think its a problem with your Kannel configuration file, specially with smsbox and later parts. I used following as smsbox
group = smsbox
bearerbox-host = 127.0.0.1
sendsms-port = 13013
global-sender = your sim number which you use in USB modem
sendsms-chars = "0123456789 +-"
log-file = "/var/log/kannel/smsbox.log"
log-level = 0
access-log = "/var/log/kannel/access.log"
and you can get my full configuration file from here. This worked fine for me.
This might be a problem of lоѕѕ оf thе соnnесtіоn оn thе rеmоtе ѕосkеt due tо а tіmеоut.
And SMPPSim is just a testing tool for kannel. It won't really send a message to your or mentioned mobile number. To send real messages you need to add either gsm modems or SMS operator details.
You can refer to userGuide from kannel.org.
To check your kannel status simply go to http://localhost:13000/status?password=password(password of your kannel)
i have python/scapy sniffer for DNS.
I am able to sniff DNS messages and get IP/UDP source and destination IP address and ports as well as DNS but I have problems parsing and getting additional answers and additional records if there is more then one.
from scapy i see DNS data i can get but do not know how to get additional records with ls(DNS),ls(DNSQR) and ls(DNSRR)
I would appreciate some help or solution to work this out.
My python/scapy script is below
#!/usr/bin/env python
from scapy.all import *
from datetime import datetime
import time
import datetime
import sys
############# MODIFY THIS PART IF NECESSARY ###############
interface = 'eth0'
filter_bpf = 'udp and port 53'
# ------ SELECT/FILTER MSGS
def select_DNS(pkt):
pkt_time = pkt.sprintf('%sent.time%')
# ------ SELECT/FILTER DNS MSGS
try:
if DNSQR in pkt and pkt.dport == 53:
# queries
print '[**] Detected DNS Message at: ' + pkt_time
p_id = pkt[DNS].id
cli_ip = pkt[IP].src
cli_port = pkt.sport
srv_ip = pkt[IP].dst
srv_port = pkt.dport
query = pkt[DNSQR].qname
q_class = pkt[DNSQR].qclass
qr_class = pkt[DNSQR].sprintf('%qclass%')
type = pkt[DNSQR].sprintf('%qtype%')
#
elif DNSRR in pkt and pkt.sport == 53:
# responses
pkt_time = pkt.sprintf('%sent.time%')
p_id = pkt[DNS].id
srv_ip = pkt[IP].src
srv_port = pkt.sport
cli_ip = pkt[IP].dst
cli_port = pkt.dport
response = pkt[DNSRR].rdata
r_class = pkt[DNSRR].rclass
rr_class = pkt[DNSRR].sprintf("%rclass%")
type = pkt[DNSRR].sprintf("%type%")
ttl = pkt[DNSRR].ttl
len = pkt[DNSRR].rdlen
#
print response
except:
pass
# ------ START SNIFFER
sniff(iface=interface, filter=filter_bpf, store=0, prn=select_DNS)