2
votes

I'm playing around with Scapy and I noticed something weird.

If I create a packet in order to trigger an ICMP time-exceeded error message:

myPacket = IP(dst="www.google.com", ttl=3)/TCP()

... I do get the ICMP message once I send it with the function sr.

On the other hand, if I take any outgoing packet that I have sniffed and change its ttl value to the same used above, I get no reply whatsoever.

What's the problem here? I thought I could experience this by using dummy traffic, not real traffic! I even tried with other TTL values, but to no avail.

2
Ricky, there is a possibility that that third-hop router may be dropping TTL time-exceeded packets silently; try TTL 4 and 2. Also, is your traceroute in Scapy showing a missing link at 3 hops out? – dc5553
Yeah, I tried with values from 1 to 20 but I still get no ICMP messages back. I really don't know what's going on. – Ricky Robinson
Try ping with -i 3 and just sniff to see if you get anything outside of Scapy? – dc5553
Only the IP header checksum would prevent routing; to force it to recompute, just delete it. Changing the TTL will not affect the header length, just the checksum. – dc5553
FYI, the only thing that would change the IP header length is IP options, which you should almost never see. – dc5553

2 Answers

1
votes

OK, packets were getting dropped because once I changed the ttl value the checksum wasn't correct any more. I just had to force the checksum to be computed again by deleting its value:

# Deleting the field resets it to None, so Scapy recomputes the IP header
# checksum when the packet is built for sending (mypacket is the sniffed packet).
del mypacket[IP].chksum
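To see why a raw TTL edit stops the packet from being delivered, here is an added example (not from the original answer) that implements the IPv4 header checksum in plain Python without Scapy; the header bytes, addresses and function names are constructed for the illustration. It shows that changing the TTL leaves the stored checksum stale, and what recomputing it (the effect of deleting `chksum` in Scapy) produces.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header, complemented.

    With the checksum field zeroed this yields the value to store; with the
    stored checksum in place a valid header yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(header: bytes) -> bool:
    # A receiver sums every word including the checksum; the result must be 0.
    return ip_checksum(header) == 0

def set_ttl(header: bytes, ttl: int, recompute: bool = True) -> bytes:
    # TTL is byte 8 of the header; the checksum occupies bytes 10-11.
    hdr = bytearray(header)
    hdr[8] = ttl
    if recompute:                            # what "del pkt[IP].chksum" achieves in Scapy
        hdr[10:12] = b"\x00\x00"
        struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr)

def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6,
                      total_len: int = 40) -> bytes:
    # Constructed minimal 20-byte header (no options), checksum filled in.
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000,
                      ttl, proto, 0, src_b, dst_b)
    return set_ttl(hdr, ttl)

if __name__ == "__main__":
    original = build_ipv4_header("10.0.0.1", "10.0.0.2", ttl=64)
    stale = set_ttl(original, 3, recompute=False)   # raw TTL edit, stale checksum
    fixed = set_ttl(original, 3)                    # TTL edit plus recompute
    for name, h in (("original", original), ("stale", stale), ("fixed", fixed)):
        print(name, hex(struct.unpack("!H", h[10:12])[0]), checksum_ok(h))
```

A router that validates the header drops the stale variant before it ever decrements the TTL, so no time-exceeded message is generated.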
1
votes

Another option is to use the sendp() function. Scapy automatically calculates the IP and TCP checksums.

from scapy.all import *

def dissect(pck):
    if pck.haslayer("ICMP"):  # Filter out all but ICMP packets.  You could do additional filtering
        pck.show()            # Display response packets

# Start the sniffer before sending so the ICMP reply is not missed.
sniffer = AsyncSniffer(iface="eth0", prn=dissect, store=0)
sniffer.start()

myPacket = IP(dst="www.google.com", ttl=3)/TCP()
# sendp() works at layer 2, so prepend an Ethernet header; the IP and TCP
# checksums are filled in automatically when the packet is built.
sendp(Ether()/myPacket, iface="eth0")