python - 在 scapy 中发送 ICMP 数据包并选择正确的接口(interface)

Question

我们可以对第 3 层 ICMP 数据包使用 srp() 函数吗？我看到当我们制作一个 ICMP 回显请求数据包并使用 sr() 发送/接收时，我们没有看到它被发送出接口(interface)，因此没有来自目的地的响应。但是如果我们使用 srp() 函数，我们会看到相同的数据包响应。我们什么时候应该使用 sr() 什么时候使用 srp()？在文档中它声明 sr() 用于 L3 数据包和 srp() 用于 L2？但就我而言，我不确定为什么 sr() 不适用于 ICMP 数据包？有高手能帮我理解一下吗？

也有人可以让我知道是否始终需要“iface”参数。否则 scapy 将如何知道它应该通过哪个接口(interface)发送数据包？

案例 1:以 iface 作为参数的 sr() 函数:

sr(icmp,iface="eth0")

开始发射:

WARNING: Mac address to reach destination not found. Using broadcast.
Finished to send 1 packets.
^C
Received 0 packets, got 0 answers, remaining 1 packets
(<Results: TCP:0 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:1 Other:0>)

在上面我没有看到来自 IP 192.168.25.1 的任何 ICMP 响应

案例 2:没有 iface 的 sr() 函数:

sr(icmp)   
.Begin emission:
......WARNING: Mac address to reach destination not found. Using broadcast.
.Finished to send 1 packets.
...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^C
Received 887 packets, got 0 answers, remaining 1 packets
(<Results: TCP:0 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:1 Other:0>)

如果你看到上面收到的数据包更多但我没有看到任何 ICMP 响应。

案例 3:使用 srp() 而不是 sr() 发送 ICMP 数据包:

srp(icmp,iface="eth0")
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)

这里我使用了 srp() 函数而不是 sr() 函数，现在我看到 ICMP 回显请求已正确发送并且我也收到了响应。

>>> icmp.show2()
###[ Ethernet ]###
  dst: 02:00:00:11:01:03
  src: 02:00:20:ee:64:01
  type: 0x800
###[ IP ]###
     version: 4L
     ihl: 5L
     tos: 0x0
     len: 28
     id: 1
     flags:
     frag: 0L
     ttl: 64
     proto: icmp
     chksum: 0xc78c
     src: 192.168.25.2
     dst: 192.168.25.1
     \options\
###[ ICMP ]###
        type: echo-request
        code: 0
        chksum: 0xf7ff
        id: 0x0
        seq: 0x0
>>>                  

Answer 1

sr 函数根据 official API documentation :

sr(pkts, filter=None, iface=None, timeout=2, inter=0, verbose=None, chainCC=0, retry=0, multi=0)

Send and receive packets at layer 3 using the conf.L3socket supersocket.

srp 函数:

srp(pkts, filter=None, iface=None, timeout=2, inter=0, verbose=None, chainCC=0, retry=0, multi=0, iface hint=None)

Same as srp but for working at layer 2 with conf.L2socket supersocket.

由于您的 ICMP 数据包的第 2 层字段也已填充，如 ICMP.show2() 的输出所示，您应该使用 srp 功能。你是否像在 this tutorial 中所做的那样让它们保持原样？ ，您可以使用 sr 函数。

---

现在，关于您关于 ICMP 分类为第 2 层协议(protocol)或第 3 层协议(protocol)的问题。许多人认为这是第 3 层协议(protocol)，例如 here ，因为它使用 IP header 并“位于”其之上。然而，其他人认为它是第 2 层协议(protocol)，例如 here。 . This is a question在这个问题上有一些很好的答案，但请注意它们指的是 OSI 模型，因此分层方案编号有点不同。这是我设法找到的最好的，来自 here :

IP itself has no mechanism for establishing and maintaining a connection, or even containing data as a direct payload. Internet Control Messaging Protocol is merely an addition to IP to carry error, routing and control messages and data, and is often considered as a protocol of the network layer.

编辑 - 我刚遇到 this link ，并认为值得一提:

ICMP is a protocol within the TCP/IP stack that exist basically to provide control, troubleshooting, and error messages. It runs over IP, like TCP and UDP do, but is a network-layer protocol, like IP, rather than a transport layer protocol like TCP and UDP are. (Yes, this is kind of weird, that ICMP is encapsulated within IP while being on the same layer as IP. But then again, you can encapsulate IP within IP as well.)

RFC 792也很明确:

ICMP, uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP.

RFC 1122也是如此:

ICMP is a control protocol that is considered to be an integral part of IP, although it is architecturally layered upon IP, i.e., it uses IP to carry its data end-to-end just as a transport protocol like TCP or UDP does.
...
Although ICMP messages are encapsulated within IP datagrams, ICMP processing is considered to be (and is typically implemented as) part of the IP layer.

---

关于您关于显式指定接口(interface)的最后一个问题，请参阅 scapy's tutorial :

The send() function will send packets at layer 3. That is to say it will handle routing and layer 2 for you. The sendp() function will work at layer 2. It’s up to you to choose the right interface and the right link layer protocol.

官方API文档更详细一点:

When Scapy is launched, its routing tables are synchronized with the host’s routing table. For a packet sent at layer 3, the destination IP determines the output interface, source address and gateway to be used. For a layer 2 packet, the output interface can be precised, or an hint can be given in the form of an IP to determine the output interface. If no output interface nor hint are given, conf.iface is used.

具体来说，iface 参数用于设置输入接口(interface)(但如果未使用 iface_hint，也设置输出接口(interface)):

iface: listen answers only on the provided interface

对于 output 接口(interface)的提示，对第 2 层功能使用 iface_hint:

There is also an additional parameter, iface_hint, which give an hint that can help choosing the right output interface. By default, if not specified by iface, conf.iface is chosen. The hint takes the form of an IP to which the layer 2 packet might be destinated. The Scapy routing table (conf.route) is used to determine which interface to use to reach this IP.