Reassemble overlapping fragments into new pcaps with different OS reassembly policies.
Project description
reassembler
A Python implementation of the various OS IPv4 packet fragment reassembly engines.
One Packet in => Six Packets out
This module will reassemble fragmented packets using common used fragmentation reassembly techniques. It then generates 6 pcap files. It also prints the payloads to the screen and shows you how each of the operating systems would see the packets after they reassemble them using their defragmentation engine.
This is a rewrite of the original released in 2012 to support Python3. Associated GIAC SANS Gold Paper
Are Overlapping fragments still an issue?
10-16-2020: Don Williams and I did a survey of the major OSes to confirm the status of their reassembly engines. Here are the results:
-
Linux : The Linux OS's have begun silently ignoring overlapping IPv4 fragments. IPv6 rejects them by defalt.
-
Windows: The posted "Fix" requires that you turn off ALL fragment reassembly, not just overlaps. It is not enabled by default.
-
Macintosh: Tested on 10-16-2020 and it was still reassembling overlapping fragments without complaint.
Installing
pip install reassembler
or
pip install git+https://github.com/markbaggett/reassembler
Running
After pip install the command 'reassembler' is added to your path.
$ reassembler ./sample_packets/final_frags.pcap
or you can execute it as a python module
$ python -m reassembler
usage: reassembler [options] pcap_file
positional arguments:
pcap Read the specified packet capture
optional arguments:
-h, --help show this help message and exit
-d, --demo Generate classic fragment test pattern and reassemble it.
-n, --no-write Suppress writing 5 files to disk with the payloads.
-b, --bytes Process Payloads as bytes and never as strings.
-q, --quiet Do not print payloads to screen.
-p PREFIX, --prefix PREFIX
Specify the prefix for file names
-c, --checksum Do not recalculate transport layer protocol checksums.
As a Module
>>> import reassembler
>>> reassembler.rfc791(reassembler.genjudyfrags())
<Ether type=IPv4 |<IP flags= frag=0 proto=icmp |<ICMP type=echo-request code=0 id=0x0 seq=0x0 |<Raw load='111111114444444444444444444444444444444422222222555555555555555555555555666666666666666666666666' |>>>>
>>> reassembler.first(reassembler.genjudyfrags())
<Ether type=IPv4 |<IP flags= frag=0 proto=icmp |<ICMP type=echo-request code=0 id=0x0 seq=0x0 |<Raw load='111111111111111111111111444444442222222222222222333333333333333333333333666666666666666666666666' |>>>>
>>> reassembler.linux(reassembler.genjudyfrags())
<Ether type=IPv4 |<IP flags= frag=0 proto=icmp |<ICMP type=echo-request code=0 id=0x0 seq=0x0 |<Raw load='111111111111111111111111444444444444444422222222555555555555555555555555666666666666666666666666' |>>>>
>>>
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for reassembler-2.0.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b429cc8ccc870c9dcbb1f62e717f3ba6575f7d337c2611143365f8635e35c0b0 |
|
| MD5 | 1547f4b08d9705d3bd4f0a6fb5fbfeb6 |
|
| BLAKE2b-256 | a9fed86d55811ac61d3a39b097980cd354afaf9efa6993273413be4c7e1cc09a |
