3

Background:

I'm working with scapy to parse IEEE 802.1Q triple tagged frames. I'm generating test frames using scapy and capturing them to a pcap file. The parsing is done in a separate script by reading in the pcap file. I can successfully work with the 1st 802.1q tag.

Problem:

It's not clear to me how to access at the 2nd and 3rd 802.1q tags. I'm attempting to use haslayer() and getlayer to conditionally examine the frame headers. haslayer(Dot1Q) returns the values associated with the 1st Dot1Q tag.

Question:

If the type field of the 1st tag is 0x8100, then a 2nd tag is present. Is there a way to advance to the 2nd and 3rd tags? I've looked at the l2.py source and experimented, but no luck yet.

Code:

Send triple tag frame:

    sendp(Ether(dst='78:2B:CB:33:4B:9F',src="D4:AE:52:89:BA:FA")/Dot1Q(vlan=1,id=3,prio=2)/Dot1Q(vlan=2,id=3,prio=2)/Dot1Q(vlan=3,id=3,prio=2)/IP(dst='10.25.222.222')/ICMP())

Frame display:

###[ Ethernet ]###
  dst       = 78:2b:cb:33:4b:9f
  src       = d4:ae:52:89:ba:fa
  type      = 0x8100
###[ 802.1Q ]###
     prio      = 2L
     id        = 1L
     vlan      = 1L
     type      = 0x8100
###[ 802.1Q ]###
        prio      = 2L
        id        = 1L
        vlan      = 2L
        type      = 0x8100
###[ 802.1Q ]###
           prio      = 2L
           id        = 1L
           vlan      = 3L
           type      = 0x800
###[ IP ]###
              version   = 4L
              ihl       = 5L
              tos       = 0x0
              len       = 28
              id        = 1
              flags     = 
              frag      = 0L
              ttl       = 64
              proto     = icmp
              chksum    = 0xc55
              src       = 10.25.123.123
              dst       = 10.25.222.222
              \options   \
###[ ICMP ]###
                 type      = echo-request
                 code      = 0
                 chksum    = 0xf7ff
                 id        = 0x0
                 seq       = 0x0
###[ Padding ]###
                    load      = '\x00\x00\x00\x00\x00\x00'

Frame parsing:

pkts=rdpcap(self.file_name)

for pkt in pkts:

    try:
        if pkt.haslayer(Ether):
            src     = pkt.getlayer(Ether).src
            dst     = pkt.getlayer(Ether).dst
            type    = pkt.getlayer(Ether).type
            # Do something 

        if pkt.haslayer(Dot1Q):
            prio    = pkt.getlayer(Dot1Q).prio
            id      = pkt.getlayer(Dot1Q).id
            vlan    = pkt.getlayer(Dot1Q).vlan
            type    = pkt.getlayer(Dot1Q).type
            # Do something

    except:
        raise `
bit_flip
  • 171
  • 2
  • 12

1 Answers1

4

You can access the inner 802.1Q tags of pkt with pkt[Dot1Q:2], pkt[Dot1Q:3] and so on. If the packet doesn't have the specified layer, an appropriate IndexError exception is raised:

In [3]: pkt
Out[3]: <Ether  dst=78:2B:CB:33:4B:9F src=D4:AE:52:89:BA:FA type=0x8100 |<Dot1Q  prio=2 id=3 vlan=1 type=0x8100 |<Dot1Q  prio=2 id=3 vlan=2 type=0x8100 |<Dot1Q  prio=2 id=3 vlan=3 type=0x800 |<IP  frag=0 proto=icmp dst=10.25.222.222 |<ICMP  |>>>>>>

In [4]: pkt[Dot1Q:1]
Out[4]: <Dot1Q  prio=2 id=3 vlan=1 type=0x8100 |<Dot1Q  prio=2 id=3 vlan=2 type=0x8100 |<Dot1Q  prio=2 id=3 vlan=3 type=0x800 |<IP  frag=0 proto=icmp dst=10.25.222.222 |<ICMP  |>>>>>

In [5]: pkt[Dot1Q:2]
Out[5]: <Dot1Q  prio=2 id=3 vlan=2 type=0x8100 |<Dot1Q  prio=2 id=3 vlan=3 type=0x800 |<IP  frag=0 proto=icmp dst=10.25.222.222 |<ICMP  |>>>>

In [6]: pkt[Dot1Q:3]
Out[6]: <Dot1Q  prio=2 id=3 vlan=3 type=0x800 |<IP  frag=0 proto=icmp dst=10.25.222.222 |<ICMP  |>>>

In [7]: pkt[Dot1Q:4]
---------------------------------------------------------------------------
IndexError                                Traceback (most recent call last)
<ipython-input-7-a155defcb885> in <module>()
----> 1 pkt[Dot1Q:4]

/usr/local/lib/python2.7/dist-packages/scapy_real-2.2.0_dev-py2.7.egg/scapy/packet.pyc in __getitem__(self, cls)
    770             elif type(lname) is not str:
    771                 lname = repr(lname)
--> 772             raise IndexError("Layer [%s] not found" % lname)
    773         return ret
    774 

IndexError: Layer [Dot1Q] not found

Of course, you may check the type value and only after verifying that it is 0x8100, try accessing the inner layer.

Yoel
  • 9,144
  • 7
  • 42
  • 57