Netzob DocumentationRelease 0.4.1
Frédéric Guihéry, Georges Bossert
January 04, 2014
Contents
1 Contact information 3
2 Netzob Overview 52.1 Overview of Netzob . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Tutorials 93.1 Getting started with Netzob . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.2 Auto generation of Peach pit files/fuzzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.3 Export Wireshark dissectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4 Installation Guides 214.1 Installation Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.2 Installation documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.3 Installation documentation on Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.4 Installation documentation on Gentoo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244.5 Installation documentation on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
5 User Guide 275.1 Importing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275.2 Protocol inference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295.3 Generating traffic and simulating actors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335.4 Exporting protocol model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
6 Developer Guide 356.1 netzob Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
7 Indices and tables 77
Python Module Index 79
i
ii
Netzob Documentation, Release 0.4.1
Netzob is an open source tool for reverse engineering, traffic generation and fuzzing of communication protocols. Itallows to infer the message format and the state machine of a protocol through passive and active processes. Themodel can afterward be used to simulate realistic and controllable trafic.
The main features of Netzob are:
Vocabulary Inference Netzob includes a complete model to represents the message format of a protocol (aka itsvocabulary). Using specific algorithms, it allows to learn it from provided traces.
Grammar Inference The state machine of a protocol (aka its grammar) defines the valid sequences of exchangedmessages. Netzob allows to learn it semi-automaticaly using specific algorithms.
Protocol simulation To support the inferring process, a dynamic analysis is perfomed based on simulated actors.These can initiate and take part in a complex communication following the infered protocol.
Contents 1
Netzob Documentation, Release 0.4.1
2 Contents
CHAPTER 1
Contact information
Website http://www.netzob.org
Email [email protected]
Mailing list Two lists are available, use the SYMPA web interface to register.
IRC You can hang-out with us on Freenode’s IRC channel #netzob @ freenode.org.
Wiki Discuss strategy on Netzob’s wiki
Twitter Follow Netzob’s official accounts (@Netzob)
3
Netzob Documentation, Release 0.4.1
4 Chapter 1. Contact information
CHAPTER 2
Netzob Overview
2.1 Overview of Netzob
Netzob has been initiated by security auditors of AMOSSYS and the CIDre research team of Supélec to address thereverse engineering of communication protocols.
Originaly, the development of Netzob has been initiated to support security auditors and evaluators in their activitiesof modeling and simulating undocumented protocols. The tool has then been extended to allow smart fuzzing ofunknown protocol.
The following picture depicts the main modules of Netzob:
Figure 2.1: Architecture of Netzob
• Import module: Data import is available in two ways: either by leveraging the channel-specific captors (cur-rently network and IPC – Inter-Process Communication), or by using specific importers (such as PCAP files,structured files and OSpy files).
• Protocol inference modules: The vocabulary and grammar inference methods constitute the core of Netzob.It allows both passive and active reverse engineering of communication flows through automated and manualsmechanisms.
• Simulation module: Given vocabulary and grammar models previously inferred, Netzob can understand andgenerate communication traffic between multiple actors. It can act as either a client, a server or both.
• Export module: This module permits to export an inferred model of a protocol in formats that are understand-able by third party software or by a human. Current work focuses on export format compatible with main trafficdissectors (Wireshark and Scapy) and fuzzers (Peach and Sulley).
And here is a screenshot of the main graphical interface:
The following sections will describe in more details the available mechanisms.
2.1.1 Import and capture data
The first step in the inferring process of a protocol in Netzob is to capture and to import messages as samples. Thereare different methods to retrieve messages depending of the communication channel used (files, network, IPC, USB,
5
Netzob Documentation, Release 0.4.1
etc.) and the format (PCAP, hex, raw binary flows, etc.).
The figure below describes the multiple communication channels and therefore possible sniffing point’s Netzob aimsat addressing.
Figure 2.2: Multiple communication flows arround an application
The current version (version 0.4) of Netzob deals with the following data sources :
• Live network communications
• Captured network communications (PCAPs)
• Inter-Process Communications (IPCs)
• Text and binary files
• API flows through oSpy file format support
Otherwise, if you plan to reverse a protocol implemented over an supported communication channel, Netzob’s can ma-nipulates any communications flow through an XML representation. Therefore, this situation only requires a specificdevelopment to capture the targeted flow and to save it using a compatible XML.
Figure 2.3: Importing data from an unknown communication channel using the XML definition
2.1.2 Inferring message format and state machine with Netzob
The vocabulary of a communication protocol defines all the words which are integrated in it. For example, the vo-cabulary of a malware’s communication protocol looks like a set of possible commands : {“attack www.google.fr”,“dnspoison this.dns.server.com”, “execute ‘uname -a”’, ...}. Another example of a vocabulary is the set of valids wordsin the HTTP protocol : { “GET /images/logo.png HTTP/1.1 ...”, “HTTP/1.1 200 OK ...”, ...}.
Netzob’s vocabulary inferring process has been designed in order to retrieve the set of all possible words used in atargeted protocol and to identify their structures. Indeed words are made of different fields which are defined by theirvalue and types. Hence a word can be described using the structure of its fields.
We describe the learning process implemented in Netzob to semi-automatically infer the vocabulary and the grammarof a protocol. This process, illustrated in the following picture, is performed in three main steps:
1. Clustering messages and partitioning these messages in fields.
2. Characterizing message fields and abstracting similar messages in symbols.
3. Inferring the transition graph of the protocol.
Figure 2.4: The main functionalities
Step 1: clustering Messages and Partitioning in Fields
To discover the format of a symbol, Netzob supports different partitioning approaches. In this article we describe themost accurate one, that leverages sequence alignment processes. This technique permits to align invariants in a set ofmessages. The Needleman-Wunsh algorithm performs this task optimally. Needleman-Wunsh is particularly effectiveon protocols where dynamic fields have variable lengths (as shown on the following picture).
When partitioning and clustering processes are done, we obtain a relevant first approximation of the overall messageformats. The next step consists in determining the characteristics of the fields.
6 Chapter 2. Netzob Overview
Netzob Documentation, Release 0.4.1
Figure 2.5: Sequence alignment with Needleman-Wunsh algorithm
If the size of those fields is fixed, as in TCP and IP headers, it is preferable to apply a basic partitioning, also providedby Netzob. Such partitioning works by aligning each message by the left, and then separating successive fixed columnsfrom successive dynamic columns.
To regroup aligned messages by similarity, the Needleman-Wunsh algorithm is used in conjunction with a clusteringalgorithm. The applied algorithm is UPGMA.
Step 2 : characterization of Fields
The field type identification partially derives from the partitioning inference step. For fields containing only invariants,the type merely corresponds to the invariant value. For other fields, the type is automatically materialized, in firstapproximation, with a regular expression, as shown on next figure. This form allows to easily validate the dataconformity with a specific type. Moreover, Netzob offers the possibility to visualize the definition domain of a field.This helps to manually refine the type associated with a field.
Figure 2.6: Characterization of field type
Some intra-symbol dependencies are automatically identified. The size field, present in many protocol formats, is anexample of intra-symbol dependency. A search algorithm has been designed to look for potential size fields and theirassociated payloads. By extension, this technique permits to discover encapsulated protocol payloads.
Environmental dependencies are also identified by looking for specific values retrieved during message capture. Suchspecific values consist of characteristics of the underlying hardware, operating system and network configuration.During the dependency analysis, these characteristics are searched in various encoding.
Step 3: inferring the Transition Graph of the Protocol
The third step of the learning process discovers and extracts the transition graph from a targeted protocol (also calledthe grammar). More formally, the grammar of a communication protocol defines the set of valid sentences which canbe produced by a communication. A sentence is a sorted set of words which may be received or emmited by a protocolhandler. An exemple of a simple sentence is :
["attack www.google.fr", "attack has failed", "attack www.kernel.org", "root access granted."]
which can be described using the following simple automata with S0 the initial state :
Figure 2.7: Schema of a simple grammar
The learning process step is achieved by a set of active experiments that stimulate a real client or server implementationusing successive sequences of input symbols and analyze its responses.
In Netzob, the automata used to represent or model a communication protocol is an extended version of a Mealyautomata which includes semi-stochastic transitions, contextualized and parametrized inputs and outputs. The firstacademic presention of this model is included in a dedicated scientific paper provided in the documentation section.
The model is inferred through a dedicated active process which consists in stimulating an implementation and toanalyze its responses. In this process, we use the previously infered vocabulary to discover and to learn the grammarof the communication protocol. Each stimulation is computed following an extension of the Angluin L algorithm*.
2.1. Overview of Netzob 7
Netzob Documentation, Release 0.4.1
2.1.3 Protocol simulation
One of our main goal is to generate realistic network traffic from undocummented protocols. Therefore, we have im-plemented a dedicated module that, given vocabulary and grammar models previously infered, can simulate a commu-nication protocol between multiple bots and masters. Besides their use of the same model, each actors is independentfrom the others and is organized around three main stages.
The first stage is a dedicated library that reads and writes from the network channel. It also parses the flow in messagesaccording to previous protocols layers. The second stage uses the vocabulary to abstract received messages intosymbols and vice-versa to specialize emitted symbols into messages. A memory buffer is also available to managedependency relations. The last stage implements the grammar model and computes which symbols must be emittedor received according to the current state and time.
2.1.4 Smart fuzzing with Netzob
A typical example of dynamic vulnerability analysis is the robustness tests. It can be used to reveal software program-ming errors which can leads to software security vulnerabilities. These tests provide an efficient and almost automatedsolution to easily identify and study exposed surfaces of systems. Nevertheless, to be fully efficient, the fuzzing ap-proaches must cover the complete definition domain and combination of all the variables which exist in a protocol (IPadresses, serial numbers, size fields, payloads, message identifer, etc.). But fuzzing typical communication interfacerequires too many test cases due to the complex variation domains introduced by the semantic layer of a protocol. Inaddition to this, an efficient fuzzing should also cover the state machine of a protocol which also brings another hugeset of variations. The necessary time is nearly always too high and therefore limits the efficiency of this approach.
With all these contraints, achieving robustness tests on a target is feasible only if the expert has access to a speciallydesigned tool for the targeted protocol. Hence the emergence of a large number of tools to verify the behavior of anapplication on one or more communication protocols. However in the context of proprietary communications protocolsfor which no specifications are published, fuzzers do not provide optimal results.
Netzob helps the security evaluator by simplifying the creation of a dedicated fuzzer for a proprietary or undocumentedprotocol. It allows the expert to execute a semi-automated inferring process to create a model of the targeted protocol.This model can afterward be refined by the evaluator. Finally, the created model is included in the fuzzing module ofNetzob which considers the vocabulary and the grammar of the protocol to generate optimized and specific test cases.Both mutation and generation are available for fuzzing.
2.1.5 Export protocol model
The following export formats are currently provided by Netzob:
• XML format
• human readable (Wireshark like)
• Peach fuzzer export: this allows to combine efficiency of Peach Fuzzer on previously undocummented protocols.
Besides, you can write your own exporter to manipulate the inferred protocol model in your favorite tool.
Netzob has been initiated by security auditors of AMOSSYS and the CIDre research team of Supélec to address thereverse engineering of communication protocols. A detailed overview of the project is available here.
8 Chapter 2. Netzob Overview
CHAPTER 3
Tutorials
3.1 Getting started with Netzob
The goal of this tutorial is to present the usage of each main component of Netzob (inference of message format,construction of the state machine and generation of traffic) through an undocumented protocol.
You can download the protocol material here :
• Protocol PCAP : contains messages of the targeted protocol ;
• Protocol implementation : provide the server and client implementation of the protocol.
You can follow the tutorial with only the PCAP file. But, you will need the implementation if you want to generatetraffic and allow Netzob to discuss with a real implementation.
3.1.1 Setting the Workspace
Just after installing Netzob, when you start it, you have to set the workspace directory (as in Eclipe).
3.1.2 Your first project
To create a project, navigate to the menu File > New project. Here, you can choose a project name which shouldbe unique in the workspace.
Side note: by default, Netzob chooses a location inside a dedicated directory located in the “projects”directory of your current workspace. The newly created project is automatically selected which allow youto start working on it.
You can switch to another project at anytime through the use of the menu File > Open project fromworkspace. Do not forget to save your project before!
9
Netzob Documentation, Release 0.4.1
3.1.3 Capture traces
The first step in the inferring process of a protocol in Netzob is to capture and to import messages as samples. Thereare different methods to retrieve messages depending of the communication channel used (files, network, IPC, USB,etc.) and the format (PCAP, hex, raw binary flows, etc.).
For this tutorial, you can import network messages with the provided PCAP file. But we recommand to use theprovided implementation to generate samples of traffic and capture them with Netzob. You can to this with theNetwok Capturer plugin, which is accessible is the menu File > Capture messages > Capture networktraffic.
As shown on the picture, you have to launch the capture at the Layer 4 on the localhost lo interface. As the targetedprotocol works over UDP, you’ll be able to capture only the UDP payloads. Then launch the server of the targetedprotocol and then the client. This one will send different commands to the server and wait for the response.
Once you have captured one session, you have to select the messages you want to import (you should import every-thing) and click the Import messages button. A popup will ask you if you want to allow duplicate messages. It’s betterto not do so, to avoid unnecessary messages. We recommend to repeat this import process 4 times, in order to haveenough variation between messages.
3.1.4 Infer vocabulary
Let’s now start the inference of the message format (vocabulary).
The next picture shows the whole vocabulary inference interface and the intended meaning of each component.
The main window shows each message in raw hexadecimal format. You can play with visualization attributes : rightclick on the symbol, then select Visualization and the attribute you want to change (hex, decimal or even string format,the unit size and potentially the sign and endianess).
The following picture shows the rendering of the messages in hex format (on the left) and string format (onthe right). You can then see that messages contain some interesting strings (api_identify, api_encrypt,api_decrypt, etc.).
You can use the filter functionality to display messages that contain a specific pattern. Here, we filter with theapi_identify pattern.
This filter permits to easily retrieve the messages associated with a potential identification command.
You can see that a ‘#‘ character is present in each messages. You can try to split the messages by forcing theirpartitioning with a specific delimiter. To do so, use the Force partitioning functionality available in the symbol list(either with a right click on a symbol, or by selecting a symbol with its checkbox and then clicking on the Forcepartitioning button right above).
Using the ‘#‘ string delimiter, you’ll have the following result:
You may also want to play with Sequence alignment. This partitionment allows to align messages according to theircommon patterns.
After playing with the different partitionment available, you are able to retrieve the different commands associatedwith the targeted protocol, as shown on the following picture.
According to the name of the commands, you can see that a api_encrypt command is available. Let’s have a lookat its message format, which looks like:
10 Chapter 3. Tutorials
Netzob Documentation, Release 0.4.1
[command]#[dataToEncrypt][padding]
Netzob allows you to indicate that a specific field has a mutable content, which means its data is not fixed (such as the‘#’ delimiter) nor part of a set of fixed elements (such as the command string).To specify the structure of a field and itsattributes, right click on a field and select Edit Variable. A popup dialog displays a rooted tree that corresponds to theinferred structure of the field. For example, you should have all the observed values of the field (materialized throughDataVariable leafs) under an AlternateVariable node variable.
Regarding the targeted protocol, as we want to allow any data for the current field, we first have to delete theAlternateVariableNode and modify the root node to a DataVariable that has a mutable behavior, as shownon the following picture.
You can visualize the associated message format on bottom-left corner. Its should display something like this:
Now that we have refined the api_encrypt command message, we have to do the same for other commands thatalso take as parameter a user data: api_identify, api_authentify and api_decrypt, but also for someresponse messages such as resp_decrypt and resp_encrypt.
At this time, you have a satisfactory approximation the vocabulary. You can now start to construct the state machineof the protocol.
3.1.5 Infer Grammar
In this tutorial, we won’t explain the automatic inference (learning) of the state machine. As the targeted protocol hasa basic state machine, we will simply show how to model it in Netzob.
A basic state machine contains states and transitions. In Netzob, we use a complex structure to model the grammar ofa protocol. This model allows to specify information such as the response time between an input symbol and an outputsymbol, or even the probability of the different output messages given an uniq input message. This model is called anSMMDT (Stochastic Mealy Machine with Deterministic Transitions).
The grammar perspective interface of Netzob allows you to create:
• states (initial or not);
• semi-stochastic transitions (i.e. “normal” transitions);
• open channel transitions;
• close channel transitions.
Regarding our targeted protocol, we construct the associated model with the following information:
• 1 open channel transition and an initial state;
• 1 close channel transition and a final state;
• 4 main states: init, identified, authenticated, closed;
• depending on the current state, we are able or not to launch certain commands;
• some commands will trigger transitions (api_identify, api_authentify and api_bye).
Once modeled, this looks like:
Now that Netzob knows both the vocabulary and the grammar of the targeted protocol, we are able to generate trafficthat respect the protocol model.
3.1. Getting started with Netzob 11
Netzob Documentation, Release 0.4.1
3.1.6 Generate traffic
Let’s go to the Simulator perspective of Netzob.
The simulator allows you to create either a client, a server or both. You can tell Netzob to talk with a real client orserver implementation, or you can just launch a client and a server inside Netzob and let them talk together.
Let’s now create a client. We have to specify the following information:
• client name;
• initiator or not (i.e. who opens the communication channel ?): it will usally be yes for a client;
• client or server side: client;
• protocol: UDP for te targeted protocol;
• bind IP: nothing here, as the client finds its own interface;
• bind port: nothing here, as the client finds its own port;
• target IP: 127.0.0.1;
• target port: 4242.
Now start the real server implementation, select the client in Netzob and click the Start button on the top-right corner.This will generate and send commands to the real server, and you’ll be able to see the exchanged messages in theinterface, as shown on the following picture.
After this introductive tutorial, we’ll be glade to have feedbacks and to help you (see our mailing [email protected] or ou IRC channel #netzob on Freenode).
If you want to go further and start contributing to Netzob, that’s perfect. There are many simple or complex taskseveryone can do: translation, documentation, bug fix, feature proposal or implementation.
3.2 Auto generation of Peach pit files/fuzzers
3.2.1 Principle
Peach is an open-source framework of fuzzing. It allows testers to create smart fuzzers adapted to their needs throughXML configuration files called *Peach pit files*. Making such files needs knowledge of the format message and statemachine of the targeted protocol as well as the actor Peach has to fuzz.
Fortunately, Netzob allows the user to reverse engineer undocumented and proprietary protocols from provided tracesin a semi-automatic way. Netzob provides an exporter plugin for Peach that allows to transform the inferred datamodel and state machine of a targeted protocol into a Peach pit file automatically.
This tutorial shows how to take advantage of the Peach exporter plugin provided in Netzob to automatically constructPeach pit configuration files.
3.2.2 Prerequisite
You need Netzob in version 0.4.1 or above.
12 Chapter 3. Tutorials
Netzob Documentation, Release 0.4.1
This tutorial assumes that the user have previously followed the Getting started with Netzob tutorial and have a com-plete Netzob project (or at least some format messages). The protocol implementation contains several vulnerabilitiesthat should be detected during fuzzing.
Moreover it assumes that the user has Peach 2.3.8 installed.
3.2.3 Export
To export the project go in File > Export the project > Peach pit file. The window below shouldappears :
The window is composed of three panels. The left one lists all fuzzer available. They differ on the state representation.There are three kinds of fuzzer available:
• “Randomized state order fuzzer”: one state is created for each symbols of Netzob and at each step, the fuzzerchanges of state for a randomly chosen one.
• “Randomized transitions stateful fuzzer”: one state is created for each symbols of Netzob and the transitionsbewteen these states are based on those Netzob allows, weight by their probability.
• “One-state fuzzer”: one state is created corresponding to the chosen symbol.
When the fuzzer is on a particular state, it sends fuzzed data that corresponds to the associated symbol to the target.Choose one of them.
The right panel shows the fuzzer. It gives the user a small idea of what he is doing and what changes between twoconfigurations.
The bottom panel has two options:
• The first options Fuzzing based on tells on which Netzob data model the fuzzing is based:
– “Variable”: use the Netzob variables to make Peach data models. It makes more fuzzy but less smartfuzzer.
– “Regex”: use the Netzob Regex (which are displayed on the top of the symbol visualization), it is thesimplest solution.
• The second options Mutate static fields tells if the static fields in the Netzob data model are fuzzedor not.
The Export button exports the fuzzer into a user defined file.
Use this fuzzer into Peach¶
Export this fuzzer directly through the Export button to a file named “test.xml” into the directory of Peach. It shouldcreate a PeachzobAddons.py file, which is essential for Peach to leverage Netzob capabilities as “fixup”.
The “test.xml” file should look like this. Look closely to the few XML comments.
<?xml version="1.0" encoding="utf-8"?><Peach xmlns="http://phed.org/2008/Peach" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">
<Include ns="default" src="file:defaults.xml"/><Import import="PeachzobAddons"/>
<DataModel name="dataModel 1"><Blob name="Field 0_0" valueType="hex" value="6170695f"/>
3.2. Auto generation of Peach pit files/fuzzers 13
Netzob Documentation, Release 0.4.1
<Blob name="Field 1_0" valueType="hex"><Fixup class="PeachzobAddons.Or">
<Param name="values" value="Blob,696e666f; Blob,7374617473"/></Fixup>
</Blob><Blob name="Field 2_0" valueType="hex" value="2300000000000000000000000000000000000000000000"/><Blob name="Field 3_0" valueType="hex" value="00"/>
</DataModel><DataModel name="dataModel 2"><Blob name="Field 0_0" valueType="hex" value="6170695f62796523000000000000000000000000000000000000000000000000"/>
</DataModel><DataModel name="dataModel 3"><Blob name="Field 0_0" valueType="hex" value="6170695f6964656e746966792366726564000000000000000000000000000000"/>
</DataModel><DataModel name="dataModel 4"><Blob name="Field 0_0" valueType="hex" value="6170695f61757468656e74696679236d79506173737764210000000000000000"/>
</DataModel><DataModel name="dataModel 5"><Blob name="Field 0_0" valueType="hex" value="6170695f656e6372797074233132333435367465737400000000000000000000"/>
</DataModel><DataModel name="dataModel 6"><Blob name="Field 0_0" valueType="hex" value="6170695f64656372797074237370717677743627313600000000000000000000"/>
</DataModel><DataModel name="dataModel 7"><Blob name="Default-1_0" valueType="hex" value="00000000"/><Blob name="Default-2-1_0" valueType="hex" value="23"/><Blob name="Default-2-2-1-1_0" valueType="hex">
<Fixup class="PeachzobAddons.Or">
<Param name="values" value="Blob,00000000000000; Blob,00000004000000; Blob,00000005000000; Blob,0000000a000000; Blob,64000000000000; Blob,8b04080a000000"/></Fixup>
</Blob><Blob name="Default-2-2-1-2_0" valueType="hex">
<Fixup class="PeachzobAddons.Or"><Param name="values" value="Blob,00000000000000000000; Blob,31323334353674657374; Blob,696e666f000000000000; Blob,73707176777436273136; Blob,73746174730000000000"/>
</Fixup></Blob><Blob name="Default-2-2-2_0" valueType="hex" value="00000000000000000000"/>
</DataModel><DataModel name="dataModel 9"><Blob name="Field 0">
<Fixup class="PeachzobAddons.RandomField"><Param name="minlen" value="0"/><Param name="maxlen" value="1024"/><Param name="type" value="Blob"/>
</Fixup></Blob>
</DataModel>
14 Chapter 3. Tutorials
Netzob Documentation, Release 0.4.1
<StateModel initialState="state 0" name="stateModel"><State name="state 0">
<Action ref="state 1" type="changeState" when="random.randint(1,8)==1"/><Action ref="state 2" type="changeState" when="random.randint(1,7)==1"/><Action ref="state 3" type="changeState" when="random.randint(1,6)==1"/>
<Action ref="state 4" type="changeState" when="random.randint(1,5)==1"/><Action ref="state 5" type="changeState" when="random.randint(1,4)==1"/><Action ref="state 6" type="changeState" when="random.randint(1,3)==1"/><Action ref="state 7" type="changeState" when="random.randint(1,2)==1"/><Action ref="state 9" type="changeState"/>
</State>
<State name="state 1"><Action type="output">
<DataModel ref="dataModel 1"/><Data name="data"/>
</Action></State>
<State name="state 2"><Action type="output">
<DataModel ref="dataModel 2"/><Data name="data"/>
</Action></State>
<State name="state 3"><Action type="output">
<DataModel ref="dataModel 3"/><Data name="data"/>
</Action></State>
<State name="state 4"><Action type="output">
<DataModel ref="dataModel 4"/><Data name="data"/>
</Action></State>
<State name="state 5"><Action type="output">
<DataModel ref="dataModel 5"/><Data name="data"/>
</Action></State>
<State name="state 6"><Action type="output">
<DataModel ref="dataModel 6"/><Data name="data"/>
</Action></State>
<State name="state 7"><Action type="output">
<DataModel ref="dataModel 7"/>
3.2. Auto generation of Peach pit files/fuzzers 15
Netzob Documentation, Release 0.4.1
<Data name="data"/></Action>
</State>
<State name="state 9"><Action type="output">
<DataModel ref="dataModel 9"/><Data name="data"/>
</Action></State>
</StateModel><Agent name="DefaultAgent"><!--Todo: Configure the Agents.-->
</Agent><Test name="DefaultTest"><!--Todo: Enable Agent <Agent ref="TheAgent"/> -->
<StateModel ref="stateModel"/><Publisher class="udp.Udp">
<Param name="host" value="127.0.0.1"/><Param name="port" value="4242"/>
</Publisher><Publisher class="udp.Udp">
<Param name="host" value="127.0.0.1"/><Param name="port" value="10000"/>
</Publisher><!--The Netzob project has several simulator actors, so this file have several publishers. Choose one of them and remove the others.-->
</Test><Run name="DefaultRun">
<!--Todo: Configure the run.--><Logger class="logger.Filesystem">
<Param name="path" value="logs"/></Logger><Test ref="DefaultTest"/>
</Run>
</Peach>
This tutorial will not talk about Peach agents but configuring one of them could be useful. In the Test block, thereis as many publishers as the Netzob simulator has actors. One publisher is needed, remove the others. If there is nopublishers, create one according to the model above. On this example, the tester remove the second publisher.
3.2.4 Launch the fuzzing
You first have to start the targeted server:
./server
Assuming that the user exports the “test.xml” file into the Peach directory, you can now start the fuzzer:
python peach.py test.xml
After few seconds, you should trigger a segfault or a stack smashing detection.
16 Chapter 3. Tutorials
Netzob Documentation, Release 0.4.1
-> Read: api_identify#fredCommand: api_identifyArg: fred
<- Send:Return value: 0Size of data buffer: 13Data buffer:DATA: 72 65 73 70 5f 69 64 65 6e 74 69 66 79 "resp_identify"
-> Read: api_identify#f
Command: api_identifyArg: f
*** stack smashing detected ***: ./server terminated======= Backtrace: =========/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xcec045]/lib/i386-linux-gnu/libc.so.6(+0x103ffa)[0xcebffa]./server[0x8048a3c]./server[0x8048eb4]./server[0x8048985]/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xc014d3]./server[0x8048831]======= Memory map: ========00289000-0028a000 r-xp 00000000 00:00 0 [vdso]002fb000-00317000 r-xp 00000000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.100317000-00318000 r--p 0001b000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.100318000-00319000 rw-p 0001c000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.100bb4000-00bd4000 r-xp 00000000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so00bd4000-00bd5000 r--p 0001f000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so00bd5000-00bd6000 rw-p 00020000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so00be8000-00d8b000 r-xp 00000000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so00d8b000-00d8c000 ---p 001a3000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so00d8c000-00d8e000 r--p 001a3000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so00d8e000-00d8f000 rw-p 001a5000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so00d8f000-00d92000 rw-p 00000000 00:00 008048000-0804a000 r-xp 00000000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server0804a000-0804b000 r--p 00001000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server0804b000-0804c000 rw-p 00002000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server09e0d000-09e2e000 rw-p 00000000 00:00 0 [heap]b778b000-b778c000 rw-p 00000000 00:00 0b77a8000-b77ac000 rw-p 00000000 00:00 0bf90f000-bf930000 rw-p 00000000 00:00 0 [stack]Abandon (core dumped)
3.3 Export Wireshark dissectors
3.3.1 Principle
Wireshark is an open-source packet analyzer able to identify protocols and to highlight fields from the data stream.Its main drawback is that it is only usefull on documented/standard protocols. Within Netzob, which achieves semi-automatic reverse engineering of protocols, we have developed an exporter plugin that allows automatic generationof Wireshark dissectors from proprietary or undocumented protocols. Dissectors are built in LUA programminglanguage.
3.3. Export Wireshark dissectors 17
Netzob Documentation, Release 0.4.1
Netzob provides a powerful datamodel in which fields are described with the following information:
• Regular expression (fixed or dynamic size)
• Name (textual representation)
• Format
• Size
• Endianess
• Signing
All this information is gathered to generate a script including a dissector used by Wireshark.
3.3.2 Language
Wireshark can be statically extended with C modules similar to core dissectors. Optionally, Wireshark can be config-ured to embed a Lua interpretor. For modularity purposes, the Lua engine has been choosed to extend Wireshark withNetzob generated dissectors.
3.3.3 Prerequisite
You need Netzob in version 0.4.1 or above. The wireshark exporter functionality is provided as a netzob core plugin(which is included in the 0.4.1 version).
This tutorial assumes that the user have previously inferred the specification of the targeted protocol. An example ofprotocol inference is avaibale in the Getting started with Netzob tutorial.
3.3.4 Usage
1. Check that Wireshark supports Lua
2. Select a project
Given a partitioned symbol in a project you can generate a wireshark dissector using the Export project menuitem, then by selecting Wireshark.
You should get a popup with the LUA script automatically generated:
3. Import into wireshark
Two methods are available:
• Evaluate the Lua script in a Wireshark instance.
In wireshark, select Tools > Lua > Evaluate and paste the generated code.
• Start wireshark with a specific Lua script.
Start wireshark with the following parameters: wireshark -X lua_script:PATH_OF_LUA_SCRIPT
This will automatically import the Lua script on start.
18 Chapter 3. Tutorials
Netzob Documentation, Release 0.4.1
4. Dissect data packets Within the lower panel of Wireshark, you should get the dissected
packets:
3.3.5 Limitations
Variable size fields cannot be easily exported to the datamodel used by Wireshark when we don’t know the expectedsize. In this case, an error message will popup preventing Netzob from generating the dissector. If this happen, youhave to complete the protocol model in order to find the expected size of the dynamic field.
3.3.6 Improvements
These ideas could be use to enhance dissection:
• Use relations (field / size, repeat ...)
• Look at future bitfield core implementation
3.3.7 What next ?
After this tutorial, we’ll be glade to have feedbacks and to help you (see our mailing list [email protected] or ourIRC channel #netzob on Freenode).
If you want to go further and start contributing to Netzob, that’s perfect. There are many simple or complex taskseveryone can do: translation, documentation, bug fix, feature proposal or implementation.
Get started with Netzob The goal of this tutorial is to present the usage of each main component of Netzob (infer-ence of message format, construction of the state machine and generation of traffic) through an undocumentedprotocol.
Auto-generation of Peach pit files/fuzzers This tutorial shows how to take advantage of the Peach exporter pluginprovided in Netzob to automatically generate Peach pit configuration files, thus allowing to do smart fuzzing onundocumented protocols.
Auto-generation of Wireshark dissectors This tutorial shows how to leverage Netzob’ format message inference inorder to automatically generate Wireshark dissectors for proprietary or undocumented protocols.
3.3. Export Wireshark dissectors 19
Netzob Documentation, Release 0.4.1
20 Chapter 3. Tutorials
CHAPTER 4
Installation Guides
4.1 Installation Guide
• Python package installation
• Python package installation
• Python package installation
• Python package installation
4.2 Installation documentation
This page presents how to install Netzob as a Python package.
4.2.1 Dependency requirements
As a ‘classic’ python project, Netzob is provided with its setup.py. This file defines what and how to install the projecton a Python hosting OS.
This file depends on setuptools which like few other modules cannot be automatically installed. This is the reason whyyou have to manually install the following bunch of prerequisites before initiating Netzob’s install process:
• python
• python-dev
• python-impacket
• libxml2-dev
• libxslt-dev
• python-setuptools
• gtk3
• graphviz
We also highly recommend to install the following additional dependencies:
21
Netzob Documentation, Release 0.4.1
• python-babel (for the translations)
• python-sphinx (for the documentation)
4.2.2 Install Netzob with easy_install
$ easy_install netzob
4.2.3 Install Netzob from .tar.gz package
First retrieve the Netzob package:
$ wget http://www.netzob.org/repository/XXX/Netzob-XXX.tar.gz
where XXX corresponds to the version you want to install (see http://www.netzob.org/download for available ver-sions).
Then, you can either install a package locally (developer mode) or on the system.
Install Netzob locally (developer mode)¶
Once the required dependencies are installed, you can install Netzob on its current directory:
$ python setup.py build$ python setup.py develop --user
Install Netzob on the system¶
You can also install Netzob as a Python system package:
$ python setup.py build$ python setup.py develop$ python setup.py install
4.2.4 Start Netzob
Once installed, running Netzob is as simple as executing:
$ ./netzob
Or if you’ve installed Netzob as a Python system package, just type:
$ netzob
4.2.5 Netzob help options
Netzob handles some command line options:
Options:--version show program’s version number and exit-h, --help show this help message and exit-w WORKSPACE, --workspace=WORKSPACE
Path to the workspace-b, --bug-reporter Activate the bug reporter-d DEBUGLEVEL, --debugLevel=DEBUGLEVEL
22 Chapter 4. Installation Guides
Netzob Documentation, Release 0.4.1
Activate debug information (’DEBUG’, ’INFO’, ’WARNING’, ’ERROR’, ’CRITICAL’)
Manage Netzob’s plugins:--plugin-list List the available plugins
4.2.6 Miscellaneous
Configuration requirements for Network and PCAP input:
$ sudo setcap cap_net_raw=ep /usr/bin/python2.XX
Configuration requirements for IPC input on Ubuntu:
::
$ sudo bash -c “echo 0 > /proc/sys/kernel/yama/ptrace_scope”
4.2.7 Building the documentation
The folder doc/documentation contains all the documentation of Netzob.
The user manual can be generated based on RST sources located in folder doc/documentation/source with the follow-ing command:
$ sphinx-build -b html doc/documentation/source/ doc/documentation/build/
4.3 Installation documentation on Debian
4.3.1 Using Netzob’s APT Repository
A dedicated APT repository (apt.netzob.org) is available for downloading and installing Netzob.
Steps:
1. edit you /etc/apt/sources.list to add the netzob’s repository URL,
2. import the GPG key used to sign the repository,
3. install netzob threw apt-get.
Edit /etc/apt/sources.list
You need to register the repository in your APT client by adding the following entry (stable or unstable) in your/etc/apt/sources.list or through a dedicated file in /etc/apt/sources.list.d/. Then you need toimport the gpg public key used to sign the repository.
Unstable & testing (“Wheezy”)
deb http://apt.netzob.org/debian/ unstable maindeb-src http://apt.netzob.org/debian/ unstable main
Stable (“Squeeze”)
deb http://apt.netzob.org/debian/ squeeze-backports maindeb-src http://apt.netzob.org/debian/ squeeze-backports main
4.3. Installation documentation on Debian 23
Netzob Documentation, Release 0.4.1
Import GPG key¶
The repository is signed, so APT may complain until you register the archive key 0xE57AEA26 to your APT keyring.The fingerprint of the key is D865 DCF0 9B9A 195C 49F0 E3F3 F750 1A13 E57A EA26 and has beensigned by the followings:
• 0xA255A6A3 : Georges Bossert <[email protected]>
• 0x561F7A47 : Frederic Guihery <[email protected]>
• 0x04B1A89C : Olivier Tetard <[email protected]>
To import the key of the APT repository you can execute the following commands :
# wget https://dev.netzob.org/misc/debian_archive.asc -O -| gpg --import# gpg --export -a 0xF7501A13E57AEA26 | sudo apt-key add -
Install netzob¶
You can install it with the following commands :
# apt-get update# apt-get install netzob
4.3.2 Using the provided Debian package
Installing Netzob directly from the debian package (deb file) implies you manually install the necessary packages inorder to handle the required dependencies. Therefore, the following commands can be executed to install them :
# apt-get install python python-ptrace python-hachoir-subfile python-matplotlib python-dpkt strace lsof python-pcapy python-bitarray python-dev python-lxml libjs-sphinxdoc python-sphinx
Once the requirements are fullfilled you can download the debian file (i386 or amd64) and install it using the followingcommand for an i386 architecture (32 bits) :
# dpkg -i netzob_0.3.0-1_i386.deb
or for an AMD64 (64 bits) :
# dpkg -i netzob_0.3.0-1_amd64.deb
4.4 Installation documentation on Gentoo
4.4.1 From official portage (not yet available)
Some build scripts have been published for future integration in Portage. While the scripts have not yet been acceptedplease refer to the alternative procedure.
# emerge -av netzob
4.4.2 From Gentoo overlay (recommended, automatic)
Alternative non official repositories are available on Gentoo which are called “overlays”. The tool used to synchronizewith these repositories is called “layman”
1. Installing layman
24 Chapter 4. Installation Guides
Netzob Documentation, Release 0.4.1
# emerge app-portage/layman
2. Adding “lootr” repository containing Netzob ebuild scripts
# layman -a lootr
3. Installing Netzob from this repository
# emerge -av dev-python/netzob
4.4.3 From netzob repository (expert users only, manual installation)
First step is to clone the netzob repository:
# (~) git clone https://dev.netzob.org/git/netzob-gentoo.git
Then, declare this repository in the portage configuration file /etc/make.conf by adding this line:
PORTDIR_OVERLAY="/home/USER/netzob-gentoo/"
Synchronize portage
# emerge --sync
Finally emerge Netzob package:
• tildarched (testing-like) systems:
# emerge -av netzob
• stable systems:
# ACCEPT_KEYWORDS="~x86" emerge -av netzob
4.5 Installation documentation on Windows
This documentation only applies for Netzob 0.3.3.
4.5.1 Installation of dependencies
Steps:
1. Install Python 2.7 (download the installer from python.org)
2. Install SetupTools (download the installer from pypi.python.org)
3. Install PyGTK (download the installer from gnome.org)
4. Install WinPCap 4.1.2 (download the installer from winpcap.org)
5. Install Pcapy 0.10.5 (provided on Netzob’s website ; original source: oss.coresecurity.com)
6. Install following dependencies with SetupTools (be sure to have C:\Python27\Scripts\easy_install.exe in yourPATH):
(a) easy_install numpy
4.5. Installation documentation on Windows 25
Netzob Documentation, Release 0.4.1
(b) easy_install impacket
(c) easy_install lxml==2.3
(d) easy_install -f "http://downloads.sourceforge.net/project/matplotlib/matplotlib/matplotlib-1.1.0/matplotlib-1.1.0.win32-py2.7.exe?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fmatplotlib%2Ffiles%2Fmatplotlib%2Fmatplotlib-1.1.0%2F&ts=1339591175&use_mirror=netcologne" matplotlib
(e) easy_install bitarray==0.3.5
4.5.2 Installation of Netzob
1. Install Netzob !
Remark: If you have disabled Windows UAC, a error can be raised by Windows when executing Netzob’s installer:Failed to start elevated process (ShellExecute returned 3). So you have to run the installer with administrator privilege: right-click on the executable and choose “run as administrator”.
• Python package installation
• Debian package installation
• Gentoo package installation
• Windows package installation
26 Chapter 4. Installation Guides
CHAPTER 5
User Guide
Read the Netzob User Guide.
5.1 Importing Data
Communication protocols can be found is every parts of a system, as shown on the following picture:
Netzob can handle multiple kinds of input data. Hence, you can analyze network traffic, IPC communications, filesstructures, etc.
Import can either be done by using a dedicated captor or by providing already captured messages in a specific format.
Current accepted formats are:
• PCAP files
• Structured files
• Netzob XML files (used by Netzob for its internal representation of messages)
Current supported captors are:
27
Netzob Documentation, Release 0.4.1
• Network captor, based on the XXX library
• Intra Process communication captor (API calls), based on API hooking
• Inter Process Communication captor (pipes, shared memory and local sockets), based on system call hooking
Imported messages are manipulated by Netzob through specific Python objects which contains metadata that describescontextual parameters (timestamp or even IP source/destination for example). All the Python object that describemessages derived from an abstract object : AbstractMessage.
The next part of this section details the composition of each message object.
5.1.1 AbstractMessage
All the messages inherits from this definition and therefore has the following parameters :
• a unique ID
• a data field represented with an array of hex
5.1.2 NetworkMessage
A network message is defined with the following parameters :
• a timestamp
• the ip source
• the ip target
• the protocol (TCP/UDP/ICMP...)
• the layer 4 source port
• the layer 4 target port
Definition of a NetworkMessage :
5.1.3 FileMessage
A file message is defined with the following parameters :
• a filename
• the line number in the file
• the creation date of the file
• the last modification date of the file
• the owner of the file
• the size of the file
Definition of a NetworkMessage :
Definition of the factory for XML processing of a FileMessage :
28 Chapter 5. User Guide
Netzob Documentation, Release 0.4.1
5.2 Protocol inference
5.2.1 Definition of a communication protocol
A communication protocol is as language. A language is defined through~:
• its vocabulary (the set of valid words or, in our context, the set of valid messages) ;
• its grammar (the set of valid sentences which, in our context, can be represented as a protocol state machine,like the TCP state machine).
A word of the vocabular is called a symbol. A symbol represents an abstract view of a set of similar messages. Similarmessages refer to messages having the same semantic (for example, a TCP SYN message, a SMTP HELLO message,an ICMP ECHO REQUEST message, etc.).
A symbol is structured following a format, which specifies a sequence of fields (like the IP format). A field can besplitted into sub-fields. For example, a payload is a field of a TCP message. Therefore, by defining a layer as a kind ofpayload (which is a specific field), we can retrieve the so-called Ethernet, IP, TCP and HTTP layers from a raw packet; each layer having its own vocabular and grammar.
Field’s size can be fixed or variable. Field’s content can be static of dynamic. Field’s content can be basic (a 32 bitsinteger) or complex (an array). A field has four attributes~:
• the type defines its definition domain or set of valid values (16 bits integer, string, etc.) ;
• the data description defines the structuration of the field (ASN.1, TSN.1, EBML, etc.) ;
• the data encoding defines ... (ASCII, little endian, big endian, XML, EBML, DER, XER, PER, etc.) ;
• the semantic defines ... (IP address, port number, URL, email, checksum, etc.).
Field’s content can be~:
• static ;
• dependant of another field (or a set of fields) of the same message (intra-message dependency) ;
• dependant of a field (or a set of fields) of a previous message in the grammar (inter-message dependency) ;
• dependant of the environment ;
• dependant of the application behaviour (which could depend on the user behaviour) ;
• random (the initial value of the TCP sequence number for example).
5.2.2 Modelization in Netzob
Netzob provides a framework for the semi-automated modelization (inference) of communication protocols, i.e. in-ferring its vocabular and grammar.
[INCLURE GRAPH]
• Vocabular inference
– Message structure inference (based on sequence alignment)
– Regoupment of similar message structures
– Field type inference
– Field dependencies from the same message and from the environment
– Field semantic inference
5.2. Protocol inference 29
Netzob Documentation, Release 0.4.1
• Grammar inference
– Identification of the automata of the protocol
– Fields dependencies with messages of previous states
All the functionalities of the framework are detailled in this chapter.
Vocabular inference
Structure inference
Regoupment of similar structures
Options during alignment process
• “read-only” process (do not require a participation in the communication).
• Identify the fixed and dynamic fields of all the messages.
• Regroups equivalent messages depending of their fields structures.
• Clustering (Regroups equivalent messages using) :
– an UPGMA Algorithm to regroup similar messages
– an openMP and MPI implementation
• Sequencing, Alignment (Identification of fields in messages) :
– Needleman & Wunsch Implementation
Needleman and Wunsch algorithm
• Originaly a bio-informatic algorithm (sequencing DNA)
• Align two messages and identify common patterns and field structure
• Computes an alignment score representing the efficiency of the alignment
The following picture shows the sequence alignment of two messages.
UPGMA algorithm
• Identify equivalent messages based on their alignment score.
• Build a hierarchical organization of the messages with the UPGMA algorithm (Unweighted Pair Group Methodwith Arithmetic Mean)
The following picture shows a regroupment of similar messages based on the result of the clustering process.
30 Chapter 5. User Guide
Netzob Documentation, Release 0.4.1
Abstraction of a set of message The abstraction is the process of substituting the dynamic fields with their repre-sentation as a regex. An example of abstraction is shown on the follinw picture.
Analyses after alignment process aaa
Message contextual menu aaa
Group contextual menu aaa
Refine regexes aaa
Slick regexes aaa
Concatenate aaa
Split column aaa
5.2. Protocol inference 31
Netzob Documentation, Release 0.4.1
Merge columns aaa
Delete message aaa
Field type inference
Visualization options aaa
Type structure contextual menu aaa
Messages distribution This function shows a graphical representation of the distribution of bytes per offset foreach message of the current group. This function helps to identify entropy variation of each fields. Entropy variationcombined with byte distribution help the user to infer the field type.
[INCLUDE GRAPH]
Data typing
• Primary types [binary, ascii, num, base64...]
– Definition domain, unique elements and intervals
– Data carving (tar gz, png, jpg, ...)
– Semantic data identification (emails, IP ...)
Domain of definition aaa
Change type representation aaa
Field dependencies from the same message and from the environment
Fields dependancies identification
• Length fields and associated payloads
• Encapsulated messages identifications
And from the environment...
Payload extraction The function “Find Size Fields”, as its name suggests, is dedicated to find fields that containany length value as well as the associated payload. It does this on each group. Netzob supports different encoding ofthe size field : big and little endian binary values are supported through size of 1, 2 and 4 bytes. The algorithm used tofind the size fields and their associated payloads is desribed in the table XXX.
[INCLUDE ALGORITHM]
The following picture represents the application of the function on a trace example. It shows the automated extractionof the IP and UDP payloads from an Ethernet frame.
32 Chapter 5. User Guide
Netzob Documentation, Release 0.4.1
Field semantic inference
Data carving Data carving is the process of extracting semantic information from fields or messages. Netzob allowsthe extraction of the following semantic information :
• URL
• IP address
[INCLUDE FIGURE]
Search aaa
Properties aaa
Grammar inference
Identification of the automata of the protocol
Fields dependencies with messages of previous states
5.3 Generating traffic and simulating actors
Todo
5.3. Generating traffic and simulating actors 33
Netzob Documentation, Release 0.4.1
5.4 Exporting protocol model
Netzob supports the export of the modelization of the protocol in the following formats: * XML meta representation* Dedicated Scapy Dissector * Dedicated Wireshark Dissector
Each export format in described in this chapter.
5.4.1 XML Export
5.4.2 Scapy Dissector
The Scapy documentation about building new dissectors is available at the following address:
http://www.secdev.org/projects/scapy/doc/build_dissect.html
5.4.3 Wireshark Dissector
The Wireshark documentation about building new dissectors is available at the following address:
http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
34 Chapter 5. User Guide
CHAPTER 6
Developer Guide
Read the Developer Guide.
See how you can contribute to Netzob
API explanation:
6.1 netzob Package
6.1.1 NetzobMainController Module
6.1.2 NetzobMainView Module
6.1.3 NetzobPluginManagement Module
class netzob.NetzobPluginManagement.NetzobPluginManagement(commandLineParser)Bases: object
Netzob entry point in order to manage netzob plugins
listAvailablePlugins()
start()
6.1.4 NetzobResources Module
6.1.5 all Module
6.1.6 release Module
netzob.release.keywords = [’Protocol’, ‘Inference’, ‘Networking’, ‘Reverse Engineering’, ‘Fuzzing’, ‘Security’]@deprecated: the official long description is now the full README.rst file
35
Netzob Documentation, Release 0.4.1
6.1.7 Subpackages
Common Package
ApplicativeData Module
Automata Module
class netzob.Common.Automata.Automata(type)Bases: object
MMSTD_TYPE = ‘mmstd’
getType()
static loadFromXML(xmlRoot, vocabulary, namespace, version)
save(root, namespace)
BugReporter Module
CommandLine Module
class netzob.Common.CommandLine.CommandLineBases: object
Reads, validates and parses the command line arguments provided by users
configure()Configure the parser based on Netzob’s usage and the definition of its options and arguments
getConfiguredParser()Return (if available) the parser configured to manage provided arguments and options by user. @return:the parser
getOptions()
isManagePluginsRequested()Compute and return is the user has requested to manage the plugins
isStartGUIRequested()Compute and return if the user requested (through the command line arguments and options) to start theGTK GUI
parse()Read and parse the provided arguments and options
DepCheck Module
class netzob.Common.DepCheck.DepCheckBases: object
Dependency checker. Provides multiple static method to check is required and optionnal dependency are avail-able.
static checkCExtensions()
static checkRequiredDependency()
36 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
static check_lxml()Test the lxml requirement is fulfilled
EnvironmentalDependencies Module
class netzob.Common.EnvironmentalDependencies.EnvironmentalDependenciesBases: object
captureEnvData()
getEnvData()
EnvironmentalDependency Module
class netzob.Common.EnvironmentalDependency.EnvironmentalDependency(name,aType,value)
Bases: object
getName()
getType()
getValue()
save(root, namespace)
setName(name)
setType(type)
setValue(value)
ExecutionContext Module
class netzob.Common.ExecutionContext.ExecutionContextBases: object
static getCurrentProcesses()
Field Module
Grammar Module
class netzob.Common.Grammar.GrammarBases: object
addsequence(sequence)
getAutomata()
getSequences()
static loadGrammar(xmlRoot, vocabulary, namespace, version)
save(root, namespace)
setAutomata(automata)
6.1. netzob Package 37
Netzob Documentation, Release 0.4.1
setSequences(sequences)
update(vocabulary)update: verifies the grammar and its automata is still valid and that none of its symbols has been deprecated
ImportedTrace Module
LoggingConfiguration Module
netzob.Common.LoggingConfiguration.LoggingConfiguration(*args, **kwargs)
netzob.Common.LoggingConfiguration.singleton(cls, *args, **kwargs)This decorator allows to implement some kind of Singleton design pattern. In our case, we only allow oneinstanciation.
NetzobException Module
exception netzob.Common.NetzobException.NetzobException(value)Bases: exceptions.Exception
Class of handling Netzob specific exceptions
exception netzob.Common.NetzobException.NetzobImportException(source, message, sta-tusCode=None, sub-Code=None)
Bases: netzob.Common.NetzobException.NetzobException
Raised if an error was encountered while importing data
Order Module
class netzob.Common.Order.Order(value)Bases: object
addMessage(message)
getMessages()
getValue()
static loadFromXML(xmlRoot, vocabulary, namespace, version)
removeMessage(message)
save(root, namespace)
setMesages(messages)
setValue(value)
Process Module
class netzob.Common.Process.Process(name, pid, user)Bases: object
getName()
getPid()
38 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
getSharedLibs()
getUser()
setName(name)
setPid(pid)
setUser(user)
Project Module
ProjectConfiguration Module
Property Module
class netzob.Common.Property.Property(name, format, currentValue)Bases: object
getCurrentValue()
getFormat()
getName()
getPossibleValues()
hasEntry()
isEditable()
setCurrentValue(currentValue)
setFormat(format)
setHasEntry(hasEntry)
setIsEditable(isEditable)
setName(name)
setPossibleValues(possibleValues)
PropertyList Module
class netzob.Common.PropertyList.PropertyListBases: object
This class allow to store Property items that are internally stored in a dict(). Items are accessible like any otherlist or dict.
append(prop)
clear()
keys()→ list of keys in PropertyList
values()→ list of values in PropertyList
6.1. netzob Package 39
Netzob Documentation, Release 0.4.1
ResourcesConfiguration Module
Sequence Module
class netzob.Common.Sequence.Sequence(id, name, description)Bases: object
addMessage(message, orderNumber)
addOrder(order)
getDescription()
getID()
getName()
getOrderByValue(value)
getSortedOrders()
static loadFromXML(xmlRoot, vocabulary, namespace, version)
save(root, namespace)
setDescription(description)
setID(id)
setName(name)
Session Module
SharedLib Module
class netzob.Common.SharedLib.SharedLib(name, version, path)Bases: object
static findNameAndVersion(path)
getFunctions()
getName()
getPath()
getVersion()
static loadFromXML(rootElement)
setFunctions(functions)
setName(name)
setPath(path)
setVersion(version)
40 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
SignalsManager Module
class netzob.Common.SignalsManager.SignalsManagerBases: object
Manage the signals for feature availability
SIG_FIELDS_MULTIPLE_SELECTION = ‘field.multiple_selection’
SIG_FIELDS_NO_SELECTION = ‘fields.no_selection’
SIG_FIELDS_SINGLE_SELECTION = ‘field.single_selection’
SIG_MESSAGES_MULTIPLE_SELECTION = ‘messages.multiple_selection’
SIG_MESSAGES_NO_SELECTION = ‘messages.no_selection’
SIG_MESSAGES_SINGLE_SELECTION = ‘messages.single_selection’
SIG_PROJECT_CLOSE = ‘project.close’
SIG_PROJECT_OPEN = ‘project.open’
SIG_SYMBOLS_MULTIPLE_CHECKED = ‘symbols.multiple_checked’
SIG_SYMBOLS_MULTIPLE_SELECTION = ‘symbols.multiple_selection’
SIG_SYMBOLS_NONE_CHECKED = ‘symbols.none_checked’
SIG_SYMBOLS_NO_SELECTION = ‘symbols.no_selection’
SIG_SYMBOLS_SINGLE_CHECKED = ‘symbols.single_checked’
SIG_SYMBOLS_SINGLE_SELECTION = ‘symbols.single_selection’
attach(methodToExecute, signals)
emitSignal(signal, *cb_args, **cb_kwargs)
emitSignals(signals)
getListenersMethodsForSignal(signal)
6.1. netzob Package 41
Netzob Documentation, Release 0.4.1
Simulator Module
SplashScreen Module
Symbol Module
Token Module
TrashSymbol Module
Vocabulary Module
Workspace Module
XSDResolver Module
class netzob.Common.XSDResolver.XSDResolverBases: lxml.etree.Resolver
addMapping(declaredFilename, realFilename)
resolve(url, id, context)
Subpackages
C_Extensions Package
WrapperArgsFactory Module
WrapperMessage Module
Functions Package
EncodingFunction Moduleclass netzob.Common.Functions.EncodingFunction.EncodingFunction(type, name)
Bases: netzob.Common.Functions.RenderingFunction.RenderingFunction
TYPE = ‘EncodingFunction’
apply(message)
getConversionAddressingTable(message)
getName()
getType()
setName(name)
setType(type)
42 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
FunctionApplicationTable Moduleclass netzob.Common.Functions.FunctionApplicationTable.FunctionApplicationTable(splittedData)
Bases: object
applyFunction(function, i_start, i_end)
getInitialConversionAddressingTable()
getResult()
getSegments(i_start, i_end)
getTags(col, i_local)
insertTagInEncoded(col, i_local, i_global, tag, currentValue)
registerTag(i_col, idTag, i, tag)
updateConversionAddressingTable(old_start, old_end, new_start, new_end)
updateConversionAddressingTableWithTable(table)
RenderingFunction Moduleclass netzob.Common.Functions.RenderingFunction.RenderingFunction(superType)
Bases: object
getID()
getPriority()
getSuperType()
static loadFromXML(rootElement, namespace, version)loadFromXML: Function which parses an XML and extract from it the definition of a rendering function@param rootElement: XML root of the function @return an instance of a function @throw NameError ifXML invalid
static save(function, root, namespace_workspace)
setPriority(priority)
TransformationFunction Moduleclass netzob.Common.Functions.TransformationFunction.TransformationFunction(type,
name)Bases: netzob.Common.Functions.RenderingFunction.RenderingFunction
TYPE = ‘TransformationFunction’
apply(message)apply: Apply the function on the provided message
getConversionAddressingTable(message)
getName()
getType()
reverse(message)reverse: Apply the reverse function on the provided message
save(root, namespace_common)Save under the provided XML root the current transformation function
setName(name)
6.1. netzob Package 43
Netzob Documentation, Release 0.4.1
setType(type)
VisualizationFunction Moduleclass netzob.Common.Functions.VisualizationFunction.VisualizationFunction(type,
name)Bases: netzob.Common.Functions.RenderingFunction.RenderingFunction
TYPE = ‘VisualizationFunction’
getName()
getTags()
getType()
setName(name)
setType(type)
Subpackages
Encoding Package
FormatFunction Module
Transformation Package
BZ2Function Module
Base64Function Module
CustomFunction Module
GZipFunction Module
Visualization Package
BackgroundColorFunction Moduleclass netzob.Common.Functions.Visualization.BackgroundColorFunction.BackgroundColorFunction(name,
color)Bases: netzob.Common.Functions.VisualizationFunction.VisualizationFunction
TYPE = ‘BackgroundColorFunction’
getTags()
44 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
TextColorFunction Moduleclass netzob.Common.Functions.Visualization.TextColorFunction.TextColorFunction(name,
color)Bases: netzob.Common.Functions.VisualizationFunction.VisualizationFunction
TYPE = ‘TextColorFunction’
getTags()
MMSTD Package
MMSTD Module
Subpackages
Actors Package
AbstractChannel Module
MMSTDVisitor Module
SimpleCommunicationChannel Module
Subpackages
NetworkChannels Package
InstanciatedNetworkServer Module
NetworkClient Module
NetworkServer Module
Dictionary Package
AbstractionLayer Module
6.1. netzob Package 45
Netzob Documentation, Release 0.4.1
DictionaryEntry Moduleclass netzob.Common.MMSTD.Dictionary.DictionaryEntry.DictionaryEntry(id, name,
value)
compare(val, indice, negative, dictionary)
forget(temporary)
generate()
getID()
getName()
getValue()
isActive()
learn(val, indice)
restore()
send(negative, dictionary)
setID(id)
setName(name)
undoForget()
MMSTDDictionary Moduleclass netzob.Common.MMSTD.Dictionary.MMSTDDictionary.MMSTDDictionary(variables,
entries)
getEntries()
getEntry(id)
getVariableByID(id)
getVariables()
Memory Module
_Variable Moduleclass netzob.Common.MMSTD.Dictionary._Variable.Variable(typeVariable, idVar, name)
Variable: Definition of a variable defined in a dictionary
compare(value, indice, negative, vocabulary, memory)compare: Compare the current variable to the end (starting at the “indice”-th character) of value.
@type value: bitarray.bitarray @param value: a bit array a subarray of which we compare to the currentvariable binray value. @type indice: integer @param indice: the starting point of comparison in value.@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @typevocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the currentproject. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory whichcan contain a former value of the variable. @rtype: integer @return: the number of letters that matches,-1 if it does not match.
46 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
getDescription(negative, vocabulary, memory)getDescription: Get the full description of the variable.
@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @typevocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the currentproject. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory whichcan contain a former value of the variable. @rtype: string @return: the full description of the variable.
getID()
getName()
getTypeVariable()
getUncontextualizedDescription()getUncontextualizedDescription: Get the uncontextualized description of the variable (no use of memoryor vocabulary).
@rtype: string @return: the uncontextualized description of the variable.
getValue(negative, vocabulary, memory)getValue: Get the current value of the variable it can be the original value if its set and not forget or thevalue in memory if it has one else its NONE.
@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @typevocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the currentproject. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory whichcan contain a former value of the variable. @rtype: (bitarray.bitarray, string) @return: the current ormemorized value of the variable in both bitarray and string format.
getValueToSend(negative, vocabulary, memory)getValueToSend: Get the current value of the variable it can be the original value if its set and not forgetor the value in memory if it has one or it generates one and save its value in memory.
@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @type vocab-ulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the current project.@type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory which cancontain a former value of the variable. @rtype: (bitarray.bitarray, string) @return: the current, memorizedvalue or a generated value of the variable in both bitarray and string format.
isMutable()
learn(value, indice, negative, vocabulary, memory)learn: Compare the current variable to the end (starting at the “indice”-th character) of value. Moreover itstores learns from the provided message.
@type value: bitarray.bitarray @param value: a bit array a subarray of which we compare to the currentvariable binray value. @type indice: integer @param indice: the starting point of comparison in value.@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @typevocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the currentproject. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory whichcan contain a former value of the variable. @rtype: integer @return: the number of letters that matches,-1 if it does not match.
static loadFromXML(xmlRoot, namespace, version)loadFromXML: Load a variable from an XML definition. Calls its proper heir function for it to create thevariable.
@type xmlRoot: lxml.etree.Element @param xmlRoot: the root of the XML definition. @type names-pace: string @param namespace: the namespace (precision) associated to the variable in the XML
6.1. netzob Package 47
Netzob Documentation, Release 0.4.1
definition. @type version: string @param version: the version of the load needed. @rtype: net-zob.Common.MMSTD.Dictionary.Variable.Variable @return: a variable constructed from this XML defi-nition.
restore(vocabulary, memory)restore: Restore learned value from the last execution of the variable.
@type vocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of thecurrent project. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a mem-ory which can contain a former value of the variable.
setID(idVar)
setName(name)
setTypeVariable(typeVariable)
toXML(root, namespace)toXML: Create the xml tree associated to this variable.
@type root: lxml.etree.Element @param root: the root of the tree being built. @type namespace: string@param namespace: a namespace used as a precision in the variable tree.
Subpackages
DataTypes Package
AbstractType Module
AbstractWordType Module
BinaryType Module
DecimalWordType Module
HexWordType Module
IPv4WordType Module
IntegerType Module
MACWordType Module
WordType Module
RelationTypes Package
48 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
AbstractRelationType Moduleclass netzob.Common.MMSTD.Dictionary.RelationTypes.AbstractRelationType.AbstractRelationType(sized,
min-Chars=0,max-Chars=0,de-lim-iter=None,fac-tor=1,off-set=0)
AbstractRelationType: It defines the type of a relation variable.
computeValue(writingToken)computeValue: Compute the value of the variable according to its type.
@type writingToken: netzob.Common.MMSTD.Dictionary.VariableProcessingToken.VariableWritingToken.VariableWritingToken@param writingToken: a token which contains all critical information on this access. @rtype: bitarray@return: the computed value.
getAssociatedDataType()
getFactor()
getNbBits()
getNbChars()
getOffset()
getType()getType: Return a string describing the current Type.
@rtype: string @return: the current type in string format.
makeAssociatedDataType(sized, minChars, maxChars, delimiter)Make the associated data type.
@type minChars: integer @type sized: boolean @param sized: tell if the variable can be delimited by asize or by a delimiter. @param minChars: the minimum number of elementary character the value of thisvariable can have. @type maxChars: integer @param maxChars: the maximum number of elementarycharacter the value of this variable can have. @type delimiter: bitarray @param delimiter: a set of bitsthat tells where the associated variable ends.
static makeType(typeString, sized, minChars, maxChars, delimiter, factor, offset)
setAssociatedDataType(dataType)
toString()
BinarySizeRelationType Module
WordSizeRelationType Module
Values Package
AbstractValue Module
6.1. netzob Package 49
Netzob Documentation, Release 0.4.1
Aggregate Module
EndValue Module
TextValue Module
VarValue Module
VariableProcessingToken Package
AbstractVariableProcessingToken Moduleclass netzob.Common.MMSTD.Dictionary.VariableProcessingToken.AbstractVariableProcessingToken.AbstractVariableProcessingToken(negative,
vo-cab-u-lary,mem-ory,value)
AbstractVariableProcessingToken: A communication token used by variable when they are processed.
appendLinkedValue(value)
getIndex()
getLinkedValue()
getMemory()
getNegative()
getValue()
getVocabulary()
isOk()
setOk(ok)
setValue(value)
VariableReadingToken Module
VariableWritingToken Module
Variables Package
AbstractLeafVariable Module
AbstractNodeVariable Module
AbstractVariable Module
50 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
AggregateVariable Module
AlternateVariable Module
ComputedRelationVariable Module
DataVariable Module
RepeatVariable Module
_AbstractRelationVariable Module
_AggregateVariable Module
_AlternateVariable Moduleclass netzob.Common.MMSTD.Dictionary.Variables._AlternateVariable.AlternateVariable(idVar,
name,chil-dren)
Bases: netzob.Common.MMSTD.Dictionary._Variable.Variable
AlternateVariable: A node variable that makes an alternative of all its children.
addChild(child)
compare(value, indice, negative, vocabulary, memory)compare: Compare the current variable to the end (starting at the “indice”-th character) of value. Returnthe number of letters that matches, -1 if it does not match.
getChildren()
getDescription(negative, vocabulary, memory)getDescription: Get the full description of the variable.
getUncontextualizedDescription()getUncontextualizedDescription: Get the uncontextualized description of the variable (no use of memoryor vocabulary).
getValue(negative, vocabulary, memory)getValue: Get the current value of the variable it can be the original value if its set and not forget or thevalue in memory if it has one else its NONE.
getValueToSend(negative, vocabulary, memory)getValueToSend: Get the current value of the variable it can be the original value if its set and not forgetor the value in memory if it has one or it generates one and save its value in memory.
learn(value, indice, negative, vocabulary, memory)learn: Compare the current variable to the end (starting at the “indice”-th character) of value. Moreover itstores learns from the provided message. Return the number of letters that matches, -1 if it does not match.
static loadFromXML(xmlRoot, namespace, version)loadFromXML: Load an alternate variable from an XML definition.
restore(vocabulary, memory)restore: Restore learned value from the last execution of the variable.
6.1. netzob Package 51
Netzob Documentation, Release 0.4.1
toXML(root, namespace)toXML: Create the xml tree associated to this variable.
_BinaryVariable Module
_ComputedRelationVariable Module
_DecimalWordVariable Module
_DirectRelationVariable Module
_DynLenStringVariable Module
_HexVariable Module
_IPVariable Moduleclass netzob.Common.MMSTD.Dictionary.Variables._IPVariable.IPVariable(id, name,
default-Var)
Bases: netzob.Common.MMSTD.Dictionary._Variable.Variable
generateValue(negative, dictionary)
getValue(negative, dictionary)
learn(val, indice, isForced, dictionary)
string2bin(aStr)
_IPv4Variable Module
_IntVariable Module
_MD5Variable Module
_ReferencedVariable Module
_WordVariable Module
MemOpexs Package
52 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
MemOpex Moduleclass netzob.Common.MMSTD.MemOpexs.MemOpex.MemOpex(type, id, transitionId)
getID()
getTransitionID()
getType()
static loadFromXML(xmlRoot, namespace, version)
save(root, namespace)
setID(id)
setTransitionID(transitionID)
Subpackages
impl Package
ForgetMemOpex Moduleclass netzob.Common.MMSTD.MemOpexs.impl.ForgetMemOpex.ForgetMemOpex(id, tran-
sitionId,variableId)
Bases: netzob.Common.MMSTD.MemOpexs.MemOpex.MemOpex
getVariableID()
static loadFromXML(xmlRoot, namespace, version)
save(root, namespace)
setVariableID(variableID)
States Package
AbstractState Moduleclass netzob.Common.MMSTD.States.AbstractState.AbstractState(type, id, name)
activate()
addMemOpex(memOpex)
deactivate()
executeAsClient(abstractionLayer)
executeAsMaster(abstractionLayer)
getID()
getMemOpexs()
getName()
getTransitions()
getType()
6.1. netzob Package 53
Netzob Documentation, Release 0.4.1
isActive()
static loadFromXML(xmlRoot, namespace, version)
registerTransition(transition)
removeMemOpex(memOpex)
save(root, namespace)
setID(id)
setName(name)
Subpackages
impl Package
NormalState Moduleclass netzob.Common.MMSTD.States.impl.NormalState.NormalState(id, name)
Bases: netzob.Common.MMSTD.States.AbstractState.AbstractState
executeAsClient(abstractionLayer)
executeAsMaster(abstractionLayer)
getID()
getName()
getTransitions()
static loadFromXML(xmlRoot, namespace, version)
registerTransition(transition)
save(root, namespace)
setID(id)
setName(name)
unregisterTransition(transition)
StartState Moduleclass netzob.Common.MMSTD.States.impl.StartState.StartState(id, name)
Bases: netzob.Common.MMSTD.States.AbstractState.AbstractState
executeAsClient(abstractionLayer)
executeAsMaster(abstractionLayer)
getID()
getName()
getTransitions()
static loadFromXML(xmlRoot, namespace, version)
registerTransition(transition)
save(root, namespace)
54 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
setID(id)
setName(name)
Symbols Package
AbstractSymbol Moduleclass netzob.Common.MMSTD.Symbols.AbstractSymbol.AbstractSymbol(type)
getType()
Subpackages
impl Package
DictionarySymbol Moduleclass netzob.Common.MMSTD.Symbols.impl.DictionarySymbol.DictionarySymbol(dictionaryEntry)
Bases: netzob.Common.MMSTD.Symbols.AbstractSymbol.AbstractSymbol
TYPE = ‘DictionarySymbol’
getEntry()
getID()
getName()
isEquivalent(symbol)
setEntry(entry)
setID(id)
write(writingToken)write: Grant a writing access to the entry. Retrieve and return the value issued from this access.
@type writingToken: netzob.Common.MMSTD.Dictionary.VariableProcessingToken.VariableWritingToken.VariableWritingToken@param writingToken: a token which contains all critical information on this writing access. @rtype:bitarray @return: the value this acces writes.
EmptySymbol Module
UnknownSymbol Module
Transitions Package
6.1. netzob Package 55
Netzob Documentation, Release 0.4.1
AbstractTransition Moduleclass netzob.Common.MMSTD.Transitions.AbstractTransition.AbstractTransition(type,
id,name,in-put-State,out-put-State)
activate()
deactivate()
executeAsClient(abstractionLayer)
executeAsMaster(abstractLayer)
getDescription()
getID()
getInputState()
getName()
getOutputState()
getType()
isActive()
isValid(inputSymbol)
static loadFromXML(states, vocabulary, xmlRoot, namespace, version)
setID(id)
setInputState(inputState)
setName(name)
setOutputState(outputState)
toXMLString(idStartState)
Subpackages
impl Package
CloseChannelTransition Module
56 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
class netzob.Common.MMSTD.Transitions.impl.CloseChannelTransition.CloseChannelTransition(id,name,in-put-State,out-put-State,dis-con-nec-tion-Time)
Bases: netzob.Common.MMSTD.Transitions.AbstractTransition.AbstractTransition
TYPE = ‘CloseChannel’
closeConnection(abstractionLayer)
executeAsClient(abstractionLayer)
executeAsMaster(abstractionLayer)
getDescription()
getDisconnectionTime()
isValid(receivedSymbol)
static loadFromXML(states, xmlTransition, namespace, version)
save(root, namespace)
OpenChannelTransition Moduleclass netzob.Common.MMSTD.Transitions.impl.OpenChannelTransition.OpenChannelTransition(id,
name,in-put-State,out-put-State,con-nec-tion-Time,maxNum-berO-fAt-tempt)
Bases: netzob.Common.MMSTD.Transitions.AbstractTransition.AbstractTransition
TYPE = ‘OpenChannel’
executeAsClient(abstractionLayer)
executeAsMaster(abstractionLayer)
6.1. netzob Package 57
Netzob Documentation, Release 0.4.1
getConnectionTime()
getDescription()
getMaxNumberOfAttempt()
isValid(receivedSymbol)
static loadFromXML(states, xmlTransition, namespace, version)
openConnection(abstractionLayer)
save(root, namespace)
SemiStochasticTransition Module
SimpleTransition Moduleclass netzob.Common.MMSTD.Transitions.impl.SimpleTransition.SimpleTransition(id,
name,in-put-State,out-put-State,time-Be-fore-Act-ing,out-put-Sym-bol)
Bases: netzob.Common.MMSTD.Transitions.AbstractTransition.AbstractTransition
executeAsClient(abstractionLayer)
executeAsMaster(abstractionLayer)
getDescription()
getOutputSymbol()
getTimeBeforeActing()
isValid(receivedSymbol)
static parse(xmlTransition, dictionary, states)
toXMLString(idStartState)
Models Package
AbstractMessage Module
FileMessage Module
58 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
IPCMessage Module
IRPDeviceIoControlMessage Module
IRPMessage Module
L2NetworkMessage Module
L3NetworkMessage Module
L4NetworkMessage Module
RawMessage Module
Subpackages
Factories Package
AbstractMessageFactory Module
FileMessageFactory Module
IPCMessageFactory Moduleclass netzob.Common.Models.Factories.IPCMessageFactory.IPCMessageFactory
Bases: object
XML_SCHEMA_TYPE = ‘netzob-common:IPCMessage’
static addPropertiesToElement(xmlMessage, message, namespace)
static loadFromXML(rootElement, namespace, version)
static save(message, xmlMessage, namespace_project, namespace)
IRPDeviceIoControlMessageFactory Module
IRPMessageFactory Module
L2NetworkMessageFactory Module
L3NetworkMessageFactory Module
L4NetworkMessageFactory Module
OldFormatNetworkMessageFactory Module
6.1. netzob Package 59
Netzob Documentation, Release 0.4.1
RawMessageFactory Module
Plugins Package
AbstractPluginController Module
AbstractPluginView Moduleclass netzob.Common.Plugins.AbstractPluginView.AbstractPluginView(plugin, con-
troller)Bases: object
Regroup methods any plugins’ view must be able to access
getController()Returns the controller attached to the current plugin @return: the controller
getPlugin()Returns the current plugin definition class @return: the plugin definition
CapturerPlugin Module
ExporterPlugin Module
FileImporterPlugin Module
NetzobPlugin Module
PluginChecker Module
Subpackages
Capturers Package
AbstractCapturer Module
AbstractCapturerController Module
AbstractCapturerView Module
Exporters Package
AbstractExporterController Module
AbstractExporterView Module
60 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
Extensions Package
CapturerMenuExtension Moduleclass netzob.Common.Plugins.Extensions.CapturerMenuExtension.CapturerMenuExtension(netzob,
con-troller,ac-tion-Name,menu-Text,menu-S-tock=None,men-u-Ac-cel=None,menu-Tooltip=None)
Bases: netzob.Common.Plugins.Extensions.GlobalMenuExtension.GlobalMenuExtension
executeAction(widget, vocabularyView, data=None)
getActions()
getUIDefinition()
ExportMenuExtension Moduleclass netzob.Common.Plugins.Extensions.ExportMenuExtension.ExportMenuExtension(netzob,
con-troller,ac-tion-Name,menu-Text,menu-S-tock=None,men-u-Ac-cel=None,menu-Tooltip=None)
Bases: netzob.Common.Plugins.Extensions.GlobalMenuExtension.GlobalMenuExtension
ExportMenuExtension: A generic export menu extension.
executeAction(widget, data=None)executeAction: Start the controller. Called when the menu entry is selected.
getActions()getActions:
6.1. netzob Package 61
Netzob Documentation, Release 0.4.1
@rtype: List @return: the list of all information on the action associated to the menu extension.
getUIDefinition()getUIDefinition: Return the User Interface definition of this menu extension.
@rtype: string @return: an xml string representing the menu extension.
GlobalMenuExtension Moduleclass netzob.Common.Plugins.Extensions.GlobalMenuExtension.GlobalMenuExtension
Bases: netzob.Common.Plugins.Extensions.NetzobExtension.NetzobExtension
NetzobExtension Moduleclass netzob.Common.Plugins.Extensions.NetzobExtension.NetzobExtension
Bases: object
Importers Package
AbstractFileImporterController Module
AbstractFileImporterView Module
AbstractImporterController Module
AbstractImporterView Module
Threads Package
Job Moduleclass netzob.Common.Threads.Job.Job(generator)
Bases: object
Wrap a co-routines that yields asynchronous tasks (see Task class).
Task Moduleclass netzob.Common.Threads.Task.Task
Bases: object
Base class for asynchronous tasks.
cancel()
config(return_cb, exception_cb)Set return and exception callbacks.
run()
Subpackages
Tasks Package
62 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
SleepTask Module
ThreadedTask Module
Type Package
Endianess Moduleclass netzob.Common.Type.Endianess.Endianess
BIG = ‘big-endian’
LITTLE = ‘little-endian’
Format Moduleclass netzob.Common.Type.Format.Format
ALPHA = ‘alpha’
ALPHA_NUM = ‘alphanum’
ASCII = ‘ascii’
BASE64_DEC = ‘base64dec’
BASE64_ENC = ‘base64enc’
BINARY = ‘binary’
DECIMAL = ‘decimal’
FLOAT = ‘float’
HEX = ‘hex’
IP = ‘ip’
IPv4 = ‘ipv4’
NUM = ‘num’
OCTAL = ‘octal’
STRING = ‘string’
formatVisualizationUnitSizes = {‘binary’: 1, ‘hex’: 4, ‘string’: 8}
static getExtendedSupportedFormats()
static getPossibleFormats(values)getPossibleFormats: Given the provided values, it computes the possible formats the values can be. returnsa list of format
static getSupportedFormats()
static getUnitSize(format)
6.1. netzob Package 63
Netzob Documentation, Release 0.4.1
Sign Moduleclass netzob.Common.Type.Sign.Sign
SIGNED = ‘signed’
UNSIGNED = ‘unsigned’
TypeConvertor Module
TypeIdentifier Moduleclass netzob.Common.Type.TypeIdentifier.TypeIdentifier
getTypes(val)
isAscii(val)
isBase64(val)
isHexString(val)
UnitSize Moduleclass netzob.Common.Type.UnitSize.UnitSize
BIT = ‘bit’
BITS16 = ‘16-bits’
BITS32 = ‘32-bits’
BITS4 = ‘4-bits’
BITS64 = ‘64-bits’
BITS8 = ‘8-bits’
NONE = ‘none’
static getMaxDigitForTypeAndUnitSize(aType, unitSize)
static getPackDefiniton(unitSize)
static getSizeInBits(unitSize)
unitSizeInBits = {‘32-bits’: 32, ‘16-bits’: 16, ‘8-bits’: 8, ‘bit’: 1, ‘4-bits’: 4, ‘64-bits’: 64}
Export Package
RawExport Module
class netzob.Export.RawExport.RawExport(netzob)Bases: object
getXMLDefinition(symbolID)
64 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
ScapyExport Module
class netzob.Export.ScapyExport.ScapyExport(netzob)Bases: object
getScapyDefinition(symbolID)
TextExport Module
class netzob.Export.TextExport.TextExport(netzob)Bases: object
getTextDefinition(symbolID)
ExternalLibs Package
xdot Module
Import Package
AbstractImporter Module
ApiImport Module
ThirdPartyImport Module
XMLImport Module
Subpackages
GOTPoisoning Package
GOTPoisoner Moduleclass netzob.Import.GOTPoisoning.GOTPoisoner.GOTPoisoner(parasite, injector)
injectProcess(pid)
HijackedFunction Moduleclass netzob.Import.GOTPoisoning.HijackedFunction.HijackedFunction(name, return-
Type, param-eters, source)
getEndOfFunction()
getName()
getParameters()
getParasiteFunctionDeclaration()
getParasitePrototype()
6.1. netzob Package 65
Netzob Documentation, Release 0.4.1
getPrototype()
getReturnType()
getSource()
static loadFromXML(rootElement)
setName(name)
setParameters(parameters)
setReturnType(returnType)
setSource(source)
InjectorGenerator Moduleclass netzob.Import.GOTPoisoning.InjectorGenerator.InjectorGenerator(tmp_folder,
parasite)
compileInjector()
getFolder()
getLibName()
getLibPath()
getParasiteSignature()
getShellCode()
getSourceCode()
produceShellCode()
writeInjectorToFile()
ParasiteGenerator Moduleclass netzob.Import.GOTPoisoning.ParasiteGenerator.ParasiteGenerator(tmp_folder)
addAnHijackedFunctions(function)
compileParasite()
getFifoFile()
getFunctions()
getParasitesSignature()
getSourceCode()
getSourceCodeHeader()
getSourceCodeOfWriteFunction()
getSourceCodeParasiteCoreFunctions()
linkParasite()
writeParasiteToFile()
66 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
PrototypesRepositoryParser Moduleclass netzob.Import.GOTPoisoning.PrototypesRepositoryParser.PrototypesRepositoryParser
static loadFromXML(file)
ThirdParties Package
AbstractThirdPartyImporter Moduleclass netzob.Import.ThirdParties.AbstractThirdPartyImporter.AbstractThirdPartyImporter(id,
name)Bases: object
getId()
getName()
parse(paths)
OSpy Module
TreeViews Package
TreeProcessesGenerator Module
Inference Package
Subpackages
Grammar Package
Angluin Module
AutomaticGrammarAbstractionView Module
AutomaticGrammarInferenceView Module
GrammarInferer Module
LearningAlgorithm Module
MQCache Module
Subpackages
EquivalenceOracles Package
6.1. netzob Package 67
Netzob Documentation, Release 0.4.1
AbstractEquivalenceOracle Moduleclass netzob.Inference.Grammar.EquivalenceOracles.AbstractEquivalenceOracle.AbstractEquivalenceOracle(type)
Bases: object
findCounterExample(mmstd)
WMethodNetworkEquivalenceOracle Module
Oracles Package
AbstractOracle Moduleclass netzob.Inference.Grammar.Oracles.AbstractOracle.AbstractOracle(type)
Bases: object
start(mmstd)
stop()
NetworkOracle Module
Queries Package
MembershipQuery Module
Vocabulary Package
DataCarver Module
SearchResult Moduleclass netzob.Inference.Vocabulary.SearchResult.SearchResult(message, description)
Bases: object
addSegment(i_start, i_end)
getDescription()
getMessage()
getSegments()
getVariationDescription()
setDescription(description)
setVariationDescription(variationDescription)
68 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
SearchTask Moduleclass netzob.Inference.Vocabulary.SearchTask.SearchTask(description, data, type)
Bases: object
getDescription()
getResults()
getVariations()
registerResults(r, v)
registerVariation(data, description)
setDescription(description)
SearchView Module
Searcher Module
SizeFieldIdentifier Module
_VariableView Module
Subpackages
Alignment Package
AsciiAlign Module
NeedlemanAndWunsch Module
UPGMA Module
Simulator Package
XDotWidget Module
UI Package
ModelReturnCodes Module
Created on 28 juin 2012
@author: fabien
6.1. netzob Package 69
Netzob Documentation, Release 0.4.1
NetzobAbstractController Module
NetzobAbstractPerspectiveController Module
NetzobAbstractPerspectiveView Module
NetzobAbstractView Module
NetzobWidgets Module
Subpackages
Common Package
AboutDialog Module
Subpackages
Controllers Package
AvailablePluginsController Module
BugReporterController Module
CustomTransformationFunctionController Module
MoveMessageController Module
ProjectExportController Module
ProjectImportController Module
ProjectPropertiesController Module
WorkspaceConfigurationController Module
WorkspaceSelectorController Module
Views Package
AvailablePluginsView Module
BugReporterCertificateErrorView Module
70 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
BugReporterView Module
CustomTransformationFunctionView Module
MoveMessageView Module
ProjectExportView Module
ProjectImportView Module
ProjectPropertiesView Module
WorkspaceConfigurationView Module
WorkspaceSelectorView Module
Export Package
Subpackages
Controllers Package
RawExportController Module
ScapyExportController Module
TextExportController Module
Views Package
RawExportView Module
ScapyExportView Module
TextExportView Module
Fuzzing Package
Subpackages
Grammar Package
6.1. netzob Package 71
Netzob Documentation, Release 0.4.1
Subpackages
Controllers Package
CreateCloseChannelTransitionController Module
CreateOpenChannelTransitionController Module
CreateSemiStochasticTransitionController Module
CreateStateController Module
DeleteStateController Module
DeleteTransitionController Module
EditStateController Module
GrammarController Module
Subpackages
Menus Package
ContextualMenuOnStateController Module
Views Package
CreateCloseChannelTransitionView Module
CreateOpenChannelTransitionView Module
CreateSemiStochasticTransitionView Module
CreateStateView Module
DeleteStateView Module
DeleteTransitionView Module
EditStateView Module
72 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
GrammarView Module
GrammarXDotWidget Module
Subpackages
Menus Package
ContextualMenuOnStateView Module
Import Package
ImportFileChooserDialog Module
Subpackages
Controllers Package
ConfirmImportMessagesController Module
Views Package
ConfirmImportMessagesView Module
Simulator Package
Subpackages
Controllers Package
CreateNetworkActorController Module
SimulatorController Module
Views Package
CreateNetworkActorView Module
SimulatorView Module
TraceManager Package
6.1. netzob Package 73
Netzob Documentation, Release 0.4.1
Subpackages
Controllers Package
ApplicativeDataImportController Module
ApplicativeDataManagerController Module
TraceManagerController Module
Views Package
ApplicativeDataImportView Module
ApplicativeDataManagerView Module
TraceManagerView Module
Vocabulary Package
Subpackages
Controllers Package
EnvironmentDependenciesSearcherController Module
FieldAnalysisController Module
FilterMessagesController Module
FindSizeFieldsController Module
MessageTableController Module
MessagesDistributionController Module
PopupEditFieldController Module
RelationsController Module
ResearchController Module
74 Chapter 6. Developer Guide
Netzob Documentation, Release 0.4.1
SplitFieldController Module
VariableController Module
VariableDisplayerController Module
VocabularyController Module
Subpackages
Menus Package
ContextualMenuOnFieldController Module
ContextualMenuOnLayerController Module
Partitioning Package
ForcePartitioningController Module
ResetPartitioningController Module
SequenceAlignmentController Module
SimplePartitioningController Module
SmoothPartitioningController Module
Views Package
EnvironmentDependenciesSearcherView Module
FieldAnalysisView Module
FilterMessagesView Module
MessageTableView Module
MessagesDistributionView Module
PopupEditFieldView Module
6.1. netzob Package 75
Netzob Documentation, Release 0.4.1
RelationsView Module
ResearchView Module
SearchResultsView Module
SplitFieldView Module
VariableDisplayerView Module
VariableView Module
VocabularyView Module
Subpackages
Menus Package
ContextualMenuOnFieldView Module
ContextualMenuOnLayerView Module
Partitioning Package
ForcePartitioningView Module
ResetPartitioningView Module
SequenceAlignmentView Module
SimplePartitioningView Module
SmoothPartitioningView Module
76 Chapter 6. Developer Guide
CHAPTER 7
Indices and tables
• Table of content
• genindex
• modindex
• search
77
Netzob Documentation, Release 0.4.1
78 Chapter 7. Indices and tables
Python Module Index
nnetzob.Common.Automata, 36netzob.Common.CommandLine, 36netzob.Common.DepCheck, 36netzob.Common.EnvironmentalDependencies,
37netzob.Common.EnvironmentalDependency,
37netzob.Common.ExecutionContext, 37netzob.Common.Functions.EncodingFunction,
42netzob.Common.Functions.FunctionApplicationTable,
43netzob.Common.Functions.RenderingFunction,
43netzob.Common.Functions.TransformationFunction,
43netzob.Common.Functions.Visualization.BackgroundColorFunction,
44netzob.Common.Functions.Visualization.TextColorFunction,
45netzob.Common.Functions.VisualizationFunction,
44netzob.Common.Grammar, 37netzob.Common.LoggingConfiguration, 38netzob.Common.MMSTD.Dictionary._Variable,
46netzob.Common.MMSTD.Dictionary.DictionaryEntry,
46netzob.Common.MMSTD.Dictionary.MMSTDDictionary,
46netzob.Common.MMSTD.Dictionary.RelationTypes.AbstractRelationType,
49netzob.Common.MMSTD.Dictionary.VariableProcessingToken.AbstractVariableProcessingToken,
50netzob.Common.MMSTD.Dictionary.Variables._AlternateVariable,
51
netzob.Common.MMSTD.Dictionary.Variables._IPVariable,52
netzob.Common.MMSTD.MemOpexs.impl.ForgetMemOpex,53
netzob.Common.MMSTD.MemOpexs.MemOpex,53
netzob.Common.MMSTD.States.AbstractState,53
netzob.Common.MMSTD.States.impl.NormalState,54
netzob.Common.MMSTD.States.impl.StartState,54
netzob.Common.MMSTD.Symbols.AbstractSymbol,55
netzob.Common.MMSTD.Symbols.impl.DictionarySymbol,55
netzob.Common.MMSTD.Transitions.AbstractTransition,56
netzob.Common.MMSTD.Transitions.impl.CloseChannelTransition,56
netzob.Common.MMSTD.Transitions.impl.OpenChannelTransition,57
netzob.Common.MMSTD.Transitions.impl.SimpleTransition,58
netzob.Common.Models.Factories.IPCMessageFactory,59
netzob.Common.NetzobException, 38netzob.Common.Order, 38netzob.Common.Plugins.AbstractPluginView,
60netzob.Common.Plugins.Extensions.CapturerMenuExtension,
61netzob.Common.Plugins.Extensions.ExportMenuExtension,
61netzob.Common.Plugins.Extensions.GlobalMenuExtension,
62netzob.Common.Plugins.Extensions.NetzobExtension,
62
79
Netzob Documentation, Release 0.4.1
netzob.Common.Process, 38netzob.Common.Property, 39netzob.Common.PropertyList, 39netzob.Common.Sequence, 40netzob.Common.SharedLib, 40netzob.Common.SignalsManager, 41netzob.Common.Threads.Job, 62netzob.Common.Threads.Task, 62netzob.Common.Type.Endianess, 63netzob.Common.Type.Format, 63netzob.Common.Type.Sign, 64netzob.Common.Type.TypeIdentifier, 64netzob.Common.Type.UnitSize, 64netzob.Common.XSDResolver, 42netzob.Export.RawExport, 64netzob.Export.ScapyExport, 65netzob.Export.TextExport, 65netzob.Import.GOTPoisoning.GOTPoisoner,
65netzob.Import.GOTPoisoning.HijackedFunction,
65netzob.Import.GOTPoisoning.InjectorGenerator,
66netzob.Import.GOTPoisoning.ParasiteGenerator,
66netzob.Import.GOTPoisoning.PrototypesRepositoryParser,
67netzob.Import.ThirdParties.AbstractThirdPartyImporter,
67netzob.Inference.Grammar.EquivalenceOracles.AbstractEquivalenceOracle,
68netzob.Inference.Grammar.Oracles.AbstractOracle,
68netzob.Inference.Vocabulary.SearchResult,
68netzob.Inference.Vocabulary.SearchTask,
69netzob.NetzobPluginManagement, 35netzob.NetzobResources, 35netzob.release, 35netzob.UI.ModelReturnCodes, 69
80 Python Module Index
Top Related