Netzob Documentation

Netzob DocumentationRelease 0.4.1

Frédéric Guihéry, Georges Bossert

January 04, 2014

Contents

1 Contact information 3

2 Netzob Overview 52.1 Overview of Netzob . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Tutorials 93.1 Getting started with Netzob . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.2 Auto generation of Peach pit files/fuzzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.3 Export Wireshark dissectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4 Installation Guides 214.1 Installation Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.2 Installation documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.3 Installation documentation on Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.4 Installation documentation on Gentoo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244.5 Installation documentation on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

5 User Guide 275.1 Importing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275.2 Protocol inference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295.3 Generating traffic and simulating actors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335.4 Exporting protocol model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

6 Developer Guide 356.1 netzob Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

7 Indices and tables 77

Python Module Index 79

i

ii

Netzob Documentation, Release 0.4.1

Netzob is an open source tool for reverse engineering, traffic generation and fuzzing of communication protocols. Itallows to infer the message format and the state machine of a protocol through passive and active processes. Themodel can afterward be used to simulate realistic and controllable trafic.

The main features of Netzob are:

Vocabulary Inference Netzob includes a complete model to represents the message format of a protocol (aka itsvocabulary). Using specific algorithms, it allows to learn it from provided traces.

Grammar Inference The state machine of a protocol (aka its grammar) defines the valid sequences of exchangedmessages. Netzob allows to learn it semi-automaticaly using specific algorithms.

Protocol simulation To support the inferring process, a dynamic analysis is perfomed based on simulated actors.These can initiate and take part in a complex communication following the infered protocol.

Contents 1


2 Contents

CHAPTER 1

Contact information

Website http://www.netzob.org

Email [email protected]

Mailing list Two lists are available, use the SYMPA web interface to register.

IRC You can hang-out with us on Freenode’s IRC channel #netzob @ freenode.org.

Wiki Discuss strategy on Netzob’s wiki

Twitter Follow Netzob’s official accounts (@Netzob)

3

http://www.netzob.org

mailto:[email protected]

https://lists.netzob.org/wws

https://dev.netzob.org/projects/netzob/wiki


4 Chapter 1. Contact information

CHAPTER 2

Netzob Overview

2.1 Overview of Netzob

Netzob has been initiated by security auditors of AMOSSYS and the CIDre research team of Supélec to address thereverse engineering of communication protocols.

Originaly, the development of Netzob has been initiated to support security auditors and evaluators in their activitiesof modeling and simulating undocumented protocols. The tool has then been extended to allow smart fuzzing ofunknown protocol.

The following picture depicts the main modules of Netzob:

Figure 2.1: Architecture of Netzob

• Import module: Data import is available in two ways: either by leveraging the channel-specific captors (cur-rently network and IPC – Inter-Process Communication), or by using specific importers (such as PCAP files,structured files and OSpy files).

• Protocol inference modules: The vocabulary and grammar inference methods constitute the core of Netzob.It allows both passive and active reverse engineering of communication flows through automated and manualsmechanisms.

• Simulation module: Given vocabulary and grammar models previously inferred, Netzob can understand andgenerate communication traffic between multiple actors. It can act as either a client, a server or both.

• Export module: This module permits to export an inferred model of a protocol in formats that are understand-able by third party software or by a human. Current work focuses on export format compatible with main trafficdissectors (Wireshark and Scapy) and fuzzers (Peach and Sulley).

And here is a screenshot of the main graphical interface:

The following sections will describe in more details the available mechanisms.

2.1.1 Import and capture data

The first step in the inferring process of a protocol in Netzob is to capture and to import messages as samples. Thereare different methods to retrieve messages depending of the communication channel used (files, network, IPC, USB,

5

http://www.amossys.fr

http://www.rennes.supelec.fr/ren/rd/cidre/


etc.) and the format (PCAP, hex, raw binary flows, etc.).

The figure below describes the multiple communication channels and therefore possible sniffing point’s Netzob aimsat addressing.

Figure 2.2: Multiple communication flows arround an application

The current version (version 0.4) of Netzob deals with the following data sources :

• Live network communications

• Captured network communications (PCAPs)

• Inter-Process Communications (IPCs)

• Text and binary files

• API flows through oSpy file format support

Otherwise, if you plan to reverse a protocol implemented over an supported communication channel, Netzob’s can ma-nipulates any communications flow through an XML representation. Therefore, this situation only requires a specificdevelopment to capture the targeted flow and to save it using a compatible XML.

Figure 2.3: Importing data from an unknown communication channel using the XML definition

2.1.2 Inferring message format and state machine with Netzob

The vocabulary of a communication protocol defines all the words which are integrated in it. For example, the vo-cabulary of a malware’s communication protocol looks like a set of possible commands : {“attack www.google.fr”,“dnspoison this.dns.server.com”, “execute ‘uname -a”’, ...}. Another example of a vocabulary is the set of valids wordsin the HTTP protocol : { “GET /images/logo.png HTTP/1.1 ...”, “HTTP/1.1 200 OK ...”, ...}.

Netzob’s vocabulary inferring process has been designed in order to retrieve the set of all possible words used in atargeted protocol and to identify their structures. Indeed words are made of different fields which are defined by theirvalue and types. Hence a word can be described using the structure of its fields.

We describe the learning process implemented in Netzob to semi-automatically infer the vocabulary and the grammarof a protocol. This process, illustrated in the following picture, is performed in three main steps:

1. Clustering messages and partitioning these messages in fields.

2. Characterizing message fields and abstracting similar messages in symbols.

3. Inferring the transition graph of the protocol.

Figure 2.4: The main functionalities

Step 1: clustering Messages and Partitioning in Fields

To discover the format of a symbol, Netzob supports different partitioning approaches. In this article we describe themost accurate one, that leverages sequence alignment processes. This technique permits to align invariants in a set ofmessages. The Needleman-Wunsh algorithm performs this task optimally. Needleman-Wunsh is particularly effectiveon protocols where dynamic fields have variable lengths (as shown on the following picture).

When partitioning and clustering processes are done, we obtain a relevant first approximation of the overall messageformats. The next step consists in determining the characteristics of the fields.

6 Chapter 2. Netzob Overview

http://code.google.com/p/ospy/

http://www.google.fr

http://en.wikipedia.org/wiki/Needleman%E2%80%93Wunsch_algorithm


Figure 2.5: Sequence alignment with Needleman-Wunsh algorithm

If the size of those fields is fixed, as in TCP and IP headers, it is preferable to apply a basic partitioning, also providedby Netzob. Such partitioning works by aligning each message by the left, and then separating successive fixed columnsfrom successive dynamic columns.

To regroup aligned messages by similarity, the Needleman-Wunsh algorithm is used in conjunction with a clusteringalgorithm. The applied algorithm is UPGMA.

Step 2 : characterization of Fields

The field type identification partially derives from the partitioning inference step. For fields containing only invariants,the type merely corresponds to the invariant value. For other fields, the type is automatically materialized, in firstapproximation, with a regular expression, as shown on next figure. This form allows to easily validate the dataconformity with a specific type. Moreover, Netzob offers the possibility to visualize the definition domain of a field.This helps to manually refine the type associated with a field.

Figure 2.6: Characterization of field type

Some intra-symbol dependencies are automatically identified. The size field, present in many protocol formats, is anexample of intra-symbol dependency. A search algorithm has been designed to look for potential size fields and theirassociated payloads. By extension, this technique permits to discover encapsulated protocol payloads.

Environmental dependencies are also identified by looking for specific values retrieved during message capture. Suchspecific values consist of characteristics of the underlying hardware, operating system and network configuration.During the dependency analysis, these characteristics are searched in various encoding.

Step 3: inferring the Transition Graph of the Protocol

The third step of the learning process discovers and extracts the transition graph from a targeted protocol (also calledthe grammar). More formally, the grammar of a communication protocol defines the set of valid sentences which canbe produced by a communication. A sentence is a sorted set of words which may be received or emmited by a protocolhandler. An exemple of a simple sentence is :

["attack www.google.fr", "attack has failed", "attack www.kernel.org", "root access granted."]

which can be described using the following simple automata with S0 the initial state :

Figure 2.7: Schema of a simple grammar

The learning process step is achieved by a set of active experiments that stimulate a real client or server implementationusing successive sequences of input symbols and analyze its responses.

In Netzob, the automata used to represent or model a communication protocol is an extended version of a Mealyautomata which includes semi-stochastic transitions, contextualized and parametrized inputs and outputs. The firstacademic presention of this model is included in a dedicated scientific paper provided in the documentation section.

The model is inferred through a dedicated active process which consists in stimulating an implementation and toanalyze its responses. In this process, we use the previously infered vocabulary to discover and to learn the grammarof the communication protocol. Each stimulation is computed following an extension of the Angluin L algorithm*.

2.1. Overview of Netzob 7

http://en.wikipedia.org/wiki/UPGMA


2.1.3 Protocol simulation

One of our main goal is to generate realistic network traffic from undocummented protocols. Therefore, we have im-plemented a dedicated module that, given vocabulary and grammar models previously infered, can simulate a commu-nication protocol between multiple bots and masters. Besides their use of the same model, each actors is independentfrom the others and is organized around three main stages.

The first stage is a dedicated library that reads and writes from the network channel. It also parses the flow in messagesaccording to previous protocols layers. The second stage uses the vocabulary to abstract received messages intosymbols and vice-versa to specialize emitted symbols into messages. A memory buffer is also available to managedependency relations. The last stage implements the grammar model and computes which symbols must be emittedor received according to the current state and time.

2.1.4 Smart fuzzing with Netzob

A typical example of dynamic vulnerability analysis is the robustness tests. It can be used to reveal software program-ming errors which can leads to software security vulnerabilities. These tests provide an efficient and almost automatedsolution to easily identify and study exposed surfaces of systems. Nevertheless, to be fully efficient, the fuzzing ap-proaches must cover the complete definition domain and combination of all the variables which exist in a protocol (IPadresses, serial numbers, size fields, payloads, message identifer, etc.). But fuzzing typical communication interfacerequires too many test cases due to the complex variation domains introduced by the semantic layer of a protocol. Inaddition to this, an efficient fuzzing should also cover the state machine of a protocol which also brings another hugeset of variations. The necessary time is nearly always too high and therefore limits the efficiency of this approach.

With all these contraints, achieving robustness tests on a target is feasible only if the expert has access to a speciallydesigned tool for the targeted protocol. Hence the emergence of a large number of tools to verify the behavior of anapplication on one or more communication protocols. However in the context of proprietary communications protocolsfor which no specifications are published, fuzzers do not provide optimal results.

Netzob helps the security evaluator by simplifying the creation of a dedicated fuzzer for a proprietary or undocumentedprotocol. It allows the expert to execute a semi-automated inferring process to create a model of the targeted protocol.This model can afterward be refined by the evaluator. Finally, the created model is included in the fuzzing module ofNetzob which considers the vocabulary and the grammar of the protocol to generate optimized and specific test cases.Both mutation and generation are available for fuzzing.

2.1.5 Export protocol model

The following export formats are currently provided by Netzob:

• XML format

• human readable (Wireshark like)

• Peach fuzzer export: this allows to combine efficiency of Peach Fuzzer on previously undocummented protocols.

Besides, you can write your own exporter to manipulate the inferred protocol model in your favorite tool.

Netzob has been initiated by security auditors of AMOSSYS and the CIDre research team of Supélec to address thereverse engineering of communication protocols. A detailed overview of the project is available here.

8 Chapter 2. Netzob Overview

CHAPTER 3

Tutorials

3.1 Getting started with Netzob

The goal of this tutorial is to present the usage of each main component of Netzob (inference of message format,construction of the state machine and generation of traffic) through an undocumented protocol.

You can download the protocol material here :

• Protocol PCAP : contains messages of the targeted protocol ;

• Protocol implementation : provide the server and client implementation of the protocol.

You can follow the tutorial with only the PCAP file. But, you will need the implementation if you want to generatetraffic and allow Netzob to discuss with a real implementation.

3.1.1 Setting the Workspace

Just after installing Netzob, when you start it, you have to set the workspace directory (as in Eclipe).

3.1.2 Your first project

To create a project, navigate to the menu File > New project. Here, you can choose a project name which shouldbe unique in the workspace.

Side note: by default, Netzob chooses a location inside a dedicated directory located in the “projects”directory of your current workspace. The newly created project is automatically selected which allow youto start working on it.

You can switch to another project at anytime through the use of the menu File > Open project fromworkspace. Do not forget to save your project before!

9

https://dev.netzob.org/attachments/132/target_protocol.pcap

https://dev.netzob.org/attachments/127/target_protocol.tar.gz


3.1.3 Capture traces

The first step in the inferring process of a protocol in Netzob is to capture and to import messages as samples. Thereare different methods to retrieve messages depending of the communication channel used (files, network, IPC, USB,etc.) and the format (PCAP, hex, raw binary flows, etc.).

For this tutorial, you can import network messages with the provided PCAP file. But we recommand to use theprovided implementation to generate samples of traffic and capture them with Netzob. You can to this with theNetwok Capturer plugin, which is accessible is the menu File > Capture messages > Capture networktraffic.

As shown on the picture, you have to launch the capture at the Layer 4 on the localhost lo interface. As the targetedprotocol works over UDP, you’ll be able to capture only the UDP payloads. Then launch the server of the targetedprotocol and then the client. This one will send different commands to the server and wait for the response.

Once you have captured one session, you have to select the messages you want to import (you should import every-thing) and click the Import messages button. A popup will ask you if you want to allow duplicate messages. It’s betterto not do so, to avoid unnecessary messages. We recommend to repeat this import process 4 times, in order to haveenough variation between messages.

3.1.4 Infer vocabulary

Let’s now start the inference of the message format (vocabulary).

The next picture shows the whole vocabulary inference interface and the intended meaning of each component.

The main window shows each message in raw hexadecimal format. You can play with visualization attributes : rightclick on the symbol, then select Visualization and the attribute you want to change (hex, decimal or even string format,the unit size and potentially the sign and endianess).

The following picture shows the rendering of the messages in hex format (on the left) and string format (onthe right). You can then see that messages contain some interesting strings (api_identify, api_encrypt,api_decrypt, etc.).

You can use the filter functionality to display messages that contain a specific pattern. Here, we filter with theapi_identify pattern.

This filter permits to easily retrieve the messages associated with a potential identification command.

You can see that a ‘#‘ character is present in each messages. You can try to split the messages by forcing theirpartitioning with a specific delimiter. To do so, use the Force partitioning functionality available in the symbol list(either with a right click on a symbol, or by selecting a symbol with its checkbox and then clicking on the Forcepartitioning button right above).

Using the ‘#‘ string delimiter, you’ll have the following result:

You may also want to play with Sequence alignment. This partitionment allows to align messages according to theircommon patterns.

After playing with the different partitionment available, you are able to retrieve the different commands associatedwith the targeted protocol, as shown on the following picture.

According to the name of the commands, you can see that a api_encrypt command is available. Let’s have a lookat its message format, which looks like:

10 Chapter 3. Tutorials

https://dev.netzob.org/attachments/106/tuto_capture.png

https://dev.netzob.org/attachments/123/tuto_voca_ui.png

https://dev.netzob.org/attachments/129/tuto_messages.png


[command]#[dataToEncrypt][padding]

Netzob allows you to indicate that a specific field has a mutable content, which means its data is not fixed (such as the‘#’ delimiter) nor part of a set of fixed elements (such as the command string).To specify the structure of a field and itsattributes, right click on a field and select Edit Variable. A popup dialog displays a rooted tree that corresponds to theinferred structure of the field. For example, you should have all the observed values of the field (materialized throughDataVariable leafs) under an AlternateVariable node variable.

Regarding the targeted protocol, as we want to allow any data for the current field, we first have to delete theAlternateVariableNode and modify the root node to a DataVariable that has a mutable behavior, as shownon the following picture.

You can visualize the associated message format on bottom-left corner. Its should display something like this:

Now that we have refined the api_encrypt command message, we have to do the same for other commands thatalso take as parameter a user data: api_identify, api_authentify and api_decrypt, but also for someresponse messages such as resp_decrypt and resp_encrypt.

At this time, you have a satisfactory approximation the vocabulary. You can now start to construct the state machineof the protocol.

3.1.5 Infer Grammar

In this tutorial, we won’t explain the automatic inference (learning) of the state machine. As the targeted protocol hasa basic state machine, we will simply show how to model it in Netzob.

A basic state machine contains states and transitions. In Netzob, we use a complex structure to model the grammar ofa protocol. This model allows to specify information such as the response time between an input symbol and an outputsymbol, or even the probability of the different output messages given an uniq input message. This model is called anSMMDT (Stochastic Mealy Machine with Deterministic Transitions).

The grammar perspective interface of Netzob allows you to create:

• states (initial or not);

• semi-stochastic transitions (i.e. “normal” transitions);

• open channel transitions;

• close channel transitions.

Regarding our targeted protocol, we construct the associated model with the following information:

• 1 open channel transition and an initial state;

• 1 close channel transition and a final state;

• 4 main states: init, identified, authenticated, closed;

• depending on the current state, we are able or not to launch certain commands;

• some commands will trigger transitions (api_identify, api_authentify and api_bye).

Once modeled, this looks like:

Now that Netzob knows both the vocabulary and the grammar of the targeted protocol, we are able to generate trafficthat respect the protocol model.

3.1. Getting started with Netzob 11

https://dev.netzob.org/attachments/101/tuto_messages3.png

https://dev.netzob.org/attachments/131/tuto_force_part_result.png


3.1.6 Generate traffic

Let’s go to the Simulator perspective of Netzob.

The simulator allows you to create either a client, a server or both. You can tell Netzob to talk with a real client orserver implementation, or you can just launch a client and a server inside Netzob and let them talk together.

Let’s now create a client. We have to specify the following information:

• client name;

• initiator or not (i.e. who opens the communication channel ?): it will usally be yes for a client;

• client or server side: client;

• protocol: UDP for te targeted protocol;

• bind IP: nothing here, as the client finds its own interface;

• bind port: nothing here, as the client finds its own port;

• target IP: 127.0.0.1;

• target port: 4242.

Now start the real server implementation, select the client in Netzob and click the Start button on the top-right corner.This will generate and send commands to the real server, and you’ll be able to see the exchanged messages in theinterface, as shown on the following picture.

After this introductive tutorial, we’ll be glade to have feedbacks and to help you (see our mailing [email protected] or ou IRC channel #netzob on Freenode).

If you want to go further and start contributing to Netzob, that’s perfect. There are many simple or complex taskseveryone can do: translation, documentation, bug fix, feature proposal or implementation.

3.2 Auto generation of Peach pit files/fuzzers

3.2.1 Principle

Peach is an open-source framework of fuzzing. It allows testers to create smart fuzzers adapted to their needs throughXML configuration files called *Peach pit files*. Making such files needs knowledge of the format message and statemachine of the targeted protocol as well as the actor Peach has to fuzz.

Fortunately, Netzob allows the user to reverse engineer undocumented and proprietary protocols from provided tracesin a semi-automatic way. Netzob provides an exporter plugin for Peach that allows to transform the inferred datamodel and state machine of a targeted protocol into a Peach pit file automatically.

This tutorial shows how to take advantage of the Peach exporter plugin provided in Netzob to automatically constructPeach pit configuration files.

3.2.2 Prerequisite

You need Netzob in version 0.4.1 or above.


https://dev.netzob.org/attachments/104/tuto_symboles.png

https://dev.netzob.org/attachments/105/tuto_variable.png

http://www.netzob.org/community


http://www.netzob.org/development

http://peachfuzzer.com

http://peachfuzzer.com/PeachPit

https://dev.netzob.org/attachments/97/tuto_variable2.png


This tutorial assumes that the user have previously followed the Getting started with Netzob tutorial and have a com-plete Netzob project (or at least some format messages). The protocol implementation contains several vulnerabilitiesthat should be detected during fuzzing.

Moreover it assumes that the user has Peach 2.3.8 installed.

3.2.3 Export

To export the project go in File > Export the project > Peach pit file. The window below shouldappears :

The window is composed of three panels. The left one lists all fuzzer available. They differ on the state representation.There are three kinds of fuzzer available:

• “Randomized state order fuzzer”: one state is created for each symbols of Netzob and at each step, the fuzzerchanges of state for a randomly chosen one.

• “Randomized transitions stateful fuzzer”: one state is created for each symbols of Netzob and the transitionsbewteen these states are based on those Netzob allows, weight by their probability.

• “One-state fuzzer”: one state is created corresponding to the chosen symbol.

When the fuzzer is on a particular state, it sends fuzzed data that corresponds to the associated symbol to the target.Choose one of them.

The right panel shows the fuzzer. It gives the user a small idea of what he is doing and what changes between twoconfigurations.

The bottom panel has two options:

• The first options Fuzzing based on tells on which Netzob data model the fuzzing is based:

– “Variable”: use the Netzob variables to make Peach data models. It makes more fuzzy but less smartfuzzer.

– “Regex”: use the Netzob Regex (which are displayed on the top of the symbol visualization), it is thesimplest solution.

• The second options Mutate static fields tells if the static fields in the Netzob data model are fuzzedor not.

The Export button exports the fuzzer into a user defined file.

Use this fuzzer into Peach¶

Export this fuzzer directly through the Export button to a file named “test.xml” into the directory of Peach. It shouldcreate a PeachzobAddons.py file, which is essential for Peach to leverage Netzob capabilities as “fixup”.

The “test.xml” file should look like this. Look closely to the few XML comments.

<?xml version="1.0" encoding="utf-8"?><Peach xmlns="http://phed.org/2008/Peach" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

<Include ns="default" src="file:defaults.xml"/><Import import="PeachzobAddons"/>

<DataModel name="dataModel 1"><Blob name="Field 0_0" valueType="hex" value="6170695f"/>

3.2. Auto generation of Peach pit files/fuzzers 13

https://dev.netzob.org/attachments/116/tuto_grammar.png

http://www.netzob.org/resources/tutorial_get_started

https://dev.netzob.org/attachments/122/tuto_simu_ui.png


<Blob name="Field 1_0" valueType="hex"><Fixup class="PeachzobAddons.Or">

<Param name="values" value="Blob,696e666f; Blob,7374617473"/></Fixup>

</Blob><Blob name="Field 2_0" valueType="hex" value="2300000000000000000000000000000000000000000000"/><Blob name="Field 3_0" valueType="hex" value="00"/>

</DataModel><DataModel name="dataModel 2"><Blob name="Field 0_0" valueType="hex" value="6170695f62796523000000000000000000000000000000000000000000000000"/>

</DataModel><DataModel name="dataModel 3"><Blob name="Field 0_0" valueType="hex" value="6170695f6964656e746966792366726564000000000000000000000000000000"/>

</DataModel><DataModel name="dataModel 4"><Blob name="Field 0_0" valueType="hex" value="6170695f61757468656e74696679236d79506173737764210000000000000000"/>

</DataModel><DataModel name="dataModel 5"><Blob name="Field 0_0" valueType="hex" value="6170695f656e6372797074233132333435367465737400000000000000000000"/>

</DataModel><DataModel name="dataModel 6"><Blob name="Field 0_0" valueType="hex" value="6170695f64656372797074237370717677743627313600000000000000000000"/>

</DataModel><DataModel name="dataModel 7"><Blob name="Default-1_0" valueType="hex" value="00000000"/><Blob name="Default-2-1_0" valueType="hex" value="23"/><Blob name="Default-2-2-1-1_0" valueType="hex">

<Fixup class="PeachzobAddons.Or">

<Param name="values" value="Blob,00000000000000; Blob,00000004000000; Blob,00000005000000; Blob,0000000a000000; Blob,64000000000000; Blob,8b04080a000000"/></Fixup>

</Blob><Blob name="Default-2-2-1-2_0" valueType="hex">

<Fixup class="PeachzobAddons.Or"><Param name="values" value="Blob,00000000000000000000; Blob,31323334353674657374; Blob,696e666f000000000000; Blob,73707176777436273136; Blob,73746174730000000000"/>

</Fixup></Blob><Blob name="Default-2-2-2_0" valueType="hex" value="00000000000000000000"/>

</DataModel><DataModel name="dataModel 9"><Blob name="Field 0">

<Fixup class="PeachzobAddons.RandomField"><Param name="minlen" value="0"/><Param name="maxlen" value="1024"/><Param name="type" value="Blob"/>

</Fixup></Blob>

</DataModel>


https://dev.netzob.org/attachments/99/tuto_simu.png


<StateModel initialState="state 0" name="stateModel"><State name="state 0">

<Action ref="state 1" type="changeState" when="random.randint(1,8)==1"/><Action ref="state 2" type="changeState" when="random.randint(1,7)==1"/><Action ref="state 3" type="changeState" when="random.randint(1,6)==1"/>

<Action ref="state 4" type="changeState" when="random.randint(1,5)==1"/><Action ref="state 5" type="changeState" when="random.randint(1,4)==1"/><Action ref="state 6" type="changeState" when="random.randint(1,3)==1"/><Action ref="state 7" type="changeState" when="random.randint(1,2)==1"/><Action ref="state 9" type="changeState"/>

</State>

<State name="state 1"><Action type="output">

<DataModel ref="dataModel 1"/><Data name="data"/>

</Action></State>



</Action></State>



</Action></State>



</Action></State>



</Action></State>



</Action></State>


<DataModel ref="dataModel 7"/>

3.2. Auto generation of Peach pit files/fuzzers 15


<Data name="data"/></Action>

</State>



</Action></State>

</StateModel><Agent name="DefaultAgent">

</Agent><Test name="DefaultTest">

<StateModel ref="stateModel"/><Publisher class="udp.Udp">

<Param name="host" value="127.0.0.1"/><Param name="port" value="4242"/>

</Publisher><Publisher class="udp.Udp">

<Param name="host" value="127.0.0.1"/><Param name="port" value="10000"/>

</Publisher>

</Test><Run name="DefaultRun">

<Logger class="logger.Filesystem">

<Param name="path" value="logs"/></Logger><Test ref="DefaultTest"/>

</Run>

</Peach>

This tutorial will not talk about Peach agents but configuring one of them could be useful. In the Test block, thereis as many publishers as the Netzob simulator has actors. One publisher is needed, remove the others. If there is nopublishers, create one according to the model above. On this example, the tester remove the second publisher.

3.2.4 Launch the fuzzing

You first have to start the targeted server:

./server

Assuming that the user exports the “test.xml” file into the Peach directory, you can now start the fuzzer:

python peach.py test.xml

After few seconds, you should trigger a segfault or a stack smashing detection.



-> Read: api_identify#fredCommand: api_identifyArg: fred

<- Send:Return value: 0Size of data buffer: 13Data buffer:DATA: 72 65 73 70 5f 69 64 65 6e 74 69 66 79 "resp_identify"

-> Read: api_identify#f

Command: api_identifyArg: f

*** stack smashing detected ***: ./server terminated======= Backtrace: =========/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xcec045]/lib/i386-linux-gnu/libc.so.6(+0x103ffa)[0xcebffa]./server[0x8048a3c]./server[0x8048eb4]./server[0x8048985]/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xc014d3]./server[0x8048831]======= Memory map: ========00289000-0028a000 r-xp 00000000 00:00 0 [vdso]002fb000-00317000 r-xp 00000000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.100317000-00318000 r--p 0001b000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.100318000-00319000 rw-p 0001c000 08:03 2605207 /lib/i386-linux-gnu/libgcc_s.so.100bb4000-00bd4000 r-xp 00000000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so00bd4000-00bd5000 r--p 0001f000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so00bd5000-00bd6000 rw-p 00020000 08:03 673152 /lib/i386-linux-gnu/ld-2.15.so00be8000-00d8b000 r-xp 00000000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so00d8b000-00d8c000 ---p 001a3000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so00d8c000-00d8e000 r--p 001a3000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so00d8e000-00d8f000 rw-p 001a5000 08:03 672879 /lib/i386-linux-gnu/libc-2.15.so00d8f000-00d92000 rw-p 00000000 00:00 008048000-0804a000 r-xp 00000000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server0804a000-0804b000 r--p 00001000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server0804b000-0804c000 rw-p 00002000 08:03 6488874 /home/sygus/travaux/netzob/target_protocol/server09e0d000-09e2e000 rw-p 00000000 00:00 0 [heap]b778b000-b778c000 rw-p 00000000 00:00 0b77a8000-b77ac000 rw-p 00000000 00:00 0bf90f000-bf930000 rw-p 00000000 00:00 0 [stack]Abandon (core dumped)

3.3 Export Wireshark dissectors

3.3.1 Principle

Wireshark is an open-source packet analyzer able to identify protocols and to highlight fields from the data stream.Its main drawback is that it is only usefull on documented/standard protocols. Within Netzob, which achieves semi-automatic reverse engineering of protocols, we have developed an exporter plugin that allows automatic generationof Wireshark dissectors from proprietary or undocumented protocols. Dissectors are built in LUA programminglanguage.

3.3. Export Wireshark dissectors 17

http://www.wireshark.org

http://wiki.wireshark.org/Lua


Netzob provides a powerful datamodel in which fields are described with the following information:

• Regular expression (fixed or dynamic size)

• Name (textual representation)

• Format

• Size

• Endianess

• Signing

All this information is gathered to generate a script including a dissector used by Wireshark.

3.3.2 Language

Wireshark can be statically extended with C modules similar to core dissectors. Optionally, Wireshark can be config-ured to embed a Lua interpretor. For modularity purposes, the Lua engine has been choosed to extend Wireshark withNetzob generated dissectors.

3.3.3 Prerequisite

You need Netzob in version 0.4.1 or above. The wireshark exporter functionality is provided as a netzob core plugin(which is included in the 0.4.1 version).

This tutorial assumes that the user have previously inferred the specification of the targeted protocol. An example ofprotocol inference is avaibale in the Getting started with Netzob tutorial.

3.3.4 Usage

1. Check that Wireshark supports Lua

2. Select a project

Given a partitioned symbol in a project you can generate a wireshark dissector using the Export project menuitem, then by selecting Wireshark.

You should get a popup with the LUA script automatically generated:

3. Import into wireshark

Two methods are available:

• Evaluate the Lua script in a Wireshark instance.

In wireshark, select Tools > Lua > Evaluate and paste the generated code.

• Start wireshark with a specific Lua script.

Start wireshark with the following parameters: wireshark -X lua_script:PATH_OF_LUA_SCRIPT

This will automatically import the Lua script on start.


http://www.lua.org/

http://www.netzob.org/resources/tutorial_get_started

https://dev.netzob.org/attachments/82/2012-10-25-173314_1595x647_scrot.png



4. Dissect data packets Within the lower panel of Wireshark, you should get the dissected

packets:

3.3.5 Limitations

Variable size fields cannot be easily exported to the datamodel used by Wireshark when we don’t know the expectedsize. In this case, an error message will popup preventing Netzob from generating the dissector. If this happen, youhave to complete the protocol model in order to find the expected size of the dynamic field.

3.3.6 Improvements

These ideas could be use to enhance dissection:

• Use relations (field / size, repeat ...)

• Look at future bitfield core implementation

3.3.7 What next ?

After this tutorial, we’ll be glade to have feedbacks and to help you (see our mailing list [email protected] or ourIRC channel #netzob on Freenode).

If you want to go further and start contributing to Netzob, that’s perfect. There are many simple or complex taskseveryone can do: translation, documentation, bug fix, feature proposal or implementation.

Get started with Netzob The goal of this tutorial is to present the usage of each main component of Netzob (infer-ence of message format, construction of the state machine and generation of traffic) through an undocumentedprotocol.

Auto-generation of Peach pit files/fuzzers This tutorial shows how to take advantage of the Peach exporter pluginprovided in Netzob to automatically generate Peach pit configuration files, thus allowing to do smart fuzzing onundocumented protocols.

Auto-generation of Wireshark dissectors This tutorial shows how to leverage Netzob’ format message inference inorder to automatically generate Wireshark dissectors for proprietary or undocumented protocols.

3.3. Export Wireshark dissectors 19




http://www.netzob.org/development#becomecontributor



CHAPTER 4

Installation Guides

4.1 Installation Guide

• Python package installation




4.2 Installation documentation

This page presents how to install Netzob as a Python package.

4.2.1 Dependency requirements

As a ‘classic’ python project, Netzob is provided with its setup.py. This file defines what and how to install the projecton a Python hosting OS.

This file depends on setuptools which like few other modules cannot be automatically installed. This is the reason whyyou have to manually install the following bunch of prerequisites before initiating Netzob’s install process:

• python

• python-dev

• python-impacket

• libxml2-dev

• libxslt-dev

• python-setuptools

• gtk3

• graphviz

We also highly recommend to install the following additional dependencies:

21


• python-babel (for the translations)

• python-sphinx (for the documentation)

4.2.2 Install Netzob with easy_install

$ easy_install netzob

4.2.3 Install Netzob from .tar.gz package

First retrieve the Netzob package:

$ wget http://www.netzob.org/repository/XXX/Netzob-XXX.tar.gz

where XXX corresponds to the version you want to install (see http://www.netzob.org/download for available ver-sions).

Then, you can either install a package locally (developer mode) or on the system.

Install Netzob locally (developer mode)¶

Once the required dependencies are installed, you can install Netzob on its current directory:

$ python setup.py build$ python setup.py develop --user

Install Netzob on the system¶

You can also install Netzob as a Python system package:

$ python setup.py build$ python setup.py develop$ python setup.py install

4.2.4 Start Netzob

Once installed, running Netzob is as simple as executing:

$ ./netzob

Or if you’ve installed Netzob as a Python system package, just type:

$ netzob

4.2.5 Netzob help options

Netzob handles some command line options:

Options:--version show program’s version number and exit-h, --help show this help message and exit-w WORKSPACE, --workspace=WORKSPACE

Path to the workspace-b, --bug-reporter Activate the bug reporter-d DEBUGLEVEL, --debugLevel=DEBUGLEVEL

22 Chapter 4. Installation Guides

http://www.netzob.org/download


Activate debug information (’DEBUG’, ’INFO’, ’WARNING’, ’ERROR’, ’CRITICAL’)

Manage Netzob’s plugins:--plugin-list List the available plugins

4.2.6 Miscellaneous

Configuration requirements for Network and PCAP input:

$ sudo setcap cap_net_raw=ep /usr/bin/python2.XX

Configuration requirements for IPC input on Ubuntu:

::

$ sudo bash -c “echo 0 > /proc/sys/kernel/yama/ptrace_scope”

4.2.7 Building the documentation

The folder doc/documentation contains all the documentation of Netzob.

The user manual can be generated based on RST sources located in folder doc/documentation/source with the follow-ing command:

$ sphinx-build -b html doc/documentation/source/ doc/documentation/build/

4.3 Installation documentation on Debian

4.3.1 Using Netzob’s APT Repository

A dedicated APT repository (apt.netzob.org) is available for downloading and installing Netzob.

Steps:

1. edit you /etc/apt/sources.list to add the netzob’s repository URL,

2. import the GPG key used to sign the repository,

3. install netzob threw apt-get.

Edit /etc/apt/sources.list

You need to register the repository in your APT client by adding the following entry (stable or unstable) in your/etc/apt/sources.list or through a dedicated file in /etc/apt/sources.list.d/. Then you need toimport the gpg public key used to sign the repository.

Unstable & testing (“Wheezy”)

deb http://apt.netzob.org/debian/ unstable maindeb-src http://apt.netzob.org/debian/ unstable main

Stable (“Squeeze”)

deb http://apt.netzob.org/debian/ squeeze-backports maindeb-src http://apt.netzob.org/debian/ squeeze-backports main

4.3. Installation documentation on Debian 23


Import GPG key¶

The repository is signed, so APT may complain until you register the archive key 0xE57AEA26 to your APT keyring.The fingerprint of the key is D865 DCF0 9B9A 195C 49F0 E3F3 F750 1A13 E57A EA26 and has beensigned by the followings:

• 0xA255A6A3 : Georges Bossert <[email protected]>

• 0x561F7A47 : Frederic Guihery <[email protected]>

• 0x04B1A89C : Olivier Tetard <[email protected]>

To import the key of the APT repository you can execute the following commands :

# wget https://dev.netzob.org/misc/debian_archive.asc -O -| gpg --import# gpg --export -a 0xF7501A13E57AEA26 | sudo apt-key add -

Install netzob¶

You can install it with the following commands :

# apt-get update# apt-get install netzob

4.3.2 Using the provided Debian package

Installing Netzob directly from the debian package (deb file) implies you manually install the necessary packages inorder to handle the required dependencies. Therefore, the following commands can be executed to install them :

# apt-get install python python-ptrace python-hachoir-subfile python-matplotlib python-dpkt strace lsof python-pcapy python-bitarray python-dev python-lxml libjs-sphinxdoc python-sphinx

Once the requirements are fullfilled you can download the debian file (i386 or amd64) and install it using the followingcommand for an i386 architecture (32 bits) :

# dpkg -i netzob_0.3.0-1_i386.deb

or for an AMD64 (64 bits) :

# dpkg -i netzob_0.3.0-1_amd64.deb

4.4 Installation documentation on Gentoo

4.4.1 From official portage (not yet available)

Some build scripts have been published for future integration in Portage. While the scripts have not yet been acceptedplease refer to the alternative procedure.

# emerge -av netzob

4.4.2 From Gentoo overlay (recommended, automatic)

Alternative non official repositories are available on Gentoo which are called “overlays”. The tool used to synchronizewith these repositories is called “layman”

1. Installing layman






# emerge app-portage/layman

2. Adding “lootr” repository containing Netzob ebuild scripts

# layman -a lootr

3. Installing Netzob from this repository

# emerge -av dev-python/netzob

4.4.3 From netzob repository (expert users only, manual installation)

First step is to clone the netzob repository:

# (~) git clone https://dev.netzob.org/git/netzob-gentoo.git

Then, declare this repository in the portage configuration file /etc/make.conf by adding this line:

PORTDIR_OVERLAY="/home/USER/netzob-gentoo/"

Synchronize portage

# emerge --sync

Finally emerge Netzob package:

• tildarched (testing-like) systems:

# emerge -av netzob

• stable systems:

# ACCEPT_KEYWORDS="~x86" emerge -av netzob

4.5 Installation documentation on Windows

This documentation only applies for Netzob 0.3.3.

4.5.1 Installation of dependencies

Steps:

1. Install Python 2.7 (download the installer from python.org)

2. Install SetupTools (download the installer from pypi.python.org)

3. Install PyGTK (download the installer from gnome.org)

4. Install WinPCap 4.1.2 (download the installer from winpcap.org)

5. Install Pcapy 0.10.5 (provided on Netzob’s website ; original source: oss.coresecurity.com)

6. Install following dependencies with SetupTools (be sure to have C:\Python27\Scripts\easy_install.exe in yourPATH):

(a) easy_install numpy

4.5. Installation documentation on Windows 25

http://www.python.org/ftp/python/2.7.3/python-2.7.3.msi

http://pypi.python.org/packages/2.7/s/setuptools/setuptools-0.6c11.win32-py2.7.exe#md5=57e1e64f6b7c7f1d2eddfc9746bbaf20

http://ftp.gnome.org/pub/GNOME/binaries/win32/pygtk/2.24/pygtk-all-in-one-2.24.2.win32-py2.7.msi

http://www.winpcap.org/install/bin/WinPcap_4_1_2.exe

http://www.netzob.org/repository/0.3.3/windows-dep/pcapy-0.10.5.win32-py2.7.exe

http://oss.coresecurity.com/repo/pcapy-0.10.5.tar.gz


(b) easy_install impacket

(c) easy_install lxml==2.3

(d) easy_install -f "http://downloads.sourceforge.net/project/matplotlib/matplotlib/matplotlib-1.1.0/matplotlib-1.1.0.win32-py2.7.exe?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fmatplotlib%2Ffiles%2Fmatplotlib%2Fmatplotlib-1.1.0%2F&ts=1339591175&use_mirror=netcologne" matplotlib

(e) easy_install bitarray==0.3.5

4.5.2 Installation of Netzob

1. Install Netzob !

Remark: If you have disabled Windows UAC, a error can be raised by Windows when executing Netzob’s installer:Failed to start elevated process (ShellExecute returned 3). So you have to run the installer with administrator privilege: right-click on the executable and choose “run as administrator”.


• Debian package installation

• Gentoo package installation

• Windows package installation


http://www.netzob.org/repository/0.3.3/Netzob-0.3.3.win32-py2.7.exe

CHAPTER 5

User Guide

Read the Netzob User Guide.

5.1 Importing Data

Communication protocols can be found is every parts of a system, as shown on the following picture:

Netzob can handle multiple kinds of input data. Hence, you can analyze network traffic, IPC communications, filesstructures, etc.

Import can either be done by using a dedicated captor or by providing already captured messages in a specific format.

Current accepted formats are:

• PCAP files

• Structured files

• Netzob XML files (used by Netzob for its internal representation of messages)

Current supported captors are:

27


• Network captor, based on the XXX library

• Intra Process communication captor (API calls), based on API hooking

• Inter Process Communication captor (pipes, shared memory and local sockets), based on system call hooking

Imported messages are manipulated by Netzob through specific Python objects which contains metadata that describescontextual parameters (timestamp or even IP source/destination for example). All the Python object that describemessages derived from an abstract object : AbstractMessage.

The next part of this section details the composition of each message object.

5.1.1 AbstractMessage

All the messages inherits from this definition and therefore has the following parameters :

• a unique ID

• a data field represented with an array of hex

5.1.2 NetworkMessage

A network message is defined with the following parameters :

• a timestamp

• the ip source

• the ip target

• the protocol (TCP/UDP/ICMP...)

• the layer 4 source port

• the layer 4 target port

Definition of a NetworkMessage :

5.1.3 FileMessage

A file message is defined with the following parameters :

• a filename

• the line number in the file

• the creation date of the file

• the last modification date of the file

• the owner of the file

• the size of the file

Definition of a NetworkMessage :

Definition of the factory for XML processing of a FileMessage :

28 Chapter 5. User Guide


5.2 Protocol inference

5.2.1 Definition of a communication protocol

A communication protocol is as language. A language is defined through~:

• its vocabulary (the set of valid words or, in our context, the set of valid messages) ;

• its grammar (the set of valid sentences which, in our context, can be represented as a protocol state machine,like the TCP state machine).

A word of the vocabular is called a symbol. A symbol represents an abstract view of a set of similar messages. Similarmessages refer to messages having the same semantic (for example, a TCP SYN message, a SMTP HELLO message,an ICMP ECHO REQUEST message, etc.).

A symbol is structured following a format, which specifies a sequence of fields (like the IP format). A field can besplitted into sub-fields. For example, a payload is a field of a TCP message. Therefore, by defining a layer as a kind ofpayload (which is a specific field), we can retrieve the so-called Ethernet, IP, TCP and HTTP layers from a raw packet; each layer having its own vocabular and grammar.

Field’s size can be fixed or variable. Field’s content can be static of dynamic. Field’s content can be basic (a 32 bitsinteger) or complex (an array). A field has four attributes~:

• the type defines its definition domain or set of valid values (16 bits integer, string, etc.) ;

• the data description defines the structuration of the field (ASN.1, TSN.1, EBML, etc.) ;

• the data encoding defines ... (ASCII, little endian, big endian, XML, EBML, DER, XER, PER, etc.) ;

• the semantic defines ... (IP address, port number, URL, email, checksum, etc.).

Field’s content can be~:

• static ;

• dependant of another field (or a set of fields) of the same message (intra-message dependency) ;

• dependant of a field (or a set of fields) of a previous message in the grammar (inter-message dependency) ;

• dependant of the environment ;

• dependant of the application behaviour (which could depend on the user behaviour) ;

• random (the initial value of the TCP sequence number for example).

5.2.2 Modelization in Netzob

Netzob provides a framework for the semi-automated modelization (inference) of communication protocols, i.e. in-ferring its vocabular and grammar.

[INCLURE GRAPH]

• Vocabular inference

– Message structure inference (based on sequence alignment)

– Regoupment of similar message structures

– Field type inference

– Field dependencies from the same message and from the environment

– Field semantic inference

5.2. Protocol inference 29


• Grammar inference

– Identification of the automata of the protocol

– Fields dependencies with messages of previous states

All the functionalities of the framework are detailled in this chapter.

Vocabular inference

Structure inference

Regoupment of similar structures

Options during alignment process

• “read-only” process (do not require a participation in the communication).

• Identify the fixed and dynamic fields of all the messages.

• Regroups equivalent messages depending of their fields structures.

• Clustering (Regroups equivalent messages using) :

– an UPGMA Algorithm to regroup similar messages

– an openMP and MPI implementation

• Sequencing, Alignment (Identification of fields in messages) :

– Needleman & Wunsch Implementation

Needleman and Wunsch algorithm

• Originaly a bio-informatic algorithm (sequencing DNA)

• Align two messages and identify common patterns and field structure

• Computes an alignment score representing the efficiency of the alignment

The following picture shows the sequence alignment of two messages.

UPGMA algorithm

• Identify equivalent messages based on their alignment score.

• Build a hierarchical organization of the messages with the UPGMA algorithm (Unweighted Pair Group Methodwith Arithmetic Mean)

The following picture shows a regroupment of similar messages based on the result of the clustering process.



Abstraction of a set of message The abstraction is the process of substituting the dynamic fields with their repre-sentation as a regex. An example of abstraction is shown on the follinw picture.

Analyses after alignment process aaa

Message contextual menu aaa

Group contextual menu aaa

Refine regexes aaa

Slick regexes aaa

Concatenate aaa

Split column aaa

5.2. Protocol inference 31


Merge columns aaa

Delete message aaa

Field type inference

Visualization options aaa

Type structure contextual menu aaa

Messages distribution This function shows a graphical representation of the distribution of bytes per offset foreach message of the current group. This function helps to identify entropy variation of each fields. Entropy variationcombined with byte distribution help the user to infer the field type.

[INCLUDE GRAPH]

Data typing

• Primary types [binary, ascii, num, base64...]

– Definition domain, unique elements and intervals

– Data carving (tar gz, png, jpg, ...)

– Semantic data identification (emails, IP ...)

Domain of definition aaa

Change type representation aaa

Field dependencies from the same message and from the environment

Fields dependancies identification

• Length fields and associated payloads

• Encapsulated messages identifications

And from the environment...

Payload extraction The function “Find Size Fields”, as its name suggests, is dedicated to find fields that containany length value as well as the associated payload. It does this on each group. Netzob supports different encoding ofthe size field : big and little endian binary values are supported through size of 1, 2 and 4 bytes. The algorithm used tofind the size fields and their associated payloads is desribed in the table XXX.

[INCLUDE ALGORITHM]

The following picture represents the application of the function on a trace example. It shows the automated extractionof the IP and UDP payloads from an Ethernet frame.



Field semantic inference

Data carving Data carving is the process of extracting semantic information from fields or messages. Netzob allowsthe extraction of the following semantic information :

• URL

• email

• IP address

[INCLUDE FIGURE]

Search aaa

Properties aaa

Grammar inference

Identification of the automata of the protocol

Fields dependencies with messages of previous states

5.3 Generating traffic and simulating actors

Todo

5.3. Generating traffic and simulating actors 33


5.4 Exporting protocol model

Netzob supports the export of the modelization of the protocol in the following formats: * XML meta representation* Dedicated Scapy Dissector * Dedicated Wireshark Dissector

Each export format in described in this chapter.

5.4.1 XML Export

5.4.2 Scapy Dissector

The Scapy documentation about building new dissectors is available at the following address:

http://www.secdev.org/projects/scapy/doc/build_dissect.html

5.4.3 Wireshark Dissector

The Wireshark documentation about building new dissectors is available at the following address:

http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html


http://www.secdev.org/projects/scapy/doc/build_dissect.html

http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html

CHAPTER 6

Developer Guide

Read the Developer Guide.

See how you can contribute to Netzob

API explanation:

6.1 netzob Package

6.1.1 NetzobMainController Module

6.1.2 NetzobMainView Module

6.1.3 NetzobPluginManagement Module

class netzob.NetzobPluginManagement.NetzobPluginManagement(commandLineParser)Bases: object

Netzob entry point in order to manage netzob plugins

listAvailablePlugins()

start()

6.1.4 NetzobResources Module

6.1.5 all Module

6.1.6 release Module

netzob.release.keywords = [’Protocol’, ‘Inference’, ‘Networking’, ‘Reverse Engineering’, ‘Fuzzing’, ‘Security’]@deprecated: the official long description is now the full README.rst file

35


6.1.7 Subpackages

Common Package

ApplicativeData Module

Automata Module

class netzob.Common.Automata.Automata(type)Bases: object

MMSTD_TYPE = ‘mmstd’

getType()

static loadFromXML(xmlRoot, vocabulary, namespace, version)

save(root, namespace)

BugReporter Module

CommandLine Module

class netzob.Common.CommandLine.CommandLineBases: object

Reads, validates and parses the command line arguments provided by users

configure()Configure the parser based on Netzob’s usage and the definition of its options and arguments

getConfiguredParser()Return (if available) the parser configured to manage provided arguments and options by user. @return:the parser

getOptions()

isManagePluginsRequested()Compute and return is the user has requested to manage the plugins

isStartGUIRequested()Compute and return if the user requested (through the command line arguments and options) to start theGTK GUI

parse()Read and parse the provided arguments and options

DepCheck Module

class netzob.Common.DepCheck.DepCheckBases: object

Dependency checker. Provides multiple static method to check is required and optionnal dependency are avail-able.

static checkCExtensions()

static checkRequiredDependency()

36 Chapter 6. Developer Guide


static check_lxml()Test the lxml requirement is fulfilled

EnvironmentalDependencies Module

class netzob.Common.EnvironmentalDependencies.EnvironmentalDependenciesBases: object

captureEnvData()

getEnvData()

EnvironmentalDependency Module

class netzob.Common.EnvironmentalDependency.EnvironmentalDependency(name,aType,value)

Bases: object

getName()

getType()

getValue()


setName(name)

setType(type)

setValue(value)

ExecutionContext Module

class netzob.Common.ExecutionContext.ExecutionContextBases: object

static getCurrentProcesses()

Field Module

Grammar Module

class netzob.Common.Grammar.GrammarBases: object

addsequence(sequence)

getAutomata()

getSequences()

static loadGrammar(xmlRoot, vocabulary, namespace, version)


setAutomata(automata)

6.1. netzob Package 37


setSequences(sequences)

update(vocabulary)update: verifies the grammar and its automata is still valid and that none of its symbols has been deprecated

ImportedTrace Module

LoggingConfiguration Module

netzob.Common.LoggingConfiguration.LoggingConfiguration(*args, **kwargs)

netzob.Common.LoggingConfiguration.singleton(cls, *args, **kwargs)This decorator allows to implement some kind of Singleton design pattern. In our case, we only allow oneinstanciation.

NetzobException Module

exception netzob.Common.NetzobException.NetzobException(value)Bases: exceptions.Exception

Class of handling Netzob specific exceptions

exception netzob.Common.NetzobException.NetzobImportException(source, message, sta-tusCode=None, sub-Code=None)

Bases: netzob.Common.NetzobException.NetzobException

Raised if an error was encountered while importing data

Order Module

class netzob.Common.Order.Order(value)Bases: object

addMessage(message)

getMessages()

getValue()


removeMessage(message)


setMesages(messages)

setValue(value)

Process Module

class netzob.Common.Process.Process(name, pid, user)Bases: object

getName()

getPid()



getSharedLibs()

getUser()

setName(name)

setPid(pid)

setUser(user)

Project Module

ProjectConfiguration Module

Property Module

class netzob.Common.Property.Property(name, format, currentValue)Bases: object

getCurrentValue()

getFormat()

getName()

getPossibleValues()

hasEntry()

isEditable()

setCurrentValue(currentValue)

setFormat(format)

setHasEntry(hasEntry)

setIsEditable(isEditable)

setName(name)

setPossibleValues(possibleValues)

PropertyList Module

class netzob.Common.PropertyList.PropertyListBases: object

This class allow to store Property items that are internally stored in a dict(). Items are accessible like any otherlist or dict.

append(prop)

clear()

keys()→ list of keys in PropertyList

values()→ list of values in PropertyList



ResourcesConfiguration Module

Sequence Module

class netzob.Common.Sequence.Sequence(id, name, description)Bases: object

addMessage(message, orderNumber)

addOrder(order)

getDescription()

getID()

getName()

getOrderByValue(value)

getSortedOrders()



setDescription(description)

setID(id)

setName(name)

Session Module

SharedLib Module

class netzob.Common.SharedLib.SharedLib(name, version, path)Bases: object

static findNameAndVersion(path)

getFunctions()

getName()

getPath()

getVersion()

static loadFromXML(rootElement)

setFunctions(functions)

setName(name)

setPath(path)

setVersion(version)



SignalsManager Module

class netzob.Common.SignalsManager.SignalsManagerBases: object

Manage the signals for feature availability

SIG_FIELDS_MULTIPLE_SELECTION = ‘field.multiple_selection’

SIG_FIELDS_NO_SELECTION = ‘fields.no_selection’

SIG_FIELDS_SINGLE_SELECTION = ‘field.single_selection’

SIG_MESSAGES_MULTIPLE_SELECTION = ‘messages.multiple_selection’

SIG_MESSAGES_NO_SELECTION = ‘messages.no_selection’

SIG_MESSAGES_SINGLE_SELECTION = ‘messages.single_selection’

SIG_PROJECT_CLOSE = ‘project.close’

SIG_PROJECT_OPEN = ‘project.open’

SIG_SYMBOLS_MULTIPLE_CHECKED = ‘symbols.multiple_checked’

SIG_SYMBOLS_MULTIPLE_SELECTION = ‘symbols.multiple_selection’

SIG_SYMBOLS_NONE_CHECKED = ‘symbols.none_checked’

SIG_SYMBOLS_NO_SELECTION = ‘symbols.no_selection’

SIG_SYMBOLS_SINGLE_CHECKED = ‘symbols.single_checked’

SIG_SYMBOLS_SINGLE_SELECTION = ‘symbols.single_selection’

attach(methodToExecute, signals)

emitSignal(signal, *cb_args, **cb_kwargs)

emitSignals(signals)

getListenersMethodsForSignal(signal)



Simulator Module

SplashScreen Module

Symbol Module

Token Module

TrashSymbol Module

Vocabulary Module

Workspace Module

XSDResolver Module

class netzob.Common.XSDResolver.XSDResolverBases: lxml.etree.Resolver

addMapping(declaredFilename, realFilename)

resolve(url, id, context)

Subpackages

C_Extensions Package

WrapperArgsFactory Module

WrapperMessage Module

Functions Package

EncodingFunction Moduleclass netzob.Common.Functions.EncodingFunction.EncodingFunction(type, name)

Bases: netzob.Common.Functions.RenderingFunction.RenderingFunction

TYPE = ‘EncodingFunction’

apply(message)

getConversionAddressingTable(message)

getName()

getType()

setName(name)

setType(type)



FunctionApplicationTable Moduleclass netzob.Common.Functions.FunctionApplicationTable.FunctionApplicationTable(splittedData)

Bases: object

applyFunction(function, i_start, i_end)

getInitialConversionAddressingTable()

getResult()

getSegments(i_start, i_end)

getTags(col, i_local)

insertTagInEncoded(col, i_local, i_global, tag, currentValue)

registerTag(i_col, idTag, i, tag)

updateConversionAddressingTable(old_start, old_end, new_start, new_end)

updateConversionAddressingTableWithTable(table)

RenderingFunction Moduleclass netzob.Common.Functions.RenderingFunction.RenderingFunction(superType)

Bases: object

getID()

getPriority()

getSuperType()

static loadFromXML(rootElement, namespace, version)loadFromXML: Function which parses an XML and extract from it the definition of a rendering function@param rootElement: XML root of the function @return an instance of a function @throw NameError ifXML invalid

static save(function, root, namespace_workspace)

setPriority(priority)

TransformationFunction Moduleclass netzob.Common.Functions.TransformationFunction.TransformationFunction(type,

name)Bases: netzob.Common.Functions.RenderingFunction.RenderingFunction

TYPE = ‘TransformationFunction’

apply(message)apply: Apply the function on the provided message

getConversionAddressingTable(message)

getName()

getType()

reverse(message)reverse: Apply the reverse function on the provided message

save(root, namespace_common)Save under the provided XML root the current transformation function

setName(name)



setType(type)

VisualizationFunction Moduleclass netzob.Common.Functions.VisualizationFunction.VisualizationFunction(type,

name)Bases: netzob.Common.Functions.RenderingFunction.RenderingFunction

TYPE = ‘VisualizationFunction’

getName()

getTags()

getType()

setName(name)

setType(type)

Subpackages

Encoding Package

FormatFunction Module

Transformation Package

BZ2Function Module

Base64Function Module

CustomFunction Module

GZipFunction Module

Visualization Package

BackgroundColorFunction Moduleclass netzob.Common.Functions.Visualization.BackgroundColorFunction.BackgroundColorFunction(name,

color)Bases: netzob.Common.Functions.VisualizationFunction.VisualizationFunction

TYPE = ‘BackgroundColorFunction’

getTags()



TextColorFunction Moduleclass netzob.Common.Functions.Visualization.TextColorFunction.TextColorFunction(name,

color)Bases: netzob.Common.Functions.VisualizationFunction.VisualizationFunction

TYPE = ‘TextColorFunction’

getTags()

MMSTD Package

MMSTD Module

Subpackages

Actors Package

AbstractChannel Module

MMSTDVisitor Module

SimpleCommunicationChannel Module

Subpackages

NetworkChannels Package

InstanciatedNetworkServer Module

NetworkClient Module

NetworkServer Module

Dictionary Package

AbstractionLayer Module



DictionaryEntry Moduleclass netzob.Common.MMSTD.Dictionary.DictionaryEntry.DictionaryEntry(id, name,

value)

compare(val, indice, negative, dictionary)

forget(temporary)

generate()

getID()

getName()

getValue()

isActive()

learn(val, indice)

restore()

send(negative, dictionary)

setID(id)

setName(name)

undoForget()

MMSTDDictionary Moduleclass netzob.Common.MMSTD.Dictionary.MMSTDDictionary.MMSTDDictionary(variables,

entries)

getEntries()

getEntry(id)

getVariableByID(id)

getVariables()

Memory Module

_Variable Moduleclass netzob.Common.MMSTD.Dictionary._Variable.Variable(typeVariable, idVar, name)

Variable: Definition of a variable defined in a dictionary

compare(value, indice, negative, vocabulary, memory)compare: Compare the current variable to the end (starting at the “indice”-th character) of value.

@type value: bitarray.bitarray @param value: a bit array a subarray of which we compare to the currentvariable binray value. @type indice: integer @param indice: the starting point of comparison in value.@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @typevocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the currentproject. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory whichcan contain a former value of the variable. @rtype: integer @return: the number of letters that matches,-1 if it does not match.



getDescription(negative, vocabulary, memory)getDescription: Get the full description of the variable.

@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @typevocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the currentproject. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory whichcan contain a former value of the variable. @rtype: string @return: the full description of the variable.

getID()

getName()

getTypeVariable()

getUncontextualizedDescription()getUncontextualizedDescription: Get the uncontextualized description of the variable (no use of memoryor vocabulary).

@rtype: string @return: the uncontextualized description of the variable.

getValue(negative, vocabulary, memory)getValue: Get the current value of the variable it can be the original value if its set and not forget or thevalue in memory if it has one else its NONE.

@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @typevocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the currentproject. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory whichcan contain a former value of the variable. @rtype: (bitarray.bitarray, string) @return: the current ormemorized value of the variable in both bitarray and string format.

getValueToSend(negative, vocabulary, memory)getValueToSend: Get the current value of the variable it can be the original value if its set and not forgetor the value in memory if it has one or it generates one and save its value in memory.

@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @type vocab-ulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the current project.@type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory which cancontain a former value of the variable. @rtype: (bitarray.bitarray, string) @return: the current, memorizedvalue or a generated value of the variable in both bitarray and string format.

isMutable()

learn(value, indice, negative, vocabulary, memory)learn: Compare the current variable to the end (starting at the “indice”-th character) of value. Moreover itstores learns from the provided message.

@type value: bitarray.bitarray @param value: a bit array a subarray of which we compare to the currentvariable binray value. @type indice: integer @param indice: the starting point of comparison in value.@type negative: boolean @param negative: tells if we use the variable or a logical not of it. @typevocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of the currentproject. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a memory whichcan contain a former value of the variable. @rtype: integer @return: the number of letters that matches,-1 if it does not match.

static loadFromXML(xmlRoot, namespace, version)loadFromXML: Load a variable from an XML definition. Calls its proper heir function for it to create thevariable.

@type xmlRoot: lxml.etree.Element @param xmlRoot: the root of the XML definition. @type names-pace: string @param namespace: the namespace (precision) associated to the variable in the XML



definition. @type version: string @param version: the version of the load needed. @rtype: net-zob.Common.MMSTD.Dictionary.Variable.Variable @return: a variable constructed from this XML defi-nition.

restore(vocabulary, memory)restore: Restore learned value from the last execution of the variable.

@type vocabulary: netzob.Common.Vocabulary.Vocabulary @param vocabulary: the vocabulary of thecurrent project. @type memory: netzob.Common.MMSTD.Memory.Memory @param memory: a mem-ory which can contain a former value of the variable.

setID(idVar)

setName(name)

setTypeVariable(typeVariable)

toXML(root, namespace)toXML: Create the xml tree associated to this variable.

@type root: lxml.etree.Element @param root: the root of the tree being built. @type namespace: string@param namespace: a namespace used as a precision in the variable tree.

Subpackages

DataTypes Package

AbstractType Module

AbstractWordType Module

BinaryType Module

DecimalWordType Module

HexWordType Module

IPv4WordType Module

IntegerType Module

MACWordType Module

WordType Module

RelationTypes Package



AbstractRelationType Moduleclass netzob.Common.MMSTD.Dictionary.RelationTypes.AbstractRelationType.AbstractRelationType(sized,

min-Chars=0,max-Chars=0,de-lim-iter=None,fac-tor=1,off-set=0)

AbstractRelationType: It defines the type of a relation variable.

computeValue(writingToken)computeValue: Compute the value of the variable according to its type.

@type writingToken: netzob.Common.MMSTD.Dictionary.VariableProcessingToken.VariableWritingToken.VariableWritingToken@param writingToken: a token which contains all critical information on this access. @rtype: bitarray@return: the computed value.

getAssociatedDataType()

getFactor()

getNbBits()

getNbChars()

getOffset()

getType()getType: Return a string describing the current Type.

@rtype: string @return: the current type in string format.

makeAssociatedDataType(sized, minChars, maxChars, delimiter)Make the associated data type.

@type minChars: integer @type sized: boolean @param sized: tell if the variable can be delimited by asize or by a delimiter. @param minChars: the minimum number of elementary character the value of thisvariable can have. @type maxChars: integer @param maxChars: the maximum number of elementarycharacter the value of this variable can have. @type delimiter: bitarray @param delimiter: a set of bitsthat tells where the associated variable ends.

static makeType(typeString, sized, minChars, maxChars, delimiter, factor, offset)

setAssociatedDataType(dataType)

toString()

BinarySizeRelationType Module

WordSizeRelationType Module

Values Package

AbstractValue Module



Aggregate Module

EndValue Module

TextValue Module

VarValue Module

VariableProcessingToken Package

AbstractVariableProcessingToken Moduleclass netzob.Common.MMSTD.Dictionary.VariableProcessingToken.AbstractVariableProcessingToken.AbstractVariableProcessingToken(negative,

vo-cab-u-lary,mem-ory,value)

AbstractVariableProcessingToken: A communication token used by variable when they are processed.

appendLinkedValue(value)

getIndex()

getLinkedValue()

getMemory()

getNegative()

getValue()

getVocabulary()

isOk()

setOk(ok)

setValue(value)

VariableReadingToken Module

VariableWritingToken Module

Variables Package

AbstractLeafVariable Module

AbstractNodeVariable Module

AbstractVariable Module



AggregateVariable Module

AlternateVariable Module

ComputedRelationVariable Module

DataVariable Module

RepeatVariable Module

_AbstractRelationVariable Module

_AggregateVariable Module

_AlternateVariable Moduleclass netzob.Common.MMSTD.Dictionary.Variables._AlternateVariable.AlternateVariable(idVar,

name,chil-dren)

Bases: netzob.Common.MMSTD.Dictionary._Variable.Variable

AlternateVariable: A node variable that makes an alternative of all its children.

addChild(child)

compare(value, indice, negative, vocabulary, memory)compare: Compare the current variable to the end (starting at the “indice”-th character) of value. Returnthe number of letters that matches, -1 if it does not match.

getChildren()

getDescription(negative, vocabulary, memory)getDescription: Get the full description of the variable.

getUncontextualizedDescription()getUncontextualizedDescription: Get the uncontextualized description of the variable (no use of memoryor vocabulary).

getValue(negative, vocabulary, memory)getValue: Get the current value of the variable it can be the original value if its set and not forget or thevalue in memory if it has one else its NONE.

getValueToSend(negative, vocabulary, memory)getValueToSend: Get the current value of the variable it can be the original value if its set and not forgetor the value in memory if it has one or it generates one and save its value in memory.

learn(value, indice, negative, vocabulary, memory)learn: Compare the current variable to the end (starting at the “indice”-th character) of value. Moreover itstores learns from the provided message. Return the number of letters that matches, -1 if it does not match.

static loadFromXML(xmlRoot, namespace, version)loadFromXML: Load an alternate variable from an XML definition.

restore(vocabulary, memory)restore: Restore learned value from the last execution of the variable.



toXML(root, namespace)toXML: Create the xml tree associated to this variable.

_BinaryVariable Module

_ComputedRelationVariable Module

_DecimalWordVariable Module

_DirectRelationVariable Module

_DynLenStringVariable Module

_HexVariable Module

_IPVariable Moduleclass netzob.Common.MMSTD.Dictionary.Variables._IPVariable.IPVariable(id, name,

default-Var)

Bases: netzob.Common.MMSTD.Dictionary._Variable.Variable

generateValue(negative, dictionary)

getValue(negative, dictionary)

learn(val, indice, isForced, dictionary)

string2bin(aStr)

_IPv4Variable Module

_IntVariable Module

_MD5Variable Module

_ReferencedVariable Module

_WordVariable Module

MemOpexs Package



MemOpex Moduleclass netzob.Common.MMSTD.MemOpexs.MemOpex.MemOpex(type, id, transitionId)

getID()

getTransitionID()

getType()

static loadFromXML(xmlRoot, namespace, version)


setID(id)

setTransitionID(transitionID)

Subpackages

impl Package

ForgetMemOpex Moduleclass netzob.Common.MMSTD.MemOpexs.impl.ForgetMemOpex.ForgetMemOpex(id, tran-

sitionId,variableId)

Bases: netzob.Common.MMSTD.MemOpexs.MemOpex.MemOpex

getVariableID()



setVariableID(variableID)

States Package

AbstractState Moduleclass netzob.Common.MMSTD.States.AbstractState.AbstractState(type, id, name)

activate()

addMemOpex(memOpex)

deactivate()

executeAsClient(abstractionLayer)

executeAsMaster(abstractionLayer)

getID()

getMemOpexs()

getName()

getTransitions()

getType()



isActive()


registerTransition(transition)

removeMemOpex(memOpex)


setID(id)

setName(name)

Subpackages

impl Package

NormalState Moduleclass netzob.Common.MMSTD.States.impl.NormalState.NormalState(id, name)

Bases: netzob.Common.MMSTD.States.AbstractState.AbstractState



getID()

getName()

getTransitions()




setID(id)

setName(name)

unregisterTransition(transition)

StartState Moduleclass netzob.Common.MMSTD.States.impl.StartState.StartState(id, name)

Bases: netzob.Common.MMSTD.States.AbstractState.AbstractState



getID()

getName()

getTransitions()






setID(id)

setName(name)

Symbols Package

AbstractSymbol Moduleclass netzob.Common.MMSTD.Symbols.AbstractSymbol.AbstractSymbol(type)

getType()

Subpackages

impl Package

DictionarySymbol Moduleclass netzob.Common.MMSTD.Symbols.impl.DictionarySymbol.DictionarySymbol(dictionaryEntry)

Bases: netzob.Common.MMSTD.Symbols.AbstractSymbol.AbstractSymbol

TYPE = ‘DictionarySymbol’

getEntry()

getID()

getName()

isEquivalent(symbol)

setEntry(entry)

setID(id)

write(writingToken)write: Grant a writing access to the entry. Retrieve and return the value issued from this access.

@type writingToken: netzob.Common.MMSTD.Dictionary.VariableProcessingToken.VariableWritingToken.VariableWritingToken@param writingToken: a token which contains all critical information on this writing access. @rtype:bitarray @return: the value this acces writes.

EmptySymbol Module

UnknownSymbol Module

Transitions Package



AbstractTransition Moduleclass netzob.Common.MMSTD.Transitions.AbstractTransition.AbstractTransition(type,

id,name,in-put-State,out-put-State)

activate()

deactivate()


executeAsMaster(abstractLayer)

getDescription()

getID()

getInputState()

getName()

getOutputState()

getType()

isActive()

isValid(inputSymbol)

static loadFromXML(states, vocabulary, xmlRoot, namespace, version)

setID(id)

setInputState(inputState)

setName(name)

setOutputState(outputState)

toXMLString(idStartState)

Subpackages

impl Package

CloseChannelTransition Module



class netzob.Common.MMSTD.Transitions.impl.CloseChannelTransition.CloseChannelTransition(id,name,in-put-State,out-put-State,dis-con-nec-tion-Time)

Bases: netzob.Common.MMSTD.Transitions.AbstractTransition.AbstractTransition

TYPE = ‘CloseChannel’

closeConnection(abstractionLayer)



getDescription()

getDisconnectionTime()

isValid(receivedSymbol)

static loadFromXML(states, xmlTransition, namespace, version)


OpenChannelTransition Moduleclass netzob.Common.MMSTD.Transitions.impl.OpenChannelTransition.OpenChannelTransition(id,

name,in-put-State,out-put-State,con-nec-tion-Time,maxNum-berO-fAt-tempt)


TYPE = ‘OpenChannel’





getConnectionTime()

getDescription()

getMaxNumberOfAttempt()


static loadFromXML(states, xmlTransition, namespace, version)

openConnection(abstractionLayer)


SemiStochasticTransition Module

SimpleTransition Moduleclass netzob.Common.MMSTD.Transitions.impl.SimpleTransition.SimpleTransition(id,

name,in-put-State,out-put-State,time-Be-fore-Act-ing,out-put-Sym-bol)




getDescription()

getOutputSymbol()

getTimeBeforeActing()


static parse(xmlTransition, dictionary, states)

toXMLString(idStartState)

Models Package

AbstractMessage Module

FileMessage Module



IPCMessage Module

IRPDeviceIoControlMessage Module

IRPMessage Module

L2NetworkMessage Module



RawMessage Module

Subpackages

Factories Package

AbstractMessageFactory Module

FileMessageFactory Module

IPCMessageFactory Moduleclass netzob.Common.Models.Factories.IPCMessageFactory.IPCMessageFactory

Bases: object

XML_SCHEMA_TYPE = ‘netzob-common:IPCMessage’

static addPropertiesToElement(xmlMessage, message, namespace)

static loadFromXML(rootElement, namespace, version)

static save(message, xmlMessage, namespace_project, namespace)

IRPDeviceIoControlMessageFactory Module

IRPMessageFactory Module

L2NetworkMessageFactory Module



OldFormatNetworkMessageFactory Module



RawMessageFactory Module

Plugins Package

AbstractPluginController Module

AbstractPluginView Moduleclass netzob.Common.Plugins.AbstractPluginView.AbstractPluginView(plugin, con-

troller)Bases: object

Regroup methods any plugins’ view must be able to access

getController()Returns the controller attached to the current plugin @return: the controller

getPlugin()Returns the current plugin definition class @return: the plugin definition

CapturerPlugin Module

ExporterPlugin Module

FileImporterPlugin Module

NetzobPlugin Module

PluginChecker Module

Subpackages

Capturers Package

AbstractCapturer Module

AbstractCapturerController Module

AbstractCapturerView Module

Exporters Package

AbstractExporterController Module

AbstractExporterView Module



Extensions Package

CapturerMenuExtension Moduleclass netzob.Common.Plugins.Extensions.CapturerMenuExtension.CapturerMenuExtension(netzob,

con-troller,ac-tion-Name,menu-Text,menu-S-tock=None,men-u-Ac-cel=None,menu-Tooltip=None)

Bases: netzob.Common.Plugins.Extensions.GlobalMenuExtension.GlobalMenuExtension

executeAction(widget, vocabularyView, data=None)

getActions()

getUIDefinition()

ExportMenuExtension Moduleclass netzob.Common.Plugins.Extensions.ExportMenuExtension.ExportMenuExtension(netzob,

con-troller,ac-tion-Name,menu-Text,menu-S-tock=None,men-u-Ac-cel=None,menu-Tooltip=None)

Bases: netzob.Common.Plugins.Extensions.GlobalMenuExtension.GlobalMenuExtension

ExportMenuExtension: A generic export menu extension.

executeAction(widget, data=None)executeAction: Start the controller. Called when the menu entry is selected.

getActions()getActions:



@rtype: List @return: the list of all information on the action associated to the menu extension.

getUIDefinition()getUIDefinition: Return the User Interface definition of this menu extension.

@rtype: string @return: an xml string representing the menu extension.

GlobalMenuExtension Moduleclass netzob.Common.Plugins.Extensions.GlobalMenuExtension.GlobalMenuExtension

Bases: netzob.Common.Plugins.Extensions.NetzobExtension.NetzobExtension

NetzobExtension Moduleclass netzob.Common.Plugins.Extensions.NetzobExtension.NetzobExtension

Bases: object

Importers Package

AbstractFileImporterController Module

AbstractFileImporterView Module

AbstractImporterController Module

AbstractImporterView Module

Threads Package

Job Moduleclass netzob.Common.Threads.Job.Job(generator)

Bases: object

Wrap a co-routines that yields asynchronous tasks (see Task class).

Task Moduleclass netzob.Common.Threads.Task.Task

Bases: object

Base class for asynchronous tasks.

cancel()

config(return_cb, exception_cb)Set return and exception callbacks.

run()

Subpackages

Tasks Package



SleepTask Module

ThreadedTask Module

Type Package

Endianess Moduleclass netzob.Common.Type.Endianess.Endianess

BIG = ‘big-endian’

LITTLE = ‘little-endian’

Format Moduleclass netzob.Common.Type.Format.Format

ALPHA = ‘alpha’

ALPHA_NUM = ‘alphanum’

ASCII = ‘ascii’

BASE64_DEC = ‘base64dec’

BASE64_ENC = ‘base64enc’

BINARY = ‘binary’

DECIMAL = ‘decimal’

FLOAT = ‘float’

HEX = ‘hex’

IP = ‘ip’

IPv4 = ‘ipv4’

NUM = ‘num’

OCTAL = ‘octal’

STRING = ‘string’

formatVisualizationUnitSizes = {‘binary’: 1, ‘hex’: 4, ‘string’: 8}

static getExtendedSupportedFormats()

static getPossibleFormats(values)getPossibleFormats: Given the provided values, it computes the possible formats the values can be. returnsa list of format

static getSupportedFormats()

static getUnitSize(format)



Sign Moduleclass netzob.Common.Type.Sign.Sign

SIGNED = ‘signed’

UNSIGNED = ‘unsigned’

TypeConvertor Module

TypeIdentifier Moduleclass netzob.Common.Type.TypeIdentifier.TypeIdentifier

getTypes(val)

isAscii(val)

isBase64(val)

isHexString(val)

UnitSize Moduleclass netzob.Common.Type.UnitSize.UnitSize

BIT = ‘bit’

BITS16 = ‘16-bits’





NONE = ‘none’

static getMaxDigitForTypeAndUnitSize(aType, unitSize)

static getPackDefiniton(unitSize)

static getSizeInBits(unitSize)

unitSizeInBits = {‘32-bits’: 32, ‘16-bits’: 16, ‘8-bits’: 8, ‘bit’: 1, ‘4-bits’: 4, ‘64-bits’: 64}

Export Package

RawExport Module

class netzob.Export.RawExport.RawExport(netzob)Bases: object

getXMLDefinition(symbolID)



ScapyExport Module

class netzob.Export.ScapyExport.ScapyExport(netzob)Bases: object

getScapyDefinition(symbolID)

TextExport Module

class netzob.Export.TextExport.TextExport(netzob)Bases: object

getTextDefinition(symbolID)

ExternalLibs Package

xdot Module

Import Package

AbstractImporter Module

ApiImport Module

ThirdPartyImport Module

XMLImport Module

Subpackages

GOTPoisoning Package

GOTPoisoner Moduleclass netzob.Import.GOTPoisoning.GOTPoisoner.GOTPoisoner(parasite, injector)

injectProcess(pid)

HijackedFunction Moduleclass netzob.Import.GOTPoisoning.HijackedFunction.HijackedFunction(name, return-

Type, param-eters, source)

getEndOfFunction()

getName()

getParameters()

getParasiteFunctionDeclaration()

getParasitePrototype()



getPrototype()

getReturnType()

getSource()

static loadFromXML(rootElement)

setName(name)

setParameters(parameters)

setReturnType(returnType)

setSource(source)

InjectorGenerator Moduleclass netzob.Import.GOTPoisoning.InjectorGenerator.InjectorGenerator(tmp_folder,

parasite)

compileInjector()

getFolder()

getLibName()

getLibPath()

getParasiteSignature()

getShellCode()

getSourceCode()

produceShellCode()

writeInjectorToFile()

ParasiteGenerator Moduleclass netzob.Import.GOTPoisoning.ParasiteGenerator.ParasiteGenerator(tmp_folder)

addAnHijackedFunctions(function)

compileParasite()

getFifoFile()

getFunctions()

getParasitesSignature()

getSourceCode()

getSourceCodeHeader()

getSourceCodeOfWriteFunction()

getSourceCodeParasiteCoreFunctions()

linkParasite()

writeParasiteToFile()



PrototypesRepositoryParser Moduleclass netzob.Import.GOTPoisoning.PrototypesRepositoryParser.PrototypesRepositoryParser

static loadFromXML(file)

ThirdParties Package

AbstractThirdPartyImporter Moduleclass netzob.Import.ThirdParties.AbstractThirdPartyImporter.AbstractThirdPartyImporter(id,

name)Bases: object

getId()

getName()

parse(paths)

OSpy Module

TreeViews Package

TreeProcessesGenerator Module

Inference Package

Subpackages

Grammar Package

Angluin Module

AutomaticGrammarAbstractionView Module

AutomaticGrammarInferenceView Module

GrammarInferer Module

LearningAlgorithm Module

MQCache Module

Subpackages

EquivalenceOracles Package



AbstractEquivalenceOracle Moduleclass netzob.Inference.Grammar.EquivalenceOracles.AbstractEquivalenceOracle.AbstractEquivalenceOracle(type)

Bases: object

findCounterExample(mmstd)

WMethodNetworkEquivalenceOracle Module

Oracles Package

AbstractOracle Moduleclass netzob.Inference.Grammar.Oracles.AbstractOracle.AbstractOracle(type)

Bases: object

start(mmstd)

stop()

NetworkOracle Module

Queries Package

MembershipQuery Module

Vocabulary Package

DataCarver Module

SearchResult Moduleclass netzob.Inference.Vocabulary.SearchResult.SearchResult(message, description)

Bases: object

addSegment(i_start, i_end)

getDescription()

getMessage()

getSegments()

getVariationDescription()


setVariationDescription(variationDescription)



SearchTask Moduleclass netzob.Inference.Vocabulary.SearchTask.SearchTask(description, data, type)

Bases: object

getDescription()

getResults()

getVariations()

registerResults(r, v)

registerVariation(data, description)


SearchView Module

Searcher Module

SizeFieldIdentifier Module

_VariableView Module

Subpackages

Alignment Package

AsciiAlign Module

NeedlemanAndWunsch Module

UPGMA Module

Simulator Package

XDotWidget Module

UI Package

ModelReturnCodes Module

Created on 28 juin 2012

@author: fabien



NetzobAbstractController Module

NetzobAbstractPerspectiveController Module

NetzobAbstractPerspectiveView Module

NetzobAbstractView Module

NetzobWidgets Module

Subpackages

Common Package

AboutDialog Module

Subpackages

Controllers Package

AvailablePluginsController Module

BugReporterController Module

CustomTransformationFunctionController Module

MoveMessageController Module

ProjectExportController Module

ProjectImportController Module

ProjectPropertiesController Module

WorkspaceConfigurationController Module

WorkspaceSelectorController Module

Views Package

AvailablePluginsView Module

BugReporterCertificateErrorView Module



BugReporterView Module

CustomTransformationFunctionView Module

MoveMessageView Module

ProjectExportView Module

ProjectImportView Module

ProjectPropertiesView Module

WorkspaceConfigurationView Module

WorkspaceSelectorView Module

Export Package

Subpackages

Controllers Package

RawExportController Module

ScapyExportController Module

TextExportController Module

Views Package

RawExportView Module

ScapyExportView Module

TextExportView Module

Fuzzing Package

Subpackages

Grammar Package



Subpackages

Controllers Package

CreateCloseChannelTransitionController Module

CreateOpenChannelTransitionController Module

CreateSemiStochasticTransitionController Module

CreateStateController Module

DeleteStateController Module

DeleteTransitionController Module

EditStateController Module

GrammarController Module

Subpackages

Menus Package

ContextualMenuOnStateController Module

Views Package

CreateCloseChannelTransitionView Module

CreateOpenChannelTransitionView Module

CreateSemiStochasticTransitionView Module

CreateStateView Module

DeleteStateView Module

DeleteTransitionView Module

EditStateView Module



GrammarView Module

GrammarXDotWidget Module

Subpackages

Menus Package

ContextualMenuOnStateView Module

Import Package

ImportFileChooserDialog Module

Subpackages

Controllers Package

ConfirmImportMessagesController Module

Views Package

ConfirmImportMessagesView Module

Simulator Package

Subpackages

Controllers Package

CreateNetworkActorController Module

SimulatorController Module

Views Package

CreateNetworkActorView Module

SimulatorView Module

TraceManager Package



Subpackages

Controllers Package

ApplicativeDataImportController Module

ApplicativeDataManagerController Module

TraceManagerController Module

Views Package

ApplicativeDataImportView Module

ApplicativeDataManagerView Module

TraceManagerView Module

Vocabulary Package

Subpackages

Controllers Package

EnvironmentDependenciesSearcherController Module

FieldAnalysisController Module

FilterMessagesController Module

FindSizeFieldsController Module

MessageTableController Module

MessagesDistributionController Module

PopupEditFieldController Module

RelationsController Module

ResearchController Module



SplitFieldController Module

VariableController Module

VariableDisplayerController Module

VocabularyController Module

Subpackages

Menus Package

ContextualMenuOnFieldController Module

ContextualMenuOnLayerController Module

Partitioning Package

ForcePartitioningController Module

ResetPartitioningController Module

SequenceAlignmentController Module

SimplePartitioningController Module

SmoothPartitioningController Module

Views Package

EnvironmentDependenciesSearcherView Module

FieldAnalysisView Module

FilterMessagesView Module

MessageTableView Module

MessagesDistributionView Module

PopupEditFieldView Module



RelationsView Module

ResearchView Module

SearchResultsView Module

SplitFieldView Module

VariableDisplayerView Module

VariableView Module

VocabularyView Module

Subpackages

Menus Package

ContextualMenuOnFieldView Module

ContextualMenuOnLayerView Module

Partitioning Package

ForcePartitioningView Module

ResetPartitioningView Module

SequenceAlignmentView Module

SimplePartitioningView Module

SmoothPartitioningView Module


CHAPTER 7

Indices and tables

• Table of content

• genindex

• modindex

• search

77


78 Chapter 7. Indices and tables

Python Module Index

nnetzob.Common.Automata, 36netzob.Common.CommandLine, 36netzob.Common.DepCheck, 36netzob.Common.EnvironmentalDependencies,

37netzob.Common.EnvironmentalDependency,

37netzob.Common.ExecutionContext, 37netzob.Common.Functions.EncodingFunction,

42netzob.Common.Functions.FunctionApplicationTable,

43netzob.Common.Functions.RenderingFunction,

43netzob.Common.Functions.TransformationFunction,

43netzob.Common.Functions.Visualization.BackgroundColorFunction,

44netzob.Common.Functions.Visualization.TextColorFunction,

45netzob.Common.Functions.VisualizationFunction,

44netzob.Common.Grammar, 37netzob.Common.LoggingConfiguration, 38netzob.Common.MMSTD.Dictionary._Variable,

46netzob.Common.MMSTD.Dictionary.DictionaryEntry,

46netzob.Common.MMSTD.Dictionary.MMSTDDictionary,

46netzob.Common.MMSTD.Dictionary.RelationTypes.AbstractRelationType,

49netzob.Common.MMSTD.Dictionary.VariableProcessingToken.AbstractVariableProcessingToken,

50netzob.Common.MMSTD.Dictionary.Variables._AlternateVariable,

51

netzob.Common.MMSTD.Dictionary.Variables._IPVariable,52

netzob.Common.MMSTD.MemOpexs.impl.ForgetMemOpex,53

netzob.Common.MMSTD.MemOpexs.MemOpex,53

netzob.Common.MMSTD.States.AbstractState,53

netzob.Common.MMSTD.States.impl.NormalState,54

netzob.Common.MMSTD.States.impl.StartState,54

netzob.Common.MMSTD.Symbols.AbstractSymbol,55

netzob.Common.MMSTD.Symbols.impl.DictionarySymbol,55

netzob.Common.MMSTD.Transitions.AbstractTransition,56

netzob.Common.MMSTD.Transitions.impl.CloseChannelTransition,56

netzob.Common.MMSTD.Transitions.impl.OpenChannelTransition,57

netzob.Common.MMSTD.Transitions.impl.SimpleTransition,58

netzob.Common.Models.Factories.IPCMessageFactory,59

netzob.Common.NetzobException, 38netzob.Common.Order, 38netzob.Common.Plugins.AbstractPluginView,

60netzob.Common.Plugins.Extensions.CapturerMenuExtension,

61netzob.Common.Plugins.Extensions.ExportMenuExtension,

61netzob.Common.Plugins.Extensions.GlobalMenuExtension,

62netzob.Common.Plugins.Extensions.NetzobExtension,

62

79


netzob.Common.Process, 38netzob.Common.Property, 39netzob.Common.PropertyList, 39netzob.Common.Sequence, 40netzob.Common.SharedLib, 40netzob.Common.SignalsManager, 41netzob.Common.Threads.Job, 62netzob.Common.Threads.Task, 62netzob.Common.Type.Endianess, 63netzob.Common.Type.Format, 63netzob.Common.Type.Sign, 64netzob.Common.Type.TypeIdentifier, 64netzob.Common.Type.UnitSize, 64netzob.Common.XSDResolver, 42netzob.Export.RawExport, 64netzob.Export.ScapyExport, 65netzob.Export.TextExport, 65netzob.Import.GOTPoisoning.GOTPoisoner,

65netzob.Import.GOTPoisoning.HijackedFunction,

65netzob.Import.GOTPoisoning.InjectorGenerator,

66netzob.Import.GOTPoisoning.ParasiteGenerator,

66netzob.Import.GOTPoisoning.PrototypesRepositoryParser,

67netzob.Import.ThirdParties.AbstractThirdPartyImporter,

67netzob.Inference.Grammar.EquivalenceOracles.AbstractEquivalenceOracle,

68netzob.Inference.Grammar.Oracles.AbstractOracle,

68netzob.Inference.Vocabulary.SearchResult,

68netzob.Inference.Vocabulary.SearchTask,

69netzob.NetzobPluginManagement, 35netzob.NetzobResources, 35netzob.release, 35netzob.UI.ModelReturnCodes, 69

80 Python Module Index

Netzob Documentation

Documents

netzob documentationrelease

netzob overview2

netzob ca

development of netzob

core of netzob

vocabulary inference

main modules of netzob

main features of netzob