RTMPT packet error decode/slice/capture #26

Open
niyetsin opened this issue Oct 21, 2020 · 1 comment

Comments

@niyetsin

Hi @shramos

#24 I'm having a similar issue with the RTMP
[image: image1]

By the time I try to use Polymorph with Nginx Server and VLC client to capture packets between them, I always get this capture structure from Wireshark:
[image: Wireshark]

I'm not able to filter some packets using functions with strings. This means that every time I want to filter them using a function like this one:

[image: function1]

I get something like this as response:

[image: image2]

As you can see from the image above, the function was able to find 15 packets with header.csid = 3. The weird part is that when I try to see those packets in Wireshark I only get 5 of them:

[image: wireshark2]

In order to try fixing this issue, I changed the type of the field 'string' to bytes. Then I ran the function again, and I got this:

[image: image3]

I also attached the structure of the header.csid field:

[image: image4]

If you need to try it yourself, I linked the repository that I'm using for the server and the client:

[link: Github]

Thanks in advance!

@shramos
Owner

shramos commented Oct 21, 2020

Hi @niyetsin,

This is because of the way Polymorph works. Before reading the explanation I am going to give in this comment, it is important that you understand what I answered in the issue you quote in your message: #24 (comment)

When we enter the intercept command, Polymorph intercepts any network packet received by our operating system, regardless of the network protocol. The functions we have defined are executed on all network packets arriving at the operating system. This means that in your case, Polymorph intercepts RTMPT traffic and any other traffic received by your operating system at that time. The template is a way to facilitate access to certain bytes in network packets: it looks for a sequence of bytes at a position and interprets them according to a type.

Taking into account the function you have defined:
[image: image]

Imagine that the header.csid field of the RTMPT protocol corresponds to byte 100 of the network packet (you can see exactly which byte it corresponds to by accessing the field's interface in Polymorph and using the show command). When Polymorph starts intercepting, it receives all the packets arriving at the operating system and tries to access byte 100 and interpret it with the type that appears in the template. If it turns out that the packet belongs to another protocol and does not even have 100 bytes, an exception is raised (in your case, it enters the exception branch and prints "fail"). Otherwise, it checks whether byte 100, after interpreting it, corresponds to 3.

These are the mechanics that Polymorph uses. The first functions that are added should filter the packets that we are interested in modifying. With the return packet statement, that packet passes to the next function we have defined; with the return None statement, that network packet does not pass to the following functions and is sent to its destination without anything else being executed on it.

Now we are going to interpret the results it has given you:
[image: image]

What Polymorph is telling you in this image is that it has received 14 packets, of which 11 do not have the header.csid or the string field (the exception has been raised), either because they are network packets from another protocol or because that type of RTMPT packet does not have those fields. If you don't apply the filter in Wireshark, you'll probably see all the network packets and the protocols they belong to.

To test everything I write, try adding these two functions separately:

def filter_rtmpt(packet):
    # First function in the chain: keep only RTMPT packets with header.csid == 3.
    try:
        if packet["RTMPT"]["header.csid"] == 3:
            print("RTMPT packet arrived!")
            print("Executing next function...")
            return packet   # pass the packet on to the next function
        # csid is present but not 3: falls through and returns None implicitly
    except Exception:
        # Field not accessible (other protocol, or packet too short): stop here.
        print("Another packet arrived!")
        print("Sending the packet to destination")
        return None

def print_string(packet):
    # Second function in the chain: only receives packets that passed filter_rtmpt.
    try:
        print("Captured", packet["RTMPT"]["string"])
        return packet
    except Exception:
        # This RTMPT packet type carries no string field.
        print("The RTMPT package does not have the string field")
        return None

The first function takes care of filtering the network packets of the RTMPT protocol, and the second one tries to print the string field of those packets on the screen, if they have it.

As I mentioned in the previous issue, once you have understood this concept, it is worth taking a look at the wiki to understand other capabilities that Polymorph has, such as structs or global variables.
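To make the mechanics described in this thread concrete, here is an added, stand-alone Python model of the Polymorph function chain (it is not Polymorph's own code, and the `Packet`/`Layer` classes, the `run_chain` helper, the field offsets and the sample traffic are all constructed for the example). It shows why packets of another protocol, or RTMPT chunks without a string field, take the exception branch and never reach the next function.

```python
import struct
# Constructed template (offsets invented): field -> (byte offset, struct type).
TEMPLATES = {"RTMPT": {"header.csid": (100, "B"), "string": (101, "4s")}}

class Layer:
    """Lazy view: layer[field] unpacks the bytes at the template offset on access."""
    def __init__(self, raw, fields):
        self.raw, self.fields = raw, fields
    def __getitem__(self, field):
        offset, fmt = self.fields[field]            # KeyError for an unknown field
        if offset + struct.calcsize(fmt) > len(self.raw):
            raise IndexError("packet too short for " + field)  # the 'fail' branch
        return struct.unpack_from(fmt, self.raw, offset)[0]
class Packet:
    """Any intercepted packet; packet['RTMPT'] is attempted even on non-RTMPT bytes."""
    def __init__(self, raw):
        self.raw = raw
    def __getitem__(self, layer):
        return Layer(self.raw, TEMPLATES[layer])

def filter_rtmpt(packet):
    """First function: pass on packets whose header.csid byte is 3, stop all others."""
    try:
        return packet if packet["RTMPT"]["header.csid"] == 3 else None
    except Exception:                               # other protocol or too short
        return None

def read_string(packet):
    """Second function: pass on packets that carry the string field."""
    try:
        packet.string = packet["RTMPT"]["string"]
        return packet
    except Exception:                               # RTMPT chunk without that field
        return None

def run_chain(packets, functions):
    """Polymorph order: a None return ends processing for that packet; count survivors."""
    reached_end = 0
    for pkt in packets:
        for fn in functions:
            pkt = fn(pkt)
            if pkt is None:
                break
        else:
            reached_end += 1
    return reached_end
# Constructed capture: 2 RTMPT chunks with csid 3 and a string, 1 with csid 3 but no
# string, 1 with csid 5, and 2 short packets belonging to another protocol.
FULL = b"\x00" * 100 + b"\x03" + b"test"
TRAFFIC = [Packet(FULL), Packet(FULL), Packet(b"\x00" * 100 + b"\x03"),
           Packet(b"\x00" * 100 + b"\x05"), Packet(b"\x45\x00\x00\x1c"), Packet(b"\x45\x00\x00\x28")]
```

Running `run_chain(TRAFFIC, [filter_rtmpt, read_string])` yields 2: only the packets that carry both fields survive both functions, which is the same gap between "matched csid" and "has a string" that the screenshots in this issue show.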
