#PACKET CAPTURE TOOL THREE WAY HAND SHAKE MAC#
If no MAC is supplied, a random one is chosen. The dst_mac attribute explicitly sets the MAC address for packets from the flow destination. The src_mac attribute explicitly sets the MAC address for packets from the flow source.

The handshake is always added relative to the location of the flow declaration in the synfile. The tcp.initialize attribute informs Flowsynth that the flow should have an autogenerated TCP three-way handshake included in the output. The following flow attributes are currently supported: tcp.initialize

The DNS query and response are not included in the output. The first A record returned for the DNS entry will be used as the IP address throughout the session. If a DNS record is specified in the flow declaration (instead of an explicit IP address) then Flowsynth will resolve the DNS entry at the time of the flow's declaration.

Usage

flow default tcp :31337 > :80 ( tcp.initialize; );

For the interim, directionality should always be specified as to server: >

During the output phase the native packets are delivered to the user in one of the two output formats: as a hexdump or as a native PCAP file. Once all of the events have been rendered to native pcaps the output phase occurs.

Specific features of attributes, like converting '\x3A' to ':', take place. Protocol-specific intelligence, like TCP SEQ/ACK calculations and ACK generation, takes place.
In this phase of the application several important things happen:

Once all the instructions have been parsed and processed, Flowsynth iterates over the compiler timeline and renders any events to native packets.

Using the same methods described above, Flowsynth will parse the event declaration and add it to the compiler timeline. The last event declaration that is parsed by the application shows the server's response to the client.

Flowsynth will read these instructions and generate an entry in the compiler timeline for this event. In this case, an HTTP request is being rendered. The two 'content' attributes are used to specify the packet's payload. Just like the flow declaration, each optional attribute must be closed with a semicolon (;). Once the parent flow and directionality have been established, Flowsynth will parse the optional attributes section. The directionality for this specific event is '>', or TO_SERVER. Once this event is associated with the flow, any protocol-specific values (like TCP SEQ and ACK numbers) will automatically be applied to the event. Flowsynth will immediately identify that this event declaration belongs to the 'default' flow that was just declared.

flow default tcp :12323 > :80 ( tcp.initialize; );

default > ( content:"GET / HTTP/1.1\x0d\x0a"; content:"Host: \x0d\x0a\x0d\x0a"; );

default ( content.
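The SEQ/ACK bookkeeping that the render phase applies to a tcp.initialize flow and its events can be followed in this added sketch, which is not Flowsynth's own code. The Flow class, the initial sequence numbers, the PSH/ACK flag choice and the Host value example.test are assumptions made for the illustration.

```python
import re

def decode_content(s):
    """Turn '\\x3A'-style escapes in a content attribute into raw bytes."""
    return re.sub(rb"\\x([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  s.encode("latin-1"))

class Flow:
    """Hypothetical helper: tracks the next SEQ for each side of one TCP flow."""
    def __init__(self, client_isn, server_isn):
        self.seq = {">": client_isn, "<": server_isn}
        self.timeline = []

    def _emit(self, direction, flags, payload=b""):
        peer = "<" if direction == ">" else ">"
        # ACK number is the next byte expected from the peer.
        ack = self.seq[peer] if "A" in flags else 0
        self.timeline.append({"dir": direction, "flags": flags,
                              "seq": self.seq[direction], "ack": ack,
                              "len": len(payload)})
        # SYN and FIN each consume one sequence number; data consumes its length.
        used = len(payload) + ("S" in flags) + ("F" in flags)
        self.seq[direction] = (self.seq[direction] + used) % 2**32

    def initialize(self):
        """Three-way handshake, as requested by tcp.initialize."""
        self._emit(">", "S")
        self._emit("<", "SA")
        self._emit(">", "A")

    def event(self, direction, *contents):
        """One event: a data segment, then the peer's generated ACK."""
        payload = b"".join(decode_content(c) for c in contents)
        self._emit(direction, "PA", payload)
        self._emit("<" if direction == ">" else ">", "A")

def demo():
    flow = Flow(client_isn=1000, server_isn=5000)  # constructed ISNs
    flow.initialize()
    # Constructed payload; the Host value is a placeholder.
    flow.event(">", r"GET / HTTP/1.1\x0d\x0a",
               r"Host: example.test\x0d\x0a\x0d\x0a")
    return flow.timeline

if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

When reviewing a generated capture, the same arithmetic is a quick sanity check: each ACK number should equal the peer's last SEQ plus its payload length, plus one for a SYN or FIN.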