wfilter: generic packet filtering and processing tool
wfilter allows simple packet processing and filtering and is intended to be used chained with other WHAD tools. This tool can alter packets coming from the previous tool in the processing chain to the next tool (upstream) or the other way (downstream).
Usage
... | wfilter [OPTIONS] FILTER | ...
Command-line options
wfilter supports the following options:
--down: process downstream packets
--up: process upstream packets
--transform (-t): apply a transform to packets
--invert (-e): invert filter
--forward (-f): forward packets that do not match the specified filter (dropped by default)
--load (-l): load the specified Python module containing extra Scapy layer definitions
Specifying a filter
wfilter relies on a filter to process the flow of packets going through the packet processing chain. This filter is defined as a Python expression that must return a boolean value. The packet is available in this expression as p (also as pkt or packet for readability) and is a Scapy packet object.
For instance, specifying the filter BTLE_ADV_IND in p will define a filter that matches any packet containing the BTLE_ADV_IND layer (a Bluetooth Low Energy undirected advertisement in this specific case).
Inverting filter
The --invert / -e option will invert the filter expression.
Specifying additional Scapy layers
The --load / -l option can be used to specify a Python module containing additional Scapy layer definitions to load. This comes in handy when working on non-standard protocols for which Scapy does not have any layer defined. This option can be used more than once to load as many Python modules as necessary.
Applying a transform to matching packets
The --transform / -t option can be used to transform a packet that matches the provided filter, combined with --up or --down to specify which packets need to be processed. --up will tell wfilter to process upstream packets, that is packets sent by the previous tool in the processing chain to the next tool, while --down will apply this transform to downstream packets coming from the next tool to the previous tool in the chain. If both --up and --down are specified, the transform will be applied to upstream and downstream packets.
The transform must be specified as a Python expression altering the packet, referred to as p in the transform expression.
Note: packets that do not match the specified filter are dropped by default and therefore not forwarded.
Applying a transform to matching packets and forwarding other packets
The --forward / -f option tells wfilter to apply the specified transform to packets that match the provided filter expression, as detailed above, but also to forward the other packets without applying any transform instead of just dropping them.
Therefore, combining --transform with --forward allows applying a specific transform to some packets while keeping the others untouched.
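The following Python model, added here as an illustration and not taken from the WHAD project, re-implements the filter, --invert, --transform, --up/--down and --forward semantics described in the sections above over constructed packet objects, so it runs offline without Scapy or a WHAD device. It assumes the filter string is evaluated with eval() and the transform with exec() (the page's transform examples are assignments rather than expressions), that both directions are processed when neither --up nor --down is given, and that packets in a non-selected direction pass through untouched; the Packet, Metadata and WFilter names are this example's own. Since the expression is executed as Python code with full access to the packet object and the interpreter, it should only ever come from the operator's own command line.

```python
"""Model of wfilter's filter / transform / invert / forward semantics.

Added example, not WHAD code: it mirrors the behaviour this page describes
over constructed packet objects.  Assumptions are marked in comments.
"""
from dataclasses import dataclass, field


# Constructed stand-ins for a Scapy packet and the WHAD metadata block.
# Only the attributes used by the page's examples (AdvA, metadata.rssi) exist.
@dataclass
class Metadata:
    rssi: int = -50
    direction: int = 0


@dataclass
class Packet:
    layers: tuple                      # e.g. ("BTLE", "BTLE_ADV", "BTLE_ADV_IND")
    AdvA: str = ""
    metadata: Metadata = field(default_factory=Metadata)

    def __contains__(self, layer):     # "BTLE_ADV_IND in p", like Scapy's haslayer()
        return layer in self.layers

    def __getitem__(self, layer):      # "p[BTLE_ADV_IND]"; Scapy returns the sub-layer,
        if layer not in self.layers:   # this model simply returns the packet itself
            raise IndexError(f"layer {layer} not found")
        return self


# Layer names exposed to the expression, standing in for Scapy's layer classes.
LAYERS = {name: name for name in ("BTLE", "BTLE_ADV", "BTLE_ADV_IND", "BTLE_DATA")}


class WFilter:
    """One wfilter stage: keeps, drops or transforms packets in either direction."""

    def __init__(self, expr="True", transform=None, invert=False,
                 forward=False, up=False, down=False):
        self.expr = expr
        self.transform = transform
        self.invert = invert
        self.forward = forward
        # Assumption: with neither --up nor --down, both directions are processed
        # (the page's first filtering example uses neither flag).
        self.up = up or not (up or down)
        self.down = down or not (up or down)

    def _namespace(self, p):
        # p, pkt and packet all name the same packet, as the page states.
        return {"p": p, "pkt": p, "packet": p, **LAYERS}

    def matches(self, p):
        # The filter is arbitrary Python evaluated against the packet; -e inverts it.
        result = bool(eval(self.expr, {}, self._namespace(p)))
        return result != self.invert

    def process(self, p, direction):
        """Return the packet to hand to the next tool, or None if it is dropped."""
        if (direction == "up" and not self.up) or (direction == "down" and not self.down):
            return p                    # assumption: unselected direction passes untouched
        if self.matches(p):
            if self.transform:
                # Assumption: transforms run through exec(), since the page's
                # examples are assignments such as p.metadata.rssi=-20.
                exec(self.transform, {}, self._namespace(p))
            return p
        return p if self.forward else None   # non-matching: forwarded only with -f


if __name__ == "__main__":
    # Constructed sample traffic: two advertisements and one data packet.
    stream = [
        Packet(("BTLE", "BTLE_ADV", "BTLE_ADV_IND"), AdvA="cc:5f:f0:e5:81:75"),
        Packet(("BTLE", "BTLE_ADV", "BTLE_ADV_IND"), AdvA="aa:bb:cc:dd:ee:ff"),
        Packet(("BTLE", "BTLE_DATA")),
    ]
    stage = WFilter("BTLE_ADV_IND in p", transform="p.metadata.rssi=-20",
                    forward=True, down=True)
    for pkt in stream:
        print(stage.process(pkt, "down"))
```

Running the file as a script prints all three packets: the two advertisements with rssi rewritten to -20 and the data packet untouched, because --forward lets non-matching packets through. Dropping forward=True would print None for the data packet instead.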
Simple packet filtering
As a first example, we are going to filter BLE packets to only keep BLE advertisements from a specific advertising device (cc:5f:f0:e5:81:75):
$ wplay --flush ressources/pcaps/ble_discovery.pcap ble | wfilter "BTLE_ADV_IND in p and p.AdvA == 'cc:5f:f0:e5:81:75'"
[ raw=True, decrypted=False, timestamp=0, channel=0, rssi=-50, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0, processed=False, encrypt=False ]
<BTLE access_addr=0x8e89bed6 crc=0x0 |<BTLE_ADV RxAdd=public TxAdd=public ChSel=#2 RFU=0 PDU_type=ADV_IND Length=0x25 |<BTLE_ADV_IND AdvA=cc:5f:f0:e5:81:75 data=[<EIR_Hdr len=2 type=flags |<EIR_Flags flags=general_disc_mode+br_edr_not_supported |>>, <EIR_Hdr len=17 type=complete_list_128_bit_svc_uuids |<EIR_CompleteList128BitServiceUUIDs svc_uuids=[UUID('bdce0001-e90d-4685-b89d-5578cd199a9f')] |>>, <EIR_Hdr len=9 type=mfg_specific_data |<EIR_Manufacturer_Specific_Data company_id=0xffff |<Raw load='u\\x81\\xe5\\xf0_\\xcc' |>>>] |>>>
[ raw=True, decrypted=False, timestamp=86188, channel=0, rssi=-50, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0, processed=False, encrypt=False ]
<BTLE access_addr=0x8e89bed6 crc=0x0 |<BTLE_ADV RxAdd=public TxAdd=public ChSel=#2 RFU=0 PDU_type=ADV_IND Length=0x25 |<BTLE_ADV_IND AdvA=cc:5f:f0:e5:81:75 data=[<EIR_Hdr len=2 type=flags |<EIR_Flags flags=general_disc_mode+br_edr_not_supported |>>, <EIR_Hdr len=17 type=complete_list_128_bit_svc_uuids |<EIR_CompleteList128BitServiceUUIDs svc_uuids=[UUID('bdce0001-e90d-4685-b89d-5578cd199a9f')] |>>, <EIR_Hdr len=9 type=mfg_specific_data |<EIR_Manufacturer_Specific_Data company_id=0xffff |<Raw load='u\\x81\\xe5\\xf0_\\xcc' |>>>] |>>>
Simple packet processing
Next, we are going to modify the received signal strength of all packets to -20:
$ wplay --flush ressources/pcaps/ble_discovery.pcap ble | wfilter -t "p.metadata.rssi=-20" --down
[ raw=True, decrypted=False, timestamp=0, channel=0, rssi=-20, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0, processed=False, encrypt=False ]
<BTLE access_addr=0x8e89bed6 crc=0x0 |<BTLE_ADV RxAdd=public TxAdd=public ChSel=#2 RFU=0 PDU_type=ADV_IND Length=0x25 |<BTLE_ADV_IND AdvA=cc:5f:f0:e5:81:75 data=[<EIR_Hdr len=2 type=flags |<EIR_Flags flags=general_disc_mode+br_edr_not_supported |>>, <EIR_Hdr len=17 type=complete_list_128_bit_svc_uuids |<EIR_CompleteList128BitServiceUUIDs svc_uuids=[UUID('bdce0001-e90d-4685-b89d-5578cd199a9f')] |>>, <EIR_Hdr len=9 type=mfg_specific_data |<EIR_Manufacturer_Specific_Data company_id=0xffff |<Raw load='u\\x81\\xe5\\xf0_\\xcc' |>>>] |>>>
[ raw=True, decrypted=False, timestamp=86188, channel=0, rssi=-20, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0, processed=False, encrypt=False ]
<BTLE access_addr=0x8e89bed6 crc=0x0 |<BTLE_ADV RxAdd=public TxAdd=public ChSel=#2 RFU=0 PDU_type=ADV_IND Length=0x25 |<BTLE_ADV_IND AdvA=cc:5f:f0:e5:81:75 data=[<EIR_Hdr len=2 type=flags |<EIR_Flags flags=general_disc_mode+br_edr_not_supported |>>, <EIR_Hdr len=17 type=complete_list_128_bit_svc_uuids |<EIR_CompleteList128BitServiceUUIDs svc_uuids=[UUID('bdce0001-e90d-4685-b89d-5578cd199a9f')] |>>, <EIR_Hdr len=9 type=mfg_specific_data |<EIR_Manufacturer_Specific_Data company_id=0xffff |<Raw load='u\\x81\\xe5\\xf0_\\xcc' |>>>] |>>>
Or we can also change the advertiser address to 11:22:33:44:55:66 for every BTLE_ADV_IND packet:
$ wplay --flush ressources/pcaps/ble_discovery.pcap ble | wfilter -t "p[BTLE_ADV_IND].AdvA='11:22:33:44:55:66'" --down "BTLE_ADV_IND in p"
[ raw=True, decrypted=False, timestamp=0, channel=0, rssi=-50, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0, processed=False, encrypt=False ]
<BTLE access_addr=0x8e89bed6 crc=0x0 |<BTLE_ADV RxAdd=public TxAdd=public ChSel=#2 RFU=0 PDU_type=ADV_IND Length=0x25 |<BTLE_ADV_IND AdvA=11:22:33:44:55:66 data=[<EIR_Hdr len=2 type=flags |<EIR_Flags flags=general_disc_mode+br_edr_not_supported |>>, <EIR_Hdr len=17 type=complete_list_128_bit_svc_uuids |<EIR_CompleteList128BitServiceUUIDs svc_uuids=[UUID('bdce0001-e90d-4685-b89d-5578cd199a9f')] |>>, <EIR_Hdr len=9 type=mfg_specific_data |<EIR_Manufacturer_Specific_Data company_id=0xffff |<Raw load='u\\x81\\xe5\\xf0_\\xcc' |>>>] |>>>
[ raw=True, decrypted=False, timestamp=86188, channel=0, rssi=-50, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0, processed=False, encrypt=False ]
<BTLE access_addr=0x8e89bed6 crc=0x0 |<BTLE_ADV RxAdd=public TxAdd=public ChSel=#2 RFU=0 PDU_type=ADV_IND Length=0x25 |<BTLE_ADV_IND AdvA=11:22:33:44:55:66 data=[<EIR_Hdr len=2 type=flags |<EIR_Flags flags=general_disc_mode+br_edr_not_supported |>>, <EIR_Hdr len=17 type=complete_list_128_bit_svc_uuids |<EIR_CompleteList128BitServiceUUIDs svc_uuids=[UUID('bdce0001-e90d-4685-b89d-5578cd199a9f')] |>>, <EIR_Hdr len=9 type=mfg_specific_data |<EIR_Manufacturer_Specific_Data company_id=0xffff |<Raw load='u\\x81\\xe5\\xf0_\\xcc' |>>>] |>>>