How to Implement Spoofing Wireshark in NS2
To simulate IP spoofing in Network Simulator 2 (NS2) and evaluate the attack using Wireshark, we can configure a network topology in which a malicious node transfer packets with a forged source IP address (spoofing) and capture the traffic using NS2’s trace feature. When captured, we can convert the trace file to a PCAP file format to be evaluated in Wireshark.
The below is a step-by-step guide to execute IP spoofing in NS2 and evaluate it with Wireshark:
Steps-by-Step Implementation:
- Create a network topology in NS2 with legitimate nodes and a malicious node that will perform IP spoofing.
- Simulate legitimate traffic between nodes.
- Simulate spoofed traffic from a malicious node using a forged source IP.
- Capture the network traffic in a trace file.
- Convert the trace file to PCAP format.
- Analyse the traffic in Wireshark.
- Set up a Basic IP Spoofing Simulation in NS2
Below is an NS2 TCL script that mimic IP spoofing. In this example, we have three nodes:
- n0: A legitimate source.
- n1: A victim (target node).
- n2: A malicious node performing IP spoofing, pretending to be n0.
TCL Script for NS2 (IP Spoofing Simulation)
# Create a new simulator instance
set ns [new Simulator]
# Open trace and nam files
set tracefile [open “spoofing_trace.tr” w]
$ns trace-all $tracefile
set namfile [open “spoofing.nam” w]
$ns namtrace-all-wireless $namfile
# Define network nodes
set n0 [$ns node] ;# Legitimate source
set n1 [$ns node] ;# Victim node (target of spoofed traffic)
set n2 [$ns node] ;# Malicious node (IP spoofing attacker)
# Create a UDP connection from n0 to n1 (normal traffic)
set udp0 [new Agent/UDP]
set null0 [new Agent/Null]
$ns attach-agent $n0 $udp0
$ns attach-agent $n1 $null0
$ns connect $udp0 $null0
# Create a CBR application to simulate normal traffic
set cbr0 [new Application/Traffic/CBR]
$cbr0 set packetSize_ 512
$cbr0 set rate_ 128Kb
$cbr0 attach-agent $udp0
# Function to simulate IP spoofing attack from the malicious node (n2)
proc ip_spoofing_attack { attacker victim spoofed_src } {
global ns
# Create UDP agents for the attacker (malicious traffic)
set udp_attacker [new Agent/UDP]
set null_attacker [new Agent/Null]
$ns attach-agent $attacker $udp_attacker
$ns attach-agent $victim $null_attacker
$ns connect $udp_attacker $null_attacker
# Create CBR traffic for spoofed traffic
set cbr_attack [new Application/Traffic/CBR]
$cbr_attack set packetSize_ 512
$cbr_attack set rate_ 1Mb ;# Higher rate for the attack traffic
$cbr_attack attach-agent $udp_attacker
# Spoof the source IP address by setting it to the IP of the legitimate source (n0)
$udp_attacker set srcAddr_ [$spoofed_src set node_]
# Start sending spoofed traffic
$ns at 2.0 “$cbr_attack start”
$ns at 5.0 “$cbr_attack stop”
}
# Start legitimate traffic from n0 to n1
$ns at 1.0 “$cbr0 start”
$ns at 5.0 “$cbr0 stop”
# Schedule the IP spoofing attack from n2, spoofing the IP of n0
$ns at 2.0 “ip_spoofing_attack $n2 $n1 $n0”
# Define finish procedure
proc finish {} {
global ns tracefile namfile
$ns flush-trace
close $tracefile
close $namfile
exec nam spoofing.nam &
exit 0
}
# End the simulation at 6.0 seconds
$ns at 6.0 “finish”
# Run the simulation
$ns run
Explanation of the Script:
- Legitimate Traffic: Valid traffic flows from node n0 to node n1 using UDP and a CBR (Constant Bit Rate) application.
- Malicious Traffic: Node n2 (the attacker) sends spoofed packets to node n1, using the IP address of n0 (legitimate source) as the spoofed source address.
- Traffic Capture: All traffic is logged in the trace file (spoofing_trace.tr) for later analysis.
- Convert NS2 Trace File to PCAP Format
NS2 uses its own trace file format that is essential to be converted to PCAP format so it can be evaluated in Wireshark.
Option 1: Using a Custom Python Script for Trace to PCAP Conversion
We need to compose a Python script that parses the NS2 trace file and make a PCAP file.
Below is an instance using Scapy to convert the trace:
from scapy.all import *
import re
def ns2_to_pcap(trace_file, pcap_file):
packets = []
with open(trace_file, ‘r’) as f:
for line in f:
if line.startswith(‘+’) or line.startswith(‘-‘):
fields = line.split()
src = fields[2] # Source node
dst = fields[3] # Destination node
size = int(fields[5]) # Packet size
# Create a packet with spoofed source IP
packet = IP(src=src, dst=dst) / UDP() / Raw(load=”X” * size)
packets.append(packet)
# Save the packets to a PCAP file
wrpcap(pcap_file, packets)
# Convert NS2 trace file to PCAP format
ns2_to_pcap(‘spoofing_trace.tr’, ‘spoofing_attack.pcap’)
- Analyse the Traffic in Wireshark
- Open the generated PCAP file (spoofing_attack.pcap) in Wireshark.
- Use Wireshark filters to evaluate spoofed traffic, like filter by source IP (ip.src == <legitimate_source_ip>) to test for spoofed packets.
- We need to monitor on how the malicious node (n2) is sending packets with the source IP address of the legitimate node (n0).
Customizing the Spoofing Attack
- TCP Spoofing: we can mimic a TCP spoofing attack by exchanging UDP with TCP. Basically change the agent types and mimic a SYN flood or TCP hijacking.
- Multiple Attackers: Add more malicious nodes to mimic an allocated spoofing attack. We can replicate the spoofing function for more nodes.
- Different Attack Rates: Modify the packet rate in the CBR attack to mimic more or less aggressive attacks.
We had understood and get a knowledge on how to setup and how to transfer the packets with the source address that were executed using the ns2 tool. We will also provide the valuable insights on how the spoofing wireshark attacks will perform in other simulation tools.
ns2project.com team is here to share exciting project ideas, providing you with innovative topics to dive into. We also offer personalized assistance for implementing Spoofing Wireshark in NS2.Get comparison analysis done by our developers.