packeth – Simple Packet Generation Tool

From time to time, our daily work requires us to play around with very specific packets and frames. Sometimes these are very specific BGP packets, sometimes specific layer 2 control protocol frames. No matter what your requirement is, packeth is a very powerful tool that allows you to generate frames and packets with a simple GUI.
Packeth can be found in the Ubuntu 16.04 default repository, so you just have to apt-get install packeth. If you have an X server on your system and install xorg on the generator machine as well, you can use the GUI on your system with SSH X forwarding.

First, you have to select an interface in the menu. This can be any interface on the device, even VLAN or tunnel interfaces.
Now let’s have a look at the Link Layer part. This is most relevant when you want to create specific Ethernet frames. You can select between 802.3 Ethernet and Ethernet II. The 802.1Q mode also allows you to use Q-in-Q tags with different TPIDs, such as stacked 0x8100, 0x9100 or the 802.1ad-compliant 0x88a8. Depending on the Ethernet type, you can set a specific ethertype or LLC/DSAP/SSAP etc.
On Layer 2, we often use packeth to verify the transparency of metro Ethernet services. For example, Spanning Tree: here you would use the well-known multicast destination address 01:80:c2:00:00:00, 802.3 Ethernet with DSAP 0x42, SSAP 0x42 and Ctrl 0x03.

In tcpdump, this looks like the following:

18:48:51.837264 12:34:56:78:90:ab > 01:80:c2:00:00:00, 802.3, length 3: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 0000.00:00:00:00:00:00.0000, length 43
message-age 0.00s, max-age 0.00s, hello-time 0.00s, forwarding-delay 0.00s
root-id 0000.00:00:00:00:00:00, root-pathcost 0

In another example, we would use Ethernet II with destination address 01:80:c2:00:00:02 and ethertype 0x8809. Can you guess what we are talking about here? Exactly, that’s LACP. As some E-Line CPEs do very deep L2CP inspection, we can also add a custom payload to make this frame a correct and plausible LACPDU. Let’s use the following value as the user-defined payload:

0101011491f40004961f506a80000000001247000000021400000000000000000000000000003b0000000310000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.

In tcpdump, this looks like the following:

18:54:03.185580 12:34:56:78:90:ab > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110
Actor Information TLV (0x01), length 20
System 00:04:96:1f:50:6a, System Priority 37364, Key 32768, Port 18, Port Priority 0
State Flags [Activity, Timeout, Aggregation, Default]
Partner Information TLV (0x02), length 20
System 00:00:00:00:00:00, System Priority 0, Key 0, Port 0, Port Priority 0
State Flags [Activity, Timeout, Synchronization, Collecting, Distributing]
Collector Information TLV (0x03), length 16
Max Delay 2
Terminator TLV (0x00), length 0
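
As an added example (not part of packeth or of the original post), the following Python code builds the same LACPDU from the field values in the tcpdump decode above and checks its TLV structure before the hex string is pasted as user-defined payload. The function names are made up for this illustration, and the layout assumed is the LACPv1 PDU of IEEE 802.1AX (110 bytes after the ethertype).

```python
import struct

# State-octet flag names in bit order (bit 0 first), spelled as tcpdump prints them.
STATE_BITS = ["Activity", "Timeout", "Aggregation", "Synchronization",
              "Collecting", "Distributing", "Default", "Expired"]

def state_octet(*flags):
    """Pack flag names into the one-byte actor/partner state field."""
    return sum(1 << STATE_BITS.index(f) for f in flags)

def port_info_tlv(tlv_type, sys_prio, system, key, port_prio, port, state):
    """Actor (0x01) or Partner (0x02) Information TLV: 20 bytes, 3 reserved."""
    mac = bytes.fromhex(system.replace(":", ""))
    return struct.pack("!BBH6sHHHB3x", tlv_type, 20, sys_prio, mac,
                       key, port_prio, port, state)

def build_lacpdu(actor, partner, max_delay):
    """Return the 110 bytes that follow ethertype 0x8809 in a LACPv1 frame."""
    pdu = bytes([0x01, 0x01])                           # subtype LACP, version 1
    pdu += port_info_tlv(0x01, **actor)
    pdu += port_info_tlv(0x02, **partner)
    pdu += struct.pack("!BBH12x", 0x03, 16, max_delay)  # Collector Information TLV
    return pdu + bytes(2) + bytes(50)                   # Terminator TLV + reserved

def walk_tlvs(pdu):
    """Return [(type, length), ...]; raise ValueError if the PDU is malformed."""
    if len(pdu) != 110 or pdu[:2] != b"\x01\x01":
        raise ValueError("not a 110-byte LACPv1 PDU")
    tlvs, off = [], 2
    while off + 2 <= len(pdu):
        tlv_type, length = pdu[off], pdu[off + 1]
        tlvs.append((tlv_type, length))
        if tlv_type == 0x00:                            # Terminator ends the walk
            return tlvs
        if length < 2 or off + length > len(pdu):
            raise ValueError(f"bad TLV length {length} at offset {off}")
        off += length
    raise ValueError("no Terminator TLV")

# Field values taken from the tcpdump decode shown above.
ACTOR = dict(sys_prio=37364, system="00:04:96:1f:50:6a", key=32768, port_prio=0,
             port=18, state=state_octet("Activity", "Timeout", "Aggregation", "Default"))
PARTNER = dict(sys_prio=0, system="00:00:00:00:00:00", key=0, port_prio=0, port=0,
               state=state_octet("Activity", "Timeout", "Synchronization",
                                 "Collecting", "Distributing"))
PAYLOAD = build_lacpdu(ACTOR, PARTNER, max_delay=2)

if __name__ == "__main__":
    print(walk_tlvs(PAYLOAD))
    print(PAYLOAD.hex())   # paste into packeth's user-defined payload field
```

Changing a single field, for example the actor port or one state flag, and regenerating the hex gives a quick way to see which LACPDU fields a CPE under test actually inspects.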

You can also use the tool to generate IP packets. To do so, just select ethertype IPv4. One really cool thing is that you can always use a user-defined payload as the next layer, in addition to choosing from a list of reasonable next-layer protocols, such as TCP/UDP/ICMP/IGMP, as the IPv4 payload. If you select one of the predefined payloads, the GUI presents all the possible flags and fields, which you can easily edit.
If you just want to copy the TCP payload of a previously captured pcap, you can extract the TCP payload in Wireshark and paste it into packeth’s TCP payload field. You could also select User defined payload in the IPv4 section and paste a copy of a previously captured IPv4 payload. This ability to specify exactly which parts you want to play around with in the GUI and which further plain payload should be added to the packet makes this tool very powerful. There are also far more features in the program, so feel free to play around with it.