Signup/Sign In

Introduction to scapy

After the last tutorial, you must have gained enough understanding about what you can do using dpkt module. In this lesson we will have a look at another python module which allows us to send, sniff, dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks.

Introduction to Scapy module

Why do we want to use scapy?

You might wonder why do we want to use scapy when we already have dpkt module. Aren't they doing the same thing! Well not exactly, the fact is that scapy provides us with a lot more functionalities than any other tool or module.

Apart from its basic usage to sniff network packets, scapy also performs other tasks, that most of the other tools can't do, like sending invalid frames, injecting your own 802.11 frames, combining techniques(VLAN hopping + ARP cache poisoning, VOIP decoding on WEP encrypted channel etc.) etc.

802.11 frames are basically wireless frame packets which cannot be manipulated using dpkt library.

So come, let's not waste any more time and install scapy:

sudo pip install scapy

Or to download the package and install it, follow the link here.

Firing up (Running) scapy

  1. If you are running a terminal session (Mac OSx users) or if you are a linux user, then:

    $ sudo scapy

    Welcome to Scapy (2.0.1-dev) >>>

  2. If you are a Windows user, then:


    INFO: No IPv6 support in kernel WARNING: No route found for IPv6 destination :: (no default route?) Welcome to Scapy (2.0.1-dev) >>>

Introduction to Scapy

If you don't have all optional packages installed, scapy will inform you that some features will not be available:

INFO: Can't import python gnuplot wrapper . Won't be able to plot. INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().

Reading pcap files

You can read packets from a pcap file and write them to another pcap file.

>>> a = rdpcap("/home/ntal8/Desktop/bkp_pcap/rawcap.pcap")
>>> a

<rawcap.pcap: TCP:749 UDP:134 ICMP:0 Other:2>

A glimpse at scapy's features

  1. TCP Traceroute: Unlike other traceroute programs, who wait for each node to reply before going to the next, scapy sends all the packets at the same time.

    Introduction to Scapy

    The last line is in fact the result of the function: A traceroute result object and a packet list of unanswered packets.

  2. TCP Port Scanning: Send a TCP SYN on each port. Wait for a SYN-ACK or an RST or an ICMP error.
    >>> res,unans = sr( IP(dst = "target")
    ...   	/TCP(flags="S", dport=(1,1024)) )

    Possible result visualization: open ports

    >>> res.nsummary( lfilter=lambda (s,r): (r.haslayer(TCP) and (r.getlayer(TCP).flags & 2)) )

To know more about the fuctionalities and features of scapy, visit scapy's Official Documentation.