Scapy is amazingly flexible when it comes to creating packets, but in some cases you may want to mangle or change packets that you have already sniffed and saved in a trace file. At the time of writing Scapy supports .cap and .pcap files but unfortunately no .pcapng files (yet…); later Scapy releases have since added pcapng reading, so check which version you have installed. Reading these files is possible through the rdpcap() function, which loads the whole file into memory as a PacketList (fine for a few thousand packets, not for a multi-gigabyte capture):

*Thanks to packetlife.net for the iBGP capture found here.

Then we can view, edit and change the packets just as we would with any other packets sniffed or created with Scapy.


Reading .pcaps with a custom function

We can also use Scapy's sniff() function to read packets from a .pcap file using the offline argument, as shown here:

This lets us pass a custom function to the prn argument, which sniff() calls on each packet as it is read from the file, as covered in this post. Unlike rdpcap(), this streams the file one packet at a time, and with store=False nothing is kept in memory beyond what the callback records. Here we count the packets as we import them from the .pcap file:

Manipulating packets during import

We can also write a more useful import function that changes each packet as it is read. The example below simply clears the MAC addresses to keep physical device information anonymous, but with the power of Python and a little imagination the possibilities are endless! Two things to keep in mind: the prn callback receives the same packet object that sniff() stores, so edits made in the callback are what end up in the resulting list, and anything the callback returns is printed by sniff(), so return nothing when you only want to modify the packet.

Check back soon for the next post in this series, where we cover writing packets (sniffed, created, or mangled with Scapy) back to .cap/.pcap files!
