Scapy p.07 – Monitoring ARP

This entry is part 7 of 11 in the series Building Network Tools with Scapy

Using Scapy in a Python Script

So far we’ve been working with Scapy in interactive mode. It’s very powerful but there are times when it would be easier to work with a Python script instead. In order to use Scapy, we have to import the Scapy module like this:

This will import all Scapy functions, but if you know that you will only need a few of the functions, you can import them individually as well like this:

Continue reading

Scapy p.08 – Making a Christmas Tree Packet

This entry is part 8 of 11 in the series Building Network Tools with Scapy

We’ve doing a lot of packet sniffing, analysis, and even some basic packet crafting of our own. With the ICMP packets we created, we only set the destination we wanted to use and let Scapy take care of the rest.

Taking Control of Protocol Fields

I want to show you how to take a bit more control over the packet creation process by creating a TCP Christmas Tree packet. I’ll let you read the details, just know that the name of this packet comes from every TCP header flag bit turned on (set to 1), so it can be said the packet is “lit up like a Christmas Tree.” Continue reading

Scapy p.09 – Scapy and DNS

This entry is part 9 of 11 in the series Building Network Tools with Scapy

We’ve been able to work with Ethernet, ARP, IP, ICMP, and TCP pretty easily so far thanks to Scapy’s built in protocol support. Next on our list of protocols to work with are UDP and DNS.

DNS Request and Response

Using the sr1() function, we can craft a DNS request and capture the returned DNS response. Since DNS runs over IP and UDP, we will need to use those in our packet: Continue reading

Scapy p.11 – Scapy Resources

This entry is part 11 of 11 in the series Building Network Tools with Scapy

I hope you had as much fun as I did getting started with Scapy. These are all starter ideas, but we’ve barely uncovered the tip of the iceberg. I’ll continue to write articles about cool Scapy tools I come up with but you should dig into the docs below and see what you find. If you have any questions or comments about this guide, feel free to contact me.

Online Resources

Continue reading

Scapy Sniffing with Custom Actions, Part 2

In the previous article I demonstrated how to add a custom function to change the formatting of the packet output in the console or do some sort of custom action with each packet. That example passed the function (a Callable) without any additional args. When the prn passed function is called (with each packet), it receives a single argument of the packet that was just sniffed.

Using nested functions to harness the power of closure, you can bind any number of arguments to the function that is executed on each packet by Scapy. In order to bind additional arguments to the prn function, we have to use nested functions (similar to a decorator). Check out this example, created to upload the scapy packet info to an API via the Python Requests module:

This may seem a little strange, but here’s an order-of-events explanation for what’s happening:

  1. We define our url & token variables, just like in the first example.
  2. We define the custom_action function. This will be run when the scapy sniff function first runs to get the value info for the prn argument. Note the two parameters that we pass into custom_action.
  3. Inside custom_action, we create another function that takes the scapy implicitly passed packet as a parameter. This is the function that will upload the packet info to our API.
  4. The upload_packet function is nested in custom_action so it has access to the url & token variables because it is inside the parent function’s scope.
  5. The return value of custom_action is the upload_packet function, so this function will be run along with every sniffed packet based on the prn argument. Even though the custom_action function is not executed to take in the url & token parameters, they are locked into the nested upload_packet function due to Python’s capacity for ‘closure’.
  6. After we define the custom_action and nested upload_packet functions, we run the Scapy sniff function with the returned value of custom_action passed via the prn argument.

Using closures to ‘lock-in’ any number of arguments to the custom_action function gives us much more flexibility. I was able to modularize my file in order to clean up my Scapy sniffing script.

Here’s another example that achieves the same affect using functools.partial to close in the url & token arguments:

See how I was able to move a big chunk of verbose packet protocol checking into a separate module by looking at my two python files in this project: Scapy-to-API

Scapy Sniffing with Custom Actions, Part 1

Scapy has a sniff function that is great for getting packets off the wire, but there’s much more to show off how great this function really is! sniff has  an argument prn that allows you to pass a function that executes with each packet sniffed. The intended purpose of this function is to control how the packet prints out in the console allowing you to replace the default packet printing display with a format of your choice.

The prn argument is defined as:

prn: function to apply to each packet. If something is returned, it is displayed. For instance you can use prn = lambda x: x.summary().

Continue reading

First Pull Request

I submitted my first GitHub Pull Request today so I figured that this development thing is doable and I might as well write some articles about my coding exploration!

What I’m feeling right now is an overwhelming of all the fantastic resources out there, it’s just impossible to absorb info as quick as I find it. I’m finding that the people in the developer community are just as nice as those I’ve reached out to in the networking world. We really just want to get some bits from point A to point B, right?!?

Dev Tools I Use

This post quickly covers the tools I’m using after about 2 months of development study and practice. I will revisit this in a year or so to se what has changed and explain what tools I still use, and what tools end up getting replaced. My workflow seems to be very generic right now and it will be interesting to see how it changes as I mature as a developer.

Continue reading