Using Scapy in a Python Script

So far we’ve been working with Scapy in interactive mode. It’s very powerful but there are times when it would be easier to work with a Python script instead. In order to use Scapy, we have to import the Scapy module like this:

This will import all Scapy functions, but if you know that you will only need a few of the functions, you can import them individually as well like this:

The biggest difference when running Scapy in a script is that the output may not be as verbose as in interactive mode. If you’re not getting all the output you need, try using the print command. Here’s an example with our previous ping example:

 

 

Using Scapy to monitor ARP traffic

Let’s pretend that there is concern about someone potentially trying to use an ARP poisoning attack on our network. Using Scapy, we want to write a script that will listen to packets and print out all ARP requests and responses. We can do that very simply using the Scapy sniff() function and the filter argument like this:

 

This is a very simple script that gives us good visibility into what’s happening with ARP on our network. But what if we wanted to customize the output a little bit? Maybe we can get it into a format that would be easy to write to a file or send to some type of external monitoring server.

Using the prn Argument to Customize sniff() Output

I’m going to introduce the prn argument and show you how to change what Scapy prints out for each packet:

 

Basically, the prn argument lets us replace Scapy’s default printout of the packet summary with our own function, which decides what gets printed for each packet. That’s really cool! It works by passing the packet object to the defined function, in this case arp_display(), each time a packet matching the specified filter is sniffed.
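An added example, not the article's own code: an ARP monitor built on sniff() with the filter and prn arguments described above, written for Python 3. It goes one step beyond printing by also warning when an IP address is claimed by a different MAC than before, which is what ARP poisoning looks like on the wire; the names format_arp, check_binding and bindings are assumptions made for this example.

```python
#!/usr/bin/env python3
# Added example, not the article's code. Sniffing needs Scapy and root.
import time

ARP_OPS = {1: "request", 2: "reply"}  # ARP opcodes: who-has / is-at
bindings = {}                         # sender IP -> MAC last seen claiming it


def format_arp(op, src_ip, src_mac, dst_ip, ts):
    """Build one key=value line per ARP packet, easy to append to a log file."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))
    kind = ARP_OPS.get(op, "op%d" % op)
    return "%s arp %s src_ip=%s src_mac=%s dst_ip=%s" % (
        stamp, kind, src_ip, src_mac, dst_ip)


def check_binding(src_ip, src_mac, table=bindings):
    """Record which MAC claims src_ip; return a warning if that changed."""
    if src_ip == "0.0.0.0":  # ARP probe: the sender has no address yet
        return None
    previous = table.get(src_ip)
    table[src_ip] = src_mac
    if previous is not None and previous != src_mac:
        return "WARNING ip=%s changed mac old=%s new=%s" % (
            src_ip, previous, src_mac)
    return None


def arp_display(pkt):
    """prn callback: sniff() prints whatever string this returns."""
    arp = pkt.getlayer("ARP")
    if arp is None:
        return None
    line = format_arp(arp.op, arp.psrc, arp.hwsrc, arp.pdst, float(pkt.time))
    warning = check_binding(arp.psrc, arp.hwsrc)
    return line if warning is None else line + "\n" + warning


if __name__ == "__main__":
    # Imported here so the helpers above load without Scapy installed.
    from scapy.all import sniff
    # store=0 keeps memory flat on a long-running monitor.
    sniff(filter="arp", prn=arp_display, store=0)
```

A changed binding also happens for benign reasons such as a DHCP lease being reassigned or a failover pair switching over, so the warning line is a prompt to investigate rather than a verdict.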

We can do a lot more with that prn argument and passing more than just the packet object to the custom defined function using nested functions. That’s outside the scope of this guide but feel free to read about it here: Scapy Sniffing with Custom Actions

 


This article has 12 comments

  1. rama

    How can I capture only the ARP replies/requests that come to the host where I run this code? I don't need ARP messages from other hosts on my subnet, just the ARP that comes in to my host. I will use it to make a script that can prevent ARP poisoning based on the ARP replies/requests that my host receives.

          1. rama

            I use the same code as yours and at the end of the code I write this:
            print sniff(prn=arp_display, filter="arp and ip host 10.0.0.23", store=0, count=100)

          2. rama

            oh problem solved, I’ve read on BPF syntax from your information and I know what syntax that I should use, thanks 😀

  2. Kashif Ahmad

    I cannot use scapy in python script as you have mentioned here. Whenever I try to run the code it gives me an error of “Permission not permitted”. Below is the summary of the error.

    Traceback (most recent call last):
      File "/home/pi/111.py", line 4, in <module>
        pkts = sniff(filter="arp",count=10)
      File "/usr/local/lib/python2.7/dist-packages/scapy/sendrecv.py", line 593, in sniff
        **karg)]
      File "/usr/local/lib/python2.7/dist-packages/scapy/arch/linux.py", line 485, in __init__
        self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))
      File "/usr/lib/python2.7/socket.py", line 187, in __init__
        _sock = _realsocket(family, type, proto)
    error: [Errno 1] Operation not permitted

    I hope you can help me with this.
