Writing Packets to Trace File with Scapy

This is just a quick follow-up post to accompany the previous Importing packets from trace files with scapy post. So you’ve sniffed or generated some packets with scapy and it’s time to write them to file to analyze and double-check your work. Here’s a simple example of how to save those packets.

Tada!  That’s it. There’s no options or special functions, you probably should do your packet processing before you write the packets to file.

Importing packets from trace files with scapy

Scapy is amazingly flexible when it comes to creating packets, but in some cases you may want to mangle or change packets that you’ve sniffed and saved in a trace file. Scapy currently supports .cap and .pcap files, but unfortunately no .pcapng files (yet…).  Reading these files are possible through the rdpcap() function:

*Thanks to packetlife.net for the iBGP capture found here.

Continue reading

Scapy p.01 – Scapy Introduction and Overview

This entry is part 1 of 11 in the series Building Network Tools with Scapy

What is Scapy?

No one can introduce Scapy better than the creator or the project himself:

“Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery…

It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

– Phil @ secdev.org

Continue reading

Scapy p.02 – Installing Python and Scapy

This entry is part 2 of 11 in the series Building Network Tools with Scapy

Installing Python

Scapy was originally written for Python 2, but since the 2.4 release (March 2018), you can now use Scapy with Python 3.4+! I will prefer Python 3 in examples but will also include notes about big differences between each python version and Scapy if they exist.

If you’re using a Mac or running some version of *nix you probably already have Python 2 (and maybe even Python 3) installed. To check, open a terminal and type python3 or python. You should see something like this:

If you are running Windows or for some other reason do not have Python installed already, go to the Python download page and grab the installer for your platform.

Installing Scapy

There are multiple ways to install Scapy depending on your platform. Check out the Scapy installation guides to find instructions and installer packages relevant to your platform. Once Scapy is installed, you should be able to run it from the terminal, just like we did with Python, and get something that looks like this:

I highly recommend install IPython in your scapy environment as it makes interactive mode much more enjoyable!

Continue reading

Scapy p.03 – Scapy Interactive Mode

This entry is part 3 of 11 in the series Building Network Tools with Scapy

Running Scapy

Scapy can be run in two different modes, interactively from a terminal window and programmatically from a Python script. Let’s start getting familiar with Scapy using the interactive mode.

Scapy comes with a short script to start interactive mode so from your terminal you can just type scapy:

Continue reading

Scapy p.04 – Looking at Packets

This entry is part 4 of 11 in the series Building Network Tools with Scapy

Packets, Layers, and Fields. Oh My!

Scapy uses Python dictionaries as the data structure for packets. Each packet is a collection of nested dictionaries with each layer being a child dictionary of the previous layer, built from the lowest layer up. Visualizing the nested packet layers would look something like this:

Each field (such as the Ethernet ‘dst’ value or ICMP ‘type’ value) is a key:value pair in the appropriate layer. These fields (and nested layers) are all mutable so we can reassign them in place using the assignment operator. Scapy has packet methods for viewing the layers and fields that I will introduce next.

Packet summary() and show() Methods

Now let’s go back to our pkt and have some fun with it using Scapy’s Interactive mode. We already know that using the summary() method will give us a quick look at the packet’s layers:

Continue reading

Scapy p.05 – Sending our First Packet; ARP Response

This entry is part 5 of 11 in the series Building Network Tools with Scapy

With a good understanding of how to view our packets we can now move onto some packet generation. Let’s talk a bit about sniffing first and how existing packets are our best tool for creating new ones.

Sniff() function arguments

We’ve used the sniff() function a couple times already to capture some packets for viewing. I’m going to explain a little bit more about the sniff() function and its arguments. Continue reading

Scapy p.06 – Sending and Receiving with Scapy

This entry is part 6 of 11 in the series Building Network Tools with Scapy

We’ve sniffed some packets, dig down into packet layers and fields, and even sent some packets. Great job! It’s time to step up our game with Scapy and start really using some of the power Scapy contains. Please Note: this next example is for education and example only. Please be responsible on your network, especially at work!

Scapy Send/Receive Function

Let’s get familiar with the sr(), sr1(), srp(), and srp1() functions. Just like the send(), function, the ‘p’ at the end of the function name means that we’re sending at L2 instead of L3. The functions with a ‘1’ in them mean that Scapy will send the specified packet and end after receiving 1 answer/response instead of continuing to listen for answers/responses. I’ll reference both functions as sr(), but the examples will use the correct function.

Continue reading

Scapy p.07 – Monitoring ARP

This entry is part 7 of 11 in the series Building Network Tools with Scapy

Using Scapy in a Python Script

So far we’ve been working with Scapy in interactive mode. It’s very powerful but there are times when it would be easier to work with a Python script instead. In order to use Scapy, we have to import the Scapy module like this:

This will import all Scapy functions, but if you know that you will only need a few of the functions, you can import them individually as well like this:

Continue reading

Scapy p.08 – Making a Christmas Tree Packet

This entry is part 8 of 11 in the series Building Network Tools with Scapy

We’ve doing a lot of packet sniffing, analysis, and even some basic packet crafting of our own. With the ICMP packets we created, we only set the destination we wanted to use and let Scapy take care of the rest.

Taking Control of Protocol Fields

I want to show you how to take a bit more control over the packet creation process by creating a TCP Christmas Tree packet. I’ll let you read the details, just know that the name of this packet comes from every TCP header flag bit turned on (set to 1), so it can be said the packet is “lit up like a Christmas Tree.” Continue reading