scapy – Interactive Packet Manipulation / Generation Tool for Linux / UNIX

Posted in Categories Debian Linux, Hardware, Linux, Security, Ubuntu Linux, UNIX; last updated January 28, 2008

Recently I started to play with scapy – a powerful interactive packet manipulation and custom packet generation program written in Python. Please note that this tool is not for new Linux / UNIX users. It requires extensive knowledge of network protocols, packets, layers and other hardcore networking concepts. This tool is extremely useful for
a] Understanding network headers
b] Testing network security
c] Writing your own utilities using scapy
d] Decoding protocols etc.

From the man page:

You can use this tool to check the security of your own network as it allows to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques such as VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, etc.

Install scapy

Type the following command:
$ sudo apt-get install scapy

Getting started with scapy

Type scapy at a shell prompt:
$ scapy

Welcome to Scapy (v1.1.1 / f88d99910220)

You interact with scapy by typing commands at its prompt. For example, to list all supported protocols, enter ls():
>>> ls()

ARP        : ARP
ASN1_Packet : None
CookedLinux : cooked linux
DHCP       : DHCP options
DNS        : DNS
DNSQR      : DNS Question Record
DNSRR      : DNS Resource Record
Dot11      : 802.11
Dot11ATIM  : 802.11 ATIM
Dot11AssoReq : 802.11 Association Request
Dot11AssoResp : 802.11 Association Response
Dot11Auth  : 802.11 Authentication
Dot11Beacon : 802.11 Beacon
Dot11Deauth : 802.11 Deauthentication
Dot11Disas : 802.11 Disassociation
Dot11Elt   : 802.11 Information Element
Dot11ProbeReq : 802.11 Probe Request
Dot11ProbeResp : 802.11 Probe Response
Dot11ReassoReq : 802.11 Reassociation Request
Dot11ReassoResp : 802.11 Reassociation Response
Dot11WEP   : 802.11 WEP packet
Dot1Q      : 802.1Q
Dot3       : 802.3
EAP        : EAP
Ether      : Ethernet
GPRS       : GPRSdummy
GRE        : GRE
HCI_ACL_Hdr : HCI ACL header
HCI_Hdr    : HCI header
HSRP       : HSRP
ICMP       : ICMP
ICMPerror  : ICMP in ICMP
IP         : IP
IPerror    : IP in ICMP
IPv6       : IPv6 not implemented here.
ISAKMP_class : None
ISAKMP_payload : ISAKMP payload
ISAKMP_payload_Hash : ISAKMP Hash
ISAKMP_payload_ID : ISAKMP Identification
ISAKMP_payload_KE : ISAKMP Key Exchange
ISAKMP_payload_Nonce : ISAKMP Nonce
ISAKMP_payload_Proposal : IKE proposal
ISAKMP_payload_Transform : IKE Transform
ISAKMP_payload_VendorID : ISAKMP Vendor ID
IrLAPCommand : IrDA Link Access Protocol Command
IrLAPHead  : IrDA Link Access Protocol Header
IrLMP      : IrDA Link Management Protocol
L2CAP_CmdHdr : L2CAP command header
L2CAP_CmdRej : L2CAP Command Rej
L2CAP_ConfReq : L2CAP Conf Req
L2CAP_ConfResp : L2CAP Conf Resp
L2CAP_ConnReq : L2CAP Conn Req
L2CAP_ConnResp : L2CAP Conn Resp
L2CAP_DisconnReq : L2CAP Disconn Req
L2CAP_DisconnResp : L2CAP Disconn Resp
L2CAP_Hdr  : L2CAP header
L2CAP_InfoReq : L2CAP Info Req
L2CAP_InfoResp : L2CAP Info Resp
LLC        : LLC
MGCP       : MGCP
MobileIP   : Mobile IP (RFC3344)
MobileIPRRP : Mobile IP Registration Reply (RFC3344)
MobileIPRRQ : Mobile IP Registration Request (RFC3344)
MobileIPTunnelData : Mobile IP Tunnel Data Message (RFC3519)
NBNSNodeStatusResponse : NBNS Node Status Response
NBNSNodeStatusResponseEnd : NBNS Node Status Response
NBNSNodeStatusResponseService : NBNS Node Status Response Service
NBNSQueryRequest : NBNS query request
NBNSQueryResponse : NBNS query response
NBNSQueryResponseNegative : NBNS query response (negative)
NBNSRequest : NBNS request
NBNSWackResponse : NBNS Wait for Acknowledgement Response
NBTDatagram : NBT Datagram Packet
NBTSession : NBT Session Packet
NTP        : NTP
NetBIOS_DS : NetBIOS datagram service
NetflowHeader : Netflow Header
NetflowHeaderV1 : Netflow Header V1
NetflowRecordV1 : Netflow Record
NoPayload  : None
PPP        : PPP Link Layer
PPPoE      : PPP over Ethernet
PPPoED     : PPP over Ethernet Discovery
Packet     : None
Padding    : Padding
PrismHeader : Prism header
RIP        : RIP header
RIPEntry   : RIP entry
Radius     : Radius
Raw        : Raw
SMBMailSlot : SMB Mail Slot Protocol
SMBNegociate_Protocol_Request_Header : SMBNegociate Protocol Request Header
SMBNegociate_Protocol_Request_Tail : SMB Negociate Protocol Request Tail
SMBNegociate_Protocol_Response_Advanced_Security : SMBNegociate Protocol Response Advanced Security
SMBNegociate_Protocol_Response_No_Security : SMBNegociate Protocol Response No Security
SMBNegociate_Protocol_Response_No_Security_No_Key : None
SMBNetlogon_Protocol_Response_Header : SMBNetlogon Protocol Response Header
SMBNetlogon_Protocol_Response_Tail_LM20 : SMB Netlogon Protocol Response Tail LM20
SMBNetlogon_Protocol_Response_Tail_SAM : SMB Netlogon Protocol Response Tail SAM
SMBSession_Setup_AndX_Request : Session Setup AndX Request
SMBSession_Setup_AndX_Response : Session Setup AndX Response
SNAP       : SNAP
SNMP       : None
SNMPbulk   : None
SNMPget    : None
SNMPinform : None
SNMPnext   : None
SNMPresponse : None
SNMPset    : None
SNMPtrapv1 : None
SNMPtrapv2 : None
SNMPvarbind : None
STP        : Spanning Tree Protocol
SebekHead  : Sebek header
SebekV1    : Sebek v1
SebekV2    : Sebek v3
SebekV2Sock : Sebek v2 socket
SebekV3    : Sebek v3
SebekV3Sock : Sebek v2 socket
Skinny     : Skinny
TCP        : TCP
TCPerror   : TCP in ICMP
UDP        : UDP
UDPerror   : UDP in ICMP
_IPv6OptionHeader : IPv6 not implemented here.

To list user commands, enter lsc():
>>> lsc()
To list the field structure of the ICMP layer, enter:
>>> ls(ICMP)

type       : ByteEnumField        = (8)
code       : ByteField            = (0)
chksum     : XShortField          = (None)
id         : XShortField          = (0)
seq        : XShortField          = (0)
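The five fields printed by ls(ICMP) above are exactly the bytes scapy serialises when you build an ICMP() packet, and chksum = (None) means scapy fills the checksum in for you. The following Python code is an added example, not code from the original post or from the scapy project: using only the standard library, it packs and unpacks those five fields, computes the RFC 1071 one's-complement checksum, and validates it on decode. The constant names, function names and the sample packet are my own constructions; with scapy installed, ICMP(pkt) decodes the same bytes into the same field names.

```python
import struct

# ICMP header layout as shown by scapy's ls(ICMP):
#   type (1 byte), code (1 byte), chksum (2 bytes), id (2 bytes), seq (2 bytes)
# Network byte order, hence the leading "!".
ICMP_HDR = struct.Struct("!BBHHH")
ICMP_ECHO_REQUEST = 8  # the default value ls(ICMP) shows for "type"
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as IP, ICMP, TCP and UDP use it."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero byte for the sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold any carry bits back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMP message with the checksum filled in (what scapy does for chksum=None)."""
    header = ICMP_HDR.pack(icmp_type, code, 0, ident, seq)  # checksum field zeroed first
    chksum = inet_checksum(header + payload)
    return ICMP_HDR.pack(icmp_type, code, chksum, ident, seq) + payload


def parse_icmp(data: bytes) -> dict:
    """Decode an ICMP message into the fields ls(ICMP) lists, plus whether the checksum verifies."""
    if len(data) < ICMP_HDR.size:
        raise ValueError("truncated ICMP header: %d bytes" % len(data))
    icmp_type, code, chksum, ident, seq = ICMP_HDR.unpack_from(data)
    return {
        "type": icmp_type,
        "code": code,
        "chksum": chksum,
        "id": ident,
        "seq": seq,
        "payload": data[ICMP_HDR.size:],
        # Summing the message with its stored checksum included yields 0 when it is intact.
        "chksum_ok": inet_checksum(data) == 0,
    }


if __name__ == "__main__":
    # Constructed sample: an echo request with id 0x1234, seq 1 and a 4-byte payload.
    pkt = build_icmp(ICMP_ECHO_REQUEST, 0, 0x1234, 1, b"abcd")
    print(pkt.hex())
    for name, value in parse_icmp(pkt).items():
        print("%-9s : %r" % (name, value))
```

Running the module prints the hex of the constructed packet followed by one line per field, mirroring the layout of ls(ICMP); feeding it a packet with a flipped byte shows chksum_ok turning False, which is the check a decoder or IDS performs before trusting any ICMP field.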

A full scapy tutorial is beyond the scope of this post. See the scapy man page and the demo page for more information:
$ man scapy

3 comments

  1. Hi,
    Which Linux distribution have you used to successfully launch Scapy? I have Suse Linux 10.2 and have tried all I can to have scapy running but have not succeeded so far.

    There is no such command as this ($ sudo apt-get install scapy) used in Suse Linux for scapy installation. I manually downloaded the scapy tar.gz file from the web and used tar -zxvf tar.gz file to unzip it. Then ran the ./configure and make install commands but only received crapes from my command lines.

    Please, I would appreciate if you can tell me which distribution works best with Scapy. Python is just perfectly installed but not my scapy.


  2. Scapy now seemed to work BUT I have a big problem. I followed through the scapy documentation 2.0 ( until when I tried to execute the script command >>> hexdump(a), it said something about python wrapper or it may have related to some sort of incomplete packages installation.

    Do you know what I might have done wrong? Can you please make a complete list of packages needed in Ubuntu that all work fine? Or should I do some configuration with my python? I have python2.5 and python2.6 on the system.

