Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Pierre Lalet
    @p-l-
    So you should really open an issue :)
    Daniel GarcĂ­a
    @danigargu
    thx!
    MariMari7
    @MariMari7
    Hello, I want to write a script that take Two PCAP files to compare them by Packet (time, ip_source, ip_dest, port_source, port_dest, etc ..) and save the difference into another PCAP file. Any help ??
    Venkateswaran
    @VenkateswaranJ
    Can someone help me with this StackOverflow question https://stackoverflow.com/questions/67266751/remove-tcp-option-using-scapy
    I don't want to copy-paste the question here.
    Nils Weiss
    @polybassa
    @trumpetsven You can create bytes to be sent like you showed with Scapy. It's currently not possible to dissect bytes you receive into this kind of structure. Is there a specification for such an application?
    MariMari7
    @MariMari7
    I have a large size PCAP file (about 12GB), can I parse it using Scapy ?
    PhilippTakacs
    @PhilippTakacs
    Is there a way to get DNSQR/DNSRR out of a DNS packate as a list?
    gpotter2
    @gpotter2
    You can try list(DNS(qd=DNSQR()/DNSQR()).qd.iterpayloads())
    Pooshkis
    @Pooshkis
    hi, maybe someone will have any ideas - when i'm trying to maipulate with RTP packets using scapy (e.g. change version or other header field) and then send them away, everything works, except Wireshark on the other end doesn't "see" those packets as RTP anymore, only as UDP. pkt.show() still shows those packets as RTP (on both sides).. What am I missing?
    TrumpetSven
    @trumpetsven
    @polybassa At this time I got it working wth something like: ip/tcp/bytearray(raw(DoIP(Data1)/UDS(Data1)))/bytearray(raw(DoIP(Data2)/UDS(Data2))).
    This is probably defined in ISO 14229-5, but do not have in handy now.
    Afilsi
    @Afilsi
    @MariMari7, you can use for pkt in PcapReader('datas.pcap'):, which allows to load a packet in memory only when it is needed and not to overload the memory with the complete capture.
    Michael Bruhn
    @EviLDgL_gitlab
    Hey guys. Im actually implementing an ssh client/server in scapy with the automaton framework and i came across a problem. decrypting/enrypting/parsing ect works just fine until it comes to tcp fragmentation. i discovered the tcp_reassamble method but i dont get it 100% by now. My problem is that the "ssh packet length" is encrypted so there is no way to find if the data is segmentend or not. is there any way to pass the "decryptor" object with the meta data dictionary and decrypt the first chunk of a packet and extract the "ssh packet length"? And sometimes there are multiple "small" ssh packets encrypted in one tcp payload this is kinda the contrary problem with that. i want the master_filter return the separatly. My solution so far is decrypting everything in the master_filter and overwrite the packet ref with the "big concatenated packet", but this only triggers the receive.conditions of my automaton once even if there are multiple packets returned. Is there any mechanism implemented to get the master_filter do return the sequentially or needs this to be implemented somewhere in the "scapy area" of my ssh definition? Greetings :)
    the "decryptor" object ist part of the class which contains the automaton, so one "layer" above the actuall scapy ssh implementation
    sezb51
    @sezb51
    Hello. I'm new to scapy and in my learning I'm trying to simulate a vowifi request which includes ipsec (isakmp/esp) toward ePDG then a sip register toward ims. Currently I'm struggling on the first "ike_sa_init initiator request" where I'm not able to add multiple transform proposal to the security association payload. Do you think my objective is doable with scapy ? How is the ipsec implementation so far ? Is this the proper forum for these kind of requests or is there any better repository for more data/code exchange ?
    sezb51
    @sezb51
    The below screenshot is an attempt to derive packet configuration from a working pcap capture.
    Unfortunately scapy seems unable to inspect (or support) all different sublayers and just show the "load" field populated with the data I hoped to re-use as baseline in my python code...
    scapy_isakmp_issue.png
    davehouser1
    @davehouser1
    Hello
    I am trying to configure EDNS for a DNS packet with scapy.
    I need to craft specific sections for EDNS Opt0 based on RFC7871. See section 6
    https://datatracker.ietf.org/doc/html/rfc7871
    I read though this documentation
    https://scapy.readthedocs.io/en/latest/api/scapy.layers.dns.html
    The "Display RFC-like schema" for class scapy.layers.dns.DNSRROPT(args, *kargs) does not seem to resemble this structure. Notice that RFC7871 references RFC6891 in section 6
    Is there a way to adjust scapy to send Option: Padding, and Option: CSUBNET - client subnet sections?
    I can do this with the clientsubnetoption module in python, I have tested. You can see this post for details
    https://stackoverflow.com/questions/28609181/resolve-dns-edns-with-client-subnet-option-in-python
    Plans to incorporate this into Scapy? or am I missing something
    bishop527
    @bishop527
    I'm starting to learn about the HDLC protocol and have a question about how it's implemented in Scapy. I see the address and control fields are defined, but not the Flag or FCS/CRC fields. How are those fields accounted for/handled in Scapy? Thanks.
    Guillaume Valadon
    @guedou
    @davehouser1 we have the basic EDNS0TLV RR, but you will need to do the encoding/decoding yourself. Feel free to submit a PR.
    iznogoud-zz
    @iznogoud-zz
    Hello,
    I am doing some experiments with IPsec and would like to decrypt the IKE_AUTH and INFORMATIONAL IKEv2 messages. I have access to the all the keys necessary, SK_e(i,r) and SK_a(i,r) and SPIs but am not sure this is even possible with scapy. Does anyone know if I can do this with scapy? Is there an alternative, if not?
    Thanks
    XyKong
    @TraverseBiTree
    scapy sniffing less packets than wireshark
    image.png
    XyKong
    @TraverseBiTree
    image.png
    I use a sleep() function to simulate the time spent processing tasks in callback function.
    both scapy and wireshark start at the same time
    Obviously see scapy cautions less packet than wireshark . How can I catch all packets using scapy without any packet loss
    gpotter2
    @gpotter2
    See https://scapy.readthedocs.io/en/latest/usage.html#performance-of-scapy
    Guillaume Valadon
    @guedou
    Scapy cannot match wireshark performance. To perform a fair comparison, you should replace the sleep call, by printing the packet summary.
    erfanask
    @erfanask
    hi !
    i try to snif HTTP request behind nginx
    for example my app working on port 3000 behind nginx on 443 and 80 .
    i try to bind 3000 to HTTP , thats working when i try to accesss 3000 but when i try to use port 80 or 443
    I can't see requests between nginx and my app on port 3000 .
    davidozc
    @davidozc
    Hi,
    Im trying to bind layers like following,
    bind_layers(LayerB, LayerC, fields from LayerA)
    is this possible to do so? or any other workaround to bind two layers?
    alixpat
    @alixpat:matrix.org
    [m]

    Hi,

    I'd like to redirect a tcpdump sniff to scapy.scapy.sendrecv.sniff.
    Did you have an idea ?

    AmericanWhey
    @AmericanWhey

    I apologize, I have no network analysis experience, but I have a question that I hope isn't too taxing for someone who has knowledge of what scapy or other packet forging programs are capable of. A "fact-check" website is claiming that scapy or other tool could be used to forge the entire network traffic of hundreds of Internet connected voting machines in the 2020 Presidential Election. The author isn't talking about capturing the traffic, supposedly, the capturing of the election traffic as already been done. He is claiming that scapy or other tool could be used to forge an 'alternative' version of the 2020 election traffic. To me, that would seem utterly impossible, because even if scapy or other tool were theoretically capable, the labor required to achieve such a feat without producing absolutely absurd, flawed results would be insurmountable. I wouldn't argue that a small sample of, say, 20 votes could be forged believably, but millions of votes or potentially tens of millions? No way, with the limited knowledge I have about network traffic.

    So, am I right that it is absurd to say that scapy or other program could believably be used to forge that scale and size of network traffic?

    Guillaume Valadon
    @guedou
    Given the sensitive topic, it is difficult to provide a satisfying answer without any context regarding the network protocols in use. Could you share the link to the claim?
    AmericanWhey
    @AmericanWhey

    Yes, thank-you.
    First, here's the most recent interview with the security specialist talking about the sample capture: t.ly/hEBd
    Here is an earlier interview with, I think, the same security specialist: t.ly/gdI6
    Here, t.ly/slPc beginning at timecode 01:36:05 through 01:49:45, is an interview with a different security specialist that goes into more detail. This is the first and oldest video created on the subject. Still, keep in mind, these videos were created for the general public, not network professionals, so its technical content is limited.

    Finally, here t.ly/OqXo is the article from the fact-check site that is asserting that scapy or other tool could be used to 'forge' the network capture of the 20 votes that were changed. Fine. I don't argue that's not potentially possible on a limited number like that. But, to claim that millions of votes could be forged in a highly credible way by scapy or a different tool ... I find that very hard to believe.

    Tao Wang
    @wtao0221
    Hi,
    if a field (A) is a BitField of size 3 with a following field (B) of size 5. can we directly set intended values to them (A or B)? Will scapy check whether the value is beyond its range?
    r4t31
    @r4t31

    Hello!

    How can I create a new package from raw hex string (0x16030100...)

    from scapy.all import *
load_layer("tls")

pkg = TLS("0x160301003502000031030160BE....")
pkg.show()

    this not working.

    Pierre Lalet
    @p-l-
    Try:
    from scapy.all import *
load_layer("tls")

pkg = TLS(hex_bytes("160301003502000031030160BE...."))
pkg.show()
    It should work. Here is what I get with the incomplete data you posted:
    >>> TLS(hex_bytes("160301003502000031030160BE")).show()
###[ TLS ]### 
  type      = handshake
  version   = TLS 1.0
  len       = 53    [deciphered_len= 8]
  iv        = b''
  \msg       \
   |###[ Raw ]### 
   |  load      = '\x02\x00\x001\x03\x01`\\xbe'
  mac       = b''
  pad       = b''
  padlen    = None
    Tao Wang
    @wtao0221
    Hi, is there any way to bind layers where the potential values are from a list? like bind_layers( TCP, HTTP, sport in some_list )? or should I write each value in a bind_layers() statement?
    gpotter2
    @gpotter2
    You can obviously loop on it
    for i in [1, 2, 3]:
    bind_layers(TCP, HTTP, i)
    mercurial-tim
    @mercurial-tim

    Hi folks, I've sniffed a DHCP Discover pkt via Scapy, and seems like the 'chaddr' field is not being read properly. Wireshark shows it just fine ('10:39:e9:7f:d5:81')!

    flags      : FlagsField                          = <Flag 32768 (B)> ('<Flag 0 ()>')
ciaddr     : IPField                             = '0.0.0.0'       ("'0.0.0.0'")
yiaddr     : IPField                             = '0.0.0.0'       ("'0.0.0.0'")
siaddr     : IPField                             = '0.0.0.0'       ("'0.0.0.0'")
giaddr     : IPField                             = '0.0.0.0'       ("'0.0.0.0'")
chaddr     : Field                               = b'\x109\xe9\x7f\xd5\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ("b''")

    Any thoughts why this is not showing the actual mac address here?

    gpotter2
    @gpotter2
    Are you doing ls(..) instead of pkt.show() ?
    kaitogon
    @kaitogon
    Hi I have a question please ? For each datagram exchange, TCP initiates a new session between the FTP client and the FTP server. The question is that can I change the tcp session size from scapy ?
    for ftp ?
    mercurial-tim
    @mercurial-tim
    @gpotter2 - yes doing ls(pkt). Tried pkt.show() too, same outcome:
    ###[ BOOTP ]###
           op        = BOOTREQUEST
           htype     = 1
           hlen      = 6
           hops      = 0
           xid       = 3074830325
           secs      = 0
           flags     = B
           ciaddr    = 0.0.0.0
           yiaddr    = 0.0.0.0
           siaddr    = 0.0.0.0
           giaddr    = 0.0.0.0
           chaddr    = b'4\xef\xb6\x7f\xd5\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    stereoid00
    @stereoid00
    Hi all, Can i join different packet sets into one so that I can send them with a single 'sendpfast()' method? Those packet sets use different protocols (TCP, UDP and ICMP). Of course ther option would be to use python threading and use three 'sendpfast()' commands but i'm not sure how would performance work