    Guillaume Valadon
    @guedou
    Scapy cannot match Wireshark performance. To perform a fair comparison, you should replace the sleep call with printing the packet summary.
    erfanask
    @erfanask
    Hi!
    I try to sniff HTTP requests behind nginx.
    For example, my app is working on port 3000 behind nginx on 443 and 80.
    I try to bind 3000 to HTTP; that's working when I try to access 3000, but when I try to use port 80 or 443
    I can't see the requests between nginx and my app on port 3000.
    davidozc
    @davidozc
    Hi,
    I'm trying to bind layers like the following:
    bind_layers(LayerB, LayerC, fields from LayerA)
    Is it possible to do so? Or is there any other workaround to bind two layers?
    alixpat
    @alixpat:matrix.org

    Hi,

    I'd like to redirect a tcpdump sniff to scapy.scapy.sendrecv.sniff.
    Do you have an idea?

    AmericanWhey
    @AmericanWhey

    I apologize, I have no network analysis experience, but I have a question that I hope isn't too taxing for someone who has knowledge of what Scapy or other packet forging programs are capable of. A "fact-check" website is claiming that Scapy or another tool could be used to forge the entire network traffic of hundreds of Internet-connected voting machines in the 2020 Presidential Election. The author isn't talking about capturing the traffic; supposedly, the capturing of the election traffic has already been done. He is claiming that Scapy or another tool could be used to forge an 'alternative' version of the 2020 election traffic. To me, that would seem utterly impossible, because even if Scapy or another tool were theoretically capable, the labor required to achieve such a feat without producing absolutely absurd, flawed results would be insurmountable. I wouldn't argue that a small sample of, say, 20 votes could be forged believably, but millions of votes or potentially tens of millions? No way, with the limited knowledge I have about network traffic.

    So, am I right that it is absurd to say that Scapy or another program could believably be used to forge network traffic of that scale and size?

    Guillaume Valadon
    @guedou
    Given the sensitive topic, it is difficult to provide a satisfying answer without any context regarding the network protocols in use. Could you share the link to the claim?
    AmericanWhey
    @AmericanWhey

    Yes, thank you.
    First, here's the most recent interview with the security specialist talking about the sample capture: t.ly/hEBd
    Here is an earlier interview with, I think, the same security specialist: t.ly/gdI6
    Here, t.ly/slPc beginning at timecode 01:36:05 through 01:49:45, is an interview with a different security specialist that goes into more detail. This is the first and oldest video created on the subject. Still, keep in mind, these videos were created for the general public, not network professionals, so its technical content is limited.

    Finally, here t.ly/OqXo is the article from the fact-check site that is asserting that Scapy or another tool could be used to 'forge' the network capture of the 20 votes that were changed. Fine. I don't argue that's not potentially possible on a limited number like that. But, to claim that millions of votes could be forged in a highly credible way by Scapy or a different tool ... I find that very hard to believe.

    Tao Wang
    @wtao0221
    Hi,
    If a field (A) is a BitField of size 3 with a following field (B) of size 5, can we directly set intended values to them (A or B)? Will Scapy check whether the value is beyond its range?
    r4t31
    @r4t31

    Hello!

    How can I create a new packet from a raw hex string (0x16030100...)?

    from scapy.all import *
    load_layer("tls")
    
    pkg = TLS("0x160301003502000031030160BE....")
    pkg.show()

    This is not working.

    Pierre Lalet
    @p-l-
    Try:
    from scapy.all import *
    load_layer("tls")
    
    pkg = TLS(hex_bytes("160301003502000031030160BE...."))
    pkg.show()
    It should work. Here is what I get with the incomplete data you posted:
    >>> TLS(hex_bytes("160301003502000031030160BE")).show()
    ###[ TLS ]### 
      type      = handshake
      version   = TLS 1.0
      len       = 53    [deciphered_len= 8]
      iv        = b''
      \msg       \
       |###[ Raw ]### 
       |  load      = '\x02\x00\x001\x03\x01`\xbe'
      mac       = b''
      pad       = b''
      padlen    = None
    Tao Wang
    @wtao0221
    Hi, is there any way to bind layers where the potential values come from a list? Like bind_layers(TCP, HTTP, sport in some_list)? Or should I write each value in its own bind_layers() statement?
    gpotter2
    @gpotter2
    You can obviously loop over it:
    for i in [1, 2, 3]:
        bind_layers(TCP, HTTP, sport=i)  # the field/value pair is passed as a keyword argument
    Merc
    @mercurial12

    Hi folks, I've sniffed a DHCP Discover packet via Scapy, and it seems like the 'chaddr' field is not being read properly. Wireshark shows it just fine ('10:39:e9:7f:d5:81')!

    flags      : FlagsField                          = <Flag 32768 (B)> ('<Flag 0 ()>')
    ciaddr     : IPField                             = '0.0.0.0'       ("'0.0.0.0'")
    yiaddr     : IPField                             = '0.0.0.0'       ("'0.0.0.0'")
    siaddr     : IPField                             = '0.0.0.0'       ("'0.0.0.0'")
    giaddr     : IPField                             = '0.0.0.0'       ("'0.0.0.0'")
    chaddr     : Field                               = b'\x109\xe9\x7f\xd5\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ("b''")

    Any thoughts why this is not showing the actual mac address here?

    gpotter2
    @gpotter2
    Are you doing ls(..) instead of pkt.show() ?
    kaitogon
    @kaitogon
    Hi, I have a question please. For each datagram exchange, TCP initiates a new session between the FTP client and the FTP server. The question is: can I change the TCP session size from Scapy?
    For FTP?
    Merc
    @mercurial12
    @gpotter2 - yes, doing ls(pkt). Tried pkt.show() too, same outcome:
    ###[ BOOTP ]###
               op        = BOOTREQUEST
               htype     = 1
               hlen      = 6
               hops      = 0
               xid       = 3074830325
               secs      = 0
               flags     = B
               ciaddr    = 0.0.0.0
               yiaddr    = 0.0.0.0
               siaddr    = 0.0.0.0
               giaddr    = 0.0.0.0
               chaddr    = b'4\xef\xb6\x7f\xd5\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    stereoid00
    @stereoid00
    Hi all, can I join different packet sets into one so that I can send them with a single 'sendpfast()' call? Those packet sets use different protocols (TCP, UDP and ICMP). Of course the other option would be to use Python threading and three 'sendpfast()' calls, but I'm not sure how the performance would work out.
    Afilsi
    @Afilsi
    Hi @stereoid00, I think it's not the best way to do it, but I would try to join them all into one big list like this: allPackets = [pack for pack in TCPSet] + [pack for pack in UDPSet] + [pack for pack in ICMPSet]
    Afilsi
    @Afilsi
    For my part, I also have a question. I have declared tables other than the usual ones in /etc/iproute2/rt_tables and added routes to these tables. If I do an ip route show table all, my routes are present, but conf.route does not see them.
    Is it possible to tell Scapy to read these other routes?
    Guillaume Valadon
    @guedou
    Unfortunately no. Scapy only gets the entries in the main table. I am not aware of a simple way to access them.
    Afilsi
    @Afilsi
    Okay, thank you very much for your answer.
    PhilippTakacs
    @PhilippTakacs
    Hi, the following code gives None:
    p = DNS(qd=[DNSQR()],an=[DNSRR()])
    DNS(DNS(p.build()).an[0].rdlen
    Is this considered a bug?
    PhilippTakacs
    @PhilippTakacs
    second part:
    DNS(p.build()).an[0].rdlen
    Guillaume Valadon
    @guedou
    Yeah, this is a bug. Can you file an issue?
    PhilippTakacs
    @PhilippTakacs
    Yes it's
    Milad
    @miladstar77
    Hello everybody, how can I read a big pcap file line by line instead of all at once with rdpcap … to increase reading speed?
    fouzhe
    @fouzhe
    Hi, all!
    In the Fuzz function, those fields without pre-assigned values will be randomly generated, as is referred in the usage.
    However, in general, fuzzing a packet p means randomly modify some fields of p.
    So, as for a well-formed packet p, how to generate a malformed packet p' based on p using Fuzz function, or in other ways?
    Thanks!
    Afilsi
    @Afilsi
    Hello @miladstar77, PcapReader() creates an "iterator" on your pcap file and loads a packet only when it's needed. So you can simply use a for loop to read your file line by line.
    Daniel Walker
    @nickeldan
    Does scapy have a version of scapy.sendrecv.sniff that works as a context manager? I imagine something like
    with scapy.sendrecv.SniffContextManager(filter=some_bpf) as sniffer:
        scapy.sendrecv.send(some_packet)
        responses = sniffer.receive_packets(1, timeout=1) # Number of packets to receive
        if responses:
            response = responses[0]
            scapy.sendrecv.send(some_other_packet)
            # receive more packets
    For the simple case where I want to send a packet and capture the reply, I can solve the race condition by using the started_callback keyword argument to sniff. However, for more complicated use cases, it seems cumbersome (and inefficient due to the capture initialization overhead) to call sniff over and over again with different started_callback arguments.
    fouzhe
    @fouzhe

    For example,

    pkt=IP(hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01"))
    pkt.show()
    pkt_fuzz=fuzz(pkt)  # the content of pkt doesn't change after being fuzzed
    pkt.show()

    If I want to randomly change the value of any fields of pkt, how to do that?

    Guillaume Valadon
    @guedou
    @fouzhe the corrupt_bytes() and corrupt_bits() functions can be used to modify this IP packet.
    For example:
    >>> data = hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01")
    >>> hexdiff(data, corrupt_bytes(data))
    0000        E5 E6 00 14 C2 2E 1B DA  2F 7F F0 12 C0 A8 01 66   ......../......f
         0000   E5 E6 00 14 77 2E 1B DA  2F 7F F0 12 C0 A8 01 66   ....w.../......f
    0010 0010   50 5A 0A 01
    fouzhe
    @fouzhe
    @guedou Hello, thanks for your answer!
    Can I specify which field to be modified, when using function corrupt_bytes() or corrupt_bit()?
    Guillaume Valadon
    @guedou
    Unfortunately, no.
    fouzhe
    @fouzhe
    So, if I use Fuzz function, can I specify the field to be modified?
    Guillaume Valadon
    @guedou
    If you set the field value to None, yes.
    fouzhe
    @fouzhe

    If you set the field value to None, yes.

    Sometimes, setting the field to None can be illegal. Would it be better to delete the corresponding key-value pair in the dictionary pkt.fields?

    Guillaume Valadon
    @guedou
    Sorry, I meant deleting the field value, like pkt.version in your example.
    fouzhe
    @fouzhe
    Thanks!
    If I want to fuzz the version field, del pkt.version before fuzz can achieve it.
    For example:
    pkt = IP(hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01"))
    pkt.show2()
    del pkt.version            # drop the explicit value so the random default applies
    pkt_fuzz = fuzz(pkt)       # fuzz() returns a copy; pkt itself is left unchanged
    pkt_fuzz.show2()
    fouzhe
    @fouzhe

    @guedou Hi, based on this, to randomly fuzz any well-formed packet, I'd like to give this a shot like following:

    @conf.commands.register
    def fuzz(p,  # type: Packet
             _inplace=0,  # type: int
             ):
        # type: (...) -> Packet
        """
        Transform a layer into a fuzzy layer by replacing some default values
        by random objects.
    
        :param p: the Packet instance to fuzz
        :return: the fuzzed packet.
        """
        if not _inplace:
            p = p.copy()
        q = p
        while not isinstance(q, NoPayload):
            new_default_fields = {}
            multiple_type_fields = []  # type: List[str]
    -        for f in q.fields_desc:
    +        for f in list(q.fields_desc):
                if isinstance(f, PacketListField):
                    for r in getattr(q, f.name):
                        fuzz(r, _inplace=1)
                elif isinstance(f, MultipleTypeField):
                    # the type of the field will depend on others
                    multiple_type_fields.append(f.name)
                elif f.default is not None:
                    if not isinstance(f, ConditionalField) or f._evalcond(q):
                        rnd = f.randval()
                        if rnd is not None:
                            new_default_fields[f.name] = rnd
    +                    import random
    +                    if random.randint(1,5) == 2:    # randomly delete some fields
    +                        delattr(q, f.name)
            # Process packets with MultipleTypeFields
            if multiple_type_fields:
                # freeze the other random values
                new_default_fields = {
                    key: (val._fix() if isinstance(val, VolatileValue) else val)
                    for key, val in six.iteritems(new_default_fields)
                }
                q.default_fields.update(new_default_fields)
                # add the random values of the MultipleTypeFields
                for name in multiple_type_fields:
                    fld = cast(MultipleTypeField, q.get_field(name))
                    rnd = fld._find_fld_pkt(q).randval()
                    if rnd is not None:
                        new_default_fields[name] = rnd
            q.default_fields.update(new_default_fields)
    +        if _inplace:
    +            q.fields.update(new_default_fields)
            q = q.payload
        return p
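    Review bot: the added `delattr(q, f.name)` is reached for every field that enters the `elif f.default is not None:` branch, not only for fields that carry an explicit value in `q.fields`, and it sits outside the `if rnd is not None:` guard, so a field whose `randval()` returned None is deleted with no replacement queued in `new_default_fields`; what `delattr` does with a name that is absent from `q.fields` is then up to `Packet.__delattr__`, and either outcome (an exception, or a stripped default that the later `q.default_fields.update(new_default_fields)` never restores) breaks the build. Restrict the deletion to explicit values, e.g. `if f.name in q.fields and random.random() < p_drop: delattr(q, f.name)`, with `p_drop` a parameter of fuzz() rather than the magic `random.randint(1,5) == 2`, and hoist `import random` out of the loop. Two smaller points: `q.fields.update(new_default_fields)` under `if _inplace:` only fires for the recursive PacketListField calls, so nested packets get their explicit values overridden while the top layer does not, which is inconsistent and, once explicit values are dropped at random, redundant; and `list(q.fields_desc)` is harmless but unnecessary, since nothing in the loop body mutates `fields_desc`.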

    I'm new to Scapy and thus not sure whether it is correct.
    Could you please help me?
    Thanks!

    lapinouxxx
    @lapinouxxx

    Hello dev(s) and contributor(s), as I said on GitHub, I have an issue with the wifi card 036ach and Scapy: when sniffing, no packets are captured.
    This is how I simply test whether the card is working or not:

    └─$ sudo python3                                               
    Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
    [GCC 10.2.1 20210110] on linux
    >>> from scapy.all import *
    >>> sniff(count=4, iface="wlan1mon")
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:0>
    >>> sniff(count=4, iface="wlan1mon")
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:0>
    >>> exit()

    As you can see, there is no packet at all.

    Environment: 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-1kali1 (2021-06-25) x86_64 GNU/Linux
    Scapy version : 2.4.4
    Driver of the card : latest
    lapinouxxx
    @lapinouxxx
    (with the 036nah I have no issue at all, FYI, using custom sockets and async sniffing)
    higher75
    @higher75
    Who can help me?
    IP(dst='localhost') / ICMP(type=3,code=0) / ICMPExtensionHeader()
    but the result is this:
    Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 0 (Network unreachable)
    Checksum: 0xfcff [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol, bogus version (2) ---> Why not an extended data packet, but such a packet?
    0010 .... = Version: 2