Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info
    Anindya Das

    Hello, I am on a Ubuntu 18.04.5 LTS (source) and I using scapy to send ICMP packets with a custom payload to a destination IP (also an Ubuntu system).
    The source has two interfaces: eth0 and eth1.
    I want to send layer 3 packets from both the interfaces eth0 and eth1. Likewise I use send() function.

    I am also using tcpdump to check whether the packets are sent to the interface (iface parameter) mentioned in the function.

    • When I use send(IP(dst='dst_ip')/ICMP(), iface='eth0') I see that the packet leave via the eth0 interface and I get a icmp echo reply.
    • But, when I use send(IP(dst='dst_ip')/ICMP(), iface='eth1'), I see that the packet leave via eth0 again and not eth1. At the destination I receive the packet with source IP of eth0 and the icmp reply is sent for eth0 IP.
    • But, when I use ping -I eth1 'dst_ip' I see packets going out of eth1 interface, and the destination receives packets with source ip of eth1 and send echo replies to eth1.
    • is it possible to get the same functionality in scapy using the send() function and mentioning the iface parameter?
    I am using scapy 2.4.5
    Guillaume Valadon
    @brifordwylie this secdev/scapy#3385 fixes the issue. Can you try it?
    @hundredmiles you needs to use conf.iface instead
    Anindya Das
    @guedou conf.iface returns the default gw interface which is eth0 in this case. How can I redirect packets to eth1?
    Guillaume Valadon
    Set it to eth1
    Anindya Das
    Does not work. The packet is still sent out via eth0.
    Also, why do we need the extra step of setting conf.iface to eth1 and then using iface=conf.iface? If the argument iface is supplied in send(), should it automatically force the packet out of the mentioned interface and set the source address to that of the outgoing interface?
    what is the easiest way to tell sr() consider multible segments of a tcp connection as an awnser? currently only the packages with exect matching sequence number are returned, but i know there are more packages
    Brian Wylie
    @guedou secdev/scapy#3385 works great.. thank you so much for the quick turnaround :)
    Haram Park
    I need approval..!! check it please
    Anindya Das
    I am trying to sniff on multiple interfaces in Scapy. As per documentation it is possible. However, I am getting AttributeError
    I am using sniff(filter='icmp', iface=['eth0', 'eth1'], prn=lambda x: x.show())
        iface_b = create_string_buffer(network_name(iface).encode("utf8"))
    AttributeError: 'list' object has no attribute 'encode'
    Are you using the latest github dev version?
    Hi everyone, I was wondering whether scapy offers any tools for collecting flow-level details i.e the total number of packets in a flow, the in-out bytes and packets and so on. Maybe have I missed something in the documentation because I see scapy working only in packet level and not flow level?
    I only see scapy being able to decode a Netflow packet but not collect flow statistics itself.
    Anindya Das
    @infern0d:matrix.org yes ,I am using the latest version
    Hi Everyone, I am trying to implement a new layer above tcp for scapy contrib, unfortunately i am having a hard time to implement the tcp_reassemble function. the protocol i try to dissect has a bundle_len field with multiple segments in it and can be (must not be) zlib compressed. i have a nearly working example here: https://gist.github.com/jrsmile/77b036189d609bf1633b5e7b9ab969ee but i can't figure out what to do if a bundle is stretched over multiple tcp packets. so the if else statement only works when the bundle_len is exactly what is expected or more, but if i get less i have to void the packet. (which i don't want). Could someone hint me in the right direction how to concatenate the "to much" case with the "to less" part?
    Michael Bruhn
    Hey, im using for quiet a while now to rebuild state machines for different networks protocols. lately im experimenting alot with the scapy automaton and i came across a problem i dont know how to handle properly. Right now im trying to implement a protocol (l2tpv3) which has the options to run multiple "sessions" within one big control flow. Right now i built the automaton for the "control handshake" and wanna implement the multisession handling. Is it possible and if so how: that i split the control and session automatons and let the control-automaton "spawn" new session automatons whenever i need a new session. The main problem that i have here is the coupling of the automatons. How can i feed the packets from the control-automaton to the right session automaton and vice versa? I started to have a look into the Pipes but im not sure if this is suited for this purpose

    I have trouble when I use "count_from="

    Let's assume there is a field named "cnt", and external(or global) variable (not part of Packet) "max_val"

    I want this kind of settting. But it's not working. Please help me.

    count_from = lambda pkt: max_val if pkt.cnt == 0 else pkt.cnt
    Are you sure you don't want
    lambda pkt: min(pkt.cnt or 0, max_val)
    I tried, but it seems not working.
    Hey i get a problem with scapy cuz i cant find module scapy.all as scappy when i import .-.

    import scapy.layers.inet as scapy

    def scan(ip):

    Traceback (most recent call last):
    File "network_scanner.py", line 1, in <module>
    import scapy.layers.inet as scapy
    ImportError: No module named scapy.layers.inet

    the other thing what i try its scapy.all as scapy

    Are you sure you don't want
    lambda pkt: min(pkt.cnt or 0, max_val)

    I tested more. Root cause of the problem is we can't see global variable "max_val" in the fields_desc, I think.

    Mariano Gómez

    Hello everyone! Just a quick question regarding https://github.com/secdev/scapy/blob/dcd54d59c94b83632b74e268e8b14026cbcd67c8/scapy/contrib/http2.py#L2672

    parse_txt_hdrs' type hints clearly state that this metod has a string as input, but the first thing that it does is embed the string in a BytesIO object, which requires bytes as an input, is this a leftover from a previous version of the code or rather a typo? Thanks in advance

    Is there a trick to insert one bye in front of Packet?
    Conceptually this kind of operation is needed. I am developing a trick to resolve the 'max_val' thing I mentioned above.
    new_packet = b'\x02' + old_packet

    Is there a trick to insert one bye in front of Packet?
    Conceptually this kind of operation is needed. I am developing a trick to resolve the 'max_val' thing I mentioned above.

    new_packet = b'\x02' + old_packet

    I tried this way. It seems working

    new_packet = Packet(max_val.to_bytes(1, 'big') + raw(old_packet))

    I found a strange thing in packet print.
    It seems there are extra backslashes. I am not sure which one is correct.

    Packet type is

    IP / TCP > PA / Raw

    Raw after TCP in Old Version (Released version, my old log record)

    ###[ Raw ]###
            load      = '\x0f*E\x12\x83^\x86\xfca\xa9....

    Raw after TCP in New Version (GIT version)

    ###[ Raw ]###
            load      = '\x0f*E\x12\\x83^\\x86\\xfca\\xa9....
    Hello is anyone available to answer a question about why Scapy is not respecting Linux kernel ip rules?
    That is the problem btw. I made a post here about it, no responses yet, any one know why this is happening?
    I have added an answer
    Ok so there is no way to work with ip rules?
    Thank you for the response.
    I actually am using scapy for testing, I am working with some other C++ code, which uses the sendto() library.
    Does scapy use the same thing?
    Nope, Scapy forges the packets and uses raw sockets to send them.
    You may want to use the socket library
    Hi, what's the correct and proper way to get the data payload from Raw layer? I'm using packet[Raw] and packet.getlayer(Raw) can get the data payload but Scapy always shows "WARNING: Calling str(pkt) on Python 3 makes no sense!". I understand the output in bytes but what the heck of this warning messages? Shall I ignore? Or any other methods are available? Thanks.
    oh it's packet[Raw].load
    Hi, when I use sniff(prn=prn..), there will be the prn return value displayed if processed, is there any way to silence this? Thanks.
    shall I use lfilter instead?
    Hi, when I run scapy -H I see many warnings like /usr/lib/python3.10/site-packages/prompt_toolkit/renderer.py:514: DeprecationWarning: The explicit passing of coroutine objects to asyncio.wait() is deprecated since Python 3.8, and scheduled for removal in Python 3.11., is there any way to suppress those info?

    I've got pcap for 30 seconds (91MB, 519k packets) and its dissect takes forever (~100 sec).
    Tried disable most payload_guess for Ether / IP / TCP / UDP but got very minor (~5%) speed up.

    Is there any way to speed up packets dissect, as I actually only need TCP / UDP fields and not underlying layers?

    Found similar issue secdev/scapy#2055 from 2019, but best answer was switch to other libraries.

    Profiling shows most time at field access:

    147.559 MainThread  <thread>:12524
    └─ 147.558 <module>  <stdin>:1
       └─ 147.558 <listcomp>  <stdin>:1
          └─ 147.076 __call__  scapy\base_classes.py:370
             └─ 144.964 __init__  scapy\packet.py:129
                ├─ 134.626 dissect  scapy\packet.py:998
                │  ├─ 126.404 do_dissect_payload  scapy\packet.py:972
                │  │  ├─ 115.127 __call__  scapy\base_classes.py:370
                │  │  │  └─ 114.058 __init__  scapy\packet.py:129
                │  │  │     ├─ 101.785 dissect  scapy\packet.py:998
                │  │  │     │  ├─ 65.001 do_dissect_payload  scapy\packet.py:972
                │  │  │     │  │  ├─ 54.295 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │  └─ 53.096 __init__  scapy\packet.py:129
                │  │  │     │  │  │     ├─ 40.858 dissect  scapy\packet.py:998
                │  │  │     │  │  │     │  ├─ 29.573 do_dissect  scapy\packet.py:952
                │  │  │     │  │  │     │  │  ├─ 10.320 getfield  scapy\fields.py:2200
                │  │  │     │  │  │     │  │  │  ├─ 5.328 m2i  scapy\fields.py:2922
                │  │  │     │  │  │     │  │  │  │  └─ 4.508 _fixup_val  scapy\fields.py:2906
                │  │  │     │  │  │     │  │  │  │     └─ 4.073 __init__  scapy\fields.py:2711
                │  │  │     │  │  │     │  │  │  │        └─ 3.156 __setattr__  scapy\fields.py:2825
                │  │  │     │  │  │     │  │  │  │           └─ 3.110 [self]
                │  │  │     │  │  │     │  │  │  └─ 4.221 [self]
                │  │  │     │  │  │     │  │  ├─ 5.086 [self]
                │  │  │     │  │  │     │  │  ├─ 4.822 getfield  scapy\layers\inet.py:367
                │  │  │     │  │  │     │  │  │  └─ 3.282 m2i  scapy\layers\inet.py:376
                │  │  │     │  │  │     │  │  │     └─ 2.178 [self]
                │  │  │     │  │  │     │  │  ├─ 4.564 getfield  scapy\fields.py:245
                │  │  │     │  │  │     │  │  │  └─ 2.903 [self]
                │  │  │     │  │  │     │  │  └─ 3.500 do_copy  scapy\fields.py:258
                │  │  │     │  │  │     │  │     └─ 1.989 copy  scapy\fields.py:2839
                │  │  │     │  │  │     │  │        └─ 1.721 __init__  scapy\fields.py:2711
                │  │  │     │  │  │     │  └─ 10.373 do_dissect_payload  scapy\packet.py:972
                │  │  │     │  │  │     │     ├─ 5.279 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │     │     │  └─ 4.892 __init__  scapy\packet.py:1878
                │  │  │     │  │  │     │     │     └─ 4.563 __init__  scapy\packet.py:129
                │  │  │     │  │  │     │     └─ 4.348 guess_payload_class  scapy\packet.py:1011
                │  │  │     │  │  │     │        └─ 1.795 [self]
                │  │  │     │  │  │     ├─ 4.619 [self]
                │  │  │     │  │  │     ├─ 2.740 __setattr__  scapy\packet.py:456
                │  │  │     │  │  │     ├─ 2.138 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │     │  └─ 1.531 [self]
                │  │  │     │  │  │     └─ 2.020 init_fields  scapy\packet.py:224
                │  │  │     │  │  │        └─ 1.582 do_init_cached_fields  scapy\packet.py:251
    Hi, I am currently trying to extend scapy to support 802.11 Fine Timing Measurement. As there are a lot of optional parameter in each paket I was wondering where I should inspect the data and decide dynamically which parts are included? My current approach is overwriting the pre_dissect call and partially parse header fields indicating the presence of optional data. I am not sure where I can set properties or similar to use the conditional field afterwards. Where can I find similar code in scapy or where should I do the check for optional and variable length/sub fields?
    ``` name = "Optional Fine Timing measurement request frame parts"
    fields_desc = [
        # Measurement Request Header 1
        ByteField("element_id1", 0),
        ByteField("length1", 0),
        ByteField("token1", 0),
        ByteField("request_mode1", 0),
        ByteEnumField("measurement_type1", 0, measurement_type),
        # LCI Request
        ByteEnumField("LCI_Location_Subject", 0, location_subject),
        # Measurement Request Header 2
        ByteField("element_id2", 0),
        ByteField("length2", 0),
        ByteField("token2", 0),
        ByteField("request_mode2", 0),
        ByteEnumField("measurement_type1", 0, measurement_type),
        # Location Civic Request Field
        ByteEnumField("Civic_Location_Subject", 0, location_subject),
        ByteEnumField("Civic_Location_Type", 0, civic_location_type),
            "Location_Service_Interval_Units", 0, civic_location_interval_units
    These are all optional and I can deduct which type of measurement request based on the request_mode.
    I found similar code in the dot11/dns/bgp layer and it is now optionally parsing the frame parts.
    partially parsing some values in pre_dissect and setting class attributes for usage in the conditional field worked. https://github.com/tweidinger/scapy/blob/74a8cfd5a54a4813d9737d0d5a3e6e8d0d2a7598/scapy/layers/dot11.py#L2135 it's a work in progress but all feedback is welcome.

    Hey I'm thinking of using scapy inside of python module's but I'm really put off that I can't import it efficiently

    import scapy.all as scapy

    really just doesn't cut it because there is zero autocompletion within an ide like pycharm. I tried doing something more targeted like.

    from scapy.compat import raw
    from scapy.layers.dns import DNS
    from scapy.layers.inet import UDP, IP, in4_chksum

    But when I do this I get hit with circular import errors. Is there something I'm missing?

    Hi, anyone knows how to use sniff() call to sniff all interfaces? by default it will only sniff conf.iface interface
    Guillaume Valadon
    @pyharbor which Scapy version?
    Hello, is there a less verbose way to get a field human readable representation?
    assert 0 == rsp.payload.status # Ok but I would like to compare it the the defined enum value
    assert "STATUS_OK" == rsp.payload.status # Which cannot be done like this
    def field2str(pkt, field_name):
        field, val = pkt.getfield_and_val(field_name)
        return field.i2repr(pkt, val)
    assert "STATUS_OK" == field2str(rsp.payload, 'status') # Can be done like this, but looks too verbose to me