Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    JRSmile
    @jrsmile
    Hi Everyone, I am trying to implement a new layer above tcp for scapy contrib, unfortunately i am having a hard time to implement the tcp_reassemble function. the protocol i try to dissect has a bundle_len field with multiple segments in it and can be (must not be) zlib compressed. i have a nearly working example here: https://gist.github.com/jrsmile/77b036189d609bf1633b5e7b9ab969ee but i can't figure out what to do if a bundle is stretched over multiple tcp packets. so the if else statement only works when the bundle_len is exactly what is expected or more, but if i get less i have to void the packet. (which i don't want). Could someone hint me in the right direction how to concatenate the "to much" case with the "to less" part?
    Michael Bruhn
    @EviLDgL_gitlab
    Hey, im using for quiet a while now to rebuild state machines for different networks protocols. lately im experimenting alot with the scapy automaton and i came across a problem i dont know how to handle properly. Right now im trying to implement a protocol (l2tpv3) which has the options to run multiple "sessions" within one big control flow. Right now i built the automaton for the "control handshake" and wanna implement the multisession handling. Is it possible and if so how: that i split the control and session automatons and let the control-automaton "spawn" new session automatons whenever i need a new session. The main problem that i have here is the coupling of the automatons. How can i feed the packets from the control-automaton to the right session automaton and vice versa? I started to have a look into the Pipes but im not sure if this is suited for this purpose
    KyleJeong
    @KyleJeong

    I have trouble when I use "count_from="

    Let's assume there is a field named "cnt", and external(or global) variable (not part of Packet) "max_val"

    I want this kind of settting. But it's not working. Please help me.

    count_from = lambda pkt: max_val if pkt.cnt == 0 else pkt.cnt
    infern0d
    @infern0d:matrix.org
    [m]
    Are you sure you don't want
    lambda pkt: min(pkt.cnt or 0, max_val)
    KyleJeong
    @KyleJeong
    I tried, but it seems not working.
    ThisIsDmOnLive
    @ThisIsDmOnLive
    Hey i get a problem with scapy cuz i cant find module scapy.all as scappy when i import .-.
    ThisIsDmOnLive
    @ThisIsDmOnLive

    import scapy.layers.inet as scapy

    def scan(ip):
    scapy.arping(ip)

    scan("xx.x.x.x/24")
    Traceback (most recent call last):
    File "network_scanner.py", line 1, in <module>
    import scapy.layers.inet as scapy
    ImportError: No module named scapy.layers.inet

    ThisIsDmOnLive
    @ThisIsDmOnLive
    the other thing what i try its scapy.all as scapy
    KyleJeong
    @KyleJeong

    Are you sure you don't want
    lambda pkt: min(pkt.cnt or 0, max_val)

    I tested more. Root cause of the problem is we can't see global variable "max_val" in the fields_desc, I think.

    Mariano Gómez
    @mrngomez

    Hello everyone! Just a quick question regarding https://github.com/secdev/scapy/blob/dcd54d59c94b83632b74e268e8b14026cbcd67c8/scapy/contrib/http2.py#L2672

    parse_txt_hdrs' type hints clearly state that this metod has a string as input, but the first thing that it does is embed the string in a BytesIO object, which requires bytes as an input, is this a leftover from a previous version of the code or rather a typo? Thanks in advance

    KyleJeong
    @KyleJeong
    Is there a trick to insert one bye in front of Packet?
    Conceptually this kind of operation is needed. I am developing a trick to resolve the 'max_val' thing I mentioned above.
    new_packet = b'\x02' + old_packet
    KyleJeong
    @KyleJeong

    Is there a trick to insert one bye in front of Packet?
    Conceptually this kind of operation is needed. I am developing a trick to resolve the 'max_val' thing I mentioned above.

    new_packet = b'\x02' + old_packet

    I tried this way. It seems working

    new_packet = Packet(max_val.to_bytes(1, 'big') + raw(old_packet))
    KyleJeong
    @KyleJeong

    I found a strange thing in packet print.
    It seems there are extra backslashes. I am not sure which one is correct.

    Packet type is

    IP / TCP 47.1.1.1:42219 > 47.1.1.5:ssh PA / Raw

    Raw after TCP in Old Version (Released version, my old log record)

    ###[ Raw ]###
            load      = '\x0f*E\x12\x83^\x86\xfca\xa9....

    Raw after TCP in New Version (GIT version)

    ###[ Raw ]###
            load      = '\x0f*E\x12\\x83^\\x86\\xfca\\xa9....
    davehouser1
    @davehouser1
    Hello is anyone available to answer a question about why Scapy is not respecting Linux kernel ip rules?
    That is the problem btw. I made a post here about it, no responses yet, any one know why this is happening?
    https://unix.stackexchange.com/questions/675178/ip-rule-not-respecting-packet-generation-how-to-fix
    Pierre
    @p-l-
    I have added an answer
    davehouser1
    @davehouser1
    Ok so there is no way to work with ip rules?
    Thank you for the response.
    I actually am using scapy for testing, I am working with some other C++ code, which uses the sendto() library.
    Does scapy use the same thing?
    Pierre
    @p-l-
    Nope, Scapy forges the packets and uses raw sockets to send them.
    You may want to use the socket library
    meow-watermelon
    @meow-watermelon
    Hi, what's the correct and proper way to get the data payload from Raw layer? I'm using packet[Raw] and packet.getlayer(Raw) can get the data payload but Scapy always shows "WARNING: Calling str(pkt) on Python 3 makes no sense!". I understand the output in bytes but what the heck of this warning messages? Shall I ignore? Or any other methods are available? Thanks.
    oh it's packet[Raw].load
    meow-watermelon
    @meow-watermelon
    Hi, when I use sniff(prn=prn..), there will be the prn return value displayed if processed, is there any way to silence this? Thanks.
    shall I use lfilter instead?
    meow-watermelon
    @meow-watermelon
    Hi, when I run scapy -H I see many warnings like /usr/lib/python3.10/site-packages/prompt_toolkit/renderer.py:514: DeprecationWarning: The explicit passing of coroutine objects to asyncio.wait() is deprecated since Python 3.8, and scheduled for removal in Python 3.11., is there any way to suppress those info?
    strayge
    @strayge

    I've got pcap for 30 seconds (91MB, 519k packets) and its dissect takes forever (~100 sec).
    Tried disable most payload_guess for Ether / IP / TCP / UDP but got very minor (~5%) speed up.

    Is there any way to speed up packets dissect, as I actually only need TCP / UDP fields and not underlying layers?

    Found similar issue secdev/scapy#2055 from 2019, but best answer was switch to other libraries.

    Profiling shows most time at field access:

    147.559 MainThread  <thread>:12524
    └─ 147.558 <module>  <stdin>:1
       └─ 147.558 <listcomp>  <stdin>:1
          └─ 147.076 __call__  scapy\base_classes.py:370
             └─ 144.964 __init__  scapy\packet.py:129
                ├─ 134.626 dissect  scapy\packet.py:998
                │  ├─ 126.404 do_dissect_payload  scapy\packet.py:972
                │  │  ├─ 115.127 __call__  scapy\base_classes.py:370
                │  │  │  └─ 114.058 __init__  scapy\packet.py:129
                │  │  │     ├─ 101.785 dissect  scapy\packet.py:998
                │  │  │     │  ├─ 65.001 do_dissect_payload  scapy\packet.py:972
                │  │  │     │  │  ├─ 54.295 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │  └─ 53.096 __init__  scapy\packet.py:129
                │  │  │     │  │  │     ├─ 40.858 dissect  scapy\packet.py:998
                │  │  │     │  │  │     │  ├─ 29.573 do_dissect  scapy\packet.py:952
                │  │  │     │  │  │     │  │  ├─ 10.320 getfield  scapy\fields.py:2200
                │  │  │     │  │  │     │  │  │  ├─ 5.328 m2i  scapy\fields.py:2922
                │  │  │     │  │  │     │  │  │  │  └─ 4.508 _fixup_val  scapy\fields.py:2906
                │  │  │     │  │  │     │  │  │  │     └─ 4.073 __init__  scapy\fields.py:2711
                │  │  │     │  │  │     │  │  │  │        └─ 3.156 __setattr__  scapy\fields.py:2825
                │  │  │     │  │  │     │  │  │  │           └─ 3.110 [self]
                │  │  │     │  │  │     │  │  │  └─ 4.221 [self]
                │  │  │     │  │  │     │  │  ├─ 5.086 [self]
                │  │  │     │  │  │     │  │  ├─ 4.822 getfield  scapy\layers\inet.py:367
                │  │  │     │  │  │     │  │  │  └─ 3.282 m2i  scapy\layers\inet.py:376
                │  │  │     │  │  │     │  │  │     └─ 2.178 [self]
                │  │  │     │  │  │     │  │  ├─ 4.564 getfield  scapy\fields.py:245
                │  │  │     │  │  │     │  │  │  └─ 2.903 [self]
                │  │  │     │  │  │     │  │  └─ 3.500 do_copy  scapy\fields.py:258
                │  │  │     │  │  │     │  │     └─ 1.989 copy  scapy\fields.py:2839
                │  │  │     │  │  │     │  │        └─ 1.721 __init__  scapy\fields.py:2711
                │  │  │     │  │  │     │  └─ 10.373 do_dissect_payload  scapy\packet.py:972
                │  │  │     │  │  │     │     ├─ 5.279 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │     │     │  └─ 4.892 __init__  scapy\packet.py:1878
                │  │  │     │  │  │     │     │     └─ 4.563 __init__  scapy\packet.py:129
                │  │  │     │  │  │     │     └─ 4.348 guess_payload_class  scapy\packet.py:1011
                │  │  │     │  │  │     │        └─ 1.795 [self]
                │  │  │     │  │  │     ├─ 4.619 [self]
                │  │  │     │  │  │     ├─ 2.740 __setattr__  scapy\packet.py:456
                │  │  │     │  │  │     ├─ 2.138 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │     │  └─ 1.531 [self]
                │  │  │     │  │  │     └─ 2.020 init_fields  scapy\packet.py:224
                │  │  │     │  │  │        └─ 1.582 do_init_cached_fields  scapy\packet.py:251
    secenhance
    @secenhance:matrix.org
    [m]
    Hi, I am currently trying to extend scapy to support 802.11 Fine Timing Measurement. As there are a lot of optional parameter in each paket I was wondering where I should inspect the data and decide dynamically which parts are included? My current approach is overwriting the pre_dissect call and partially parse header fields indicating the presence of optional data. I am not sure where I can set properties or similar to use the conditional field afterwards. Where can I find similar code in scapy or where should I do the check for optional and variable length/sub fields?
    ``` name = "Optional Fine Timing measurement request frame parts"
    fields_desc = [
        # Measurement Request Header 1
        ByteField("element_id1", 0),
        ByteField("length1", 0),
        ByteField("token1", 0),
        ByteField("request_mode1", 0),
        ByteEnumField("measurement_type1", 0, measurement_type),
        # LCI Request
        ByteEnumField("LCI_Location_Subject", 0, location_subject),
        # Measurement Request Header 2
        ByteField("element_id2", 0),
        ByteField("length2", 0),
        ByteField("token2", 0),
        ByteField("request_mode2", 0),
        ByteEnumField("measurement_type1", 0, measurement_type),
        # Location Civic Request Field
        ByteEnumField("Civic_Location_Subject", 0, location_subject),
        ByteEnumField("Civic_Location_Type", 0, civic_location_type),
        ByteEnumField(
            "Location_Service_Interval_Units", 0, civic_location_interval_units
        ),``` 
    These are all optional and I can deduct which type of measurement request based on the request_mode.
    secenhance
    @secenhance:matrix.org
    [m]
    I found similar code in the dot11/dns/bgp layer and it is now optionally parsing the frame parts.
    partially parsing some values in pre_dissect and setting class attributes for usage in the conditional field worked. https://github.com/tweidinger/scapy/blob/74a8cfd5a54a4813d9737d0d5a3e6e8d0d2a7598/scapy/layers/dot11.py#L2135 it's a work in progress but all feedback is welcome.
    pyharbor
    @pyharbor

    Hey I'm thinking of using scapy inside of python module's but I'm really put off that I can't import it efficiently

    import scapy.all as scapy

    really just doesn't cut it because there is zero autocompletion within an ide like pycharm. I tried doing something more targeted like.

    from scapy.compat import raw
    from scapy.layers.dns import DNS
    from scapy.layers.inet import UDP, IP, in4_chksum

    But when I do this I get hit with circular import errors. Is there something I'm missing?

    meow-watermelon
    @meow-watermelon
    Hi, anyone knows how to use sniff() call to sniff all interfaces? by default it will only sniff conf.iface interface
    Guillaume Valadon
    @guedou
    @pyharbor which Scapy version?
    cyril.lu
    @cyril.lu:matrix.org
    [m]
    Hello, is there a less verbose way to get a field human readable representation?
    assert 0 == rsp.payload.status # Ok but I would like to compare it the the defined enum value
    assert "STATUS_OK" == rsp.payload.status # Which cannot be done like this
    
    def field2str(pkt, field_name):
        field, val = pkt.getfield_and_val(field_name)
        return field.i2repr(pkt, val)
    
    assert "STATUS_OK" == field2str(rsp.payload, 'status') # Can be done like this, but looks too verbose to me
    Pierre
    @p-l-
    The best way to get what you want would probably be rsp.sprintf("%layer_name.status%") (replace layer_name using the real name)
    pyharbor
    @pyharbor
    @guedou scapy==2.4.5
    Guillaume Valadon
    @guedou
    @pyharbor try the master version on github. This was fixed.
    pyharbor
    @pyharbor
    ooh ok cool
    Mauro Condarelli
    @mcondarelli

    Hi, I just started looking into scapy (I'm using scapy 2.4.5 with CPython 3.8).
    A very stupid program I wrote to extract from long .pcap a small piece I need:

    import datetime
    from scapy.all import PcapWriter, PcapReader, EDecimal
    
    
    class PcapHandler:
        def __init__(self, fn):
            self.fn = fn
    
        @staticmethod
        def _normalize(dt):
            if isinstance(dt, float):
                return EDecimal(dt)
            if isinstance(dt, datetime.datetime):
                return EDecimal(dt.timestamp())
            if isinstance(dt, str):
                return EDecimal(datetime.datetime.fromisoformat(dt).timestamp())
    
        def trim(self, start, end, output):
            s = self._normalize(start)
            e = self._normalize(end)
            with PcapWriter(output) as fo:
                with PcapReader(self.fn) as fi:
                    for n, pkt in enumerate(fi):
                        print(f'{n:6d}', end='\r')
                        if pkt.time > e:
                            break
                        if pkt.time >= s:
                            fo.write(pkt)
                            print()
    
    
    if __name__ == '__main__':
        h = PcapHandler('20211025T114023A.pcap')
        h.trim('2021-10-25T12:01:53', '2021-10-25T12:01:55', 'tt.pcap')

    ... actually works, but outputs also a stream of : WARNING: Calling str(pkt) on Python 3 makes no sense!
    What am I doing wrong?

    Leonard Crestez
    @cdleonard
    what is the right way to "wait for specific packets received"?
    the sendrecv interface of scapy seems to have very specific ideas about "who replies to what"
    I end up writing waiting.wait(pred) where pred goes and digs around inside sniffer.session.toPacketList
    luwangli
    @luwangli
    I have a pcap file which can be open by Wireshark, so I know it's Link type is Cisco HDLC. However, when I use scapy to read this pcap file, the error is "WARNING: PcapReader: unknown LL type [104]/[0x68]. Using Raw packets". what should I do?
    from scapy.all import * pcap = PcapReader("200test.pcap")
    meow-watermelon
    @meow-watermelon
    @cdleonard you want to stop sniffing once received a specific packet and do something?
    If in that case, check stop_filter parameter in sniff function, it allows you to write a callback function to decide when to stop sniffing then using lfilter parameter function to define what to do about the received packet.
    meow-watermelon
    @meow-watermelon
    @mcondarelli just my guess, that fo.write(pkt) is trying to convert the pkt into string
    from the python io doc: f.write(string) writes the contents of string to the file, returning the number of characters written.
    Leonard Crestez
    @cdleonard
    @meow-watermelon no I want to wait for a specific packet and continue testing
    scanning the whole packet list is potentially slow and waiting.wait relies on polling but scapy doesn't appear to have a nicer way to do this.
    meow-watermelon
    @meow-watermelon
    Hi, want to share something that I implemented for ARP stuffing protocol by using Scapy: https://github.com/meow-watermelon/arp-stuffing - I also wrote a doc about the usage.