Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Leonard Crestez
    @cdleonard
    scanning the whole packet list is potentially slow and waiting.wait relies on polling but scapy doesn't appear to have a nicer way to do this.
    meow-watermelon
    @meow-watermelon
    Hi, want to share something that I implemented for ARP stuffing protocol by using Scapy: https://github.com/meow-watermelon/arp-stuffing - I also wrote a doc about the usage.
    cyril.lu
    @cyril.lu:matrix.org
    [m]
    Hello, is there a way to display both value and description with show(), without actually specifiying the value in the enum names? Something like
    ###[ UciControlPacket ]### 
  messageType= 0b001 (Control Command)
  packetBoundaryFlag= 0b0: Complete
  groupIdentifier= 0b0001 (UWB Session)
  reserved0 = 0
  opcodeIdentifier= 0b000001 (SESSION_DEINIT_CMD)
  reserved1 = 0
  payloadLength= 4
###[ SessionDeinitCmd ]### 
   sessionId = 1
    rtborg
    @rtborg
    Hi, is there a way to customize the message that is sent by scapy.tools.automotive.isotpscanner? Currently the message is [10 64 00 00 00 00 00 00]
    Nils Weiss
    @polybassa
    Hi, we didn't implemented a way to change the message of istopscanner. What's your usecase for this change?
    rtborg
    @rtborg
    I have an ECU which uses extended addressing plus data length like this [0xADDR 0xLEN 0xDATA0 ... 0xDATA5]
    And it will not respond to [0xADDR 0x10 0x64 ....]
    Nathan
    @nth0rpe_twitter

    Hi,

    I am trying to use the PacketField class to implement a custom packet type.
    The code detects the packets properly if I put the fields from CommandPacket directly into CustomPacket, but not when I use the PacketField class.
    It just detects the entire data as Raw rather than CustomPacket.

    Do you know why it does not like to use the PacketField in the fields?

    bind_layers(UDP, CustomPacketHolder)

class CustomPacketHolder(Packet):
    fields_desc = [
        ShortField("header", 0),
        PacketListField("data", [], CustomPacket)
    ]

class CustomPacket(Packet):
    fields_desc = [
        BitField("letter", 0, 4),
        BitField("checkBits", 0, 12),
        PacketField("command", None, CommandPacket)
    ]

    def extract_padding(self, p):
        return "", p

class CommandPacket(Packet):
    fields_desc = [
        BitField("field1", 0, 3),
        BitField("field2", 0, 5),
        BitField("field3", 0, 1),
        BitField("field4", 0, 5),
        BitField("field5", 0, 5),
        BitField("field5", 0, 1)
    ]

    def extract_padding(self, p):
        return "", p
    Leonard Crestez
    @cdleonard
    Gentle ping for secdev/scapy#3427 ?
    Nils Weiss
    @polybassa
    @rtborg we've implemented parameters for this. Both extended isotp addressing and extended can identifiers are implemented. Check the arguments and the documentation.
    rtborg
    @rtborg
    @polybassa Thanks, will do that
    bhdrozgn
    @bhdrozgn
    Hey, do you consider adding 802.11ax support? HE information is not complete in secdev/scapy/layers/dot11.py line 473
    Jonathon Anderson
    @anderbubble
    I am very new to scapy, and am trying to decode (dissect?) NFS using scapy.contrib.nfs. If I sniff() using scapy 2.4.0 (python3-scapy in debian 10.11) then I see raw Ethernet packets. But if I sniff() using scapy 2.4.5 (from pip) then I don't see any NFS packets at all, raw or otherwise. (I do see other non-NFS packets, though.) What am I doing wrong?
    Jonathon Anderson
    @anderbubble
    It seems that NFS understands that this is a local export/mount, and is putting traffic over lo rather than eth0, despite what's in /etc/exports and mount.nfs. Apparently the default iface behavior changed in scapy and, before, it listened on all iface before, but now it only listens on eth0 by default.
    Jonathon Anderson
    @anderbubble
    It still doesn't appear to be decoding / dissecting the packet as I expect but at least I see raw packets in the latest version again.
    0xKate
    @0xKate
    Are you able to do something like this? I have not messed with nfs yet, but most layers/protos are accessed by indexing the packet with it
            if nfs in pkt:
            print(pkt[nfs].show())
            print(pkt[Ether].dst)
    The sniffer wont be application aware, but you can use a lfilter to check that like this:
    >>> a=sniff(filter='ip host 8.8.8.8', lfilter=lambda x: x.haslayer(DNS), count=2)
    Jonathon Anderson
    @anderbubble
    I can give that a try; but I'm most confused because the NFS package has several different types of Packets with no hierarchy between them; so I don't know how to find packets of any NFS type.
    https://github.com/secdev/scapy/blob/master/scapy/contrib/nfs.py
    Jonathon Anderson
    @anderbubble
    @0xKate in your first example, what is the value of the nfs variable? One of the layer classes?
    0xKate
    @0xKate
    Typically the value of nfs/Ether variable in my example is a packet/layer class. What I posted wont work because its a contrib package not derived from packet. Scapy needs to actually load the contrib package to be aware of nfs. There's an example for ospf here https://lost-and-found-narihiro.blogspot.com/2012/11/python-scapy-how-to-load-extension.html but this was python 2.7. I can't find any official documentation on loading contribs for sniffing. Once Scapy is aware of it however, you should be able to do things like if nfs.ACCESS_Call in packet: and packet[nfs.ACCESS_Call].filehandle
    cyril.lu
    @cyril.lu:matrix.org
    [m]

    Hello, I am using scapy with a new protocol, which defines one of its operations like this :

    • each « config packet » is defined by a type, length and value
    • the « set config » is defined by a count and a list of config packets

    For now I defined it like this, which works well for most config packets:

    APP_CONF_PARAMS = {
    # …
    0x06: {
        'name': 'DEVICE_MAC_ADDRESS',
        'field': XLEShortField("value", default=None)},
    0x07: {
        'name': 'DST_MAC_ADDRESS',
        'field': FieldListField('value', [], XLEShortField("item", default=None), length_from=lambda pkt: (pkt.length))}
    # …
}

APP_CONF_PARAM_NAME_BY_ID = {i: data['name'] for i, data in APP_CONF_PARAMS.items()}
APP_CONF_PARAM_FIELD_BY_ID = {i: data['field'] for i, data in APP_CONF_PARAMS.items()}

class AppConfigParameter(PacketWithNoPayload):
    fields_desc=[
        XByteEnumField("type", None, APP_CONF_PARAM_NAME_BY_ID),
        FieldLenField("length", None, fmt="B", length_of="value"),
        MultipleTypeField(
            # Use a field from APP_CONF_PARAMS if it can be found
            [(field, (lambda i: lambda pkt: pkt.type == i)(i)) for i,field in APP_CONF_PARAM_FIELD_BY_ID.items()],
            # Handle the parameter as a string if type is unknown
            XStrLenField("value", None, length_from=lambda pkt:pkt.length)
        )
    ]

class SessionSetAppConfigCmd(PacketWithNoPayload):

fields_desc=[
    FieldLenField("numberOfAppConfiguration", None, fmt='B', count_of="appConfiguration"),
    PacketListField("appConfiguration", [], AppConfigParameter,
        count_from=lambda pkt: pkt.numberOfAppConfiguration)
]

    I have one problem, with a particular config parameter which is used to define the Mac address length.

    APP_CONF_PARAMS = {
    # …
    0x26: {
        'name': 'MAC_ADDRESS_MODE',
        'field': XByteEnumField("value", default=0x00, enum={
                0x00: "MAC address is 2 bytes",
                0x01: "MAC address is 8 bytes"})},
    # …
}

    When it is set to 0x01, mac addresses should be treated as as XLELongField instead of XLEShortField (as shown above).

    Do you know any other protocol behaving like this, that I could use as an example to implement mine? If not, how would you handle a case like this?
    Jonathon Anderson
    @anderbubble
    @0xKate thank you for all your help so far. I've tried to write a bit of an obtuse script to cast as wide a net as possible, and it's not seeing any of my NFS traffic as NFS traffic. What am I doing wrong? https://gist.github.com/anderbubble/fcd4238b34e17ee1f3289ea8733106e3
    (I know this isn't really how anything should be done; but hopefully my intent is clear enough in the script. For the record, nfs_filter does detect all of the NFS layer classes in the module correctly.
    Jonathon Anderson
    @anderbubble
    I may have figured it out. Turns out I'm mounted via nfs 4.2, and this only supports nfs 3! ,_,
    Jonathon Anderson
    @anderbubble
    Switching to nfs3 still hasn't made scapy dissect these as NFS. Though that was clearly wrong.
    Jonathon Anderson
    @anderbubble
    I think I figured it out! The NFS layers are based on RPC layers. Since RPC doesn't know which port it should be using, it doesn't bind to any ports by default, so there's no way for TCP to go to RPC. So I did bind_layers(TCP, RPC, sport=2049) and bind_layers(TCP, RPC, dport=2049) and now it appears to be working!
    Thanks for your patience!
    Jonathon Anderson
    @anderbubble
    Well, it seems I was prematurely excited. It's actually detecting RPC packets now, but not NFS. But I'm making progress!
    Jonathon Anderson
    @anderbubble
    @0xKate I'm noticing that there is no do_dissect() in https://github.com/secdev/scapy/blob/master/scapy/contrib/nfs.py nor in https://github.com/secdev/scapy/blob/master/scapy/contrib/oncrpc.py. Does that mean that these modules cannot dissect their respective protocols? (i.e., they can only build them?)
    0xKate
    @0xKate
    Yes you are on the right track, what you have should be working. do_dissect() is pretty low level, all you needed is the RPC + transport bindings, and to either import the contrib directly from scapy.contrib import nfs which causes all its bindings to execute, or run load_contrib('nfs') which does the same.
    from scapy.contrib.nfs import ACCESS_Call
from scapy.contrib.oncrpc import RPC
from scapy.layers.inet import UDP
from scapy.main import load_contrib
from scapy.packet import bind_layers
from scapy.sendrecv import sniff

if __name__ == '__main__':
    load_contrib('nfs')

    bind_layers(UDP, RPC, sport=2049)
    bind_layers(UDP, RPC, dport=2049)

    pkts = sniff(offline="nfsv3.pcap")

    for packet in pkts:
        if ACCESS_Call in packet:
            print(packet.show())
    gladman88
    @gladman88
    Hello! I have problem with CPU load with scapy. Doesn't matter which filter I set, scapy always use 12.5 percent of CPU when sniffing. I have intel core i7. Even if i didn't get any packets at all - 12,5% of CPU usage. Why it's happening?
    sniff_filter = "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and dst port 443"
    sniff(filter=sniff_filter, prn=self._packet_callback, store=0)
    Ansis Atteka
    @ansisatteka

    Hi, on hypervisors Virtual Machines (e.g. qemu) are usually connected to Virtual Bridges (e.g. Linux Bridge or OVS bridge) through tap devices.

    When I try to inject Ethernet frame into tap device with sendp(..., iface=vnet0) the frame goes to the VM but not to the Bridge.

    Has anyone figured out how to send such frames with scapy to the Bridge instead? Basically the goal would be that scapy would allow to imitate VM.

    Jan Kaiser
    @jankais3r
    Hi. I am trying to figure out if I could use scapy without sudo privileges to sniff traffic made by the python script itself (e.g. using the requests package). So not sniffing the whole interface traffic, just python. Is such thing possible?
    infern0d
    @infern0d:matrix.org
    [m]
    No it's not possible, you can't sniff a socket used by something else without root. (You can of course read any socket with Scapy but it will consume packets, which isn't what you're asking for)
    higher75
    @higher75
    Sometimes when I use sendpfast() to send a packet, I can't catch it and there is no alert message, but when I use send() instead, I can catch the sent packet, I don't understand why this is, maybe the length of the packet I send is too big?
    Does anyone know?
    bhdrozgn
    @bhdrozgn
    Hi, is there any way to sniff packets with scapy via a remote interface?
    smj
    @smjhero
    Hi, is there any way to implement the same lenfield is used by two or more different varfields, using FieldLenField and StrLenField? Currently I only know how to implem one lenfield -to-one varfields
    WTBCODER
    @WTBCODER
    i have the same problem. Does anyone know how to implement it?
    Paulo Sherring
    @pauloasherring
    Hello all, I have a rather degenerate use for scapy, which is to use it for pcap file manipulation. Is there an easy-ish way to have scapy not to load networking DLLs which requires admin rights, but still load the dissectors, bindings and all?
    grandnew
    @grandnew
    Hi, all. I have one question, why scapy doesn’t support SSH? I think it is very famous and common.
    bhdrozgn
    @bhdrozgn
    I found a way to capture on remote interfaces. For anyone interested in it:
    from scapy import *

def live_capture(*args):
    iface_list = [['-i', iface] for iface in args]
    dumpcap_args = ['dumpcap'] + [arg for sublist in iface_list for arg in sublist] + ['-w', '-']
    dumpcap = subprocess.Popen(args=dumpcap_args, stdout=subprocess.PIPE)

    capture = sniff(offline=dumpcap.stdout, prn=lambda pkt: pkt.show(), store=0)
    return capture

# pass your device names
live_capture('rpcap://[192.168.0.100]:2002/wl1', 'rpcap://[192.168.0.101]:2002/wl1')
    bhdrozgn
    @bhdrozgn
    Is there any way to read a capture file in reverse order or accessing the last packet in a capture file without looping whole file?
    gpotter2
    @gpotter2
    Without loading the entire file it's not possible. A packet in a pcap begins where the previous one ends.
    dorty3541
    @dorty3541
    hello, everyone. Is there any example or manual so I can craft the packets to simulate the whole ike negotiation with the vendor device such as fortigate/cisco?
    agarusa
    @agarusa
    Hi! I went through some docs and some code and it seems that docs are not about latest release (2.4.5) but more like about current repository state. There some functions and classes from docs are absent in release but present in current repository. Was this done intended or is it a bug of documentation, that those structures got into 2.4.5-docs?