    Jonathon Anderson
    @0xKate thank you for all your help so far. I've tried to write a bit of an obtuse script to cast as wide a net as possible, and it's not seeing any of my NFS traffic as NFS traffic. What am I doing wrong? https://gist.github.com/anderbubble/fcd4238b34e17ee1f3289ea8733106e3
    (I know this isn't really how anything should be done; but hopefully my intent is clear enough in the script. For the record, nfs_filter does detect all of the NFS layer classes in the module correctly.)
    Jonathon Anderson
    I may have figured it out. Turns out I'm mounted via nfs 4.2, and this only supports nfs 3! ,_,
    Jonathon Anderson
    Switching to nfs3 still hasn't made scapy dissect these as NFS. Though that was clearly wrong.
    Jonathon Anderson
    I think I figured it out! The NFS layers are based on RPC layers. Since RPC doesn't know which port it should be using, it doesn't bind to any ports by default, so there's no way for TCP to go to RPC. So I did bind_layers(TCP, RPC, sport=2049) and bind_layers(TCP, RPC, dport=2049) and now it appears to be working!
    Thanks for your patience!
    Jonathon Anderson
    Well, it seems I was prematurely excited. It's actually detecting RPC packets now, but not NFS. But I'm making progress!
    Jonathon Anderson
    @0xKate I'm noticing that there is no do_dissect() in https://github.com/secdev/scapy/blob/master/scapy/contrib/nfs.py nor in https://github.com/secdev/scapy/blob/master/scapy/contrib/oncrpc.py. Does that mean that these modules cannot dissect their respective protocols? (i.e., they can only build them?)
    Yes, you are on the right track; what you have should be working. do_dissect() is pretty low level. All you need is the RPC + transport bindings, and to either import the contrib directly (from scapy.contrib import nfs, which causes all its bindings to execute) or run load_contrib('nfs'), which does the same.
    from scapy.contrib.nfs import ACCESS_Call  # importing the contrib also executes its layer bindings
    from scapy.contrib.oncrpc import RPC
    from scapy.layers.inet import UDP
    from scapy.main import load_contrib  # alternative to the direct import above: load_contrib('nfs')
    from scapy.packet import bind_layers
    from scapy.sendrecv import sniff
    if __name__ == '__main__':
        # RPC has no default port binding, so attach it to the NFS port in both directions
        bind_layers(UDP, RPC, sport=2049)
        bind_layers(UDP, RPC, dport=2049)
        pkts = sniff(offline="nfsv3.pcap")
        for packet in pkts:
            if ACCESS_Call in packet:
                packet.show()
    Hello! I have a problem with CPU load with scapy. It doesn't matter which filter I set, scapy always uses 12.5 percent of CPU when sniffing. I have an Intel Core i7. Even if I don't get any packets at all - 12.5% CPU usage. Why is that happening?
    sniff_filter = "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and dst port 443"
    sniff(filter=sniff_filter, prn=self._packet_callback, store=0)
    Ansis Atteka

    Hi, on hypervisors Virtual Machines (e.g. qemu) are usually connected to Virtual Bridges (e.g. Linux Bridge or OVS bridge) through tap devices.

    When I try to inject Ethernet frame into tap device with sendp(..., iface=vnet0) the frame goes to the VM but not to the Bridge.

    Has anyone figured out how to send such frames with scapy to the Bridge instead? Basically the goal would be that scapy would allow imitating a VM.

    Jan Kaiser
    Hi. I am trying to figure out if I could use scapy without sudo privileges to sniff traffic made by the python script itself (e.g. using the requests package). So not sniffing the whole interface traffic, just python. Is such a thing possible?
    No it's not possible, you can't sniff a socket used by something else without root. (You can of course read any socket with Scapy but it will consume packets, which isn't what you're asking for)
    Sometimes when I use sendpfast() to send a packet, I can't catch it and there is no alert message, but when I use send() instead, I can catch the sent packet, I don't understand why this is, maybe the length of the packet I send is too big?
    Does anyone know?
    Hi, is there any way to sniff packets with scapy via a remote interface?
    Hi, is there any way to implement a case where the same lenfield is used by two or more different varfields, using FieldLenField and StrLenField? Currently I only know how to implement one lenfield to one varfield.
    I have the same problem. Does anyone know how to implement it?
    Paulo Sherring
    Hello all, I have a rather degenerate use for scapy, which is to use it for pcap file manipulation. Is there an easy-ish way to have scapy not load the networking DLLs which require admin rights, but still load the dissectors, bindings and all?
    Hi, all. I have one question, why scapy doesn’t support SSH? I think it is very famous and common.
    I found a way to capture on remote interfaces. For anyone interested in it:
    import subprocess
    from scapy.all import sniff
    def live_capture(*args):
        # build "-i <iface>" pairs for every interface name passed in
        iface_list = [['-i', iface] for iface in args]
        # "-w -" makes dumpcap write the capture to stdout so scapy can read it as a pcap stream
        dumpcap_args = ['dumpcap'] + [arg for sublist in iface_list for arg in sublist] + ['-w', '-']
        dumpcap = subprocess.Popen(args=dumpcap_args, stdout=subprocess.PIPE)
        capture = sniff(offline=dumpcap.stdout, prn=lambda pkt: pkt.show(), store=0)
        return capture
    # pass your device names
    live_capture('rpcap://[]:2002/wl1', 'rpcap://[]:2002/wl1')
    Is there any way to read a capture file in reverse order or accessing the last packet in a capture file without looping whole file?
    Without loading the entire file it's not possible. A packet in a pcap begins where the previous one ends.
    Hello, everyone. Is there any example or manual so I can craft the packets to simulate the whole IKE negotiation with a vendor device such as Fortigate/Cisco?
    Hi! I went through some docs and some code and it seems that the docs are not about the latest release (2.4.5) but more like about the current repository state. Some functions and classes from the docs are absent in the release but present in the current repository. Was this done intentionally, or is it a documentation bug that those structures got into the 2.4.5 docs?
    You are absolutely correct, the "latest" (default) doc relates to the current repo. You can find the "stable" = released doc at https://scapy.readthedocs.io/en/stable/
    How can we write packets sniffed with AsyncSniffer to a pcap file without using prn?

    Okay, I just achieved this by applying the same thing used in sniff method to my AsyncSniffer object:

    from scapy.utils import wrpcap
    from scapy.compat import cast
    from scapy.plist import PacketList
    def write_async(capture):
        # capture is an AsyncSniffer; .results is only populated once it has been stopped
        capture = cast(PacketList, capture.results)
        wrpcap('capture.pcap', capture)

    Hello all,

    The other day I was working on WEP encryption and decryption with scapy and I came across what I consider a bug in 2.4.5.

    A Python3 example:

    import binascii
    import pyDot11
    from rc4 import rc4
    from scapy.all import *
    keyText = '0123456789'
    pkts = rdpcap('../PCAPs/ICMPs/wep_pings.pcap')
    pkt = pkts[0]
    iVal = pkt[Dot11WEP].iv.decode('latin1')
    seed = pyDot11.wepCrypto.seedGen(iVal, keyText).decode('latin1')
    stream = rc4(pkt.wepdata.decode('latin1'), iVal + seed)

    A Python2 example:

    ... and my long drawn up post deleted itself, lovely
    Without going into it in detail again, let me ask: is there a reason that hexstr() works differently in Python3 than it did in Python2?
    In [60]: hexstr(stream, onlyhex = 1)
    Out[60]: 'C2 AA C2 AA 03 00 00 00 08 00 45 00 00 54 00 00 40 00 40 01 C3 B0 3B C3 80 C2 A8 64 C2 88 C3 80 C2 A8 64 C2 94 08 00 C2 9D 65 C3 87 06 00 00 C2 9C C3 99 C3 B6 C2 B9 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
    With some modifications:
    newStream = []
    # format each character's code point as two hex digits, space separated
    newStream.append(" ".join(map(lambda c: "%02x" % ord(c), stream)))
    newStream = "  ".join(newStream)
    In [65]: newStream
    Out[65]: 'aa aa 03 00 00 00 08 00 45 00 00 54 00 00 40 00 40 01 f0 3b c0 a8 64 88 c0 a8 64 94 08 00 9d 65 c7 06 00 00 9c d9 f6 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
    The object newStream is the expected output. Thanks for any assistance.
    It's not clear how it's working differently on Python 2 and 3 when reading your examples :/?
    C2 AA C2 AA -vs- aa aa
    hexstr() is adding C2 to the start of it, twice.
    @infern0d:matrix.org ^
    I miss the "old style" way whereby you could do str(<scapy object>) and it would print out the repr. I built pyDot11 around that modeling. The shift for pyDot11 over to Python3 is fun for sure. We can now decrypt WEP natively using Python3 and scapy 2.4.5.
    It will handle Open, WEP or WPA; each with their own trick aside from Open for pure injection.
    The stream obj ^^ debugging took me some time as I kept following the math for RC4 and couldn't wrap my head around the diffs for 2v3; I had "assumed" hexstr() was the same as I had no reason to think otherwise as far as the bytes, their accuracy and order go.
    For the PCAPs in question:
    There is also now a question of Dot11FCS being missing in a unique and interesting way for ICMP these days vs when I took the PCAP of the wep traffic from years back.
    As those bytes don't change it must therefore be the "scapy interpretation".
    I'd like to know what are the exact parameters passed to tshark/tcpdump. How can I do that?
    stryngs (stryngs): hexstr works fine as long as you pass it bytes in both cases. I can't reproduce your issue
    @infern0d:matrix.org The string in question that converts incorrectly when using hexstr() is:
    you parsing it as bytes right?