    Thomas Grainger
    @graingert
    I think only things in scapy.modules/scapy.layers/scapy.contrib should be "loaded"
    and only when someone calls scapy.main.load_...
    in their terminal
    whereas this change always "loads" six and re and other stuff into builtins when using scapy as a library
    @gpotter2 ^
    Gabriel
    @gpotter2
    In your PR, instead of removing the _load calls, what about adding a if conf.interactive: around them?
    Thomas Grainger
    @graingert
    six, re, sock etc shouldn't end up builtin even if running as interactive
    pretty sure that nothing in scapy.arch.... becomes global, interactive or not
    @gpotter2 maybe this is something you added for debugging when you made the PR?
    Thomas Grainger
    @graingert
    @gpotter2 looking at the code before your PR it doesn't add six to builtins when you import scapy.arch at the console or in a script
    mstekker
    @mstekker

    Hi, just updated to newest Scapy for WPA3 support. Now I do have an issue with KillerBee (kbsniff function from scapy_extensions.py):

    return plist.PacketList(__kb_recv(kb, count = count, store = store, prn = prn, lfilter = lfilter, stop_filter = stop_filter, verbose = verbose, timeout = timeout), 'Sniffed')

    NameError: global name 'plist' is not defined

    Anyone any clue where plist now is?

    So the issue is KillerBee related.
    Thomas Grainger
    @graingert
    @p-l- why is there so much global mutation in the scapy console stuff
    @p-l- I think it would be a good idea to remove the scapy.main._load function and rely on import to import things
    david-anders
    @david-anders

    Hi all, I hope this is the right place for me to ask this question:
    I have a problem concerning the ethertype and Dot1Q headers.
    802.1Q Frames are supposed to be inserted between the Ethernet Source field, and the EtherType field,
    but it seems like they are inserted after the ethernet header (after EtherType).

    Example:
    Running:

    (Ether(dst="AA:AA:AA:AA:AA:AA", src="BB:BB:BB:BB:BB:BB", type=0xEEEE)/Dot1Q(type=0x8100, vlan=0xDDD)).build()

    Returns:

      b'\xaa\xaa\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xbb\xbb\xee\xee\r\xdd\x81\x00'

    While I expected to get (Ethertype and TPID field are switched):

      b'\xaa\xaa\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xbb\xbb\x81\x00\r\xdd\xee\xee'

    Is this behavior anticipated?

    Bharat Tak
    @devbharat
    Hey everybody, is it possible to send custom 'Advanced Data' bytes in the 'Dot11EltVendorSpecific' packet? I see only ID, len, oui and info arguments available
    Bharat Tak
    @devbharat
    image.png
    Does it just go into the info StrLenField ?
    I see the more 'standard' access point beacons sending a lot more info in the Vendor specific tag of the beacon packet, like this
    image.png
    Jacob Lapenna
    @jacoblapenna
    Can scapy read/capture packets larger than 65535 bytes? I am trying to parse USBPcap traffic from a .pcapng file which contains packets as large as 494439 bytes and scapy just ignores everything past the 65535th byte. I've scoured the API reference and cannot find any parameters related to increasing the largest packet size when using rdpcap, RawPcapReader, RawPcapNgReader, or sniff offline. Any help would be greatly appreciated. Thanks!
    bishop527
    @bishop527
    Wanted to give an update on a post I made about a month ago regarding a problem with the new conf.layers.filter where the performance got a lot worse. I didn't get a response, but yesterday I updated to 2.4.3dev699 and the problem seems to have been fixed. I'd be curious to know more about what caused the problem and the fix.
    Jacob Lapenna
    @jacoblapenna
    I figured out how to get scapy to read packets larger than 65535: read packets one at a time off the RawPcapNgReader generator while specifying a number just greater than the largest expected size. In my case:
    from scapy.all import *
    
    packet_reader = RawPcapNgReader('my_pacapng_file.pcapng')
    
    while True:
        try:
            p = packet_reader.read_packet(size=500000)
            do_some_things_to_each_packet_function_or_class_here(p)
        except EOFError:
            break
    Jacob Lapenna
    @jacoblapenna
    It is also possible to set scapy.config.Conf.bufsize which defaults to 65536.
    Nawazraza
    @Nawazraza
    Hi Scapy,
    Is evolved Common Public Radio Interface (eCPRI) protocol available in scapy?
    for more information go through this link (https://wiki.wireshark.org/eCPRI)
    KyleJeong
    @KyleJeong
    Maybe not.
    Nawazraza
    @Nawazraza
    Ok, Thank you
    AdrianKeys
    @AdrianKeys

    Hi,
    I'm wondering if Scapy supports remote capture using rpcapd ?

    scapy.sniff() works perfectly when capturing local packets but I want to capture packets on another pc with rpcapd running on it.

    If rpcapd is installed on a remote machine, Wireshark/Tshark can capture remote packets by replacing local interface name with remote interface name like "rpcap://remoteip:2002/eth0".

    I tried scapy.sniff(iface="rpcap://remoteip:2002/eth0") but it returned with an error saying that this interface is not found (apparently scapy checked if the interface is available on the local machine).

    If Scapy supports remote capture, what's the proper way of doing this ? I googled "scapy rpcap" but only got results of "scapy rdpcap" which is not what I want.

    Thank you very much for your time.

    Guillaume Valadon
    @guedou
    We do not support remote capture. However, that could be a nice feature to implement.
    Lorenzo Gurri
    @Recandi_gitlab
    Hello,
    I have a question about a bind_layers call in the scapy codebase.
    In scapy/layers/l2.py on line 581 the SNAP layer is being bound to the Ether layer when code=1: bind_layers(SNAP, Ether, code=1).
    In the SNAP extension, when OUI=000000, the code value's meaning is given by EtherTypes. However, when the OUI field is an organization's OUI, the layer bindings are specific to the organization.
    Shouldn't this line, and the other SNAP layer bindings around it, specify the specific OUI they are using? Otherwise wouldn't they overlap with other organization specific bindings? Thank you!
    bishop527
    @bishop527

    I'm using scapy 2.4.3dev699 and trying to use conf.layers.filter to improve performance by reducing the number of protocols being parsed. When I run the following code, which doesn't use the filter, everything works fine.

    msg = IP(src="192.168.1.2", dst="192.168.50.5") / UDP(sport=1234, dport=4321)
    send(msg)

    When I add conf.layers.filter([IP, TCP, UDP]) the above code sends the packet multiple times. After doing some digging I learned that this is because the destination MAC address can't be resolved so the packet is sent via broadcast. To only send 1 packet I have to use the following code

    conf.layers.filter([IP, TCP, UDP])
    msg = Ether(dst='00:01:02:03:04:06') / IP(src="192.168.1.2", dst="192.168.50.5") / UDP(sport=1234, dport=4321)
    sendp(msg)

    Why do I have to specifically build the Ether layer when using the filter but don't have to do it when not using the filter?

    Thanks

    Guillaume Valadon
    @guedou
    Did you try adding Ether to the list ?
    Qnner
    @Qnner
    Hello dear all, I want to sniff an HTTP response
    but its JSON is incomplete. How to solve? Please
    Qnner
    @Qnner
    here is my simple code:
    elif pkt.haslayer(HTTPResponse):
    
        try:
            json.loads(str(pkt[Raw]))
        except Exception as e:
            print e
            print pkt[Raw]
        return
    Gabriel
    @gpotter2
    Qnner
    @Qnner
    @gpotter2 thanks a lot ^_^
    Qnner
    @Qnner
    I met a problem here: how to sniff a gzip json file? I've seen that "This will decode HTTP packets using Content_Length or chunks, and will also decompress the packets when needed. Note: on failure, decompression will be ignored." in https://scapy.readthedocs.io/en/latest/layers/http.html, but it does not work and I am sure that my api is right
    bishop527
    @bishop527
    @guedou Yes I did. Then when I removed Ether(dst='00:01:02:03:04:06') from msg the packet isn't sent.
    Not sure if it's related but while troubleshooting this I tried using getmacbyip("192.168.50.5") but it returns None.
    Guillaume Valadon
    @guedou
    Ether was in the list when sending the frame with sendp() ?
    bishop527
    @bishop527

    Yes. I tried it with both sendp and send after adding Ether to the filter list. When using send it would send the packet via broadcast. When using sendp it didn't send at all even though scapy says it sent a packet.

    I tested it on another system and didn't have the same problems. The only difference between the 2 systems is that on the second system getmacbyip returned the MAC address of the destination. So my guess is that not being able to resolve the MAC is part of the problem. Just not sure how to fix that.

    Qnner
    @Qnner
    I still do not know how to solve it, about a response used gzip.
    here is my code :
    def packet_parse(pkt):
        """
        This function is executed whenever a packet is sniffed
        """
        now = time.strftime("%Y.%m.%d %H:%M:%S", time.localtime(time.time()))
        if pkt.haslayer(HTTPRequest):
            return
        elif pkt.haslayer(HTTPResponse):
            if "application/json" not in (str(pkt[HTTPResponse].Content_Type)).split(";"):
                return
            try:
                # json.loads(str(pkt[HTTPResponse].payload))
                print pkt[HTTPResponse].load
            except Exception:
                print gzip_uncompress(pkt[HTTPResponse].load)
    
    
    if __name__ == '__main__':
        load_layer("http")
        conf.contribs["http"]["auto_compression"] = True
        print conf.contribs["http"]["auto_compression"]
        # sniff(offline=r'D:\\bigResponse.pcapng', prn=packet_parse, session=TCPSession)
        sniff(offline=r'C:\Users\test1\Documents\WXWork\1688850682072943\Cache\File\2020-07\debug_web_search_44k.pcap', prn=packet_parse, session=TCPSession)
    Guillaume Valadon
    @guedou
    @bishop527 you need to set the filter as conf.layers.filter([Ether, ARP, IP, TCP]). Scapy will use Ether() and ARP() internally to perform MAC/IP resolution.
    bishop527
    @bishop527
    @guedou that solved it, thanks
    Qnner
    @Qnner

    When I sniff an HTTP request, can I get its response matched?

    I've tried using the request's tcp.seq to match the response's tcp.ack. When the response is small, it works, but with a big response, it does not work.

    I see the same question on Stack Overflow, but nobody can solve it: https://stackoverflow.com/questions/55865831/how-to-map-response-to-request-in-scapy