Thomas Grainger
@graingert
I think only things in scapy.modules/scapy.layers/scapy.contrib should be "loaded"
and only when someone calls scapy.main.load_...
in their terminal
whereas this change always "loads" six and re and other stuff into builtins when using scapy as a library
@gpotter2 ^
Gabriel
@gpotter2
In your PR, instead of removing the _load calls, what about adding an if conf.interactive: around them?
Thomas Grainger
@graingert
six, re, sock etc shouldn't end up builtin even if running as interactive
pretty sure that nothing in scapy.arch.... becomes global, interactive or not
@gpotter2 maybe this is something you added for debugging when you made the PR?
Thomas Grainger
@graingert
@gpotter2 looking at the code before your PR it doesn't add six to builtins when you import scapy.arch at the console or in a script
mstekker
@mstekker

Hi, just updated to newest Scapy for WPA3 support. Now I do have an issue with KillerBee (kbsniff function from scapy_extensions.py):

return plist.PacketList(__kb_recv(kb, count = count, store = store, prn = prn, lfilter = lfilter, stop_filter = stop_filter, verbose = verbose, timeout = timeout), 'Sniffed')

NameError: global name 'plist' is not defined

Anyone any clue where plist now is?

So the issue is KillerBee related.
Thomas Grainger
@graingert
@p-l- why is there so much global mutation in the scapy console stuff
@p-l- I think it would be a good idea to remove the scapy.main._load function and rely on import to import things
david-anders
@david-anders

Hi all, I hope this is the right place for me to ask this question:
I have a problem concerning the ethertype and Dot1Q headers.
802.1Q Frames are supposed to be inserted between the Ethernet Source field, and the EtherType field,
but it seems like they are inserted after the ethernet header (after EtherType).

Example:
Running:

(Ether(dst="AA:AA:AA:AA:AA:AA", src="BB:BB:BB:BB:BB:BB", type=0xEEEE)/Dot1Q(type=0x8100, vlan=0xDDD)).build()

Returns:

  b'\xaa\xaa\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xbb\xbb\xee\xee\r\xdd\x81\x00'

While I expected to get (Ethertype and TPID field are switched):

  b'\xaa\xaa\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xbb\xbb\x81\x00\r\xdd\xee\xee'

Is this behavior anticipated?

Bharat Tak
@devbharat
Hey everybody, is it possible to send custom 'Advanced Data' bytes in the 'Dot11EltVendorSpecific' packet? I see only ID, len, oui and info arguments available
Bharat Tak
@devbharat
Does it just go into the info StrLenField ?
I see the more 'standard' access point beacons sending a lot more info in the Vendor specific tag of the beacon packet, like this
Jacob Lapenna
@jacoblapenna
Can scapy read/capture packets larger than 65535 bytes? I am trying to parse USBPcap traffic from a .pcapng file which contains packets as large as 494439 bytes and scapy just ignores everything past the 65535th byte. I've scoured the API reference and cannot find any parameters related to increasing the largest packet size when using rdpcap, RawPcapReader, RawPcapNgReader, or sniff offline. Any help would be greatly appreciated. Thanks!
bishop527
@bishop527
Wanted to give an update on a post I made about a month ago regarding a problem with the new conf.layers.filter where the performance got a lot worse. I didn't get a response, but yesterday I updated to 2.4.3dev699 and the problem seems to have been fixed. I'd be curious to know more about what caused the problem and the fix.
Jacob Lapenna
@jacoblapenna
I figured out how to get scapy to read packets larger than 65535: read packets one at a time off the RawPcapNgReader generator while specifying a number just greater than the largest expected size. In my case:
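```python
from scapy.all import *

# The reader setup and read call are missing from the archived post; the two
# lines marked "reconstructed" follow the description above, with a
# placeholder file name and size.
reader = RawPcapNgReader("capture.pcapng")  # reconstructed
while True:
    try:
        # size just greater than the largest expected packet
        p = reader.read_packet(size=500000)  # reconstructed
        do_some_things_to_each_packet_function_or_class_here(p)
    except EOFError:
        break
```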
Jacob Lapenna
@jacoblapenna
It is also possible to set scapy.config.Conf.bufsize which defaults to 65536.
Nawazraza
@Nawazraza
Hi Scapy,
Is evolved Common Public Radio Interface (eCPRI) protocol available in scapy?
KyleJeong
@KyleJeong
Maybe not.
Nawazraza
@Nawazraza
Ok, Thank you

Hi,
I'm wondering if Scapy supports remote capture using rpcapd ?

scapy.sniff() works perfectly when capturing local packets but I want to capture packets on another pc with rpcapd running on it.

If rpcapd is installed on a remote machine, Wireshark/Tshark can capture remote packets by replacing local interface name with remote interface name like "rpcap://remoteip:2002/eth0".

I tried scapy.sniff(iface ="rpcap://remoteip:2002/eth0" ) but it returned with an error saying that this interface is not found(apparently scapy checked if the interface is available on the local machine).

If Scapy supports remote capture, what's the proper way of doing this ? I googled "scapy rpcap" but only got results of "scapy rdpcap" which is not what I want.

Thank you very much for your time.

@guedou
We do not support remote capture. However, that could be a nice feature to implement.
Lorenzo Gurri
@Recandi_gitlab
Hello,
I have a question about a bind_layers call in the scapy codebase.
In scapy/layers/l2.py on line 581 the SNAP layer is being bound to the Ether layer when code=1: bind_layers(SNAP, Ether, code=1).
In the SNAP extension, when OUI=000000, the code value's meaning is given by EtherTypes. However, when the OUI field is an organization's OUI, the layer bindings are specific to the organization.
Shouldn't this line, and the other SNAP layer bindings around it, specify the specific OUI they are using? Otherwise wouldn't they overlap with other organization specific bindings? Thank you!
bishop527
@bishop527

I'm using scapy 2.4.3dev699 and trying to use conf.layers.filter to improve performance by reducing the number of protocols being parsed. When I run the following code, which doesn't use the filter, everything works fine.

msg = IP(src="192.168.1.2", dst="192.168.50.5") / UDP(sport=1234, dport=4321)
send(msg)

When I add conf.layers.filter([IP, TCP, UDP]) the above code sends the packet multiple times. After doing some digging I learned that this is because the destination MAC address can't be resolved so the packet is sent via broadcast. To only send 1 packet I have to use the following code

conf.layers.filter([IP, TCP, UDP])
msg = Ether(dst='00:01:02:03:04:06') / IP(src="192.168.1.2", dst="192.168.50.5") / UDP(sport=1234, dport=4321)
sendp(msg)

Why do I have to specifically build the Ether layer when using the filter but don't have to do it when not using the filter?

Thanks

@guedou
Did you try adding Ether to the list ?
Qnner
@Qnner
hello dear all, I want to sniff a http response
but its JSON is incomplete. How to solve? Please
Qnner
@Qnner
here is my simple code:
```python
elif pkt.haslayer(HTTPResponse):

    try:
        pass  # (body of the try block is missing from the archived post)
    except Exception as e:
        print e
        print pkt[Raw]
        return
```
Gabriel
@gpotter2
Qnner
@Qnner
@gpotter2 thanks a lot ^_^
Qnner
@Qnner
I meet a problem here, how to sniff a gzip json file? I've seen that "This will decode HTTP packets using Content_Length or chunks, and will also decompress the packets when needed. Note: on failure, decompression will be ignored." in https://scapy.readthedocs.io/en/latest/layers/http.html, but it does not work and I am sure that my api is right
bishop527
@bishop527
@guedou Yes I did. Then when I removed Ether(dst='00:01:02:03:04:06') from msg the packet isn't sent.
Not sure if it's related but while troubleshooting this I tried using getmacbyip("192.168.50.5") but it returns None.
@guedou
Ether was in the list when sending the frame with sendp() ?
bishop527
@bishop527

Yes. I tried it with both sendp and send after adding Ether to the filter list. When using send it would send the packet via broadcast. When using sendp it didn't send at all even though scapy says it sent a packet.

I tested it on another system and didn't have the same problems. The only difference between the 2 systems is that on the second system getmacbyip returned the MAC address of the destination. So my guess is that not being able to resolve the MAC is part of the problem. Just not sure how to fix that.

Qnner
@Qnner
I still do not know how to solve it, about a response used gzip.
here is my code :
```python
import time

from scapy.all import *
from scapy.layers.http import HTTPRequest, HTTPResponse


def packet_parse(pkt):
    """
    This function is executed whenever a packet is sniffed
    """
    now = time.strftime("%Y.%m.%d %H:%M:%S", time.localtime(time.time()))
    if pkt.haslayer(HTTPRequest):
        return
    elif pkt.haslayer(HTTPResponse):
        if "application/json" not in (str(pkt[HTTPResponse].Content_Type)).split(";"):
            return
        try:
            pass  # (body of the try block is missing from the archived post)
        except Exception:
            pass  # (handler body is missing from the archived post)


if __name__ == '__main__':
    conf.contribs["http"]["auto_compression"] = True
    print conf.contribs["http"]["auto_compression"]
    # sniff(offline=r'D:\\bigResponse.pcapng', prn=packet_parse, session=TCPSession)
    sniff(offline=r'C:\Users\test1\Documents\WXWork\1688850682072943\Cache\File\2020-07\debug_web_search_44k.pcap', prn=packet_parse, session=TCPSession)
```
@bishop527 you need to set the filter as conf.layers.filter([Ether, ARP, IP, TCP]). Scapy will use Ether() and ARP() internally to perform MAC/IP resolution.