Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    meow-watermelon
    @meow-watermelon
    Hi, what's the correct and proper way to get the data payload from Raw layer? I'm using packet[Raw] and packet.getlayer(Raw) can get the data payload but Scapy always shows "WARNING: Calling str(pkt) on Python 3 makes no sense!". I understand the output in bytes but what the heck of this warning messages? Shall I ignore? Or any other methods are available? Thanks.
    oh it's packet[Raw].load
    meow-watermelon
    @meow-watermelon
    Hi, when I use sniff(prn=prn..), there will be the prn return value displayed if processed, is there any way to silence this? Thanks.
    shall I use lfilter instead?
    meow-watermelon
    @meow-watermelon
    Hi, when I run scapy -H I see many warnings like /usr/lib/python3.10/site-packages/prompt_toolkit/renderer.py:514: DeprecationWarning: The explicit passing of coroutine objects to asyncio.wait() is deprecated since Python 3.8, and scheduled for removal in Python 3.11., is there any way to suppress those info?
    strayge
    @strayge

    I've got pcap for 30 seconds (91MB, 519k packets) and its dissect takes forever (~100 sec).
    Tried disable most payload_guess for Ether / IP / TCP / UDP but got very minor (~5%) speed up.

    Is there any way to speed up packets dissect, as I actually only need TCP / UDP fields and not underlying layers?

    Found similar issue secdev/scapy#2055 from 2019, but best answer was switch to other libraries.

    Profiling shows most time at field access:

    147.559 MainThread  <thread>:12524
    └─ 147.558 <module>  <stdin>:1
       └─ 147.558 <listcomp>  <stdin>:1
          └─ 147.076 __call__  scapy\base_classes.py:370
             └─ 144.964 __init__  scapy\packet.py:129
                ├─ 134.626 dissect  scapy\packet.py:998
                │  ├─ 126.404 do_dissect_payload  scapy\packet.py:972
                │  │  ├─ 115.127 __call__  scapy\base_classes.py:370
                │  │  │  └─ 114.058 __init__  scapy\packet.py:129
                │  │  │     ├─ 101.785 dissect  scapy\packet.py:998
                │  │  │     │  ├─ 65.001 do_dissect_payload  scapy\packet.py:972
                │  │  │     │  │  ├─ 54.295 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │  └─ 53.096 __init__  scapy\packet.py:129
                │  │  │     │  │  │     ├─ 40.858 dissect  scapy\packet.py:998
                │  │  │     │  │  │     │  ├─ 29.573 do_dissect  scapy\packet.py:952
                │  │  │     │  │  │     │  │  ├─ 10.320 getfield  scapy\fields.py:2200
                │  │  │     │  │  │     │  │  │  ├─ 5.328 m2i  scapy\fields.py:2922
                │  │  │     │  │  │     │  │  │  │  └─ 4.508 _fixup_val  scapy\fields.py:2906
                │  │  │     │  │  │     │  │  │  │     └─ 4.073 __init__  scapy\fields.py:2711
                │  │  │     │  │  │     │  │  │  │        └─ 3.156 __setattr__  scapy\fields.py:2825
                │  │  │     │  │  │     │  │  │  │           └─ 3.110 [self]
                │  │  │     │  │  │     │  │  │  └─ 4.221 [self]
                │  │  │     │  │  │     │  │  ├─ 5.086 [self]
                │  │  │     │  │  │     │  │  ├─ 4.822 getfield  scapy\layers\inet.py:367
                │  │  │     │  │  │     │  │  │  └─ 3.282 m2i  scapy\layers\inet.py:376
                │  │  │     │  │  │     │  │  │     └─ 2.178 [self]
                │  │  │     │  │  │     │  │  ├─ 4.564 getfield  scapy\fields.py:245
                │  │  │     │  │  │     │  │  │  └─ 2.903 [self]
                │  │  │     │  │  │     │  │  └─ 3.500 do_copy  scapy\fields.py:258
                │  │  │     │  │  │     │  │     └─ 1.989 copy  scapy\fields.py:2839
                │  │  │     │  │  │     │  │        └─ 1.721 __init__  scapy\fields.py:2711
                │  │  │     │  │  │     │  └─ 10.373 do_dissect_payload  scapy\packet.py:972
                │  │  │     │  │  │     │     ├─ 5.279 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │     │     │  └─ 4.892 __init__  scapy\packet.py:1878
                │  │  │     │  │  │     │     │     └─ 4.563 __init__  scapy\packet.py:129
                │  │  │     │  │  │     │     └─ 4.348 guess_payload_class  scapy\packet.py:1011
                │  │  │     │  │  │     │        └─ 1.795 [self]
                │  │  │     │  │  │     ├─ 4.619 [self]
                │  │  │     │  │  │     ├─ 2.740 __setattr__  scapy\packet.py:456
                │  │  │     │  │  │     ├─ 2.138 __call__  scapy\base_classes.py:370
                │  │  │     │  │  │     │  └─ 1.531 [self]
                │  │  │     │  │  │     └─ 2.020 init_fields  scapy\packet.py:224
                │  │  │     │  │  │        └─ 1.582 do_init_cached_fields  scapy\packet.py:251
    secenhance
    @secenhance:matrix.org
    [m]
    Hi, I am currently trying to extend scapy to support 802.11 Fine Timing Measurement. As there are a lot of optional parameter in each paket I was wondering where I should inspect the data and decide dynamically which parts are included? My current approach is overwriting the pre_dissect call and partially parse header fields indicating the presence of optional data. I am not sure where I can set properties or similar to use the conditional field afterwards. Where can I find similar code in scapy or where should I do the check for optional and variable length/sub fields?
    ``` name = "Optional Fine Timing measurement request frame parts"
    fields_desc = [
        # Measurement Request Header 1
        ByteField("element_id1", 0),
        ByteField("length1", 0),
        ByteField("token1", 0),
        ByteField("request_mode1", 0),
        ByteEnumField("measurement_type1", 0, measurement_type),
        # LCI Request
        ByteEnumField("LCI_Location_Subject", 0, location_subject),
        # Measurement Request Header 2
        ByteField("element_id2", 0),
        ByteField("length2", 0),
        ByteField("token2", 0),
        ByteField("request_mode2", 0),
        ByteEnumField("measurement_type1", 0, measurement_type),
        # Location Civic Request Field
        ByteEnumField("Civic_Location_Subject", 0, location_subject),
        ByteEnumField("Civic_Location_Type", 0, civic_location_type),
        ByteEnumField(
            "Location_Service_Interval_Units", 0, civic_location_interval_units
        ),``` 
    These are all optional and I can deduct which type of measurement request based on the request_mode.
    secenhance
    @secenhance:matrix.org
    [m]
    I found similar code in the dot11/dns/bgp layer and it is now optionally parsing the frame parts.
    partially parsing some values in pre_dissect and setting class attributes for usage in the conditional field worked. https://github.com/tweidinger/scapy/blob/74a8cfd5a54a4813d9737d0d5a3e6e8d0d2a7598/scapy/layers/dot11.py#L2135 it's a work in progress but all feedback is welcome.
    pyharbor
    @pyharbor

    Hey I'm thinking of using scapy inside of python module's but I'm really put off that I can't import it efficiently

    import scapy.all as scapy

    really just doesn't cut it because there is zero autocompletion within an ide like pycharm. I tried doing something more targeted like.

    from scapy.compat import raw
    from scapy.layers.dns import DNS
    from scapy.layers.inet import UDP, IP, in4_chksum

    But when I do this I get hit with circular import errors. Is there something I'm missing?

    meow-watermelon
    @meow-watermelon
    Hi, anyone knows how to use sniff() call to sniff all interfaces? by default it will only sniff conf.iface interface
    Guillaume Valadon
    @guedou
    @pyharbor which Scapy version?
    cyril.lu
    @cyril.lu:matrix.org
    [m]
    Hello, is there a less verbose way to get a field human readable representation?
    assert 0 == rsp.payload.status # Ok but I would like to compare it the the defined enum value
    assert "STATUS_OK" == rsp.payload.status # Which cannot be done like this
    
    def field2str(pkt, field_name):
        field, val = pkt.getfield_and_val(field_name)
        return field.i2repr(pkt, val)
    
    assert "STATUS_OK" == field2str(rsp.payload, 'status') # Can be done like this, but looks too verbose to me
    Pierre Lalet
    @p-l-
    The best way to get what you want would probably be rsp.sprintf("%layer_name.status%") (replace layer_name using the real name)
    pyharbor
    @pyharbor
    @guedou scapy==2.4.5
    Guillaume Valadon
    @guedou
    @pyharbor try the master version on github. This was fixed.
    pyharbor
    @pyharbor
    ooh ok cool
    Mauro Condarelli
    @mcondarelli

    Hi, I just started looking into scapy (I'm using scapy 2.4.5 with CPython 3.8).
    A very stupid program I wrote to extract from long .pcap a small piece I need:

    import datetime
    from scapy.all import PcapWriter, PcapReader, EDecimal
    
    
    class PcapHandler:
        def __init__(self, fn):
            self.fn = fn
    
        @staticmethod
        def _normalize(dt):
            if isinstance(dt, float):
                return EDecimal(dt)
            if isinstance(dt, datetime.datetime):
                return EDecimal(dt.timestamp())
            if isinstance(dt, str):
                return EDecimal(datetime.datetime.fromisoformat(dt).timestamp())
    
        def trim(self, start, end, output):
            s = self._normalize(start)
            e = self._normalize(end)
            with PcapWriter(output) as fo:
                with PcapReader(self.fn) as fi:
                    for n, pkt in enumerate(fi):
                        print(f'{n:6d}', end='\r')
                        if pkt.time > e:
                            break
                        if pkt.time >= s:
                            fo.write(pkt)
                            print()
    
    
    if __name__ == '__main__':
        h = PcapHandler('20211025T114023A.pcap')
        h.trim('2021-10-25T12:01:53', '2021-10-25T12:01:55', 'tt.pcap')

    ... actually works, but outputs also a stream of : WARNING: Calling str(pkt) on Python 3 makes no sense!
    What am I doing wrong?

    Leonard Crestez
    @cdleonard
    what is the right way to "wait for specific packets received"?
    the sendrecv interface of scapy seems to have very specific ideas about "who replies to what"
    I end up writing waiting.wait(pred) where pred goes and digs around inside sniffer.session.toPacketList
    luwangli
    @luwangli
    I have a pcap file which can be open by Wireshark, so I know it's Link type is Cisco HDLC. However, when I use scapy to read this pcap file, the error is "WARNING: PcapReader: unknown LL type [104]/[0x68]. Using Raw packets". what should I do?
    from scapy.all import * pcap = PcapReader("200test.pcap")
    meow-watermelon
    @meow-watermelon
    @cdleonard you want to stop sniffing once received a specific packet and do something?
    If in that case, check stop_filter parameter in sniff function, it allows you to write a callback function to decide when to stop sniffing then using lfilter parameter function to define what to do about the received packet.
    meow-watermelon
    @meow-watermelon
    @mcondarelli just my guess, that fo.write(pkt) is trying to convert the pkt into string
    from the python io doc: f.write(string) writes the contents of string to the file, returning the number of characters written.
    Leonard Crestez
    @cdleonard
    @meow-watermelon no I want to wait for a specific packet and continue testing
    scanning the whole packet list is potentially slow and waiting.wait relies on polling but scapy doesn't appear to have a nicer way to do this.
    meow-watermelon
    @meow-watermelon
    Hi, want to share something that I implemented for ARP stuffing protocol by using Scapy: https://github.com/meow-watermelon/arp-stuffing - I also wrote a doc about the usage.
    cyril.lu
    @cyril.lu:matrix.org
    [m]
    Hello, is there a way to display both value and description with show(), without actually specifiying the value in the enum names? Something like
    ###[ UciControlPacket ]### 
      messageType= 0b001 (Control Command)
      packetBoundaryFlag= 0b0: Complete
      groupIdentifier= 0b0001 (UWB Session)
      reserved0 = 0
      opcodeIdentifier= 0b000001 (SESSION_DEINIT_CMD)
      reserved1 = 0
      payloadLength= 4
    ###[ SessionDeinitCmd ]### 
       sessionId = 1
    rtborg
    @rtborg
    Hi, is there a way to customize the message that is sent by scapy.tools.automotive.isotpscanner? Currently the message is [10 64 00 00 00 00 00 00]
    Nils Weiss
    @polybassa
    Hi, we didn't implemented a way to change the message of istopscanner. What's your usecase for this change?
    rtborg
    @rtborg
    I have an ECU which uses extended addressing plus data length like this [0xADDR 0xLEN 0xDATA0 ... 0xDATA5]
    And it will not respond to [0xADDR 0x10 0x64 ....]
    Nathan
    @nth0rpe_twitter

    Hi,

    I am trying to use the PacketField class to implement a custom packet type.
    The code detects the packets properly if I put the fields from CommandPacket directly into CustomPacket, but not when I use the PacketField class.
    It just detects the entire data as Raw rather than CustomPacket.

    Do you know why it does not like to use the PacketField in the fields?

    bind_layers(UDP, CustomPacketHolder)
    
    class CustomPacketHolder(Packet):
        fields_desc = [
            ShortField("header", 0),
            PacketListField("data", [], CustomPacket)
        ]
    
    class CustomPacket(Packet):
        fields_desc = [
            BitField("letter", 0, 4),
            BitField("checkBits", 0, 12),
            PacketField("command", None, CommandPacket)
        ]
    
        def extract_padding(self, p):
            return "", p
    
    class CommandPacket(Packet):
        fields_desc = [
            BitField("field1", 0, 3),
            BitField("field2", 0, 5),
            BitField("field3", 0, 1),
            BitField("field4", 0, 5),
            BitField("field5", 0, 5),
            BitField("field5", 0, 1)
        ]
    
        def extract_padding(self, p):
            return "", p
    Leonard Crestez
    @cdleonard
    Gentle ping for secdev/scapy#3427 ?
    Nils Weiss
    @polybassa
    @rtborg we've implemented parameters for this. Both extended isotp addressing and extended can identifiers are implemented. Check the arguments and the documentation.
    rtborg
    @rtborg
    @polybassa Thanks, will do that
    bhdrozgn
    @bhdrozgn
    Hey, do you consider adding 802.11ax support? HE information is not complete in secdev/scapy/layers/dot11.py line 473
    Jonathon Anderson
    @anderbubble
    I am very new to scapy, and am trying to decode (dissect?) NFS using scapy.contrib.nfs. If I sniff() using scapy 2.4.0 (python3-scapy in debian 10.11) then I see raw Ethernet packets. But if I sniff() using scapy 2.4.5 (from pip) then I don't see any NFS packets at all, raw or otherwise. (I do see other non-NFS packets, though.) What am I doing wrong?
    Jonathon Anderson
    @anderbubble
    It seems that NFS understands that this is a local export/mount, and is putting traffic over lo rather than eth0, despite what's in /etc/exports and mount.nfs. Apparently the default iface behavior changed in scapy and, before, it listened on all iface before, but now it only listens on eth0 by default.
    Jonathon Anderson
    @anderbubble
    It still doesn't appear to be decoding / dissecting the packet as I expect but at least I see raw packets in the latest version again.
    0xKate
    @0xKate
    Are you able to do something like this? I have not messed with nfs yet, but most layers/protos are accessed by indexing the packet with it
            if nfs in pkt:
                print(pkt[nfs].show())
                print(pkt[Ether].dst)
    The sniffer wont be application aware, but you can use a lfilter to check that like this:
    >>> a=sniff(filter='ip host 8.8.8.8', lfilter=lambda x: x.haslayer(DNS), count=2)
    Jonathon Anderson
    @anderbubble
    I can give that a try; but I'm most confused because the NFS package has several different types of Packets with no hierarchy between them; so I don't know how to find packets of any NFS type.
    Jonathon Anderson
    @anderbubble
    @0xKate in your first example, what is the value of the nfs variable? One of the layer classes?
    0xKate
    @0xKate
    Typically the value of nfs/Ether variable in my example is a packet/layer class. What I posted wont work because its a contrib package not derived from packet. Scapy needs to actually load the contrib package to be aware of nfs. There's an example for ospf here https://lost-and-found-narihiro.blogspot.com/2012/11/python-scapy-how-to-load-extension.html but this was python 2.7. I can't find any official documentation on loading contribs for sniffing. Once Scapy is aware of it however, you should be able to do things like if nfs.ACCESS_Call in packet: and packet[nfs.ACCESS_Call].filehandle