    Prayag Koirala
    @Prayag10Prayag_twitter
    image.png
    Michael Bruhn
    @EviLDgL_gitlab
    @Prayag10Prayag_twitter hey that means you don't have an IP layer in that packet (maybe it doesn't exist?). Just do one pkt.show() before you do your IP check
    so you can have a look at what the packet contains
    Michael Brandeis
    @michaelbrandeis
    @gpotter2 - Had some time to look over the issues with the pcapng again. To be honest, the implementation in scapy is pretty far from the standard. It looks like fixing it will require refactoring or adjusting quite a bit more than I had anticipated to overcome the f.seek(0) call. If anyone wants to chat with me about the issues I'd be happy to sync up. I'm not a pcapng format expert, just going off of what is shown here https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
    Michael Brandeis
    @michaelbrandeis
    I do wonder if it makes sense to drop the tcpdump read pipe and just use tcpdump to filter to a temp file, and then read the temp file instead
    Michael Brandeis
    @michaelbrandeis
    ok, found another brutal bug with pcapng option parsing, which will resolve quite a few issues
    options = self.read_options(block[16:]) should be options = self.read_options(block[8:]) - so scapy was skipping the first option in every read, which had useful things like the time resolution
    Michael Brandeis
    @michaelbrandeis
    I've merged a fix for the issues I ran into
    secdev/scapy#2895
    Konstantin Goretzki
    @konstantingoretzki
    Hi there. Hope it's ok to ask questions here. Is there any possibility to keep on sniffing if the interface goes down for a second? If I use tcpdump then I see that tcpdump gets stopped (tcpdump: pcap_loop: The interface went down). After I manually restart tcpdump it keeps on showing the packets I am looking for. However scapy looks like it hangs after I restarted the interface and does not get back to the state where it can sniff. Has anybody an idea on how to fix/work around this problem? I am unfortunately in the situation where the interface needs to restart for a second. Thank you!
    Amine Choukir
    @amchoukir
    Hello Everyone, I am trying to edit an mDNS pcap but once writing it back it displays as malformed in wireshark. From the byte layout it seems that the capture is truncated after the edit.
    Afilsi
    @Afilsi
    @gpotter2 Thank you very much for your answer! I'll try this as soon as I can! And sorry for my response time...
    Gabriel
    @gpotter2
    @konstantingoretzki Does it at least stop sniffing, or does it never crash when the interface reloads?
    You could try to reload the interfaces and routes using conf.route.resync() and conf.ifaces.reload()
    Konstantin Goretzki
    @konstantingoretzki

    @gpotter2 From my tests it does stop sniffing (because I do not see any packets anymore) and never crashes as well. I just can see that restarting tcpdump does get the packets while scapy with the same filter skips them all, therefore I think that it stopped sniffing. Unfortunately no exception is dropped. I do not get the OSError for an unavailable network device. I only get this if I start the sniff with an interface that's not available at the startup.

    Reloading the interfaces/routes is definitely a great idea that I will try. Guess the only problem is then that I do not know when exactly the interface goes down.
    Also it could be a problem that the script runs on a Pi0. The imports of the needed scapy lib parts take quite a while, therefore I can not easily start a new instance of the script.

    Fabian Freyer
    @fabianfreyer
    Hi! I'd like to sniff on a named pipe with live pcap data, but I'm not really sure how to. Apparently just using sniff(offline="/tmp/pipe") doesn't work; it just throws an exception stating that it's "Not a supported capture file".
    Fabian Freyer
    @fabianfreyer
    I've verified that if I copy the pcap data to a regular file, it does work
    Keath Milligan
    @keathmilligan
    Hi. I am unable to sniff packets on the Windows loopback adapter using Scapy 2.4.2. It works for physical interfaces and I have a recent version of npcap installed (and Wireshark is able to capture local packets). get_if_list() shows \\Device\\NPF_Loopback but this doesn't work as a name to give for "iface".
    Gabriel
    @gpotter2
    Please retry using 2.4.4 or the github version
    Keath Milligan
    @keathmilligan
    Thanks. 2.4.4 works.
    sai sashankh donkena
    @sashankh
    pkt.summary() on a vxlan encapped packet shows only the inner packet instead of displaying the whole packet. Should this be fixed?
    Milo Rue
    @milorue
    I'm currently trying to send an array of structs over a custom packet. Is there a way to do this? I tried FieldLenField("numDevices", None), FieldListField("sensorArray", None, ByteField("sensorStruct", 0), count_from=lambda pkt: pkt.numDevices)
    the structs are packed beforehand and then placed in args for the packet sensorArray=[struct1, struct2]
    I get an error of struct.error: required argument is not an integer
    I can run packet.show() but not packet.show2() or send() the packet
    mendaxi
    @mendaxi_twitter
    Hi, I was having an issue running a previously working script, where doing from scapy.all import srp, Ether... would result in a FileNotFound exception -- however I was able to remedy the issue by changing line 30 of arch/bpf/core.py to LIBC = cdll.LoadLibrary(find_library("c"))
    I don't know if anyone else has encountered the issue -- I am on Debian Unstable and Python 3.9
    Guillaume Valadon
    @guedou
    Could you share the faulty script? This file should not be loaded on Linux.
    stemadde
    @stemadde

    Hi everybody, recently I started working on a new project. Basically my aim is to intercept live network packets, to intercept emails and scan the attachments. All is working fine until I send mails with total dimension > 100KB, in which case capture of the single email stops, and parsing obviously results in a corrupted attachment. Is there any hard limit inside the scapy lib? Or am I doing something wrong?
    Scapy version is 2.4.3
    Script is installed on a pfSense 2.4.5, FreeBSD 11.3-STABLE
    Code:

    from scapy.all import get_if_addr, sniff

    def startSniffer(interface):
        ip_addr = get_if_addr(interface)
        # Capture IMAP/POP3 traffic (plain and TLS ports); each packet goes to packet_filter
        sniff(iface=interface, prn=packet_filter,
              filter="port 993 or port 143 or port 110 or port 995")

    def packet_filter(pkt):
        flags = pkt.sprintf("%r,TCP.flags%")
        if flags == "PA":
            non_escaped_load = str(pkt.getfieldval("load"))
        elif flags == "A":
            non_escaped_load = str(pkt.payload.payload.payload)
        else:
            # Other flag combinations are not handled here; skip them
            return
        load = bytes(non_escaped_load, "utf-8").decode("unicode-escape")

    and then I start parsing the payload

    Michael Bruhn
    @EviLDgL_gitlab
    Okay, I just saw that something like tls (record) has implemented something like this already. I'll try to understand the current scapy implementation of this
    original question deleted until i read further into the tls implementation
    mendaxi
    @mendaxi_twitter

    Could you share the faulty script? This file should not be loaded on Linux.

    from scapy.all import srp

    Kyander
    @Kyander
    I would like to ask, is it possible to listen for ICMP requests and then send our own crafted reply with scapy?
    Guillaume Valadon
    @guedou
    Yes, we call that AnsweringMachine. It is documented
    Kyander
    @Kyander
    Thank you so much, I have been searching for it for a while!
    coffee70
    @coffee70
    Hi, I keep trying to use filtering with sniff() and I keep getting this message: WARNING: Cannot set filter: libpcap is not available. Cannot compile filter ! But I have libpcap installed on my computer.
    coffee70
    @coffee70

    I also tried setting

    conf.use_pcap=True

    and it tells me

    WARNING: No libpcap provider available ! pcap won't be used

    Any ideas?

    Guillaume Valadon
    @guedou
    Which OS / Scapy / Python versions are you using ?
    coffee70
    @coffee70
    Mac OS Big Sur, Python 3.8.5, Scapy 2.4.4
    Guillaume Valadon
    @guedou
    Thanks. How did you install Scapy?
    coffee70
    @coffee70
    I'm almost positive I used pip to install it

    I used the command

    pip install scapy

    but I didn't use these:

    pip install --pre scapy[basic]

    or

    pip install --pre scapy[complete]

    because I got a weird error with the last two. I thought using the last one would work because I figured it would install libpcap correctly but pip said it couldn't find any program with that name.

    coffee70
    @coffee70
    so I just stuck with the original command and that installed scapy for me
    Guillaume Valadon
    @guedou
    Could you try to clone the repo using git then sudo ./run_scapy as shown in the video here https://github.com/secdev/scapy ?
    coffee70
    @coffee70
    should I uninstall the scapy I have now?
    coffee70
    @coffee70

    Okay so I uninstalled the libpcap I had installed with brew and I uninstalled the scapy I installed with pip. Then I cloned the repo using the instructions and tried to run the sniff filter without libpcap installed from brew and I got the same error message, and then I tried installing libpcap again with brew and tried running the sniff filter and got the same message.

    Could this be because I have libpcap installed with homebrew? I tried using pip but pip says there is nothing it can find with the name libpcap. When I install it with brew it tells me that libpcap is keg-only and that macOS already provides this software built in and that if I need libpcap in the PATH I should use this command:

    echo 'export PATH="/usr/local/opt/libpcap/bin:$PATH"' >> ~/.zshrc

    I guess I really don't know what any of that means, but it seems like if macOS already has libpcap built in I shouldn't need to install it at all, but even with the brew version uninstalled nothing works.

    Brew also says :

    For compilers to find libpcap you may need to set:
      export LDFLAGS="-L/usr/local/opt/libpcap/lib"
      export CPPFLAGS="-I/usr/local/opt/libpcap/include"

    Is scapy a compiler? I don't really know what that means. I have tried running these commands as they are printed but it didn't work.

    mendaxi
    @mendaxi_twitter
    Is the save_unanswered argument in sr or srp implemented? I've attempted to use it on two separate devices and it does not seem to work.
    e.g.
    sr(IP(dst="192.168.1.1-10")/ICMP(), timeout=2, save_unanswered=False)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 510, in sr
        result = sndrcv(s, x, *args, **kargs)
      File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 278, in sndrcv
        sndrcver = SndRcvHandler(*args, **kwargs)
    TypeError: __init__() got an unexpected keyword argument 'save_unanswered'
    Gabriel
    @gpotter2
    @coffee70 What do you get if you do import scapy.libs.winpcapy?
    coffee70
    @coffee70

    @gpotter2 Okay, I think you are on to something here. So I put in that import statement and I get:

    ---------------------------------------------------------------------------
    OSError                                   Traceback (most recent call last)
    <ipython-input-1-78641cd0714a> in <module>
    ----> 1 import scapy.libs.winpcapy
    
    ~/scapy/scapy/libs/winpcapy.py in <module>
         36     _lib_name = find_library("pcap")
         37     if not _lib_name:
    ---> 38         raise OSError("Cannot find libpcap.so library")
         39     _lib = CDLL(_lib_name)
         40 
    
    OSError: Cannot find libpcap.so library

    so it seems it cannot find it at all.

    What should I do?