Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info

    I'm encountering packet loss with the scapy sniff() function. I have a mininet network with a simple topology. A switch s1, three hosts h1, h2,, h3 and another host named spoofer. From the spoofer's interface, I'm sniffing the packets using sniff(). But when I ping h2 from h1, anything from anything, I'm noticing only a few packets are getting captured. whereas Wireshark is capturing a lot many. Especially, I noticed not a single ARP reply is captured.

    I am attaching two screenshots. Will provide any other information if required.

    Here's the arpspoof_sniff.py(I'll add the arp filter later, but still pings, ARP replies etc.. should get captured right?):
    import scapy.all as scapy
    def arp_display(pkt):
    scapy.sniff(iface='attacker-eth0',prn=arp_display, store=0, count=0)
    Pycharm calls str() on stuff you mouseover when debugging which produces endless Calling str(pkt) on Python 3 makes no sense! warnings. The maintainer said in secdev/scapy#3548 it's not a bug. What's the most efficient way to disable these warnings on my end?
    1 reply
    like this but class A is in scapy code
    Hello I have a question on sprintf. I have an answer with sr1:
    (Pdb) p ipv4google[DNS].an
    <DNSRR  rrname='www.google.fr.' type=A rclass=IN ttl=97 rdlen=None rdata= |>
    (Pdb) p ipv4google[DNSRR].rrname
    (Pdb) p ipv4google.sprintf("%DNS.an% %DNSRR.rrname%")
    "<DNSRR  rrname='www.google.fr.' type=A rclass=IN ttl=97 rdlen=None rdata= |> ??"
    Why I get ?? instead of actual narrname. Should I open a bug instead ?
    DNSRR() is not a layer on top of DNS() but a field of the DNS() layer that "works" like a packet. You could use ipv4google[DNS].an.sprintf("%rrname%").
    Do you think sublayer specifier could be supported ? So one sprintf could be called with all format ?
    Thanks for workaround
    You may open an issue to ask for that feature.
    You can already do a lot of things using sprintf
    I don't get what's missing
    "%DNS.an.rrname%", for example
    Hi, I have a issue with "ISIS_P2PAdjacencyStateTlv", when I create ISIS P2P IIH packet. such as:
    iih = Dot3(dst='09:00:2b:00:00:05', src='00:0c:29:31:a0:9f') / \
    LLC(dsap=0xfe, ssap=0xfe, ctrl=3) / \
    ISIS_CommonHdr(nlpid=0x83, version=1, idlen=0,pduversion=1, hdrreserved=0,maxareaaddr=0) / \
    ISIS_P2P_Hello(sourceid = '0102.0304.0506', holdingtime = 30, localcircuitid = 0, tlvs = [ISIS_P2PAdjacencyStateTlv(state='Up', extlocalcircuitid=3, neighboursystemid='1111.2222.3333', neighbourextlocalcircuitid=5)])
    and then crashed, "TypeError: '>=' not supported between instances of 'NoneType' and 'int'"
    Matthew Clark
    Is there a way to access the "options" part of a pcapng block? I"m trying to parse Kismet pcapng files that embed its GPS coordinates into the options part of the EPB, but don't see how I get access to it.
    zigbee how to configure the key used for NWK encryption and decryption in the case of zigbee protocol ZigbeeNWK() and then write it into PCAP format using wrpcap() ?
    zigbee: I need this key to feed into wireshark for decypting the PCAP file that wrpcap() generates

    Does scapy support IEEE 802.3 packet with LLC?
    I learned Ethernet2 Packet is majority and new standard 802.3 is minor.
    So I started to search 802.3 packet just for fun. I found one packet among 100.
    It's SNAP packet which length field is 324. the field which normally used as ether_type in Ethernet II.
    I met this kind of error messages.
    (I used latest github version)

    Traceback (most recent call last):
      File "C:\Users\...\scapy\packet.py", line 455, in __getattr__
        fld, v = self.getfield_and_val(attr)
      File "C:\Users\...\scapy\packet.py", line 450, in getfield_and_val
        raise ValueError
    Traceback (most recent call last):
        if ether_pkt.type == 0x0800:  # IPv4

    Is there a way to handle such a thing? Can you tell me what mistake I made?

    1 reply
    Akshat Tekriwal
    Is it possible to use Scapy to create and mark a packet ? My ultimate goal is to catch marked packets during routing for example, the below rule will catch all the packets with firewall mark and use 'personal_table' for them.
    I know how to use iptables to mark packets, but iptables will mark more packet than necessary.
    $ ip rule show
    0:        from all lookup local 
    32764:    from all fwmark        1 lookup personal_table
    How do I MITM using TLS records or is it possible to see the messages on the application layer using scapy?
    I want to get wifi snr with sniff on ubuntu, but the is an error as follows:

    /home/chowhao/Project/python/venv/bin/python /home/chowhao/Project/python/scn/demo/test4.py
    /home/chowhao/Project/python/venv/lib/python3.8/site-packages/scapy/layers/ipsec.py:471: CryptographyDeprecationWarning: Blowfish has been deprecated
    /home/chowhao/Project/python/venv/lib/python3.8/site-packages/scapy/layers/ipsec.py:485: CryptographyDeprecationWarning: CAST5 has been deprecated
    Traceback (most recent call last):
    File "/home/chowhao/Project/python/scn/demo/test4.py", line 19, in
    sniff(iface=interface, monitor='True', prn=call_back)
    File "/home/chowhao/Project/python/venv/lib/python3.8/site-packages/scapy/sendrecv.py", line 1263, in sniff
    sniffer._run(args, *kwargs)
    File "/home/chowhao/Project/python/venv/lib/python3.8/site-packages/scapy/sendrecv.py", line 1127, in _run
    sniff_sockets[L2socket(type=ETH_P_ALL, iface=iface,
    File "/home/chowhao/Project/python/venv/lib/python3.8/site-packages/scapy/arch/libpcap.py", line 376, in init
    self.ins = open_pcap(iface, MTU, self.promisc, 100,
    File "/home/chowhao/Project/python/venv/lib/python3.8/site-packages/scapy/arch/libpcap.py", line 247, in init
    raise OSError("Could not activate the pcap handler")
    OSError: Could not activate the pcap handler

    Process finished with exit code 1

    this my code:


    from scapy.all import *
    from scapy.config import conf
    from scapy.layers.dot11 import Dot11

    conf.use_pcap = True

    def call_back(pkg):
    if pkg.haslayer(Dot11):
    if pkg.type == 0 and pkg.subtype == 8:
    print("dBm_AntSignal=", pkg.dBm_AntSignal)
    print("dBm_AntNoise=", pkg.dBm_AntNoise)

    interface = 'wlp1s1'
    sniff(iface=interface, monitor='True', prn=call_back)

    1 reply
    The dBm_AntNoise is always None, How can I get its values?
    i need help with : padding() and nzpadding() i wanna know where the difference is between these two functions
    when i sniff packets and use padding i see the same result of it when i use nzpadding
    could someone tell me where the real difference is ?
    I want to know the difference between lower canal and high canal of the source in Scapy's PipeTools.
    I will be very appreciated if you can answer me.
    Why does it need two canal in source?
    Guillaume Valadon
    @lilakerin_twitter I sometimes use iptables nfqueue to tag specific packet
    @blog666 there is no special difference. Both are channels that you can use to combine pipes
    Guillaume Valadon
    @mjnd88 have a look at this https://github.com/secdev/scapy/blob/master/scapy/plist.py#L467 nzpadding has a different behavior when padding is null
    5 replies
    Ever thought about a scapy discord?
    hi mates, are there’re any detailed guides for custom layer dev?
    1 reply

    Regarding secdev/scapy#3793, this is pretty interesting. Turns out To-DS can sometimes be Dot11FCS where the response for a From-DS would be just Dot11. Wireshark agrees though. My bug I suppose is scapy following the standards as best as it can.

    It's an interesting bug in that it works. You would think that if Dot11FCS was the layer under RadioTap in a captured frame and then you sent it, well of course it would work. The arp would be updated as you expect.

    Even easier, do something like this:
    arping -i wlan0 -U -S
    Capture that with another nic on a 3rd party node. Where To-DS is the frame sent by the user, the From-DS is what instructs the tgt what to do.
    In making my own arping, I learned you can get novel results using Dot11() for both To-DS and From-DS
    Anywho, I updated and closed the Issue @guedou -- strange little thing. Might be interesting to use to avoid expected signature detections =)
    And using the same 3rd party sniffer can confirm it was transmitted just like a FromDS. The kernel accepted it so woohoo

    @blog666 there is no special difference. Both are channels that you can use to combine pipes

    thank you very much

    Guillaume Valadon
    @mjnd88 this is related to secdev/scapy#3797 You discarded the github issue template and that did not help pointing the problem =/
    3 replies

    hi guys, it's been a full day i'm struggling to just send a clientHello packet to a website like github.com
    i'm doing
    import scapy.layers.tls.handshake as handshake
    from scapy.all import *



    I know no destination nor clientHello paremeters are set in my example....
    should be very simple but I find no example on the web, eveything I found loads locally stored packets, no example of actually sending a clienthello packet and completing the full handshake... and I don't want to sniff I want to do everything inside the python script... any help please ?

    where is the source code of : show2() ?