SCAPY(1)                    General Commands Manual                   SCAPY(1)

NAME

       scapy - Interactive packet manipulation tool

SYNOPSIS

       scapy [options]

DESCRIPTION

       This manual page briefly documents the scapy tool.

       scapy is a powerful interactive packet manipulation tool, packet
       generator, network scanner, network discovery tool, packet sniffer,
       etc. It can for the moment replace hping, parts of nmap, arpspoof,
       arp-sk, arping, tcpdump, tshark, p0f, ...

       scapy uses the Python interpreter as a command board. That means that
       you can use the Python language directly (assign variables, use loops,
       define functions, etc.). If you give a file as a parameter when you
       run scapy, your session (variables, functions, instances, ...) will be
       saved when you leave the interpreter and restored the next time you
       launch scapy.

       The idea is simple. These kinds of tools do two things: sending
       packets and receiving answers. That's what scapy does: you define a
       set of packets, it sends them, receives answers, matches requests with
       answers and returns a list of packet couples (request, answer) and a
       list of unmatched packets. This has the big advantage over tools like
       nmap or hping that an answer is not reduced to (open/closed/filtered),
       but is the whole packet.

       Higher-level functions can be built on top of this, for example one
       that does traceroutes and gives as a result only the start TTL of the
       request and the source IP of the answer, one that pings a whole
       network and gives the list of machines answering, or one that does a
       portscan and returns a LaTeX report.


OPTIONS

       Options for scapy are:

       -h     display usage

       -d     increase log verbosity. Can be used many times.

       -s FILE
              use FILE to save/load session values (variables, functions,
              instances, ...)

       -p PRESTART_FILE
              use PRESTART_FILE instead of $HOME/.scapy_prestart.py as
              pre-startup file

       -P     do not run prestart file

       -c STARTUP_FILE
              use STARTUP_FILE instead of $HOME/.scapy_startup.py as startup
              file

       -C     do not run startup file


COMMANDS

       Only the vital commands to begin are listed here for the moment.

       ls()   lists supported protocol layers. If a protocol layer is given as
              parameter, lists its fields and types of fields.

       lsc()  lists some user commands. If a command is given as parameter,
              its documentation is displayed.

       conf   this object contains the configuration.


FILES

       $HOME/.scapy_prestart.py
              This file is run before the scapy core is loaded. Only the conf
              object is available. This file can be used to manipulate the
              conf.load_layers list to choose which layers will be loaded:

              conf.load_layers.remove("bluetooth")
              conf.load_layers.append("new_layer")

       $HOME/.scapy_startup.py
              This file is run after scapy is loaded. It can be used to
              configure some of the scapy behaviors:

              conf.prog.pdfreader="xpdf"
              split_layers(UDP,DNS)


EXAMPLES

       More verbose examples are available at
       http://www.secdev.org/projects/scapy/demo.html. Just run scapy and try
       the following commands in the interpreter.

       Test the robustness of a network stack with invalid packets:
           sr(IP(dst="172.16.1.1", ihl=2, options="b$2$", version=3)/ICMP())

       Packet sniffing and dissection (with a bpf filter or tethereal-like
       output):
           a=sniff(filter="tcp port 110")
           a=sniff(prn=lambda x: x.display())

       Sniffed packet reemission:
           a=sniff(filter="tcp port 110")
           sendp(a)

       Pcap file packet reemission:
           sendp(rdpcap("file.cap"))

       Manual TCP traceroute:
           sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=dport))

       Protocol scan:
           sr(IP(dst="172.16.1.28", proto=(1,254)))

       ARP ping:
           srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))

       ACK scan:
           sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))

       Passive OS fingerprinting:
           sniff(prn=prnp0f)

       Active OS fingerprinting:
           nmap_fp("172.16.1.232")

       ARP cache poisoning:
           sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))

       Reporting:
           report_ports("192.168.2.34", (20,30))


SEE ALSO

       https://github.com/secdev/scapy
       https://scapy.readthedocs.io/en/latest/


BUGS

       Does not give the right source IP for routes that use interface
       aliases.

       May miss packets under heavy load.

       Session saving is limited by Python's ability to marshal objects. As a
       consequence, lambda functions and generators can't be saved, which
       seriously reduces the usefulness of this feature.

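       The session-saving limitation above, shown as an added example that is
       not part of the original manual page or of scapy's own code. It assumes
       the standard-library pickle module as a stand-in serializer; the
       function names and the sample session contents are constructed.

```python
import pickle

# Errors pickle raises for objects it cannot serialize; which one depends on
# the kind of object and the Python version.
UNSAVEABLE = (pickle.PicklingError, AttributeError, TypeError)


def split_session(session):
    """Partition a session namespace into (saveable, rejected).

    saveable maps name -> serialized bytes, rejected maps name -> reason.
    """
    saveable, rejected = {}, {}
    for name, value in session.items():
        try:
            saveable[name] = pickle.dumps(value, protocol=pickle.HIGHEST_PROTOCOL)
        except UNSAVEABLE as exc:
            rejected[name] = f"{type(value).__name__}: {exc}"
    return saveable, rejected


def restore(saveable):
    """Rebuild the values that survived serialization."""
    return {name: pickle.loads(blob) for name, blob in saveable.items()}


def sample_session():
    # Constructed stand-in for what an interactive session might hold.
    return {
        "target": "172.16.1.28",
        "ports": (1, 1024),
        "seen": [("172.16.1.1", "00:11:22:33:44:55")],
        "show": lambda pkt: pkt.summary(),      # lambda: cannot be saved
        "ttls": (ttl for ttl in range(1, 31)),  # generator: cannot be saved
    }


if __name__ == "__main__":
    saved, lost = split_session(sample_session())
    print("saved:", sorted(saved))
    for name, why in sorted(lost.items()):
        print("lost :", name, "->", why)
```
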
       BPF filters don't work on Point-to-point interfaces.


AUTHOR

       Philippe Biondi <phil@secdev.org>

       This manual page was written by Alberto Gonzalez Iniesta <agi@agi.as>
       and Philippe Biondi.

                                 May 12, 2003                         SCAPY(1)