SCAPY(1)                    General Commands Manual                   SCAPY(1)

NAME
       scapy - Interactive packet manipulation tool

SYNOPSIS
       scapy [options]

DESCRIPTION
       This manual page documents briefly the scapy tool.

       scapy is a powerful interactive packet manipulation tool, packet
       generator, network scanner, network discovery tool, packet sniffer,
       etc.  It can for the moment replace hping, parts of nmap, arpspoof,
       arp-sk, arping, tcpdump, tshark, p0f, ...

       scapy uses the python interpreter as a command board. That means that
       you can directly use the python language (assign variables, use
       loops, define functions, etc.). If you give a file as parameter when
       you run scapy, your session (variables, functions, instances, ...)
       will be saved when you leave the interpreter and restored the next
       time you launch scapy.

       The idea is simple. Those kinds of tools do two things: sending
       packets and receiving answers. That's what scapy does: you define a
       set of packets, it sends them, receives answers, matches requests
       with answers and returns a list of packet couples (request, answer)
       and a list of unmatched packets. This has the big advantage over
       tools like nmap or hping that an answer is not reduced to
       (open/closed/filtered), but is the whole packet.

       On top of this, higher level functions can be built, for example one
       that does traceroutes and gives as a result only the start TTL of
       the request and the source IP of the answer, one that pings a whole
       network and gives the list of machines answering, or one that does a
       portscan and returns a LaTeX report.

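       The following is an added example, not part of the original manual
       page and not scapy's own code: a pure-Python stand-in for the
       request/answer matching that sr() performs, run on constructed
       packets so it works offline without scapy or network access. The
       Packet class, the matching rule and the sample hops and addresses are
       all assumptions made for the illustration; they show how a
       higher-level helper (here a traceroute summary) is derived from the
       (request, answer) couples while each couple still keeps the whole
       answer packet.

```python
# Added example, not scapy's own code: a pure-Python stand-in for the
# request/answer matching that sr() performs, run on constructed packets so
# it works offline.  The Packet class, the sample hops and the addresses
# are made up for the illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Toy IP/ICMP packet carrying only the fields the matching needs."""
    src: str
    dst: str
    ttl: int
    icmp_type: int                      # 8 echo-request, 0 echo-reply, 11 time-exceeded
    ident: int                          # echo identifier, echoed back by the target
    quoted_ident: Optional[int] = None  # time-exceeded: identifier of the quoted request


def answers(req: Packet, ans: Packet) -> bool:
    """Does `ans` answer `req`?  Same idea as scapy's Packet.answers():
    an echo-reply must come from the destination and carry the request's
    identifier; a time-exceeded error must quote that identifier."""
    if ans.icmp_type == 0:
        return ans.src == req.dst and ans.ident == req.ident
    if ans.icmp_type == 11:
        return ans.quoted_ident == req.ident
    return False


def sr_match(sent: List[Packet], received: List[Packet]):
    """Pair every received packet with the first still-unanswered request it
    answers.  Returns (couples, unanswered) like sr(): each couple keeps the
    whole answer packet, so nothing is reduced to open/closed/filtered."""
    couples: List[Tuple[Packet, Packet]] = []
    unanswered = list(sent)
    for ans in received:
        for req in unanswered:
            if answers(req, ans):
                couples.append((req, ans))
                unanswered.remove(req)
                break
    return couples, unanswered


def traceroute_summary(couples):
    """The higher-level function the DESCRIPTION mentions: keep only the
    start TTL of the request and the source IP of the answer."""
    return sorted((req.ttl, ans.src) for req, ans in couples)


# Constructed traffic: four echo-requests with ttl 1..4 (ident = ttl) towards
# 192.0.2.10.  Hops 1 and 2 answer with time-exceeded, hop 3 stays silent,
# the destination answers the ttl 4 probe.  A stray reply (ident 99) is
# included to show that unrelated traffic is not matched.
SENT = [Packet("198.51.100.7", "192.0.2.10", ttl, 8, ttl) for ttl in (1, 2, 3, 4)]
RECEIVED = [
    Packet("10.0.0.1", "198.51.100.7", 64, 11, 0, quoted_ident=1),
    Packet("203.0.113.9", "198.51.100.7", 60, 0, 99),       # stray, answers nothing
    Packet("10.0.1.1", "198.51.100.7", 63, 11, 0, quoted_ident=2),
    Packet("192.0.2.10", "198.51.100.7", 57, 0, 4),
]


def demo():
    """Run the matching on the constructed traffic and return
    (traceroute summary, TTLs of the unanswered probes)."""
    couples, unanswered = sr_match(SENT, RECEIVED)
    return traceroute_summary(couples), [req.ttl for req in unanswered]


if __name__ == "__main__":
    hops, silent = demo()
    print("hops:", hops)              # [(1, '10.0.0.1'), (2, '10.0.1.1'), (4, '192.0.2.10')]
    print("unanswered ttl:", silent)  # [3]
```

       Because sr_match() hands back the full answer packets, the same
       couples can feed a different summary (for instance the answering
       hop's own TTL, or the ICMP type) without sending anything again;
       that is the property the DESCRIPTION contrasts with nmap and hping.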
OPTIONS
       Options for scapy are:

       -h      display usage

       -d      increase log verbosity. Can be used many times.

       -s FILE
               use FILE to save/load session values (variables, functions,
               instances, ...)

       -p PRESTART_FILE
               use PRESTART_FILE instead of $HOME/.scapy_prestart.py as
               pre-startup file

       -P      do not run prestart file

       -c STARTUP_FILE
               use STARTUP_FILE instead of $HOME/.scapy_startup.py as
               startup file

       -C      do not run startup file

COMMANDS
       Only the vital commands to begin are listed here for the moment.

       ls()    lists supported protocol layers. If a protocol layer is given
               as parameter, lists its fields and types of fields.

       lsc()   lists some user commands. If a command is given as parameter,
               its documentation is displayed.

       conf    this object contains the configuration.

FILES
       $HOME/.scapy_prestart.py
               This file is run before the scapy core is loaded. Only the
               conf object is available. This file can be used to
               manipulate the conf.load_layers list to choose which layers
               will be loaded:

               conf.load_layers.remove("bluetooth")
               conf.load_layers.append("new_layer")

       $HOME/.scapy_startup.py
               This file is run after scapy is loaded. It can be used to
               configure some of the scapy behaviors:

               conf.prog.pdfreader="xpdf"
               split_layers(UDP,DNS)

EXAMPLES
       More verbose examples are available at
       http://www.secdev.org/projects/scapy/demo.html
       Just run scapy and try the following commands in the interpreter.

       Test the robustness of a network stack with invalid packets (ihl=2 is
       below the minimum IP header length of 5 and version=3 is not a valid
       IP version):
               sr(IP(dst="172.16.1.1", ihl=2, options="b$2$", version=3)/ICMP())


       Packet sniffing and dissection (with a bpf filter or tethereal-like
       output; prn is called on each packet, so the method must be called,
       not just referenced):
               a=sniff(filter="tcp port 110")
               a=sniff(prn = lambda x: x.display())

       Sniffed packet reemission:
               a=sniff(filter="tcp port 110")
               sendp(a)


       Pcap file packet reemission:
               sendp(rdpcap("file.cap"))

       Manual TCP traceroute (dport is the destination port to probe, here
       80; the ttl range sends one probe per hop):
               sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=80))


       Protocol scan:
               sr(IP(dst="172.16.1.28", proto=(1,254)))


       ARP ping:
               srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))


       ACK scan:
               sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))

       Passive OS fingerprinting:
               sniff(prn=prnp0f)


       Active OS fingerprinting:
               nmap_fp("172.16.1.232")


       ARP cache poisoning (tmac is the MAC address of the target host,
       victim the IP address to impersonate and target the IP address of
       the host whose cache is poisoned; since hwsrc defaults to our own
       MAC, the target learns victim's IP at our address):
               sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))


       Reporting:
               report_ports("192.168.2.34", (20,30))

SEE ALSO
       http://www.secdev.org/projects/scapy
       http://trac.secdev.org/scapy

BUGS
       Does not give the right source IP for routes that use interface
       aliases.

       May miss packets under heavy load.

       Session saving is limited by Python's ability to marshal objects. As
       a consequence, lambda functions and generators can't be saved, which
       seriously reduces the usefulness of this feature.

       BPF filters don't work on point-to-point interfaces.

AUTHORS
       Philippe Biondi <phil@secdev.org>

       This manual page was written by Alberto Gonzalez Iniesta <agi@agi.as>
       and Philippe Biondi.

                                 May 12, 2003                        SCAPY(1)