SCAPY(1)                    General Commands Manual                   SCAPY(1)

NAME
       scapy - Interactive packet manipulation tool

SYNOPSIS
       scapy [options]

DESCRIPTION
       This manual page briefly documents the Scapy tool.

       Scapy is a powerful interactive packet manipulation tool, packet
       generator, network scanner, network discovery tool, packet sniffer,
       etc. It can for the moment replace hping, parts of nmap, arpspoof,
       arp-sk, arping, tcpdump, tshark, p0f, ...

       Scapy uses the Python interpreter as a command board. That means that
       you can use the Python language directly (assign variables, use
       loops, define functions, etc.). If you give a file as a parameter
       when you run Scapy, your session (variables, functions, instances,
       ...) will be saved when you leave the interpreter and restored the
       next time you launch Scapy.

       The idea is simple. Those kinds of tools do two things: sending
       packets and receiving answers. That's what Scapy does: you define a
       set of packets, it sends them, receives answers, matches requests
       with answers and returns a list of packet couples (request, answer)
       and a list of unmatched packets. This has the big advantage over
       tools like nmap or hping that an answer is not reduced to
       (open/closed/filtered), but is the whole packet.

       On top of this, higher-level functions can be built: for example,
       one that does traceroutes and gives as a result only the start TTL
       of the request and the source IP of the answer; one that pings a
       whole network and gives the list of machines answering; one that
       does a portscan and returns a LaTeX report.

OPTIONS
       Options for Scapy are:

       -h     display usage

       -d     increase log verbosity. Can be used many times.

       -s FILE
              use FILE to save/load session values (variables, functions,
              instances, ...)

       -p PRESTART_FILE
              use PRESTART_FILE instead of $HOME/.scapy_prestart.py as
              pre-startup file

       -P     do not run prestart file

       -c STARTUP_FILE
              use STARTUP_FILE instead of $HOME/.scapy_startup.py as startup
              file

       -C     do not run startup file

COMMANDS
       Only the vital commands to begin are listed here for the moment.

       ls()   lists supported protocol layers. If a protocol layer is given
              as parameter, lists its fields and field types. If a string is
              given as parameter, it is used to filter the layers.

       explore()
              explores available protocols. Allows looking for a layer or
              protocol through an interactive GUI. If a Scapy module is given
              as parameter, explores that specific module.

       lsc()  lists Scapy's main user commands.

       conf   this object contains the configuration.

FILES
       $HOME/.scapy_prestart.py
              This file is run before the Scapy core is loaded. Only the conf
              object is available. This file can be used to manipulate the
              conf.load_layers list to choose which layers will be loaded:

                  conf.load_layers.remove("bluetooth")
                  conf.load_layers.append("new_layer")

       $HOME/.scapy_startup.py
              This file is run after Scapy is loaded. It can be used to
              configure some of the Scapy behaviors:

                  conf.prog.pdfreader = "xpdf"
                  split_layers(UDP,DNS)

EXAMPLES
       More verbose examples are available in the documentation at
       https://scapy.readthedocs.io/. Just run scapy and try the following
       commands in the interpreter.

       Test the robustness of a network stack with invalid packets:
           sr(IP(dst="172.16.1.1", ihl=2, options=["verb$2"], version=3)/ICMP(), timeout=2)

       Packet sniffing and dissection (with a BPF filter or tshark-like
       output):
           a=sniff(filter="tcp port 110")
           a=sniff(prn = lambda x: x.display())

       Sniffed packet re-emission:
           a=sniff(filter="tcp port 110")
           sendp(a)

       Pcap file packet re-emission:
           sendp(rdpcap("file.cap"))

       Manual TCP traceroute:
           dport=80
           sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=dport))

       Protocol scan:
           sr(IP(dst="172.16.1.28", proto=(1,254)))

       ARP ping:
           srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))

       ACK scan:
           sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))

       Passive OS fingerprinting:
           sniff(prn=prnp0f)

       Active OS fingerprinting:
           nmap_fp("172.16.1.232")

       ARP cache poisoning:
           sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))

       Reporting:
           report_ports("192.168.2.34", (20,30))

SEE ALSO
       The official website: https://scapy.net/
       The GitHub development repository: https://github.com/secdev/scapy/
       The official documentation: https://scapy.readthedocs.io/en/latest/

BUGS
       Does not give the right source IP for routes that use interface
       aliases.

       May miss packets under heavy load. This is a restriction from Python
       itself.

       Session saving is limited by Python's ability to marshal objects. As
       a consequence, lambda functions and generators can't be saved, which
       seriously reduces the usefulness of this feature.

       BPF filters don't work on point-to-point interfaces.

AUTHORS
       Philippe Biondi <phil@secdev.org>

       This manual page was written by Alberto Gonzalez Iniesta <agi@agi.as>
       and Philippe Biondi.


                                  May 8, 2018                         SCAPY(1)