1SCAPY(1)                    General Commands Manual                   SCAPY(1)
2
3
4

NAME

6       scapy - Interactive packet manipulation tool
7

SYNOPSIS

9       scapy [options]
10

DESCRIPTION

12       This manual page documents briefly the Scapy tool.
13
14       Scapy is a powerful interactive packet manipulation tool, packet gener‐
15       ator, network scanner, network discovery, packet sniffer, etc.  It  can
16       for  the moment replace hping, parts of nmap, arpspoof, arp-sk, arping,
17       tcpdump, tshark, p0f, ...
18
19       Scapy uses the Python interpreter as a command board. That  means  that
20       you  can use directly Python language (assign variables, use loops, de‐
21       fine functions, etc.) If you give a  file  a  parameter  when  you  run
22       Scapy,  your  session  (variables,  functions,  instances, ...) will be
23       saved when you leave the interpreter and restored  the  next  time  you
24       launch Scapy.
25
26       The  idea is simple. Those kinds of tools do two things : sending pack‐
27       ets and receiving answers. That's what Scapy does : you define a set of
28       packets, it sends them, receives answers, matches requests with answers
29       and returns a list of packet couples (request, answer) and  a  list  of
30       unmatched  packets.  This has the big advantage over tools like nmap or
31       hping that an answer is not reduced to (open/closed/filtered),  but  is
32       the whole packet.
33
34       On  top of this can be used to build more high-level functions, for ex‐
35       ample, one that does traceroutes and give as a result  only  the  start
36       TTL  of  the  request and the source IP of the answer. One that pings a
37       whole network and gives the list of machines answering. One that does a
38       portscan and returns a LaTeX report.
39
40

OPTIONS

42       Options for Scapy are:
43
44       -h     display usage
45
46       -H     header-less mode, also reduces verbosity.
47
48       -d     increase log verbosity. Can be used many times.
49
50       -s FILE
51              use  FILE to save/load session values (variables, functions, in‐
52              stances, ...)
53
54       -p PRESTART_FILE
55              use PRESTART_FILE instead of  $HOME/.scapy_prestart.py  as  pre-
56              startup file
57
58       -P     do not run prestart file
59
60       -c STARTUP_FILE
61              use  STARTUP_FILE  instead of $HOME/.scapy_startup.py as startup
62              file
63
64       -C     do not run startup file
65
66

COMMANDS

68       Only the vital commands to begin are listed here for the moment.
69
70       ls()   lists supported protocol layers.  If a protocol layer  is  given
71              as parameter, lists its fields and types of fields.  If a string
72              is given as parameter, it is used to filter the layers.
73
74       explore()
75              explores available protocols.  Allows to look  for  a  layer  or
76              protocol through an interactive GUI.  If a Scapy module is given
77              as parameter, explore this specific module.
78
79       lsc()  lists scapy's main user commands.
80
81       conf   this object contains the configuration.
82
83

FILES

85       $HOME/.scapy_prestart.py This file is run before Scapy core is  loaded.
86       Only  the conf object is available. This file can be used to manipulate
87       conf.load_layers list to choose which layers will be loaded:
88
89       conf.load_layers.remove("bluetooth")
90       conf.load_layers.append("new_layer")
91
92       $HOME/.scapy_startup.py This file is run after Scapy is loaded. It  can
93       be used to configure some of the Scapy behaviors:
94
95       conf.prog.pdfreader = "xpdf"
96       split_layers(UDP,DNS)
97
98

EXAMPLES

100       More    verbose   examples   are   available   in   the   documentation
101       https://scapy.readthedocs.io/ Just run scapy and try the following com‐
102       mands in the interpreter.
103
104
105       Test the robustness of a network stack with invalid packets:
106       sr(IP(dst="172.16.1.1", ihl=2, options=["verb$2"], version=3)/ICMP(), timeout=2)
107
108
109       Packet  sniffing  and dissection (with a bpf filter or tshark-like out‐
110       put):
111       a=sniff(filter="tcp port 110")
112       a=sniff(prn = lambda x: x.display)
113
114
115       Sniffed packet re-emission:
116       a=sniff(filter="tcp port 110")
117       sendp(a)
118
119
120       Pcap file packet re-emission:
121       sendp(rdpcap("file.cap"))
122
123
124       Manual TCP traceroute:
125       sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=dport)
126
127
128       Protocol scan:
129       sr(IP(dst="172.16.1.28", proto=(1,254)))
130
131
132       ARP ping:
133       srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))
134
135
136       ACK scan:
137       sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))
138
139
140       Passive OS fingerprinting:
141       sniff(prn=prnp0f)
142
143
144       Active OS fingerprinting:
145       nmap_fp("172.16.1.232")
146
147
148
149       ARP cache poisoning:
150       sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))
151
152
153       Reporting:
154       report_ports("192.168.2.34", (20,30))
155
156

SEE ALSO

158       The official website: https://scapy.net/
159       The GitHub Development repository: https://github.com/secdev/scapy/
160       The official documentation: https://scapy.readthedocs.io/en/latest/
161
162

BUGS

164       Does not give the  right  source  IP  for  routes  that  use  interface
165       aliases.
166
167       May  miss  packets  under heavy load. This is a restriction from python
168       itself
169
170       Session saving is limited by Python ability to marshal  objects.  As  a
171       consequence,  lambda functions and generators can't be saved, which se‐
172       riously reduce the usefulness of this feature.
173
174       BPF filters don't work on Point-to-point interfaces.
175
176
177

AUTHOR

179       Philippe Biondi <phil@secdev.org>
180
181       This manual page was written by Alberto Gonzalez  Iniesta  <agi@agi.as>
182       and Philippe Biondi.
183
184
185
186                                  May 8, 2018                         SCAPY(1)
Impressum