1SCAPY(1)                    General Commands Manual                   SCAPY(1)
2
3
4

NAME

6       scapy - Interactive packet manipulation tool
7

SYNOPSIS

9       scapy [-h] [-s file]
10

DESCRIPTION

12       This manual page documents briefly the Scapy tool.
13
14       Scapy is a powerful interactive packet manipulation program. It is able
15       to forge or decode packets of a wide number of protocols, send them  on
16       the  wire,  capture them, match requests and replies, and much more. It
17       can easily handle most classical  tasks  like  scanning,  tracerouting,
18       probing,  unit  tests,  attacks  or  network  discovery (it can replace
19       hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal,  p0f,
20       etc.). It also performs very well at a lot of other specific tasks that
21       most other tools can't handle, like sending invalid  frames,  injecting
22       your own 802.11 frames, combining technics (VLAN hopping+ARP cache poi‐
23       soning, VOIP decoding on WEP encrypted channel, ...), etc.
24
25

PHILOSOPHY

27       What makes Scapy different from most other networking tools ?
28
29       First, with most other tools, you won't build someting the  author  did
30       not  imagine. These tools have been built for a specific goal and can't
31       deviate much from it. For example, an ARP cache poisoning program won't
32       let  you use double 802.1q encapsulation. Or try to find a program that
33       can send, say, an ICMP packet with padding (I said  padding,  not  pay‐
34       load,  see?). In fact, each time you have a new need, you have to build
35       a new tool.
36
37       Second, they usually confuse decoding and  interpreting.  Machines  are
38       good at decoding and can help human beings with that. Interpretation is
39       reserved to human beings. Some programs try to  mimic  this  behaviour.
40       For instance they say "this port is open" instead of "I received a SYN-
41       ACK". Sometimes they are right. Sometimes not. It's easier  for  begin‐
42       ners, but when you know what you're doing, you keep on trying to deduce
43       what really happened from the program's  interpretation  to  make  your
44       own,  which  is  hard because you lost a big amount of information. And
45       you often end up using tcpdump -xX to decode  and  interpret  what  the
46       tool missed.
47
48       Third, even programs which only decode do not give you all the informa‐
49       tion they received. The network's vision they give you is the one their
50       author  thought  was sufficient. But it is not complete, and you have a
51       bias. For instance, do you know a tool that reports the padding ?
52
53       Scapy tries to overcome those problems. It enables you to build exactly
54       the packets you want. Even if I think stacking a 802.1q layer on top of
55       TCP has no sense, it may have some for somebody else  working  on  some
56       product  I  don't  know. Scapy has a flexible model that tries to avoid
57       such arbitrary limits. You're free to put any value  you  want  in  any
58       field  you  want,  and  stack them like you want. You're an adult after
59       all.
60
61       In fact, it's like building a new tool each time, but instead of  deal‐
62       ing with a hundred line C program, you only write 2 lines of Scapy.
63
64       After  a probe (scan, traceroute, etc.) Scapy always gives you the full
65       decoded packets from the probe, before any interpretation.  That  means
66       that  you can probe once and interpret many times, ask for a traceroute
67       and look at the padding for instance.
68
69

HOW IT WORKS

71       Scapy uses the python interpreter as a command board. That  means  that
72       you  can  use  directly  python  language (assign variables, use loops,
73       define functions, etc.)
74
75       The idea is simple. Scapy mainly does two things : sending packets  and
76       receiving answers. You define a set of packets, it sends them, receives
77       answers, matches requests with answers and returns  a  list  of  packet
78       couples (request, answer) and a list of unmatched packets. This has the
79       big advantage over tools like nmap or  hping  that  an  answer  is  not
80       reduced to (open/closed/filtered), but is the whole packet.
81
82       On  top of this can be build more high level functions, for example one
83       that does traceroutes and give as a result only the start  TTL  of  the
84       request and the source IP of the answer. One that pings a whole network
85       and gives the list of machines answering. One that does a portscan  and
86       returns a LaTeX report.
87
88

OPTIONS

90       Options for scapy are:
91
92       -h     display help screen and exit
93
94       -s FILE
95              use  FILE  to  save/load  session  values (variables, functions,
96              intances, ...)
97
98

COMMANDS

100       Only the vital commands to begin are listed here for the moment.
101
102       ls()   lists supported protocol layers. If a protocol layer is given as
103              parameter, lists its fields and types of fields.
104
105       lsc()  lists  some  user  commands. If a command is given as parameter,
106              its documentation is displayed.
107
108       conf   this object contains the configuration.
109
110
111

EXAMPLES

113       More       verbose       examples        are        available        at
114       http://www.secdev.org/projects/scapy/  Just  run scapy and try the fol‐
115       lowing commands in the interpreter.
116
117
118       Test the robustness of a network stack with invalid packets:
119       sr(IP(dst="172.16.1.1", ihl=2, options="b$2$", version=3)/ICMP())
120
121
122       Packet sniffing and dissection (with a  bpf  filter  or  thetereal-like
123       output):
124       a=sniff(filter="tcp port 110")
125       a=sniff(prn = lambda x: x.display)
126
127
128       Sniffed packet reemission:
129       a=sniff(filter="tcp port 110")
130       sendp(a)
131
132
133       Pcap file packet reemission:
134       sendp(rdpcap("file.cap"))
135
136
137       Manual TCP traceroute:
138       sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=dport)
139
140
141       Protocol scan:
142       sr(IP(dst="172.16.1.28", proto=(1,254)))
143
144
145       ARP ping:
146       srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))
147
148
149       ACK scan:
150       sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))
151
152
153       Passive OS fingerprinting:
154       sniff(prn=prnp0f)
155
156
157       Active OS fingerprinting:
158       nmap_fp("172.16.1.232")
159
160
161
162       ARP cache poisonning:
163       sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))
164
165
166       Reporting:
167       report_ports("192.168.2.34", (20,30))
168
169
170

BUGS

172       Does  not  give  the  right  source  IP  for  routes that use interface
173       aliases.
174
175       May miss packets under heavy load.
176
177

AUTHOR

179       Philippe Biondi <phil@secdev.org>
180
181       This manual page was written by Alberto Gonzalez  Iniesta  <agi@agi.as>
182       and Philippe Biondi for the Debian GNU/Linux system (but may be used by
183       others).
184
185
186
187                                 May 12, 2003                         SCAPY(1)
Impressum