Forge and Sniff Packets Using scapy for Python

October 14, 2016 | Views: 16440

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Hello, and welcome again!

Scapy is one of the powerful packet manipulator and decoder libraries for Python.  Scapy is used for forging and manipulating packets through python and can also be used as an alternative to carrying out a few functionalities provided by popular Wireshark and Nmap.

In this article lets see how to use few basic functionalities of scapy and also to sniff traffic on the network interface by writing a simple python script.
Install scapy module for Python:
   easy_install scapy

So lets see few basic functions provided by scapy library.
Let’s start scapy first –
Once you install scapy, go to your terminal and type “sudo scapy
Note: SCAPY should be run as root.

menoe@menoetius:~$ sudo scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.2)

Now, lets create a packet using scapy:

>>> ip=IP(dst=””)

This created a simple ip packet consisting of destination parameter which points to “”, OR you can specify ip address of the destination.

Now, let’s add a src parameter to the ip packet we just created.
>>> ip.src=”″

now lets see all available parameters for the ip layer function.

###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
frag= 0
ttl= 64
proto= hopopt
chksum= None
dst= Net(‘’)

Note: we can set all the parameters if we require to set the parameters.
Next let’s add a TCP layer to the already existing do that,we make use of “/” operator to append layers to the existing packet.

>>> packet=ip/TCP(sport=1020,dport=80)

Look at the packet attributes and layers it contains.
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
frag= 0
ttl= 64
proto= tcp
chksum= None
dst= Net(‘’)
###[ TCP ]###
sport= 1020
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}

Note: we can add Ethernet protocol layer to the packet by using Ether function. usage: Ether()/IP()/TCP()
if Ether() function is used without parameters, it takes your default machine address as source mac address.

Now, let’s send the IP packet we just created.we make use of send function to do the required operation.count parameter is used to specify the number of times to send the packet.

Sent 20 packets.

Note: we need to use “sendp” function for sending ethernet packets.

Now, lets craft a layer 3 ICMP request packet using function helps us to send a layer 3 packet and also receive a number of response packet from the destination consisting of answered and unanswered packets.sr1() function is used to send packet and returns the first answer packet answered by the destination for collection of packets sent.

>>>result,unans= sr(IP(dst=””)/ICMP())

.Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets

>>> result.summary()

IP / ICMP > echo-request 0 ==> IP / ICMP > echo-reply 0

Here, as we can see,we have received a echo response for our request to address

Now we know few basic operations that can be performed using scapy. If you observe clearly we can spoof the packets we are sending with the help of scapy by editing the src parameter.which can be leveraged for Denial of service types of attack.

Now lets create a simple python script to sniff traffic on your local machine network interface .

from scapy.all import *    #import scapy module to python

def sniffPackets(packet):           # custom custom packet sniffer action method
if packet.haslayer(IP):
print “IP Packet: %s is going to %s and has ttl value %s” % (pckt_src,pckt_dst,pckt_ttl)

def main():
print “custom packet sniffer”
sniff(filter=”ip”,iface=”wlan0″,prn=sniffPackets)   #call scapy’s inbuilt sniff method
if __name__ == ‘__main__’:

Here in this simple script, we are leveraging the scapy modules method called “sniff” .it takes parameter as interface you wish to sniff packets on. In this case,  I wanted to sniff packets on interface “wlan0”. and filter parameter is used to specify what packets have to be filtered.prn parameter specifies what function to call and send the sniffed packet as parameter to the our custom function is “sniffPackets”.

Inside sniffPackets function we are checking, if the sniffed packet has an  IP layer,if it has IP layer then we store source, destination and ttl values of the sniffed packet and print it out.
To run the script:
Save the script  and run it as root through Python interpreter.
>This makes the script listen to traffic on a specified interface.
Run through any web browser and start browsing, then switch back to the terminal to see sniffed packets.

Sample Output:
>>sudo python
WARNING: No route found for IPv6 destination :: (no default route?)
custom packet sniffer
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64

Formatted paste bin code:
This is just a few of the basic things we could achieve with scapy.
Hope you enjoyed this article. Thank you.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?