Forge and Sniff Packets Using scapy for Python

By: prometheus
October 14, 2016
Hello, and welcome again!

Scapy is one of the powerful packet manipulator and decoder libraries for Python. Scapy is used for forging and manipulating packets through Python and can also be used as an alternative for a few of the functionalities provided by the popular Wireshark and Nmap.

In this article, let's see how to use a few basic functionalities of scapy and also how to sniff traffic on a network interface by writing a simple Python script.

Install the scapy module for Python:

```
easy_install scapy
```

So let's see a few basic functions provided by the scapy library.

Let's start scapy first. Once you install scapy, go to your terminal and type "sudo scapy".

Note: scapy should be run as root.

```
menoe@menoetius:~$ sudo scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.2)
>>>
```

Now, let's create a packet using scapy:

```
>>> ip=IP(dst="")
>>> ip.dst
Net('')
```

This created a simple IP packet with a destination parameter which points to "", or you can specify the IP address of the destination.

Now, let's add a src parameter to the IP packet we just created.

```
>>> ip.src=""
```

Now let's see all available parameters for the IP layer.

```
>>>[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= Net('')
options
```

Note: we can set any of these parameters if we need to.

Next, let's add a TCP layer to the already existing packet. To do that, we make use of the "/" operator, which appends layers to the existing packet.

```
>>> packet=ip/TCP(sport=1020,dport=80)
```

Look at the packet attributes and the layers it contains.

```
>>>[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= Net('')
options
###[ TCP ]###
sport= 1020
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}
```

Note: we can add an Ethernet protocol layer to the packet by using the Ether function.
Usage:

```
Ether()/IP()/TCP()
```

If the Ether() function is used without parameters, it takes your default machine address as the source MAC address.

Now, let's send the IP packet we just created. We make use of the send function for this. The count parameter specifies the number of times to send the packet.

```
>>> send(packet,count=20)
....................
Sent 20 packets.
```

Note: we need to use the "sendp" function for sending Ethernet packets.

Now, let's craft a layer 3 ICMP request packet and send it with the sr() function. sr() sends a layer 3 packet and also receives the response packets from the destination, returned as answered and unanswered packets. The sr1() function sends the packets and returns only the first answer received from the destination.

```
>>> result,unans= sr(IP(dst="")/ICMP())
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> result.summary()
IP / ICMP > echo-request 0 ==> IP / ICMP > echo-reply 0
```

Here, as we can see, we have received an echo reply for our request to the destination address. We now know a few basic operations that can be performed using scapy.
If you look closely, we can spoof the packets we are sending with scapy by editing the src parameter, which can be leveraged for denial-of-service types of attack.

Now let's create a simple Python script to sniff traffic on your local machine's network interface.

```python
from scapy.all import IP, sniff   # import the scapy names used below


def sniffPackets(packet):
    """Custom packet sniffer action: called by sniff() for every packet."""
    if packet.haslayer(IP):
        pckt_src = packet[IP].src
        pckt_dst = packet[IP].dst
        pckt_ttl = packet[IP].ttl
        print("IP Packet: %s is going to %s and has ttl value %s"
              % (pckt_src, pckt_dst, pckt_ttl))


def main():
    print("custom packet sniffer")
    # call scapy's built-in sniff method
    sniff(filter="ip", iface="wlan0", prn=sniffPackets)


if __name__ == '__main__':
    main()
```

Here in this simple script, we are leveraging the scapy module's method called "sniff". It takes as a parameter the interface you wish to sniff packets on. In this case, I wanted to sniff packets on interface "wlan0". The filter parameter is used to specify which packets have to be filtered. The prn parameter specifies what function to call with each sniffed packet as its parameter; here our custom function is "sniffPackets".

Inside the sniffPackets function we check whether the sniffed packet has an IP layer. If it does, we store the source, destination and ttl values of the sniffed packet and print them out.

To run the script: save the script and run it as root through the Python interpreter. This makes the script listen to traffic on the specified interface. Open any web browser and start browsing, then switch back to the terminal to see the sniffed packets.

Sample Output:

```
>>sudo python scapy_sniff.py
WARNING: No route found for IPv6 destination :: (no default route?)
custom packet sniffer
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
Packet: is going to and has ttl value 64
........
```
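The sniffer above already reads the source address and TTL of every packet, and the src field can be set by the sender. As an added example (not part of the original article), the same two fields can drive a simple TTL-consistency check that flags sources whose packets arrive with widely differing TTLs, one sign that the source address may not be genuine. `TtlTracker`, `flag_sources`, `make_callback`, the threshold of 5 and the sample observations are assumptions made for illustration.

```python
from collections import defaultdict

TTL_SPREAD_LIMIT = 5  # assumed threshold; tune for your own network


class TtlTracker(object):
    """Remembers which TTL values were seen for each source address."""

    def __init__(self, spread_limit=TTL_SPREAD_LIMIT):
        self.spread_limit = spread_limit
        self.seen = defaultdict(set)

    def observe(self, src, ttl):
        """Record one packet; True if this source's TTLs are now inconsistent."""
        ttls = self.seen[src]
        ttls.add(ttl)
        return max(ttls) - min(ttls) > self.spread_limit


def flag_sources(samples, spread_limit=TTL_SPREAD_LIMIT):
    """Run (src, ttl) pairs through a tracker and return the flagged sources."""
    tracker = TtlTracker(spread_limit)
    return sorted({src for src, ttl in samples if tracker.observe(src, ttl)})


def make_callback(tracker):
    """Build a prn callback for sniff(), in the style of sniffPackets."""
    from scapy.all import IP  # imported lazily: the tracker itself needs no scapy

    def on_packet(packet):
        if packet.haslayer(IP) and tracker.observe(packet[IP].src, packet[IP].ttl):
            print("TTL mismatch for %s: seen %s"
                  % (packet[IP].src, sorted(tracker.seen[packet[IP].src])))
    return on_packet


# Constructed sample observations (documentation addresses, not real traffic).
SAMPLES = [("192.0.2.10", 57), ("198.51.100.7", 64), ("192.0.2.10", 57),
           ("192.0.2.10", 118), ("198.51.100.7", 63), ("192.0.2.10", 57)]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live mode, as root: python ttl_check.py wlan0
        from scapy.all import sniff
        sniff(filter="ip", iface=sys.argv[1], prn=make_callback(TtlTracker()), store=0)
    else:
        print(flag_sources(SAMPLES))
```

Route changes and load balancers also shift TTLs, so a flagged source is a lead to investigate rather than proof of spoofing.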
This is just a few of the basic things we can achieve with scapy.

Hope you enjoyed this article. Thank you.