Sniffing with Scapy

Created On 06. Apr 2020

Updated: 2022-05-01 23:26:54.494957000 +0000

Created By: acidghost

Scapy is an object oriented scripting tool that allows to perform different network sniffing tasks.
On a Linux VM head over to terminal and fire Scapy by typing its name. You will get into the Scapy console.
Let's make a quick tour. Type:

$ IP()
$ ip = IP()

check characteristics with ip.display().
You will see predefined characteristics with that object. Assign an IP of a target machine like this:

$ ip.dst =

I am using an IP of a local Windows target machine from my lab. Check the changes after with ip.display().

Create an ICMP object with a variable ping

$ ping = ICMP()

then check the characteristics:

$ ping.display()

Send a packet to a windows machine:

$ windows = sr1(ip/ping)

then check with windows.display(). Send to a Linux machine:

$ ping.display()
$ ip.dst= ""
$ linux = sr1(ip/ping)
$ linux.display()

Remember: TTL value for windows is 128 and for linux is 64.
Let's identify target's operational system based on the TTL value. Write down this script:

#! /usr/bin/env/python
from scapy.all import *
ans = raw_input("enter the target  Ip: ")
ip = IP()
ping = IMCP()
ip.dst = ans
reply = sr1(ip/ping)
if reply.ttl < 65:
	os = "linux"
	os = "windows"

print "Operating system is: " + os

Run in terminal chmod 777 to change the file to an executable.
Now run the script, type the IP address and see the OS.
And it was that easy! :tophat:

Getting more technical
some basic commands for interactive usage:
ls(): Displays all the protocols supported by Scapy
lsc(): Displays the list of commands supported by Scapy
conf: Displays all configurations options
help(): Display help on a specific command, for example, help(sniff)
show(): Display the details about a specific packet, for example:

You can simply sniff packets with scapy with the sniff method. Run this command to sniff the 3 packets on eth0 interface.
>>>packet = sniff(iface="eth0", count=3)
The arguments for the sniff() method are as follows:
count: Number of packets to capture, but 0 means infinity
iface: Interface to sniff; sniff for packets only on this interface
prn: Function to run on each packet
store: Whether to store or discard the sniffed packets; set to 0 when we only need to monitor
timeout: Stops sniffing after a given time; the default value is none
filter: Takes BPF syntax filters to filter sniffing

To see the sniffed packets in real time, we have to use the lambda function, along with the
summary() or show() method:
>>> packet=sniff(filter="icmp", iface="eth0″, count=3, prn=lambda x:x.summary())
Also, it is possible to write the packets to a pcap file with Scapy. To write the packets to a pcap file, we can use the wrpcap() method:
>>> wrpcap("pkt-output.cap" packets)
This will write the packets to a pkt-output.cap file. We can read from the pcap file with rdpcap():
>>> packets = rdpcap("pkt-output.cap")

We will get back to Scapy with many more examples later. Packet Injection and ARP Cache Poisoning are a few tasks worth mentioning. Nevertheless, you must have a basic grip of what it can do.
Remember, it's always more fun to sniff with a friend than just alone :wink:

Check out more on Scapy here

Section: Web