Sniffing with Scapy
Created On 06. Apr 2020
Updated: 2022-05-01 23:26:54.494957000 +0000
Created By: acidghost
Scapy is an object oriented scripting tool that allows to perform different network sniffing tasks.
On a Linux VM head over to terminal and fire Scapy by typing its name. You will get into the Scapy console.
Let's make a quick tour. Type:
$ IP() $ ip = IP()
check characteristics with
You will see predefined characteristics with that object. Assign an IP of a target machine like this:
$ ip.dst = 192.168.130.160
I am using an IP of a local Windows target machine from my lab. Check the changes after with
Create an ICMP object with a variable ping
$ ping = ICMP()
then check the characteristics:
Send a packet to a windows machine:
$ windows = sr1(ip/ping)
then check with
windows.display(). Send to a Linux machine:
$ ping.display() $ ip.dst= "192.168.130.120" $ linux = sr1(ip/ping) $ linux.display()
Remember: TTL value for windows is 128 and for linux is 64.
Let's identify target's operational system based on the TTL value. Write down this script:
#! /usr/bin/env/python from scapy.all import * ans = raw_input("enter the target Ip: ") ip = IP() ping = IMCP() ip.dst = ans reply = sr1(ip/ping) if reply.ttl < 65: os = "linux" else os = "windows" print "Operating system is: " + os
Run in terminal
chmod 777 scapyscript.py to change the file to an executable.
Now run the script, type the IP address and see the OS.
And it was that easy!
Getting more technical
some basic commands for interactive usage:
ls(): Displays all the protocols supported by Scapy
lsc(): Displays the list of commands supported by Scapy
conf: Displays all configurations options
help(): Display help on a specific command, for example,
show(): Display the details about a specific packet, for example:
You can simply sniff packets with scapy with the sniff method. Run this command to sniff the 3 packets on eth0 interface.
>>>packet = sniff(iface="eth0", count=3)
The arguments for the sniff() method are as follows:
count: Number of packets to capture, but 0 means infinity
iface: Interface to sniff; sniff for packets only on this interface
prn: Function to run on each packet
store: Whether to store or discard the sniffed packets; set to 0 when we only need to monitor
timeout: Stops sniffing after a given time; the default value is none
filter: Takes BPF syntax filters to filter sniffing
To see the sniffed packets in real time, we have to use the lambda function, along with the
>>> packet=sniff(filter="icmp", iface="eth0″, count=3, prn=lambda x:x.summary())
Also, it is possible to write the packets to a pcap file with Scapy. To write the packets to a pcap file, we can use the
>>> wrpcap("pkt-output.cap" packets)
This will write the packets to a pkt-output.cap file. We can read from the pcap file with
>>> packets = rdpcap("pkt-output.cap")
We will get back to Scapy with many more examples later. Packet Injection and ARP Cache Poisoning are a few tasks worth mentioning. Nevertheless, you must have a basic grip of what it can do.
Remember, it's always more fun to sniff with a friend than just alone
Check out more on Scapy here http://www.secdev.org/projects/scapy/doc/usage.html