Scapy Interactive packet manipulation tool

Yesterday we were working together to debug one embedded device, thanks to my fried Vinicius Tinti I were introduced to this cool tool, scapy.

Scapy allows to assemble network packages in a very intuitive way, nice tool to use and learn network concepts.

To avoid some issues like

“INFO: Can’t import python gnuplot wrapper . Won’t be able to plot.
INFO: Can’t import PyX. Won’t be able to use psdump() or pdfdump().”

, install these packages before the main package;

cd /usr/local/src
wget http://dfn.dl.sourceforge.net/sourceforge/pylibpcap/pylibpcap-0.6.2.tar.gz
tar xfz pylibpcap-0.6.2.tar.gz
cd pylibpcap-0.6.2
python setup.py install

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xfz libdnet-1.12.tgz
./configure
make
sudo make install
cd python
python setup.py install

apt-get install scapy

root@springfield:/usr/local/src#
root@springfield:/usr/local/src# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> ls()
ARP : ARP
ASN1_Packet : None
BOOTP : BOOTP
CookedLinux : cooked linux
DHCP : DHCP options
DHCP6 : DHCPv6 Generic Message)
DHCP6OptAuth : DHCP6 Option – Authentication
DHCP6OptBCMCSDomains : DHCP6 Option – BCMCS Domain Name List
DHCP6OptBCMCSServers : DHCP6 Option – BCMCS Addresses List
DHCP6OptClientFQDN : DHCP6 Option – Client FQDN
DHCP6OptClientId : DHCP6 Client Identifier Option
DHCP6OptDNSDomains : DHCP6 Option – Domain Search List option
DHCP6OptDNSServers : DHCP6 Option – DNS Recursive Name Server
DHCP6OptElapsedTime : DHCP6 Elapsed Time Option
DHCP6OptGeoConf :
DHCP6OptIAAddress : DHCP6 IA Address Option (IA_TA or IA_NA suboption)
DHCP6OptIAPrefix : DHCP6 Option – IA_PD Prefix option
DHCP6OptIA_NA : DHCP6 Identity Association for Non-temporary Addresses Option
DHCP6OptIA_PD : DHCP6 Option – Identity Association for Prefix Delegation
DHCP6OptIA_TA : DHCP6 Identity Association for Temporary Addresses Option
DHCP6OptIfaceId : DHCP6 Interface-Id Option
DHCP6OptInfoRefreshTime : DHCP6 Option – Information Refresh Time
DHCP6OptNISDomain : DHCP6 Option – NIS Domain Name
DHCP6OptNISPDomain : DHCP6 Option – NIS+ Domain Name
DHCP6OptNISPServers : DHCP6 Option – NIS+ Servers
DHCP6OptNISServers : DHCP6 Option – NIS Servers
DHCP6OptOptReq : DHCP6 Option Request Option
DHCP6OptPref : DHCP6 Preference Option
DHCP6OptRapidCommit : DHCP6 Rapid Commit Option
DHCP6OptReconfAccept : DHCP6 Reconfigure Accept Option
DHCP6OptReconfMsg : DHCP6 Reconfigure Message Option
DHCP6OptRelayAgentERO : DHCP6 Option – RelayRequest Option
DHCP6OptRelayMsg : DHCP6 Relay Message Option
DHCP6OptRemoteID : DHCP6 Option – Relay Agent Remote-ID
DHCP6OptSIPDomains : DHCP6 Option – SIP Servers Domain Name List
DHCP6OptSIPServers : DHCP6 Option – SIP Servers IPv6 Address List
DHCP6OptSNTPServers : DHCP6 option – SNTP Servers
DHCP6OptServerId : DHCP6 Server Identifier Option
DHCP6OptServerUnicast : DHCP6 Server Unicast Option
DHCP6OptStatusCode : DHCP6 Status Code Option
DHCP6OptSubscriberID : DHCP6 Option – Subscriber ID
DHCP6OptUnknown : Unknown DHCPv6 OPtion
DHCP6OptUserClass : DHCP6 User Class Option
DHCP6OptVendorClass : DHCP6 Vendor Class Option
DHCP6OptVendorSpecificInfo : DHCP6 Vendor-specific Information Option
DHCP6_Advertise : DHCPv6 Advertise Message
DHCP6_Confirm : DHCPv6 Confirm Message
DHCP6_Decline : DHCPv6 Decline Message
DHCP6_InfoRequest : DHCPv6 Information Request Message
DHCP6_Rebind : DHCPv6 Rebind Message
DHCP6_Reconf : DHCPv6 Reconfigure Message
DHCP6_RelayForward : DHCPv6 Relay Forward Message (Relay Agent/Server Message)
DHCP6_RelayReply : DHCPv6 Relay Reply Message (Relay Agent/Server Message)
DHCP6_Release : DHCPv6 Release Message
DHCP6_Renew : DHCPv6 Renew Message
DHCP6_Reply : DHCPv6 Reply Message
DHCP6_Request : DHCPv6 Request Message
DHCP6_Solicit : DHCPv6 Solicit Message
DNS : DNS
DNSQR : DNS Question Record
DNSRR : DNS Resource Record
DUID_EN : DUID – Assigned by Vendor Based on Enterprise Number
DUID_LL : DUID – Based on Link-layer Address
DUID_LLT : DUID – Link-layer address plus time
Dot11 : 802.11
Dot11ATIM : 802.11 ATIM
Dot11AssoReq : 802.11 Association Request
Dot11AssoResp : 802.11 Association Response
Dot11Auth : 802.11 Authentication
Dot11Beacon : 802.11 Beacon
Dot11Deauth : 802.11 Deauthentication
Dot11Disas : 802.11 Disassociation
Dot11Elt : 802.11 Information Element
Dot11ProbeReq : 802.11 Probe Request
Dot11ProbeResp : 802.11 Probe Response
Dot11QoS : 802.11 QoS
Dot11ReassoReq : 802.11 Reassociation Request
Dot11ReassoResp : 802.11 Reassociation Response
Dot11WEP : 802.11 WEP packet
Dot1Q : 802.1Q
Dot3 : 802.3
EAP : EAP
EAPOL : EAPOL
Ether : Ethernet
GPRS : GPRSdummy
GRE : GRE
GRErouting : GRE routing informations
HAO : Home Address Option
HBHOptUnknown : Scapy6 Unknown Option
HCI_ACL_Hdr : HCI ACL header
HCI_Hdr : HCI header
HDLC : None
HSRP : HSRP
ICMP : ICMP
ICMPerror : ICMP in ICMP
ICMPv6DestUnreach : ICMPv6 Destination Unreachable
ICMPv6EchoReply : ICMPv6 Echo Reply
ICMPv6EchoRequest : ICMPv6 Echo Request
ICMPv6HAADReply : ICMPv6 Home Agent Address Discovery Reply
ICMPv6HAADRequest : ICMPv6 Home Agent Address Discovery Request
ICMPv6MLDone : MLD – Multicast Listener Done
ICMPv6MLQuery : MLD – Multicast Listener Query
ICMPv6MLReport : MLD – Multicast Listener Report
ICMPv6MPAdv : ICMPv6 Mobile Prefix Advertisement
ICMPv6MPSol : ICMPv6 Mobile Prefix Solicitation
ICMPv6MRD_Advertisement : ICMPv6 Multicast Router Discovery Advertisement
ICMPv6MRD_Solicitation : ICMPv6 Multicast Router Discovery Solicitation
ICMPv6MRD_Termination : ICMPv6 Multicast Router Discovery Termination
ICMPv6NDOptAdvInterval : ICMPv6 Neighbor Discovery – Interval Advertisement
ICMPv6NDOptDstLLAddr : ICMPv6 Neighbor Discovery Option – Destination Link-Layer Address
ICMPv6NDOptEFA : ICMPv6 Neighbor Discovery Option – Expanded Flags Option
ICMPv6NDOptHAInfo : ICMPv6 Neighbor Discovery – Home Agent Information
ICMPv6NDOptIPAddr : ICMPv6 Neighbor Discovery – IP Address Option (FH for MIPv6)
ICMPv6NDOptLLA : ICMPv6 Neighbor Discovery – Link-Layer Address (LLA) Option (FH for MIPv6)
ICMPv6NDOptMAP : ICMPv6 Neighbor Discovery – MAP Option
ICMPv6NDOptMTU : ICMPv6 Neighbor Discovery Option – MTU
ICMPv6NDOptNewRtrPrefix : ICMPv6 Neighbor Discovery – New Router Prefix Information Option (FH for MIPv6)
ICMPv6NDOptPrefixInfo : ICMPv6 Neighbor Discovery Option – Prefix Information
ICMPv6NDOptRDNSS : ICMPv6 Neighbor Discovery Option – Recursive DNS Server Option
ICMPv6NDOptRedirectedHdr : ICMPv6 Neighbor Discovery Option – Redirected Header
ICMPv6NDOptRouteInfo : ICMPv6 Neighbor Discovery Option – Route Information Option
ICMPv6NDOptShortcutLimit : ICMPv6 Neighbor Discovery Option – NBMA Shortcut Limit
ICMPv6NDOptSrcAddrList : ICMPv6 Inverse Neighbor Discovery Option – Source Address List
ICMPv6NDOptSrcLLAddr : ICMPv6 Neighbor Discovery Option – Source Link-Layer Address
ICMPv6NDOptTgtAddrList : ICMPv6 Inverse Neighbor Discovery Option – Target Address List
ICMPv6NDOptUnknown : ICMPv6 Neighbor Discovery Option – Scapy Unimplemented
ICMPv6ND_INDAdv : ICMPv6 Inverse Neighbor Discovery Advertisement
ICMPv6ND_INDSol : ICMPv6 Inverse Neighbor Discovery Solicitation
ICMPv6ND_NA : ICMPv6 Neighbor Discovery – Neighbor Advertisement
ICMPv6ND_NS : ICMPv6 Neighbor Discovery – Neighbor Solicitation
ICMPv6ND_RA : ICMPv6 Neighbor Discovery – Router Advertisement
ICMPv6ND_RS : ICMPv6 Neighbor Discovery – Router Solicitation
ICMPv6ND_Redirect : ICMPv6 Neighbor Discovery – Redirect
ICMPv6NIQueryIPv4 : ICMPv6 Node Information Query – IPv4 Address Query
ICMPv6NIQueryIPv6 : ICMPv6 Node Information Query – IPv6 Address Query
ICMPv6NIQueryNOOP : ICMPv6 Node Information Query – NOOP Query
ICMPv6NIQueryName : ICMPv6 Node Information Query – IPv6 Name Query
ICMPv6NIReplyIPv4 : ICMPv6 Node Information Reply – IPv4 addresses
ICMPv6NIReplyIPv6 : ICMPv6 Node Information Reply – IPv6 addresses
ICMPv6NIReplyNOOP : ICMPv6 Node Information Reply – NOOP Reply
ICMPv6NIReplyName : ICMPv6 Node Information Reply – Node Names
ICMPv6NIReplyRefuse : ICMPv6 Node Information Reply – Responder refuses to supply answer
ICMPv6NIReplyUnknown : ICMPv6 Node Information Reply – Qtype unknown to the responder
ICMPv6PacketTooBig : ICMPv6 Packet Too Big
ICMPv6ParamProblem : ICMPv6 Parameter Problem
ICMPv6TimeExceeded : ICMPv6 Time Exceeded
ICMPv6Unknown : Scapy6 ICMPv6 fallback class
IP : IP
IPOption : None
IPOption_Address_Extension : IP Option Address Extension
IPOption_EOL : None
IPOption_LSRR : IP Option Loose Source and Record Route
IPOption_MTU_Probe : IP Option MTU Probe
IPOption_MTU_Reply : IP Option MTU Reply
IPOption_NOP : None
IPOption_RR : IP Option Record Route
IPOption_Router_Alert : IP Option Router Alert
IPOption_SDBM : IP Option Selective Directed Broadcast Mode
IPOption_SSRR : IP Option Strict Source and Record Route
IPOption_Security : None
IPOption_Stream_Id : IP Option Stream ID
IPOption_Traceroute : None
IPerror : IP in ICMP
IPerror6 : IPv6 in ICMPv6
IPv6 : IPv6
IPv6ExtHdrDestOpt : IPv6 Extension Header – Destination Options Header
IPv6ExtHdrFragment : IPv6 Extension Header – Fragmentation header
IPv6ExtHdrHopByHop : IPv6 Extension Header – Hop-by-Hop Options Header
IPv6ExtHdrRouting : IPv6 Option Header Routing
ISAKMP : ISAKMP
ISAKMP_class : None
ISAKMP_payload : ISAKMP payload
ISAKMP_payload_Hash : ISAKMP Hash
ISAKMP_payload_ID : ISAKMP Identification
ISAKMP_payload_KE : ISAKMP Key Exchange
ISAKMP_payload_Nonce : ISAKMP Nonce
ISAKMP_payload_Proposal : IKE proposal
ISAKMP_payload_SA : ISAKMP SA
ISAKMP_payload_Transform : IKE Transform
ISAKMP_payload_VendorID : ISAKMP Vendor ID
IrLAPCommand : IrDA Link Access Protocol Command
IrLAPHead : IrDA Link Access Protocol Header
IrLMP : IrDA Link Management Protocol
Jumbo : Jumbo Payload
L2CAP_CmdHdr : L2CAP command header
L2CAP_CmdRej : L2CAP Command Rej
L2CAP_ConfReq : L2CAP Conf Req
L2CAP_ConfResp : L2CAP Conf Resp
L2CAP_ConnReq : L2CAP Conn Req
L2CAP_ConnResp : L2CAP Conn Resp
L2CAP_DisconnReq : L2CAP Disconn Req
L2CAP_DisconnResp : L2CAP Disconn Resp
L2CAP_Hdr : L2CAP header
L2CAP_InfoReq : L2CAP Info Req
L2CAP_InfoResp : L2CAP Info Resp
L2TP : None
LLC : LLC
LLMNRQuery : Link Local Multicast Node Resolution – Query
LLMNRResponse : Link Local Multicast Node Resolution – Response
MGCP : MGCP
MIP6MH_BA : IPv6 Mobility Header – Binding ACK
MIP6MH_BE : IPv6 Mobility Header – Binding Error
MIP6MH_BRR : IPv6 Mobility Header – Binding Refresh Request
MIP6MH_BU : IPv6 Mobility Header – Binding Update
MIP6MH_CoT : IPv6 Mobility Header – Care-of Test
MIP6MH_CoTI : IPv6 Mobility Header – Care-of Test Init
MIP6MH_Generic : IPv6 Mobility Header – Generic Message
MIP6MH_HoT : IPv6 Mobility Header – Home Test
MIP6MH_HoTI : IPv6 Mobility Header – Home Test Init
MIP6OptAltCoA : MIPv6 Option – Alternate Care-of Address
MIP6OptBRAdvice : Mobile IPv6 Option – Binding Refresh Advice
MIP6OptBindingAuthData : MIPv6 Option – Binding Authorization Data
MIP6OptCGAParams : MIPv6 option – CGA Parameters
MIP6OptCGAParamsReq : MIPv6 option – CGA Parameters Request
MIP6OptCareOfTest : MIPv6 option – Care-of Test
MIP6OptCareOfTestInit : MIPv6 option – Care-of Test Init
MIP6OptHomeKeygenToken : MIPv6 option – Home Keygen Token
MIP6OptLLAddr : MIPv6 Option – Link-Layer Address (MH-LLA)
MIP6OptMNID : MIPv6 Option – Mobile Node Identifier
MIP6OptMobNetPrefix : NEMO Option – Mobile Network Prefix
MIP6OptMsgAuth : MIPv6 Option – Mobility Message Authentication
MIP6OptNonceIndices : MIPv6 Option – Nonce Indices
MIP6OptReplayProtection : MIPv6 option – Replay Protection
MIP6OptSignature : MIPv6 option – Signature
MIP6OptUnknown : Scapy6 – Unknown Mobility Option
MobileIP : Mobile IP (RFC3344)
MobileIPRRP : Mobile IP Registration Reply (RFC3344)
MobileIPRRQ : Mobile IP Registration Request (RFC3344)
MobileIPTunnelData : Mobile IP Tunnel Data Message (RFC3519)
NBNSNodeStatusResponse : NBNS Node Status Response
NBNSNodeStatusResponseEnd : NBNS Node Status Response
NBNSNodeStatusResponseService : NBNS Node Status Response Service
NBNSQueryRequest : NBNS query request
NBNSQueryResponse : NBNS query response
NBNSQueryResponseNegative : NBNS query response (negative)
NBNSRequest : NBNS request
NBNSWackResponse : NBNS Wait for Acknowledgement Response
NBTDatagram : NBT Datagram Packet
NBTSession : NBT Session Packet
NTP : NTP
NetBIOS_DS : NetBIOS datagram service
NetflowHeader : Netflow Header
NetflowHeaderV1 : Netflow Header V1
NetflowRecordV1 : Netflow Record
NoPayload : None
PPI : Per-Packet Information header (partial)
PPP : PPP Link Layer
PPP_ECP : None
PPP_ECP_Option : PPP ECP Option
PPP_ECP_Option_OUI : PPP ECP Option
PPP_IPCP : None
PPP_IPCP_Option : PPP IPCP Option
PPP_IPCP_Option_DNS1 : PPP IPCP Option: DNS1 Address
PPP_IPCP_Option_DNS2 : PPP IPCP Option: DNS2 Address
PPP_IPCP_Option_IPAddress : PPP IPCP Option: IP Address
PPP_IPCP_Option_NBNS1 : PPP IPCP Option: NBNS1 Address
PPP_IPCP_Option_NBNS2 : PPP IPCP Option: NBNS2 Address
PPPoE : PPP over Ethernet
PPPoED : PPP over Ethernet Discovery
Packet : None
Pad1 : Pad1
PadN : PadN
Padding : Padding
PrismHeader : Prism header
PseudoIPv6 : Pseudo IPv6 Header
RIP : RIP header
RIPAuth : RIP authentication
RIPEntry : RIP entry
RTP : RTP
RadioTap : RadioTap dummy
Radius : Radius
Raw : Raw
RouterAlert : Router Alert
SCTP : None
SCTPChunkAbort : None
SCTPChunkCookieAck : None
SCTPChunkCookieEcho : None
SCTPChunkData : None
SCTPChunkError : None
SCTPChunkHeartbeatAck : None
SCTPChunkHeartbeatReq : None
SCTPChunkInit : None
SCTPChunkInitAck : None
SCTPChunkParamAdaptationLayer : None
SCTPChunkParamCookiePreservative : None
SCTPChunkParamECNCapable : None
SCTPChunkParamFwdTSN : None
SCTPChunkParamHearbeatInfo : None
SCTPChunkParamHostname : None
SCTPChunkParamIPv4Addr : None
SCTPChunkParamIPv6Addr : None
SCTPChunkParamStateCookie : None
SCTPChunkParamSupportedAddrTypes : None
SCTPChunkParamUnrocognizedParam : None
SCTPChunkSACK : None
SCTPChunkShutdown : None
SCTPChunkShutdownAck : None
SCTPChunkShutdownComplete : None
SMBMailSlot : None
SMBNegociate_Protocol_Request_Header : SMBNegociate Protocol Request Header
SMBNegociate_Protocol_Request_Tail : SMB Negociate Protocol Request Tail
SMBNegociate_Protocol_Response_Advanced_Security : SMBNegociate Protocol Response Advanced Security
SMBNegociate_Protocol_Response_No_Security : SMBNegociate Protocol Response No Security
SMBNegociate_Protocol_Response_No_Security_No_Key : None
SMBNetlogon_Protocol_Response_Header : SMBNetlogon Protocol Response Header
SMBNetlogon_Protocol_Response_Tail_LM20 : SMB Netlogon Protocol Response Tail LM20
SMBNetlogon_Protocol_Response_Tail_SAM : SMB Netlogon Protocol Response Tail SAM
SMBSession_Setup_AndX_Request : Session Setup AndX Request
SMBSession_Setup_AndX_Response : Session Setup AndX Response
SNAP : SNAP
SNMP : None
SNMPbulk : None
SNMPget : None
SNMPinform : None
SNMPnext : None
SNMPresponse : None
SNMPset : None
SNMPtrapv1 : None
SNMPtrapv2 : None
SNMPvarbind : None
STP : Spanning Tree Protocol
SebekHead : Sebek header
SebekV1 : Sebek v1
SebekV2 : Sebek v3
SebekV2Sock : Sebek v2 socket
SebekV3 : Sebek v3
SebekV3Sock : Sebek v2 socket
Skinny : Skinny
TCP : TCP
TCPerror : TCP in ICMP
TFTP : TFTP opcode
TFTP_ACK : TFTP Ack
TFTP_DATA : TFTP Data
TFTP_ERROR : TFTP Error
TFTP_OACK : TFTP Option Ack
TFTP_Option : None
TFTP_Options : None
TFTP_RRQ : TFTP Read Request
TFTP_WRQ : TFTP Write Request
UDP : UDP
UDPerror : UDP in ICMP
USER_CLASS_DATA : user class data
VENDOR_CLASS_DATA : vendor class data
VENDOR_SPECIFIC_OPTION : vendor specific option data
VRRP : None
X509Cert : None
X509RDN : None
X509v3Ext : None
_DHCP6GuessPayload : None
_DHCP6OptGuessPayload : None
_ICMPv6 : ICMPv6 dummy class
_ICMPv6Error : ICMPv6 errors dummy class
_ICMPv6ML : ICMPv6 dummy class
_IPOption_HDR : None
_IPv6ExtHdr : Abstract IPV6 Option Header
_MobilityHeader : Dummy IPv6 Mobility Header

 

Here is a cool site showing how to craft a package

 

http://wikihead.wordpress.com/2011/01/09/packet-crafting-using-scapy/

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: