Let us start scapy as root. My reference is [1].
[1]
https://thepacketgeek.com/series/building-network-tools-with-scapy/
# scapy
I list of basic scapy commands can be got from lsc()
>>> lsc()
arpcachepoison : Poison target's cache with (your MAC,victim's IP) couple
arping : Send ARP who-has requests to determine which hosts are up
bind_layers : Bind 2 layers on some specific fields' values
Now let us see about sniff() real quick.
>>> pkt=sniff(count=1)
>>> pkt[0].summary()
'Ether / IP / TCP 192.168.1.2:59845 > 216.58.196.110:https PA / Raw'
>>>
Here we sniffed one packet. We can type in ls() to see a plethora of all protocols which scapy can support.
>>> ls()
ARP : ARP
ASN1_Packet : None
BOOTP : BOOTP
CookedLinux : cooked linux
DHCP : DHCP options
We can also list individual values inside the protocol by using them inside ls() function.
>>> ls(Ether)
dst : DestMACField = (None)
src : SourceMACField = (None)
type : XShortEnumField = (0)
>>> ls(IP)
version : BitField = (4)
ihl : BitField = (None)
tos : XByteField = (0)
len : ShortField = (None)
id : ShortField = (1)
flags : FlagsField = (0)
frag : BitField = (0)
ttl : ByteField = (64)
proto : ByteEnumField = (0)
chksum : XShortField = (None)
src : Emph = (None)
dst : Emph = ('127.0.0.1')
options : PacketListField = ([])
>>> ls(UDP)
sport : ShortEnumField = (53)
dport : ShortEnumField = (53)
len : ShortField = (None)
chksum : XShortField = (None)
>>>
Now we will see about summary() and show() methods. show() will detail down in to every fields.
>>> pkt[0].summary()
'Ether / IP / TCP 192.168.1.2:59845 > 216.58.196.110:https PA / Raw'
>>> pkt[0].show()
###[ Ethernet ]###
dst= c8:d3:a3:c9:72:3c
src= 00:1e:4f:9e:c0:5f
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 86
id= 48928
flags= DF
frag= 0L
ttl= 64
proto= tcp
chksum= 0x1d2e
src= 192.168.1.2
dst= 216.58.196.110
\options\
###[ TCP ]###
sport= 59845
dport= https
seq= 719414178
ack= 1834884410
dataofs= 5L
reserved= 0L
flags= PA
window= 23925
chksum= 0x5e9c
urgptr= 0
options= []
###[ Raw ]###
load= '\x17\x0e\x0e\x0e)\x0e\x00\x00\x00\x00\x00\x00\r\xb8On\x1a\xaf\xddG\x9a\xdc\xd4\x1e\xf2qb\x11\x83\x15\xbe\xdc\xcd\xf9\xb5\xd4s\xb2\xbaOp\xb2\xa9\x17\xb5'
>>>
We can also increase the number of packets which we sniff.
>>> pkts=sniff(count=10)
>>> pkts
>>> pkts.summary()
Ether / IP / TCP 192.168.1.2:57123 > 216.58.220.40:http A
Ether / IP / TCP 216.58.220.40:http > 192.168.1.2:57123 A / Padding
Ether / IP / TCP 74.125.68.189:https > 192.168.1.2:38372 PA / Raw
Ether / IP / TCP 192.168.1.2:38372 > 74.125.68.189:https A
Ether / IP / TCP 216.58.220.37:https > 192.168.1.2:43278 PA / Raw
Ether / IP / TCP 192.168.1.2:43278 > 216.58.220.37:https A
Ether / IP / TCP 216.58.220.37:https > 192.168.1.2:43278 PA / Raw
Ether / IP / TCP 192.168.1.2:43278 > 216.58.220.37:https A
Ether / IP / TCP 216.58.220.37:https > 192.168.1.2:43278 PA / Raw
Ether / IP / TCP 192.168.1.2:43278 > 216.58.220.37:https A
>>> pkts[3]
>>
>>> pkts[3].show()
###[ Ethernet ]###
dst= c8:d3:a3:c9:72:3c
src= 00:1e:4f:9e:c0:5f
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 40
id= 54634
flags= DF
frag= 0L
ttl= 64
proto= tcp
chksum= 0x1481
src= 192.168.1.2
dst= 74.125.68.189
\options\
###[ TCP ]###
sport= 38372
dport= https
seq= 759983015
ack= 3718818381
dataofs= 5L
reserved= 0L
flags= A
window= 60060
chksum= 0x50ff
urgptr= 0
options= {}
>>>
We can also dig into an individual protocol as shown below.
>>> pkts[0]
>>
>>> pkts[0][TCP].summary()
'TCP 192.168.1.2:57123 > 216.58.220.40:http A'
>>>
We can use command() method to see how we can recreate that very same packet.
>>> pkts[0].command()
"Ether(src='00:1e:4f:9e:c0:5f', dst='c8:d3:a3:c9:72:3c', type=2048)/IP(frag=0L, src='192.168.1.2', proto=6, tos=0, dst='216.58.220.40', chksum=36062, len=40, options=[], version=4L, flags=2L, ihl=5L, ttl=64, id=14308)/TCP(reserved=0L, seq=3914251183, ack=433779807, dataofs=5L, urgptr=0, window=15544, flags=16L, chksum=30248, dport=80, sport=57123)"
>>>
We can assign an individual packet to a new packet using the eval() command or by just assigning the array value.
>>> newpkt = eval(pkt[0].command())
>>> newpkt
>>>
>>> newpkt = pkt[0]
>>> newpkt
>>>
>>>
Now let us work on creating ARP packets
>>> pkts=sniff(count=5,filter="arp")
>>> pkts
>>> pkts.summary()
Ether / ARP who has 192.168.1.100 says 192.168.1.2
Ether / ARP who has 192.168.1.100 says 192.168.1.2
Ether / ARP who has 192.168.1.100 says 192.168.1.2
Ether / ARP who has 192.168.1.100 says 192.168.1.2
Ether / ARP who has 192.168.1.100 says 192.168.1.2
>>> pkts[0].show()
###[ Ethernet ]###
dst= ff:ff:ff:ff:ff:ff
src= 00:1e:4f:9e:c0:5f
type= 0x806
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:1e:4f:9e:c0:5f
psrc= 192.168.1.2
hwdst= 00:00:00:00:00:00
pdst= 192.168.1.100
>>> pkts[0].command()
"Ether(src='00:1e:4f:9e:c0:5f', dst='ff:ff:ff:ff:ff:ff', type=2054)/ARP(hwdst='00:00:00:00:00:00', ptype=2048, hwtype=1, psrc='192.168.1.2', hwlen=6, plen=4, pdst='192.168.1.100', hwsrc='00:1e:4f:9e:c0:5f', op=1)"
>>> ls(Ether)
dst : DestMACField = (None)
src : SourceMACField = (None)
type : XShortEnumField = (0)
>>> ls(ARP)
hwtype : XShortField = (1)
ptype : XShortEnumField = (2048)
hwlen : ByteField = (6)
plen : ByteField = (4)
op : ShortEnumField = (1)
hwsrc : ARPSourceMACField = (None)
psrc : SourceIPField = (None)
hwdst : MACField = ('00:00:00:00:00:00')
pdst : IPField = ('0.0.0.0')
>>>
Now let us create our own packet with the help of eval() function.