Scapy – Packet Manipulation & Sniffing

Scapy: Packet Manipulation

If you happen to meet a sword fighter and observe his care for his sword, you will find that he is customizing his dear weapon according to his preference of grip, sharpness, size, why they do so? If you customize your weapon according to your skills and comfort then you will hit the opponent hard with less effort, for an ethical hacker a packet is like a weapon, if he/she can manipulate the packet according to the target, then obviously the result will be more positive.

Here comes the tool scapy into the picture, it’s a great tool to manipulate your packet according to your requirement, it has a lot of other features that are unique and pretty rare to be found in a single tool

What is scapy?

Scapy is a Python script that enables the user to send, sniff and dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks. In other words, Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark).

Scapy Features

Craft your packet

Scapy enables the user to describe a packet or set of packets as layers that are stacked one upon another. Fields of each layer have useful default values that can be overloaded. Scapy does not oblige the user to use predetermined methods or templates. This alleviates the requirement of writing a new tool each time a different scenario is required. In C, it may take an average of 60 lines to describe a packet. With Scapy, the packets to be sent may be described in only a single line with another line to print the result. 90% of the network probing tools can be rewritten in 2 lines of Scapy.

Interpret many with single probe

When probing a network, many stimuli are sent while only a few of them are answered. If the right stimuli are chosen, the desired information may be obtained by the responses or the lack of responses. Unlike many tools, Scapy gives all the information, i.e. all the stimuli sent and all the responses received. Examination of this data will give the user the desired information.

Scapy decode

A common problem with network probing tools is they try to interpret the answers received instead of only decoding and giving facts. Reporting something like Received a TCP Reset on port 80 is not subject to interpretation errors. Reporting Port 80 is closed is an interpretation that may be right most of the time but wrong in some specific contexts the tool’s author did not imagine. For instance, some scanners tend to report a filtered TCP port when they receive an ICMP destination unreachable packet. This may be right, but in some cases, it means the packet was not filtered by the firewall but rather there was no host to forward the packet to. Interpreting results can help users that don’t know what a port scan is but it can also make more harm than good, as it injects bias into the results. What can tend to happen is that so that they can do the interpretation themselves, knowledgeable users will try to reverse engineer the tool’s interpretation to derive the facts that triggered that interpretation. Unfortunately, much information is lost in this operation.

You must refer to the video above for practical demonstration, In the video above scapy is being running in a kali machine, with Wireshark to see what actually is happening in the network,

To run scapy just type scapy in the terminal, you will enter into scapy command line interface, in the video above some functions of scapy have been demonstrated:

Spoofing ip and sending packets


send(IP(src=”false ip address”, dst = “target addresss”) /ICMP()/”any message”)

You can filter target address in Wireshark to visualize more clearly what is happening

Sniffing network traffic


sniff(iface= “eth0”, prn= lambda x : x. summary)

Dos attack


send(IP(src=”false source address”,dst = “target address”)/TCP(sport =source port , dport= target port), count = no of packets)

Liked it? Take a second to support Alexis on Patreon!
Share this post

Leave a Reply

Please Login to comment
Notify of