Scapy

Warnings

• breaking The behavior of `StreamSocket` has changed. `TCPSession(app=True)` should no longer be used with `StreamSocket` as custom sessions are now marked unstable. This affects TCP reassembly and other stream-related functionalities.
  Fix: Review code using `StreamSocket` with `TCPSession(app=True)`. Consider refactoring or consulting Scapy's documentation for updated session management patterns, or using alternative methods for TCP reassembly.
• breaking The Scapy CLI configuration file location moved from `~/.scapy_startup.py` to `~/.config/scapy/startup.py` to align with XDG variables. Older configuration files in the old location are no longer functional.
  Fix: Migrate any custom CLI configuration from `~/.scapy_startup.py` to `~/.config/scapy/startup.py`.
• deprecated Using the `iface=` argument with Layer 3 functions (`send`, `sr`, `sr1`) is deprecated due to undefined behavior. It remains valid for Layer 2 functions (`sendp`, `srp`, `srp1`).
  Fix: Avoid using `iface=` with Layer 3 functions. For specific interface binding, configure routing tables or use Layer 2 functions where appropriate. For multicast/link-local addresses, use RFC6874-like scope identifiers (e.g., `dst="ff02::1%eth0"`).
• breaking Scapy 2.6.x dropped support for Python 2.7. Additionally, Scapy 2.7.0 is announced as the last version to support Python 3.7 and 3.8.
  Fix: Ensure your environment uses Python 3.9 or newer for future compatibility, especially if relying on Scapy's latest features and maintenance.
• gotcha Scapy often requires root or administrator privileges to send and sniff raw packets, as it interacts directly with network interfaces at a low level.
  Fix: Run Scapy scripts or the interactive shell with `sudo` on Linux/macOS or as an administrator on Windows. Be mindful of the security implications when running with elevated privileges.
• gotcha Scapy might eagerly send real packets to resolve names or perform other network interactions, even when intended for offline analysis. This can lead to unintended network activity.
  Fix: When performing offline analysis or working in sensitive environments, be aware of Scapy's default behaviors. Explicitly configure `conf.verb = 0` to suppress verbose output and potentially limit active network interactions, and carefully review documentation for functions that may trigger live traffic.

Install

• pip install scapy Install Scapy

Imports

• *

  from scapy.all import *

  Using `from scapy import *` may not import all necessary modules and functions, especially if there's a name collision with a local 'scapy.py' file. `from scapy.all import *` ensures all Scapy features are loaded.

Quickstart

This quickstart demonstrates how to import Scapy, craft a basic IP/ICMP packet, send it, and process the response. It also includes a commented-out example for sniffing packets. Sending and sniffing raw packets with Scapy typically requires root or administrator privileges. The `sr1` function sends one packet and waits for a single response, while `sniff` can capture multiple packets, using a callback function for processing.

from scapy.all import *

# Craft an IP packet with an ICMP payload
packet = IP(dst="8.8.8.8")/ICMP()

# Send the packet and receive a response
# Note: Requires root/admin privileges to send/receive raw packets
# Use os.environ.get('SCAPY_IFACE', 'eth0') to specify an interface if needed
# For simple testing, can often run as sudo python your_script.py

# sr1 sends one packet and waits for one answer
# timeout is crucial for non-blocking execution in scripts
resp = sr1(packet, timeout=1, verbose=0)

if resp:
    print(f"Received response from: {resp.src}")
    resp.show()
else:
    print("No response received.")

# Example of sniffing packets (run for 2 packets or 5 seconds)
# Sniffing often requires elevated privileges
def print_packet_summary(pkt):
    print(pkt.summary())

# sniff(prn=print_packet_summary, count=2, timeout=5)
# print("Sniffing complete.")