Python and Scapy - Packet Inspection and Manipulation
by Phillip Watts
July 14, 2009
Learn to use Scapy, a Python module, for complex packet inspection. It is
very useful for evaluating, inspecting, mangling, and encapsulating packets.
Introduction
Scapy is a Python module downloadable from http://www.secdev.org/projects/scapy/.
It is a very useful tool for packet inspection, mangling, and encapsulation.
Anyone familiar with Python who is involved in network security or
performance would benefit from learning about Scapy. While tools like
Ethereal and Wireshark are good for visual inspection, Scapy gives you the
programming ability for complex inspection.
Scapy creates an instance of a class for every layer in a packet, which
gives you maximum flexibility at the sacrifice of speed. If speed is what
you need you might be better off with pcapy, which is closer to libpcap.
When using Scapy it is better to capture a pcap file using tcpdump and then
work on the pcap file. For example:
Capture 100 packets from eth0 and save them as sample.pcap (using sudo,
assuming Linux). sudo will be omitted from all subsequent examples.
Now let us see what we captured:
We imported Scapy, read the pcap file into a list, and, using the Scapy
summary() method, showed the contents of the list. I only showed you the
first five packets. It looks like we have the beginning of an SMTP session
over TCP, with SYN, SYN-ACK, ACK, then data. Let's look more closely at the
first packet:
Woah! We now know everything there is to know about the
packet in a form much more easily parsed than tcpdump
output, with every field nicely labeled. And sure enough, a
syn packet, destination port SMTP.
The following is the output for the first packet from a program I wrote
called ScapyDump.py, which produces even more easily parsed text. The code
for this is at the end of the article.
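The article's own code segments (the tcpdump capture, the rdpcap()/summary() calls, the show() of the first packet and ScapyDump.py) are not reproduced here. As an added example, not the author's code, the following standard-library-only script shows what Scapy does for you underneath: it reads the classic pcap file format, dissects Ethernet/IPv4/TCP into labelled layers like show(), and prints a one-line-per-packet summary in the spirit of summary(). The capture it works on is constructed in memory (a SYN to port 25, the SYN-ACK, the ACK, then the first data packet); addresses, ports and the SMTP banner are assumed sample values, and the capture command in the comment assumes the tcpdump options the text describes.

```python
"""Minimal pcap reader and Ethernet/IPv4/TCP dissector (standard library only)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # magic as written by tcpdump on a little-endian host
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic read from a big-endian file
# TCP flag bits in the order Scapy prints them (F S R P A U)
TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U"))


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Constructed sample data: an Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes.fromhex("665544332211") + bytes.fromhex("0011223344aa") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a pcap file image: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield each captured frame, honouring the byte order announced by the magic."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        yield data[off:off + incl_len]
        off += incl_len


def decode_flags(flags):
    """Render TCP flag bits the way Scapy does: 'S', 'SA', 'A', 'PA', ..."""
    return "".join(letter for bit, letter in TCP_FLAG_LETTERS if flags & bit)


def dissect(frame):
    """Split a frame into labelled Ether / IP / TCP / Raw layers (a miniature show())."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    layers = {"Ether": {"dst": ":".join(f"{b:02x}" for b in frame[0:6]),
                        "src": ":".join(f"{b:02x}" for b in frame[6:12]),
                        "type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["Ether"]["type"] != 0x0800 or len(frame) < 34:
        return layers                            # not IPv4: stop at the Ethernet layer
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    layers["IP"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "ttl": ip[8], "proto": ip[9]}
    if ip[9] != 6 or len(ip) < ihl + 20:
        return layers                            # not TCP: stop at the IP layer
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    layers["TCP"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": decode_flags(tcp[13])}
    if len(tcp) > data_off:
        layers["Raw"] = tcp[data_off:]           # application data, e.g. the SMTP banner
    return layers


def summary(layers):
    """One-line summary in the spirit of Scapy's summary()."""
    line = " / ".join(name for name in ("Ether", "IP", "TCP", "Raw") if name in layers)
    if "TCP" in layers:
        t, i = layers["TCP"], layers["IP"]
        line += f" {i['src']}:{t['sport']} > {i['dst']}:{t['dport']} {t['flags']}"
    return line


def summarize_pcap(data):
    """Equivalent of rdpcap(...).summary(): one summary line per packet."""
    return [summary(dissect(frame)) for frame in read_pcap(data)]


def sample_pcap():
    """Constructed capture standing in for `tcpdump -i eth0 -c 100 -w sample.pcap` (assumed options)."""
    c, s = "10.0.0.1", "10.0.0.2"                 # assumed client and SMTP server addresses
    return build_pcap([
        build_tcp_frame(c, s, 40000, 25, 0x02, seq=100),                   # SYN
        build_tcp_frame(s, c, 25, 40000, 0x12, seq=500, ack=101),          # SYN-ACK
        build_tcp_frame(c, s, 40000, 25, 0x10, seq=101, ack=501),          # ACK
        build_tcp_frame(s, c, 25, 40000, 0x18, seq=501, ack=101,           # first data
                        payload=b"220 mail.example.test ESMTP\r\n"),
    ])


if __name__ == "__main__":
    for line in summarize_pcap(sample_pcap()):
        print(line)
```

To use it on a real file, pass the bytes of sample.pcap to summarize_pcap() instead of sample_pcap(). The dissector deliberately stops at the deepest layer it can validate rather than guessing, which is the same reason Scapy's layer-per-class design is slower than pcapy: every header is checked and labelled before the next one is touched.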