Scapy

Stephen Thorne

NetBox Blue Pty Ltd

About Scapy

- What is scapy? Scapy is a tool for capturing, altering and transmitting arbitrary packets on the network. You can use scapy to generate and transmit data on what you would know as 'Layer 2' and 'Layer 3' of the network. This means you can trivially fuck around with arp caches.
- Why would you use it? You could use it in situations where there is a misbehaving host on the network. Or if you want to misbehave on the network. Transmit and receive raw packets. Screw with mac addresses and arp tables, kill small mammals with your tcp/ip beams.

Simple usage

Composing Packets

Viewing Packets

Modifying Packets

Sending Packets

Arp Poisoning.

Wake On Lan

Analysis of tcpdump data

Every packet from an HTTP TCP stream that contains an 'Encoding' header (the snippet tests for the 'Set-Cookie' header string; swap in whichever header you want):
        >>> from scapy.all import sniff
        >>> packets = sniff(count=100, filter='tcp port 80')
        >>> for p in packets:
        ...     # packets with no data (SYNs, bare ACKs) have no 'load'; default to b'' so the 'in' test never sees None
        ...     if b'Set-Cookie' in getattr(p, 'load', b''):
        ...         p.show()
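The same filter written as reusable functions, as an added example that is not from the original slides. It assumes Python 3 and reads only each packet's `.load` attribute, which is how scapy exposes a packet's Raw payload, so you can hand `scan_packets()` the result of `sniff(count=100, filter='tcp port 80')` or `rdpcap('capture.pcap')` unchanged. The `_FakePacket` stand-ins and the sample capture at the bottom are constructed here so the file runs without scapy installed. Beyond the slide's substring test it reports which cookies were set over plaintext HTTP without the `Secure` or `HttpOnly` attributes, which is the finding a defender actually wants out of such a capture.

```python
"""Set-Cookie filter over sniffed HTTP packets (added example, not from the slides)."""
import re

# One Set-Cookie header line; group 1 is the value up to end of line.
SET_COOKIE_RE = re.compile(rb"^Set-Cookie:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def payload_of(packet) -> bytes:
    """Raw TCP payload, or b'' for packets carrying no data (SYNs, bare ACKs).

    scapy resolves `.load` through the Raw layer and raises AttributeError when
    there is none, so getattr() with a b'' default is the safe way to read it.
    """
    return bytes(getattr(packet, "load", b""))


def set_cookie_headers(payload: bytes) -> list[bytes]:
    """All Set-Cookie header values found in one HTTP payload."""
    return SET_COOKIE_RE.findall(payload)


def cookie_findings(payload: bytes) -> list[dict]:
    """For each Set-Cookie seen in plaintext HTTP: cookie name and missing flags."""
    findings = []
    for header in set_cookie_headers(payload):
        parts = [part.strip() for part in header.split(b";")]
        name = parts[0].split(b"=", 1)[0]
        # attribute names only, lower-cased: {b'path', b'secure', b'httponly', ...}
        attrs = {part.split(b"=", 1)[0].lower() for part in parts[1:]}
        missing = [flag for flag in (b"secure", b"httponly") if flag not in attrs]
        findings.append({"name": name.decode(errors="replace"),
                         "missing": [flag.decode() for flag in missing]})
    return findings


def scan_packets(packets) -> list[dict]:
    """Run cookie_findings over every packet whose payload mentions Set-Cookie."""
    results = []
    for index, packet in enumerate(packets):
        payload = payload_of(packet)
        if b"Set-Cookie" not in payload:  # same cheap substring test as the slide
            continue
        for finding in cookie_findings(payload):
            finding["packet"] = index
            results.append(finding)
    return results


class _FakePacket:
    """Constructed stand-in for a scapy packet: only .load is ever read."""

    def __init__(self, load=None):
        if load is not None:
            self.load = load


# Constructed sample capture: a SYN with no payload, a request, then a response
# setting one cookie without Secure and one with both flags.
SAMPLE_PACKETS = [
    _FakePacket(),
    _FakePacket(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    _FakePacket(b"HTTP/1.1 200 OK\r\n"
                b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
                b"Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
                b"Content-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan_packets(SAMPLE_PACKETS):
        print(finding)
```

With a live capture, replace `SAMPLE_PACKETS` with `sniff(count=100, filter='tcp port 80')`; nothing else changes because the functions never touch scapy-specific layers beyond `.load`.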

Advanced Analysis

Data Correlation

Portscan, Traceroute

Connection Tracking Tables

Cisco connection tracking table anecdote.

Source Port Blocking

Which source ports are being blocked by the isp?

Where Do You Get It?

- Debian: python-scapy
- Ubuntu: python-scapy
- FreeBSD: unknown.
- OSX: Royal pain. Need to install libpcap and stuff.

Conclusion

Yay tools. It is now trivial for you to sniff and retransmit packets and to screw with stuff on layer 2 and layer 3: portscan, muck with arp tables and do tcp traceroutes. It also makes it easier to understand how the interwebbernets work.

Questions