SCAPY- A powerful interactive packet

manipulation program
Rohith Raj S Rohith R Minal Moharir
Computer Science and Engineering Computer Science and Engineering Computer Science and Engineering
Department Department Department
R.V College of Engineering R.V College of Engineering R.V College of Engineering
Bangalore, India Bangalore, India Bangalore, India
[email protected] [email protected] [email protected]
Shobha G
Computer Science and Engineering
Department
R.V College of Engineering
Bangalore, India
[email protected]

Abstract— This research paper looks into a state of the art
tool for interactive packet manipulation named Scapy which is
written in Python language; detail out some vital commands,
strengths and weakness, protocols supported, usage explained
with snapshots, tracking packets being sent and received using
wireshark and scope of future integration with newer protocols.
The research paper, tries to give a brief introduction and
readable usage and applications using the Scapy tool.
A brief working of Scapy as interactive packet manipulation
tool is as follows and the same is given in Fig. 1
1. Create packets by taking into account the data type,
source MAC address and destination MAC address.
2. Send the created packets to the destination by
specifying the parameters.
3. Or sniff for packets by specifying the parameters.

Keywords—capture, packet, protocol, python, scapy, tool

I. INTRODUCTION
Scapy is a Python program written to manipulate network
packets. It was developed by Philippe Biondi. Network
packets can be sent, sniffed, dissected and forged [1]. Scapy
can be used to construct or decrypt packets of a variety of
protocols, to send them, capture them, match requests and
replies, and a lot more. Many long-established tasks can be
handled by it such as tracerouting, scanning, unit testing,
probing, attacking and discovery of networks.

Scapy comes as an interpreter and not as a shell command

program. It uses Python interpreter evaluation loop to let the
users manipulate classes, instances, and functions.
The materialization of packets in Scapy is done in the
form of class instances. When an object is instantiated it
means that a packet is created and modifying the attributes or
calling the methods of the instance object refers to
manipulating a packet. By implementing packets as objects; Fig. 1: Brief working of scapy as interactive packet manipulation tool
creating a packet is only done with one line of code while it
would have definitely taken many lines of code in C even Strengths and weakness of Scapy tool are as follows:
with the best libraries. The basic building block of a packet is
a layer and an entire packet is built by putting layers on top A. Strengths
of one another. Layering allows for natural representation and ● Interactive language
code implementation. The user can define a group of packets ● No complex syntax to remember
in Scapy, now these packets are sent and answers are received ● High-level functions already implemented
[1,2]. The way in which packets are sent, sniffed, the process ● Multi-tasking
of demonstrating tables and couples is the same always and ● Modularity
is given by scapy in three simple steps [2]: ● Extensibility
● Constructing our own set of packets ● Simple packets forging and analyzing
● Using the Scapy’s logic to send the packets, collect ● Bypass local firewall
replies, dissect them, and finally match the stimuli
and answers. B. Weakness
● Presenting the result ● Link layer not managed well

978-1-5386-7949-4/18/$31.00 ©2018 IEEE

 ● The DNS packets received/sent are not III. WORKING WITH SCAPY
reassembled exactly as the original To send the packets in scapy, Root privileges are needed, so
● Can’t handle a large number of packets sudo command should be used. A snapshot of this feature is
simultaneously shown in Fig. 2
● Partial support for certain complex protocols

Scapy supports the following protocols:

● Ethernet
● TCP/IP, UDP
● IPv4 and IPv6
● ARP
● ICMP and ICMPv6 types and codes.
● IGMP Fig.2:Starting Scapy
● Text based protocols (HTTP, HTTPS).
● STP The basic commands that are used in scapy are:
● DNS
● FTP and TFTP and many more

II. IMPORTANT OPERATIONS

TABLE 1: Operations supported by Scapy

After opening a scapy session, the user can build and play
with packets as shown in Fig. 3

Fig. 3: Building a packet and playing with it

The user can stack layers in scapy. For composition between

two layers, / operator is used. The default fields of the lower
layers can be overloaded according to the upper layers when
performing composition of two layers. [2,3] A snapshot of
this feature is shown in Fig. 4

Fig. 4: Stacking layers

Packets are sent using the send() or sendp() fuctions. The

network layers in which these functions work are:
 ● send() function works at layer 3 and therefore,
layer 2 and routing is taken care
● sendp() function sends packets at layer 2 [4]
The user can choose the right link layer protocol and the
interface for the send() and sendp() function.
Fig. 5: Sending packets
To send packets and receive answers sr() function is used. A
couple of packets, answers and unanswered packets are
returned by this function. A variant of sr() function is sr1()
which returns a single packet that answered the sent packet.
Only layer 3 packets such as ARP, IP, etc. are used as packets
for sr() function. Whereas, only layer 2 packets such as
Ethernet, 802.3, etc. are used as packets for srp() function.
3o
Fig. 6: Send and receive packets(sr)
The send and receive functions return a couple of two lists.
These two functions are considered as heart of scapy as they
are very important. The two elements returned is shown in
Table 2. The two elements are lists; so to present them in a
better way, they are wrapped by an object.
TABLE 2: The two elements returned by send and receive functions
Element List of
First Couples (packet sent, answer)
Second Unanswered packets
The process in which we read the interfaces and scan the ports
is called sniffing. It allows us to capture packets as it’s
transmitted over a network. Some packets can be easily
captured or can be even cloned using tshark or tcpdump. For
sniffing, one or more interfaces can be provided as input.
Suppose, if no interface is given as an input, conf.iface will
be the interface to be sniffed on. A snapshot of sniffing
feature is shown in Fig. 7
Fig. 7: Sniffing an interface
TCP three-way handshake is a three message handshake
(SYN-SYN-ACK) which is used to establish an internet
connection over an IP network. This is the method which
allows two computers to communicate over a network. The
code to establish a three way handshake between a client
having IP-address 192.168.80.128 and a server having IP-
address 192.168.0.103 is shown in the Fig. 8 .
Fig. 8: handshake.py
Before sending the packets the iptables have to be set to
suppress the RST packets as Scapy tool doesn’t make use of
the kernel services and it creates a raw socket and RST
packets come from the kernel as there is no port listening on
the source port. [5] Fig. 9 illustrates the process of setting IP
tables for a proper three-way handshake.
Fig. 9: Setting IP tables
On executing the handshake.py file shown in Fig.8 from the
terminal the working of the three-way handshake can be
captured in wireshark as shown in Fig. 10. Three way
handshake happens in client-server connections established
over a TCP/IP Network.
 Adding a new protocol in Scapy is a simple task. The fields
do all the magic.

Fig. 10: Wireshark trace for three way handshake
The layer class inherits the layer manipulation logic from the
Packet class. A list of fields will compound a simple layer.
This will be either concatenated while the layer is assembled
or, while disassembling a string it’s dissected layer by layer.
fields_desc attribute stores the list of fields. By instantiating
field class, fields are obtained.

IV. VIEWING PACKETS WITH WIRESHARK

The advanced ability of Wireshark to dissect packets is the

major driving force for using it to view the packets generated
Fig. 13: Adding a new protocol called Plant()
or sniffed with scapy. In the terminal, by executing the
wireshark() function, Wireshark software opens in the In the example given in Fig. 13, our layer consists of three
background and allows users to view the required packets. A fields as follows:
snapshot of this feature is shown in Fig. 11 and Fig. 12
TABLE 3: Fields description of the layer created in Fig. 13

Field Name Integer type Default

value

First Marigold 2 byte 5

Second Cactus 1 byte 3

Third Rose 4 byte --

Fig. 11: Using wireshark( ) function
Vanilla ByteField and XByteField are different only in the
aspect of the field’s value which is represented in
hexadecimal format. Literate representations are assigned to
some of the values of the third field. Suppose if the worth is
given as 3, Pink value will be displayed. Similarly, if value is
assigned as ‘orange’ then it will display the value 2.

The protocol developed by the user is ready to be used with

the above given details. A snapshot of this is shown in Fig.
14

Fig. 12: Wireshark trace for Fig.11

The user uses the wireshark() function available in Scapy

whose function is to produce a pcap-file which is temporary,
Fig. 14: Operating on the Plant() protocol
and this file is read by Wireshark which starts in the
background environment. One more important thing to be
noted is that we have stacked Layer 3(ICMP and IP) packets VI. CONCLUSION
over an Ethernet header(Layer 2), this is done because
Wireshark synergizes with frames and passing just Layer 3
packets will lead to unusual results. Scapy is very robust and it is very simple in terms of usage.
Scapy is very convenient for doing a quick security analysis,
sometimes though, when we would like to examine and make
conclusions by ourselves we can take raw outputs, without
V. SUPPORT FOR ADDING NEW PROTOCOLS needing any real explanation.
Scapy has many user and developer methods which are very
useful for packet manipulation. When programmers need to
make use of custom packets for obtaining any result like,
testing how a firewall or an Intrusion Detection System(IDS)
reacts to custom packets then Scapy is very helpful. One
really good thing about Scapy is, it can be used as a Python
Library which permits us to write programs and create
applications very hastily without really diving deep into
specifics of constructing raw packets from scratch which
helps in reducing the size of the code by a fair amount. In
short it gives us the freedom to try anything that we can
visualize over a network.

The compiler of python is located at runtime. It is not needed

to recompile all the changes in the source code. Hence all the
tasks done in Scapy are swift, speedy and flexible.

REFERENCES

[1] P. Biondi, Scapy, [online] Available:

http://www.secdev.org/projects/scapy.
[2] Bansal S, Bansal N (2015) Scapy – A Python Tool For Security
Testing. J Comput Sci Syst Biol 8:140-159. doi: 10.4172/jcsb.1000182.
[3] Kiel Gordon, Matthew Davis, Zachary Birnbaum, Andrey Dolgikh.
"ACE", Proceedings of the 2018 Workshop on Cyber-Physical
Systems Security and PrivaCy - CPS-SPC '18,2018
[4] Mahalakshmi, A. Soumya et al. “A study of tools to develop a traffic
generator for L4 – L7 layers.” 2016 International Conference on
Wireless Communications, Signal Processing and Networking
(WiSPNET) (2016): 114-118.
[5] Samad S. Kolahi, Shaneel Narayan, Du. D. T. Nguyen, Yonathan
Sunarto "Performance monitoring of various traffic generators" IEEE
Conference on Modeling and Simulation, pg.501-506, March 2011.