scapy-issues/doc/scapy.1 at 48600f3dffc9fb027e541df31e08bcf2d2171dba · guedou/scapy-issues · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
\" SPDX-License-Identifier: GPL-2.0-only
.TH SCAPY 1 "March 24, 2024"
.SH NAME
scapy \- Interactive packet manipulation tool
.SH SYNOPSIS
.B scapy
.RI [ options ]
.SH DESCRIPTION
This manual page documents briefly the
.B Scapy
tool.
.PP
\fBScapy\fP is a powerful interactive packet manipulation tool,
packet generator, network scanner, network discovery, packet sniffer,
etc. It can for the moment replace hping, parts of nmap, arpspoof, arp-sk,
arping, tcpdump, tshark, p0f, ...
.PP
\fBScapy\fP uses the Python interpreter as a command board. That means that
you can use directly Python language (assign variables, use loops,
define functions, etc.)
.PP
The idea is simple. Those kinds of tools do two things : sending packets
and receiving answers. That's what \fBScapy\fP does : you define a set of
packets, it sends them, receives answers, matches requests with answers
and returns a list of packet couples (request, answer) and a list of
unmatched packets. This has the big advantage over tools like nmap or
hping that an answer is not reduced to (open/closed/filtered), but is
the whole packet.
.PP
On top of this can be used to build more high-level functions, for example, one
that does traceroutes and give as a result only the start TTL of the
request and the source IP of the answer. One that pings a whole network
and gives the list of machines answering. One that does a portscan and
returns a LaTeX report.

.SH OPTIONS
Options for Scapy are:
.TP
\fB\-h\fR
display usage
.TP
\fB\-H\fR
header-less mode, also reduces verbosity.
.TP
\fB\-d\fR
increase log verbosity. Can be used many times.
.TP
\fB\-p\fR PRESTART_FILE
use PRESTART_FILE instead of $HOME/.config/scapy/prestart.py as pre-startup file
.TP
\fB\-P\fR
do not run prestart file
.TP
\fB\-c\fR STARTUP_FILE
use STARTUP_FILE instead of $HOME/.config/scapy/startup.py as startup file
.TP
\fB\-C\fR
do not run startup file

.SH COMMANDS
Only the vital commands to begin are listed here for the moment.
.TP
\fBls()\fR
lists supported protocol layers.
If a protocol layer is given as parameter, lists its fields and types of fields.
If a string is given as parameter, it is used to filter the layers.
.TP
\fBlsc()\fR
lists scapy's main user commands.
.TP
\fBconf\fR
this object contains the configuration.

.SH FILES
\fB$HOME/.config/scapy/prestart.py\fR
This file is run before Scapy core is loaded. Only the \fBconf\fP object
is available. This file can be used to configure the CLI, configure
parameters such as the \fBconf.load_layers\fP  list to choose which layers
will be loaded, or change the logging level (for instance):

.nf
conf.interactive_shell = "bpython"
log_loading.setLevel(logging.WARNING)
conf.load_layers.remove("bluetooth")
conf.load_layers.append("new_layer")
.fi

\fB$HOME/.config/scapy/startup.py\fR
This file is run after Scapy is loaded. It can be used to configure
more of Scapy behaviors, like un-registering layers:

.nf
conf.prog.pdfreader = "xpdf"
split_layers(UDP,DNS)
.fi

.SH EXAMPLES

More verbose examples are available in the documentation at
\fIhttps://scapy.readthedocs.io/\fP.
Just run \fBscapy\fP and try the following commands in the interpreter.

.LP
Test the robustness of a network stack with invalid packets:
.nf
sr(IP(dst="172.16.1.1", ihl=2, options=["verb$2"], version=3)/ICMP(), timeout=2)
.fi

.LP
Packet sniffing and dissection (with a bpf filter or tshark-like output):
.nf
a=sniff(filter="tcp port 110")
a=sniff(prn = lambda x: x.show)
.fi

.LP
Sniffed packet re-emission:
.nf
a=sniff(filter="tcp port 110")
sendp(a)
.fi

.LP
Pcap file packet re-emission:
.nf
sendp(rdpcap("file.cap"))
.fi

.LP
Manual TCP traceroute:
.nf
sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=dport)
.fi

.LP
Protocol scan:
.nf
sr(IP(dst="172.16.1.28", proto=(1,254)))
.fi

.LP
ARP ping:
.nf
srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))
.fi

.LP
ACK scan:
.nf
sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))
.fi

.LP
Passive OS fingerprinting:
.nf
sniff(prn=prnp0f)
.fi

.LP
Active OS fingerprinting:
.nf
nmap_fp("172.16.1.232")
.fi


.LP
ARP cache poisoning:
.nf
sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))
.fi

.LP
Reporting:
.nf
report_ports("192.168.2.34", (20,30))
.fi

.SH SEE ALSO

.nf
The official website: \fIhttps://scapy.net/\fP
The GitHub Development repository: \fIhttps://github.com/secdev/scapy/\fP
The official documentation: \fIhttps://scapy.readthedocs.io/en/latest/\fP
.fi

.SH BUGS
Does not give the right source IP for routes that use interface aliases.

May miss packets under heavy load. This is a restriction from python itself

Session saving is limited by Python ability to marshal objects. As a
consequence, lambda functions and generators can't be saved, which seriously
reduce the usefulness of this feature.

BPF filters don't work on Point-to-point interfaces.


.SH AUTHOR
Philippe Biondi and the Scapy community.