[HN Gopher] Scapy: Low level packet hacking toolkit for Python ___________________________________________________________________ Scapy: Low level packet hacking toolkit for Python Author : rl1987 Score : 168 points Date : 2022-05-08 14:15 UTC (8 hours ago) (HTM) web link (www.trickster.dev) (TXT) w3m dump (www.trickster.dev) | therealchiggs wrote: | Scapy is great if you want to send and receive packets onto a | network from Python. There are a few gotchas, for example it can | be eager to send real packets out in order to resolve names which | might not always be what you want if you're doing offline | analysis. | | If you are parsing packet captures or defining custom protocols | then dpkt[0] is also worth a look. It's a simpler module with | substantially higher performance. | | [0] https://dpkt.readthedocs.io/en/latest/ | m3047 wrote: | Additionally scapy is GPL and dpkt is more permissive. They | both make mistakes, it can be illuminating to try both side by | side. Scapy is more forgiving. dpkt is more performant. | ossusermivami wrote: | I have been doing a lot of Go and Rust these last few years but | always come back to Python for quick iterations and proof of | concept, scapy is a blessing for low level network programming | inspections. | NelsonMinar wrote: | Scapy's great. Another similar library is Impacket: | https://github.com/SecureAuthCorp/impacket | posnet wrote: | Scapy is great, but if you need only something simple, it's hard | to go past dpkt https://github.com/kbandla/dpkt | wildmanx wrote: | I'd join the overall praise here, but some design choices in | Scapy are quite weird and the implementations for many protocols | are just plain terrible. Granted, that's not the fault of the | original designers, since those protocols just fly around on | Github, but geez are some of them bad.. | dang wrote: | Related: | | _Scapy: a powerful interactive packet manipulation program_ - | https://news.ycombinator.com/item?id=4892380 - Dec 2012 (13 | comments) | | _Traceroute in 15 lines of code using Scapy_ - | https://news.ycombinator.com/item?id=6653644 - Nov 2013 (2 | comments) | m3047 wrote: | Protobuf as a Scapy dissector, with Farsight's SIE as an example: | https://github.com/m3047/tahoma_nmsg | Flocular wrote: | Sadly it's missing a native TCP-reassambly. Was caught by suprise | by that recently, but there's always pyshark | sanqui wrote: | Unfortunately, in my experience Wireshark sometimes fails to | reassemble TCP streams after a retransmission or out-of-order | event, despite the presence of a checkbox to do just that... | guardiangod wrote: | I wrote a pcap re-orderer (with scapy) just for this bug. | shriphani wrote: | Scapy is an exceptional library that I enjoyed using for a recent | project. However, I felt that the focus is entirely on capturing | and analyzing traffic. If you want to manipulate the packets then | the API is a little unsuited for that (for example recomputing | packet checksums requires some invocation to pretty-print the | packet which is weird). | | OTOH, really amazing project to put together quick packet-level | prototypes. Really shows the strength of the python ecosystem. | tomrod wrote: | I've been wanting to learn more about the low level networking | space. Is this a good library to use as a springboard for that? | ttyprintk wrote: | The built-in sockets library in Python tells you which | constants are already available, and has useful functions like | gethostbyaddr. | | Since you didn't mention a platform, also note that (last I | looked) WSL was inadequate for crafting raw packets. | [deleted] | fedeb95 wrote: | I've used it successfully for my ends in a personal project of | mine. Together with wireshark it's good for learning in my | experience | zamadatix wrote: | This also depends what you consider "low level networking" and | how you want to learn. Scapy can be made to work it may just be | either under or overkill depending on what you are wanting to | achieve. Implementing HTTP from the ground up? Scapy is | probably overkill, just open a TCP socket in your language of | choice and start building. Just want to understand what happens | if different fields are changed below what a standard TCP/UDP | socket call gets you access to? Scapy is a great choice to | abstract the OS specific pieces out of the way and provide you | with prebuilt blocks to base your experimentation off of. | freedomben wrote: | It really depends on how much you already know. "Practical | Packet Analysis" (No Starch Press) is a great book that I | really appreciated: https://nostarch.com/packetanalysis3 | McNutty wrote: | Does it work properly in python running in Windows? | octagons wrote: | I've used scapy for years and found it especially useful when | performing internal penetration tests. It has useful patterns for | tasks like quickly putting together a custom DNS server, UDP | source spoofing, walking all ICMP codes (or a quick and dirty | ICMP redirect tool), or couple it with matplotlib and to estimate | how many active hosts are communicating with a remote server | based on TCP sequence numbers (I believe this is part of the | scapy examples.) | | Coupled with interfaces to import and export PCAP files, it's | also a great way to learn about or explore/tamper with network | protocols. | | The fact that it's implemented in Python might scare some off, | but I personally feel that this only adds to its usefulness since | it can benefit from all of the external tooling and flexibility | that comes with the language. | truthwhisperer wrote: | unmole wrote: | Some of the choices are a bit odd but it's an absolutely | brilliant library. It's super simple to get started with and | fairly easy to extend. If you do end up adding support for a | standard protocol, please consider submitting a PR. The | developers are super responsive and helpful. ___________________________________________________________________ (page generated 2022-05-08 23:00 UTC)