Frequently Asked Questions on Scapy

Import does not work, Scapy functions/objects are not found, old scripts do not work

In Scapy 1.x versions, importing all functions and objects was done with

from scapy import *

In Scapy 2.x versions, the code has been split across many files, but you can still get the same behavior with

from scapy.all import *

How can I do TCP with Scapy

See this specific page on TCP and Scapy

My TCP connections are reset by Scapy or by my kernel

Scapy works at the link level, i.e. it completely bypasses the kernel IP stack. Hence, the kernel IP stack is not aware of what Scapy is doing behind its back. If Scapy sends a SYN, the kernel does not see it. However, the remote target does see it and replies with a SYN-ACK. Your kernel sees the remote target's reply. Because it does not know a SYN was sent, it replies with a RST. To prevent this, use local firewall rules to make your kernel IP stack blind to the answers too (e.g. NetFilter for Linux: iptables -A INPUT -s <target> -j DROP). This is not a problem for Scapy, because it works at the link layer and is not affected by your local firewall rules.
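
Added example, not part of the original FAQ: the iptables rule above stays in place after the test and keeps the host blind to the target, so this sketch installs it only for the duration of the Scapy exchange and removes it even when the exchange fails. The helper names (drop_rule, kernel_blind_to, syn_probe) and the address 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress
import subprocess
from contextlib import contextmanager


def drop_rule(action, target):
    """Build the iptables argv for the FAQ's rule; action is "-A" (add) or "-D" (delete)."""
    # Validate so that only a literal IPv4 address ever reaches iptables.
    addr = ipaddress.IPv4Address(target)
    return ["iptables", action, "INPUT", "-s", str(addr), "-j", "DROP"]


@contextmanager
def kernel_blind_to(target, run=subprocess.run):
    """Hide replies from `target` from the kernel IP stack while the block runs.

    `run` is injectable so the logic can be exercised without root.
    """
    run(drop_rule("-A", target), check=True)
    try:
        yield
    finally:
        # Always remove the rule, even if the Scapy exchange raised,
        # so the host does not stay cut off from the target.
        run(drop_rule("-D", target), check=True)


def syn_probe(target, dport):
    """Send one SYN with Scapy and return the answer (needs root and Scapy)."""
    from scapy.all import IP, TCP, sr1  # imported here: only needed when sending
    with kernel_blind_to(target):
        return sr1(IP(dst=target) / TCP(dport=dport, flags="S"), timeout=2)


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address (RFC 5737).
    ans = syn_probe("192.0.2.10", 80)
    print(ans.summary() if ans is not None else "no answer")
```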

I can't ping 127.0.0.1. Scapy does not work with 127.0.0.1 or on the loopback interface

The loopback interface is a very special interface. Packets going through it are not really assembled and disassembled. The kernel routes the packet to its destination while it is still stored in an internal structure. What you see with tcpdump -i lo is only a fake to make you think everything is normal. The kernel is not aware of what Scapy is doing behind its back, so what you see on the loopback interface is also a fake, except that this one did not come from a local structure. Thus the kernel will never receive it.

In order to speak to local applications, you need to build your packets one layer higher, using a PF_INET/SOCK_RAW socket instead of a PF_PACKET/SOCK_RAW socket (or its equivalent on systems other than Linux):

>>> conf.L3socket
<class __main__.L3PacketSocket at 0xb7bdf5fc>
>>> conf.L3socket=L3RawSocket
>>> sr1(IP(dst="127.0.0.1")/ICMP())
<IP  version=4L ihl=5L tos=0x0 len=28 id=40953 flags= frag=0L ttl=64 proto=ICMP chksum=0xdce5 src=127.0.0.1 dst=127.0.0.1 options='' |<ICMP  type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>

BPF filters do not work. I'm on a ppp link

This is a known bug. BPF filters must be compiled with different offsets on ppp links. It may work if you use libpcap (which will be used to compile the BPF filter) instead of the native Linux support (PF_PACKET sockets).

traceroute() does not work. I'm on a ppp link

This is a known bug. See the entry "BPF filters do not work. I'm on a ppp link".

To work around this, use nofilter=1:

>>> traceroute("target", nofilter=1)

Graphs are ugly/fonts are too big/image is truncated

  • Quick fix: use png format:
    >>> x.graph(format="png")
    
  • Upgrade to the latest version of GraphViz.
  • Try providing different DPI options (50, 70, 75, 96, 101, 125, for instance):
    >>> x.graph(options="-Gdpi=70")
    
    If it works, you can make it permanent:
    >>> conf.prog.dot = "dot -Gdpi=70"
    
    You can also put this line in your ~/.scapy_startup.py file.