scapy

With Scapy , when I create a packet and write it to a pcap file, it sets the timestamp of the packet to the current time. This is my current usage. 1335494712.991895 being the time I created the packet: >>> a = Ether()/IP(src='1.1.1.1',dst='2.2.2.2')/TCP(sport=1337,dport=31337) >>> wrpcap('single-tcp-packet.pcap', a) # tcpdump -tt -r single-tcp-packet.pcap reading from file single-tcp-packet.pcap, link-type EN10MB (Ethernet) 1335494712.991895 IP 1.1.1.1.menandmice-dns > arennes-651-1-107-2.w2-2.abo.wanadoo.fr.31337: Flags [S], seq 0, win 8192, length 0 How can I specify my own timestamp per

I'm trying to run a python script that involves scapy but I can't seem to get it to run. I keep getting this error ImportError: No module named pcapy The script I'm trying to run is: from scapy.all import * def arp_display(pkt): if pkt[ARP].op == 1: #who-has (request) if pkt[ARP].psrc == '0.0.0.0': # ARP Probe print "ARP Probe from: " + pkt[ARP].hwsrc print sniff(prn=arp_display, filter="arp", store=0, count=10) I've installed XCode, XQuartz, Python, and Scapy using macports Please let me know what I'm missing! #noob Yoel Try installing libpcap and its Python wrapper from source, as listed

This question already has answers here : Difference between __str__ and __repr__? (22 answers) Closed 3 years ago . I want to craft packets using scapy. When looking through the IP() class members I came across the following code idiom: 'fieldtype': { 'frag': <Field (IP,IPerror).frag>, 'src': <Field (IP,IPerror).src>, 'proto': <Field (IP,IPerror).proto>, 'tos': <Field (IP,IPerror).tos>, 'dst': <Field (IP,IPerror).dst>, 'chksum': <Field (IP,IPerror).chksum>, 'len': <Field (IP,IPerror).len>, 'options': <Field (IP,IPerror).options>, 'version': <Field (IP,IPerror).version>, 'flags': <Field (IP

The following code: sniff(filter = "dst aa:bb:cc:dd:ee" ) throws an error because sniff is expecting an IP, not a MAC. So how are you supposed to filter by MAC? what about specyfing a lfilter for sniff ? zzz = sniff(lfilter=lambda d: d.src == 'aa:bb:cc:dd:ee:ff') dst and src are attributes of sniffed message. previously i have posted an answer where stop_filter was specified. i suppose that it wouldn't work for you, since scapy would stop after receving first packet that match the mac address from stop_filter . lfilter should do the job. from sendrecv.py : lfilter: python function applied to

In Scapy, I want to manually match packets with their corresponding ICMP time-exceeded messages. I need to match: IP-in-ICMP field of ICMP packet IP header and first 8 bytes of my data packet The ICMP packet isn't a problem: icmpPayload = str(icmpPacket[ICMP].payload) As for the first 8 bytes of the data packet, I just need to do: str(myPacket[IP].payload)[:8] I don't know how to get only the IP header of myPacket . All I do now is replace the payload in the whole packet with its first 8 bytes. This search and replace, if applied to thousands of packets, might take too long, I'm afraid:

Can we use the srp() function for a Layer 3 ICMP packet? I see that when we craft an ICMP echo-request packet and use the sr() to send/receive, we do NOT see it getting sent out of the interface , hence no response from the destination. But the same packet if we use the srp() function we see the response. When should we use sr() and when srp()? In the documentation it states sr() is to be used for L3 packet and srp() to be used for L2? But in my case I am not sure why sr() is not working for an ICMP packet? Can some experts please help me understand? Also can someone let me know if "iface"

I'm using rdpcap function of Scapy to read a PCAP file. I also use the module described in a link to HTTP support in Scapy which is needed in my case, as I have to retrieve all the HTTP requests and responses and their related packets. I noticed that parsing a large PCAP file the rdpcap function takes too much time to read it. Is there a solution to read a pcap file faster? wonder Scapy has another method sniff which you can use to read the pcap files too: def method_filter_HTTP(pkt): #Your processing sniff(offline="your_file.pcap",prn=method_filter_HTTP,store=0) rdpcap loads the entire pcap