Python scapy network sniffing
1. Introduction
Scapy is a powerful third-party library for network sniffing and packet crafting. The previous blog post introduced network sniffing with raw sockets. Raw sockets, however, are low-level: they are inconvenient to use directly, and their behaviour differs between operating systems.
In terms of network traffic sniffing, some third-party libraries are commonly used:
Scapy
Next, I will introduce the use of scapy in detail. It is the most powerful and flexible of these libraries and has the following features:
It can be used interactively (as an interpreter shell) or imported as an ordinary third-party library.
It can sniff packets and forge packets. A large number of network protocols (DNS, ARP, IP, TCP, UDP, etc.) are implemented internally, so very flexible and practical tools can be written with it.
For more details, refer to the official scapy user manual.
2. Using scapy
2.1 Installing scapy
Since it is a third-party library, it is not installed on the system by default. On Ubuntu we can install it directly with the following command:
sudo apt-get install scapy
(The apt package name varies between Ubuntu releases; pip install scapy works as well.) After the installation is complete, simply execute
sudo scapy
to enter scapy's interactive command-line mode. Root privileges are needed because sniffing and sending raw frames require a raw socket.
2.2 Protocol layers available in scapy
ls() lists the network protocols that have been implemented in scapy. Many more are available than are shown here; you can try them yourself.
ls(IP) lists the fields of the IP protocol header, with their types and default values.
IP().show() shows an IP packet built with default values, field by field.
lsc() lists the commands (functions) that can be used in scapy.
conf holds scapy's configuration options.
2.3 scapy sniffing example
In scapy's command mode, enter the following code to try it out.
1) Sniffing traffic packets.
>>> pkts = sniff(iface="eth0", count=3)
>>> pkts
The sniff() function captures traffic: iface is the network interface to listen on, and count is the number of packets to capture. The result shows that three TCP packets were sniffed. You can enter pkts[i] to view the contents of an individual packet.
>>> pkts[0]
You can see the specific values of each field in the Ethernet frame header, followed by the encapsulated protocol, here IPv4, with its IP field values, and then the transport layer above IP, here TCP, with its field values. Using
>>> pkts[i].show()
prints each protocol layer and field of the packet in a clearer, one-field-per-line form.
2) Write the captured packets to a pcap file and read the pcap file back.
>>> wrpcap("demo.pcap", pkts)
>>> read_pkts = rdpcap("demo.pcap")
>>> read_pkts[0]
>>> read_pkts[1]
3) Add filter conditions to the sniff function.
Anyone who has used wireshark or tcpdump knows that network traffic is huge and complex. Sometimes we need specific conditions to filter out only the packets we want to see. The filter argument takes a BPF expression in tcpdump syntax, for example filter="udp".
>>> pkts = sniff(iface="eth0", filter="udp", count=3)
>>> pkts[1]
>>> pkts[2]
4) Dynamically print a summary of each packet.
In scapy command mode, enter
>>> pkts = sniff(iface="eth0", filter="icmp", count=30, prn=lambda x: x.summary())
Here I raised the number of packets to 30 and filtered for ICMP. The prn callback is called on every packet as it arrives, and whatever it returns is printed, so the summary lines appear while the capture is still running. While waiting for the result, open another terminal and ping a web site to observe the sniffer in action.
5) Converting between frames and byte strings
>>> icmp_str = str(pkts[0])
>>> icmp_str
>>> recombine = Ether(icmp_str)
>>> recombine
str(pkt) returns the packet as it would appear on the wire; the output is binary and mostly unprintable, so the terminal shows it as garbage characters. (This is Python 2 behaviour. On Python 3, str() returns a printable representation instead, so use bytes(pkt) or raw(pkt).) Passing those bytes to the Ether() constructor dissects them again into the original layered packet.
6) Importing and exporting base64-encoded data
>>> export_object(str(pkts[0]))
>>> newPkt = import_object()   # paste the string printed in the previous step, press Enter, then Ctrl+D to finish
>>> newPkt
>>> Ether(newPkt)
export_object() prints the object as a base64 string (a zlib-compressed pickle), which is convenient for pasting a packet into a mail or a ticket; import_object() reads such a string from standard input and reconstructs the object. Because import_object() unpickles whatever it is given, only use it on data you produced yourself: an attacker-supplied string can execute arbitrary code during unpickling.