
Scapy: a powerful interactive packet manipulation program - ColinWright
http://www.secdev.org/projects/scapy/doc/introduction.html
======
kmdent
I recently used this to create a tethering program. It works well, but there
is a large bug. In particular, in the sniff function. When you sniff UDP
packets, Scapy miscalculates the length of the IP and UDP packets. What is
happening is that Scapy uses the UDP length as the IP length, and then
subtracts the size of the UDP header for the UDP header. If you then try and
send it to another computer, the packet is "malformed" because the length is
incorrect. To prove this, when you sniff a UDP packet and then do
packet.show(), the packet looks totally correct. If you use packet.show2(),
the packet cuts off the end. This is because the show2 function uses the
length and recalculates the checksum. To solve this, delete the packet[IP].len
and the packet[UDP].len and then show2(). This correctly recalculates the
length and shows the full packet.
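
The length mismatch described in this comment can be checked without Scapy. The following is an added example, not part of the thread and not Scapy's code: it uses only the Python standard library, a constructed 32-byte IPv4/UDP packet, and hypothetical helper names (`length_errors`, `fix_lengths`) to detect stale length fields and recompute them together with both checksums. It assumes an unfragmented IPv4 packet carrying UDP.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit ones' complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def length_errors(pkt: bytes) -> list:
    """Compare the IPv4 and UDP length fields with the bytes actually captured."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    ip_len, = struct.unpack_from("!H", pkt, 2)
    udp_len, = struct.unpack_from("!H", pkt, ihl + 4)
    errors = []
    if ip_len != len(pkt):
        errors.append("IP len %d, actual %d" % (ip_len, len(pkt)))
    if udp_len != len(pkt) - ihl:
        errors.append("UDP len %d, actual %d" % (udp_len, len(pkt) - ihl))
    return errors

def fix_lengths(pkt: bytes) -> bytes:
    """Rewrite both length fields from the real size, then redo both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, udp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    struct.pack_into("!H", ip, 2, len(pkt))        # IP total length
    struct.pack_into("!H", ip, 10, 0)              # zero the checksum before summing
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    struct.pack_into("!H", udp, 4, len(udp))       # UDP length (header + payload)
    struct.pack_into("!H", udp, 6, 0)
    # UDP checksum covers a pseudo-header: src, dst, zero, protocol 17, UDP length
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 17, len(udp))
    struct.pack_into("!H", udp, 6, checksum(pseudo + bytes(udp)) or 0xFFFF)
    return bytes(ip + udp)

# Constructed sample: 20-byte IPv4 header + 8-byte UDP header + b"ping" = 32 bytes,
# with the stale values the comment describes: IP len = 12 (the UDP size), UDP len = 4.
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 12, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
SAMPLE += struct.pack("!HHHH", 5000, 5001, 4, 0) + b"ping"

if __name__ == "__main__":
    print(length_errors(SAMPLE))                   # both fields disagree with the capture
    print(length_errors(fix_lengths(SAMPLE)))      # empty list once recomputed
```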

~~~
drivebyacct2
Did you submit a bug report or a patch? You seem to have diagnosed it quite
sufficiently.

~~~
kmdent
I did.

------
NelsonMinar
See also pcapy/Impacket:
[http://corelabs.coresecurity.com/index.php?module=Wiki&a...](http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket)

Scapy and Impacket are basically Python scriptable versions of tcpdump /
wireshark. Very useful tools, particularly for measuring a server's behavior
without having to modify it for logging, etc. I once used pcapy to log several
years of an NTP pool server to make this graph: <http://imgur.com/IvRdU>

------
osiemens
This appears to be somewhat outdated. There's more recent information here:
<http://trac.secdev.org/scapy/wiki>

Includes a FAQ and a great guide for capturing rogue DHCP servers on your
network:
[http://trac.secdev.org/scapy/wiki/IdentifyingRogueDHCPServer...](http://trac.secdev.org/scapy/wiki/IdentifyingRogueDHCPServers)

I've had to use it a few times. It is also (or used to be?) in MacPorts.

------
rsync
This appears to be a newfangled version of:

<http://packetfactory.openwall.net/projects/libnet/>

which route created / maintained.

------
SageRaven
Can Scapy or any other util modify packets on the fly?

I've always wanted an "nsed" -- to mimic the "ngrep" idea. A quick and dirty
way to, for example, modify HTTP headers on the fly.

~~~
spydum
I can't say I have tried, perhaps I will later, but how about netcat piped to
sed? Also, check out Burp Suite for most of that functionality... just not
CLI-based.

------
windexh8er
Guess I'm not sure how/why this hit HN's front page? Scapy has been around for
years. Nothing new to see here and, well, I'm not sure Scapy has a very
vibrant development anymore... o_O

------
derleth
When I type in 'modules' at the help prompt, the program hangs. Same with
'modules spam'.

