Scapy is a tool for manipulating computer network packets written in Python. It allows, among other things, the forging or decoding of packets, as well as tasks such as scanning, tracerouting, and unit testing. Discover everything you need to know: advantages, operation, training, and more.
In the field of computer security, network scanning and attack simulations are essential activities. There are many tools such as Wireshark or Nmap, but each of them is designed for a specific use case, such as packet sniffing or scanning.
Therefore, it is necessary to use a different tool for each task, and this can quickly become cumbersome. To address this issue, Philippe Biondi created Scapy: a network packet manipulation tool based on Python that allows you to create new features according to your needs.
What is Scapy?
Created in 2003, Scapy is a Python program that allows you to send, sniff, dissect, and forge network packets. This enables the creation of tools for probing, scanning, or attacking a network.
It is a powerful interactive packet manipulation program. It is used to forge or decode packets of a wide variety of protocols, send them, capture them, associate requests and responses, and much more.
Common tasks like scanning, tracerouting, probing, unit testing, attacking, or network discovery can be accomplished with ease. This tool can replace hping, arpspoof, arp-sk, arping, pof, and some parts of Nmap, tcpdump, and tshark.
Furthermore, Scapy can be used for specific tasks that most tools do not support. This includes sending invalid frames, injecting 802.11 frames, combining techniques like VLAN hopping and ARP cache poisoning.
In essence, Scapy’s two main functionalities are sending packets and receiving responses. After defining a packet set, the tool sends them, receives responses, matches queries with responses, and returns a list of query/response packet pairs and a list of unmatched packets.
The advantage over Nmap or hping is that a response is not reduced to “open,” “closed,” or “filtered.” It includes the complete packet.
Higher-level functions can be added, such as tracerouting and obtaining the initial TTL of the request and the source IP of the response as the result. Another example is a function that pings an entire network and provides a list of responding machines, or a function that performs a port scan to generate a LaTeX report.
Scapy can be used interactively through its command-line interface (CLI) or as a library by importing it into Python programs. It can be run on Linux, macOS, or Windows.
Even though it is a tool without a graphical interface, it can be integrated with other visualization programs like Wireshark, GnuPlot, Graphviz, or VPython.
What are the main shortcomings of networking tools?
To understand the advantages of Scapy, it is simplest to list the main problems with most networking tools. These different programs do not allow you to build something the author did not imagine. They are designed for a specific purpose and cannot deviate from it.
For example, an ARP cache poisoning tool cannot use double encapsulation 802.1q. Therefore, it is usually necessary to create a new program for each new requirement.
Furthermore, many tools are limited to a paradigm of being executed from a system interface shell. This results in complex syntax to describe a packet. The chosen solution uses a higher and less powerful description in the form of scenarios imagined by the tool’s creator.
In addition, these tools often confuse decoding and interpretation. While machines excel at decoding, they are not able to interpret. This task is reserved for humans.
Some programs try to mimic this behavior, for example, by saying “this port is open” instead of “I received a SYN-ACK.” However, they frequently make mistakes.
Such assistance can be invaluable for beginners, but experienced users know that they will spend a lot of time trying to deduce what actually happened from the program’s interpretation.
A significant amount of information is lost along the way. Often, it is necessary to use tcpdump -xX to decode and interpret everything that escaped the program.
Even programs that only decode do not provide all the information they received. They only offer the network view that their creator deems sufficient. Therefore, it is incomplete.
Writing network tools in 2 lines of Python with ScaPy
On the other hand, Scapy attempts to overcome these various weaknesses. It allows you to build any packets you want and adopts a flexible model that avoids arbitrary limits. Users can place any value in a field and assemble them as they see fit.
Regarding packet description, Scapy offers a dedicated language known as Domain Specific Language (DSL), which allows for powerful and rapid descriptions for any type.
The use of Python syntax and a Python interpreter for this DSL brings multiple benefits. There is no need to write a separate interpreter, users do not have to learn an additional language, and they benefit from a complete, concise, and powerful language.
It is possible to describe a packet or a set of packets as stacked layers on top of each other. The fields of each layer have useful default values that can be overridden. Users are not obliged to use predefined methods or templates.
This eliminates the need to write a new tool every time a different scenario is required. Instead of using about sixty lines to describe a packet in C, it only takes one line with Scapy and another line to print the result. Thus, 90% of the lines in network probing tools can be rewritten in just two lines.
A single survey for multiple interpretations
During network probing, many stimuli are sent, and only a few of them receive a response. Choosing the right stimuli allows obtaining information from the responses or the absence of responses. Thus, network discovery is a black-box testing practice.
Unlike many tools, Scapy provides all the information such as the stimuli sent and the responses received. It is by examining the data that the user obtains the desired information.
If the dataset is small, the user can explore it. In other cases, the interpretation of the data depends on the perspective taken.
Most tools choose a perspective and eliminate all data not related to it. This is not the case with Scapy, which provides all the raw data.
This allows using the data many times, and the perspective can evolve during the analysis. It is possible to perform a single probe, such as a scan or a traceroute, and interpret it multiple times.
ScaPy decodes without trying to interpret
Unlike these tools, Scapy does not attempt to interpret responses after network probing. It simply decodes them and presents facts.
This helps avoid interpretation errors made by the tool. For example, after receiving an ICMP destination unreachable packet, some scanners report a TCP port as filtered by the firewall. However, it can also mean that there was no host to forward the packet to. Tool interpretation of results can therefore do more harm than good by introducing biases into the results. Scapy avoids this problem, and it is a significant advantage, sparing advanced users from having to reverse-engineer the interpretation to derive facts.
Conclusion: Scapy, one of the best package manipulation tools in Python
Compared to other networking tools, Scapy offers several advantages. Its packet description paradigm is efficient and flexible, allowing for multiple interpretations from a single probe, and the probe results are decoded without being interpreted.
As a command table, Scapy uses the Python interpreter. Therefore, it is possible to use the Python language directly to assign variables, use loops, or define functions.
To learn how to use Python and Scapy, you can choose DataScientest. Our various Data Science training programs include a module dedicated entirely to this programming language.
Depending on the chosen career path, the various modules cover databases, Machine Learning, Data Visualization, or Business Intelligence.
All our programs are fully available online via the web, and our organization is eligible for state funding. Discover DataScientest today!