# scapy安装简介

# scapy案例

准备环境

In [1]:
from scapy.all import *

## 嗅探报文

In [2]:
packets = sniff(timeout=5)  # 5秒内在"外一个终端窗口"命令行运行 wget http://baidu.com
print(len(packets))

15


## 存储报文至文件

In [3]:
wrpcap("tutorial.pcap", packets)

## 从文件读取报文

In [4]:
packets = rdpcap("tutorial.pcap")

## 显示报文（自动解析结果）

In [5]:
for pkt in packets[-2:]:
    pkt.show()

###[ Ethernet ]###
  dst       = 08:00:27:ac:0a:b1
  src       = 52:55:0a:00:02:02
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x8
     len       = 40
     id        = 52471
     flags     = 
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x381c
     src       = 39.156.66.10
     dst       = 10.0.2.15
     \options   \
###[ TCP ]###
        sport     = http
        dport     = 36320
        seq       = 329600388
        ack       = 3776571191
        dataofs   = 5
        reserved  = 0
        flags     = FA
        window    = 65535
        chksum    = 0x8273
        urgptr    = 0
        options   = []
###[ Padding ]###
           load      = b'\x00\x00\x00\x00\x00\x00'

###[ Ethernet ]###
  dst       = 52:55:0a:00:02:02
  src       = 08:00:27:ac:0a:b1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 40
     id        = 0
     flags     = DF
     frag   

## 查看报文类的成员

In [6]:
p1 = packets[-1]
print(p1)

Ether / IP / TCP 10.0.2.15:36320 > 39.156.66.10:http A


## 逐层解析报文

In [7]:
print(p1.type)

2048


2048是0x800，因此是IP分组

In [8]:
p2 = p1.payload
print(p2)

IP / TCP 10.0.2.15:36320 > 39.156.66.10:http A


In [9]:
print(p2.proto)

6


6表示TCP，17表示UDP

In [10]:
p3=p2.payload
print(p3)

TCP 10.0.2.15:36320 > 39.156.66.10:http A


## 可视化报文

生成一个可视化的pdf文件。下面命令可能失败，缺少依赖包。如果运行失败，跳过本步。

In [11]:
p1.pdfdump('pkt.pdf')




## 其他解析报文的方法

IP、TCP、UDP、Ether是scapy内部定义的协议类型

In [12]:
print('IP' in p1)
print('TCP' in p1)
print('UDP' in p1)
print('Ether' in p1)

True
True
False
True


使用haslayer方法

In [13]:
print(p1.haslayer(Ether))
print(p1.haslayer(IP))
print(p1.haslayer(TCP))
print(p1.haslayer(UDP))

True
True
True
0


## 帮助：Python交互式界面查询API的方法

python中使用help显示一个类或者实例的所有方法和成员，以及接口定义和规范

In [14]:
help(p1)

Help on Ether in module scapy.layers.l2 object:

class Ether(scapy.packet.Packet)
 |  Ether(_pkt, /, *, dst=None, src=None, type=36864)
 |  
 |  Method resolution order:
 |      Ether
 |      scapy.packet.Packet
 |      scapy.base_classes.BasePacket
 |      scapy.base_classes.Gen
 |      typing.Generic
 |      scapy.base_classes._CanvasDumpExtended
 |      builtins.object
 |  
 |  Methods defined here:
 |  
 |  answers(self, other)
 |      DEV: true if self is an answer from other
 |  
 |  hashret(self)
 |      DEV: returns a string that has the same value for a request
 |      and its answer.
 |  
 |  mysummary(self)
 |      DEV: can be overloaded to return a string that summarizes the layer.
 |      Only one mysummary() is used in a whole packet summary: the one of the upper layer,  # noqa: E501
 |      except if a mysummary() also returns (as a couple) a list of layers whose  # noqa: E501
 |      mysummary() must be called if they are present.
 |  
 |  ------------------------------

继续查看fields

In [15]:
p1.fields

{'dst': '52:55:0a:00:02:02', 'src': '08:00:27:ac:0a:b1', 'type': 2048}

使用dir列举一个类或者实例的所有方法和成员

In [16]:
dir(p1)

['_PickleType',
 '__all_slots__',
 '__annotations__',
 '__bool__',
 '__bytes__',
 '__class__',
 '__class_getitem__',
 '__contains__',
 '__deepcopy__',
 '__delattr__',
 '__delitem__',
 '__dict__',
 '__dir__',
 '__div__',
 '__doc__',
 '__eq__',
 '__format__',
 '__ge__',
 '__getattr__',
 '__getattribute__',
 '__getitem__',
 '__gt__',
 '__hash__',
 '__init__',
 '__init_subclass__',
 '__iter__',
 '__iterlen__',
 '__le__',
 '__len__',
 '__lt__',
 '__module__',
 '__mul__',
 '__ne__',
 '__new__',
 '__nonzero__',
 '__orig_bases__',
 '__parameters__',
 '__rdiv__',
 '__reduce__',
 '__reduce_ex__',
 '__repr__',
 '__rmul__',
 '__rtruediv__',
 '__setattr__',
 '__setitem__',
 '__setstate__',
 '__signature__',
 '__sizeof__',
 '__slots__',
 '__str__',
 '__subclasshook__',
 '__truediv__',
 '__weakref__',
 '_answered',
 '_command',
 '_defrag_pos',
 '_do_summary',
 '_is_protocol',
 '_name',
 '_overload_fields',
 '_pkt',
 '_raw_packet_cache_field_value',
 '_resolve_alias',
 '_show_or_dump',
 '_superdir',
 

In [17]:
print(p1.time)

1739722310.085370


In [18]:
print(p1.payload.fields)

{'version': 4, 'ihl': 5, 'tos': 0, 'len': 40, 'id': 0, 'flags': <Flag 2 (DF)>, 'frag': 0, 'ttl': 64, 'proto': 6, 'chksum': 50459, 'src': '10.0.2.15', 'dst': '39.156.66.10', 'options': []}
