# What is Scapy?

Scapy is a powerful Python-based interactive packet manipulation library. It allows you to:

- **Craft custom packets.**
- **Decode packets from raw data.**
- **Sniff network traffic.**
- **Perform network scanning and discovery.**
- **Build tools for network penetration testing and analysis.**

Scapy supports various networking protocols such as **Ethernet**, **ARP**, **IP**, **TCP**, **UDP**, **ICMP**, **DNS**, and many others, making it a versatile tool for network engineers and security professionals.

---

## How Scapy Works

Scapy operates at the **packet level**, meaning it can craft, send, receive, and manipulate packets in real time. It works with **raw sockets**, allowing interaction directly with network packets, bypassing the operating system's typical networking stack.

---

## Key Features of Scapy

- **Packet Crafting**: Create custom packets with various protocols and layers.
- **Packet Sniffing**: Capture and analyze packets in real time.
- **Network Scanning**: Discover hosts and services on a network.
- **Protocol Analysis**: Inspect packets for protocol-specific details.


# Basic Functions in Scapy

## 1. Creating a Packet

Scapy makes it easy to create and manipulate packets by stacking layers. The example for this section, shown after the notes below, builds an IP/TCP packet.


## Purpose of the Code

### Crafting Custom Packets

- This code demonstrates creating a custom packet with specific IP and TCP configurations.
- It allows users to define specific behaviors for network traffic, such as targeting a specific server or service.

### Network Testing

- Used for testing firewalls, intrusion detection systems, or network configurations.
- For example, sending this packet to a server can help test whether the server responds to requests on port 80.

### Security and Penetration Testing

- Useful in crafting packets to simulate different attacks or detect vulnerabilities in network devices.

### Learning Network Protocols

- This code is excellent for understanding how the TCP/IP stack works by allowing users to manually craft and manipulate packets.
___________________________________________________________________________________________________

## How It Works

### Encapsulation

- Each layer of the TCP/IP model adds specific information to the packet (e.g., IP layer adds routing information, TCP adds transport information).
- Using Scapy, layers are stacked together in the order: IP → TCP.

### Packet Creation

- By defining specific fields (e.g., `dst` in the IP layer, `dport` in the TCP layer), you specify the target device and service.

### Packet Display

- `show()` provides a snapshot of the packet's structure, showing how the layers are combined and their respective fields.
___________________________________________________________________________________________________________________

## Where It Can Be Used

### Network Discovery

- Craft packets to ping specific hosts or services to check if they are active.

### Penetration Testing

- Create custom packets for testing server responses to unusual or malformed traffic.

### Firewall Testing

- Ensure firewalls block or allow traffic based on defined rules.

### Custom Protocol Development

- Simulate and test custom network protocols or modifications to existing ones.
____________________________________________________________________________________________________________________

```python
from scapy.all import IP, TCP

# Create an IP packet with a destination address
ip_layer = IP(dst="192.168.1.1")

# Add a TCP layer with a destination port
tcp_layer = TCP(dport=80)

# Combine layers
packet = ip_layer / tcp_layer

# Display the packet details
packet.show()
```

```
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = tcp
  chksum    = None
  src       = 192.168.1.2
  dst       = 192.168.1.1
  \options   \
###[ TCP ]###
     sport     = ftp_data
     dport     = http
     seq       = 0
     ack       = 0
     dataofs   = None
     reserved  = 0
     flags     = S
     window    = 8192
     chksum    = None
     urgptr    = 0
     options   = []
```



# Output Explanation

### IP Layer (IP)

The IP layer is part of the Internet Protocol, which handles addressing and routing packets between devices on a network.

- **version**: 4  
  Indicates that this is an IPv4 packet.
  
- **ihl**: None  
  The Internet Header Length (IHL) in 32-bit words. None means Scapy will calculate and set this automatically.
  
- **tos**: 0x0  
  Type of Service (ToS), a field for setting packet priorities. 0x0 means default priority.
  
- **len**: None  
  Total length of the IP packet. None means it will be calculated automatically.
  
- **id**: 1  
  Identification number for the packet. Useful for reassembling fragmented packets.
  
- **flags**: (empty)  
  IP fragmentation flags. No flags are set here.
  
- **frag**: 0  
  Fragment offset. 0 indicates this is not a fragment.
  
- **ttl**: 64  
  Time-to-Live (TTL), a hop limit for the packet to prevent it from circulating indefinitely in the network. A value of 64 is typical for many systems.
  
- **proto**: tcp  
  Protocol used in the transport layer. tcp indicates this packet carries a TCP segment.
  
- **chksum**: None  
  Checksum for the IP header. None means Scapy will calculate it automatically.
  
- **src**: 192.168.1.2  
  Source IP address of the packet.
  
- **dst**: 192.168.1.1  
  Destination IP address of the packet.
  
- **options**: (empty)  
  Any additional options for the IP header. None are set here.
______________________________________________________________________________________________________________

### TCP Layer (TCP)

The TCP layer specifies details of the Transmission Control Protocol, which manages connections and data exchange.

- **sport**: ftp_data  
  Source port for the packet. ftp_data is a symbolic name for port 20, typically used for FTP data transfer.
  
- **dport**: http  
  Destination port for the packet. http is a symbolic name for port 80, used for web traffic.
  
- **seq**: 0  
  Sequence number for the packet. Used to order segments in the TCP connection.
  
- **ack**: 0  
  Acknowledgment number. This is 0, meaning no acknowledgment is being sent.
  
- **dataofs**: None  
  Data offset (TCP header length) in 32-bit words. None means Scapy will calculate it automatically.
  
- **reserved**: 0  
  Reserved field for future use. Always set to 0.
  
- **flags**: S  
  TCP flags. S indicates a SYN (synchronize) flag, used to initiate a TCP handshake.
  
- **window**: 8192  
  Window size: how many bytes the sender of this segment is willing to receive before the peer must wait for an acknowledgment.
  
- **chksum**: None  
  Checksum for the TCP header and payload. None means Scapy will calculate it automatically.
  
- **urgptr**: 0  
  Urgent pointer, used to mark urgent data in the payload. Set to 0, indicating no urgent data.
  
- **options**: []  
  Additional options for the TCP header. No options are set here.
____________________________________________________________________________________________________________________________
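
As an added example (not code from the original notebook), the following standard-library Python computes by hand the fields shown as `None` above (`ihl`, `len`, `dataofs` and both checksums) for the same SYN packet. The function names are illustrative; the field values (id 1, TTL 64, source port 20, window 8192) are taken from the `show()` output.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(src: str, dst: str, sport: int = 20, dport: int = 80) -> bytes:
    """Serialize the IP/TCP SYN from the show() output, filling the None fields."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    dataofs = 5                              # 20-byte TCP header, no options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      dataofs << 4, 0x02, 8192, 0, 0)   # 0x02 = SYN
    # TCP checksum also covers a pseudo-header: src, dst, zero, proto, TCP length
    pseudo = s + d + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ihl = 5                                  # 20-byte IP header, no options
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     1, 0, 64, socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp

def auto_fields(pkt: bytes) -> dict:
    """Read back the computed fields and re-verify both checksums."""
    ihl = pkt[0] & 0x0F
    ip_hdr, tcp = pkt[:ihl * 4], pkt[ihl * 4:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(tcp))
    return {
        "ihl": ihl,
        "len": struct.unpack("!H", pkt[2:4])[0],
        "ip_chksum": struct.unpack("!H", pkt[10:12])[0],
        "dataofs": tcp[12] >> 4,
        "tcp_chksum": struct.unpack("!H", tcp[16:18])[0],
        # A valid header sums to 0xFFFF, so the checksum over it is 0
        "ip_ok": inet_checksum(ip_hdr) == 0,
        "tcp_ok": inet_checksum(pseudo + tcp) == 0,
    }

if __name__ == "__main__":
    for name, value in auto_fields(build_syn("192.168.1.2", "192.168.1.1")).items():
        print(f"{name:10} = {value}")
```

The same verification (`ip_ok`, `tcp_ok`) is what a receiver or capture tool applies to decide whether a header arrived intact.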

### Explanation of the Packet

This packet is a SYN packet, commonly used to initiate a TCP handshake. Here's what this packet does:

- **Source and Destination**:  
  It originates from 192.168.1.2 and targets 192.168.1.1.
  
- **Ports**:  
  It uses FTP data port (20) as the source and HTTP port (80) as the destination, indicating a request to establish a connection to a web server.
  
- **Purpose**:  
  The SYN flag signals the start of a connection. It is part of the TCP handshake process:  
  `SYN → SYN-ACK → ACK`.
________________________________________________________________________________________________________

### Where This Output Can Be Used

1. **Network Testing**:  
   You can use this output to verify the TCP handshake initiation process. By observing the SYN packet and analyzing the sequence and acknowledgment numbers, you can confirm that the connection establishment process is functioning correctly.

2. **Security Analysis**:  
   This output can be used to simulate traffic for penetration testing or firewall testing. By understanding how SYN packets are used in establishing TCP connections, security analysts can test firewall rules, detect vulnerabilities, and assess how security mechanisms respond to SYN flood attacks and other network security scenarios.

3. **Protocol Learning**:  
   Analyzing this output helps understand how TCP/IP headers are structured and operate. It provides insight into the process of initiating connections, packet sequencing, acknowledgment, and the overall behavior of TCP connections across a network.
___________________________________________________________________________________________________________________________
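
The handshake check described in items 1 and 2, as an added example that is not part of the original notebook: it replays a constructed trace of TCP segments, validates the sequence and acknowledgment numbers of `SYN → SYN-ACK → ACK`, and counts connections left half-open per source, which is the pattern a server sees during a SYN flood. The trace, addresses and function names are constructed for illustration; flags use Scapy's letter notation.

```python
from collections import Counter

# Constructed sample trace: (src, sport, dst, dport, flags, seq, ack)
TRACE = [
    ("192.168.1.2", 40000, "192.168.1.1", 80, "S", 1000, 0),
    ("192.168.1.1", 80, "192.168.1.2", 40000, "SA", 5000, 1001),
    ("192.168.1.2", 40000, "192.168.1.1", 80, "A", 1001, 5001),
    ("192.168.1.9", 40001, "192.168.1.1", 80, "S", 2000, 0),
    ("192.168.1.1", 80, "192.168.1.9", 40001, "SA", 6000, 2001),
    ("192.168.1.9", 40002, "192.168.1.1", 80, "S", 3000, 0),
    ("192.168.1.1", 80, "192.168.1.9", 40002, "SA", 7000, 3001),
    ("192.168.1.2", 40003, "192.168.1.1", 23, "S", 4000, 0),
    ("192.168.1.1", 23, "192.168.1.2", 40003, "RA", 0, 4001),
]

def classify(trace):
    """Map each client 4-tuple to the handshake state it reached."""
    conns = {}
    for src, sport, dst, dport, flags, seq, ack in trace:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            # Client picks an initial sequence number (ISN)
            conns[fwd] = {"state": "syn-sent", "c_isn": seq}
        elif rev in conns and flags == "SA":
            c = conns[rev]
            # The SYN consumes one sequence number, so ack must be ISN + 1
            if c["state"] == "syn-sent" and ack == c["c_isn"] + 1:
                c.update(state="half-open", s_isn=seq)
        elif rev in conns and "R" in flags:
            conns[rev]["state"] = "refused"      # closed port answers with RST
        elif fwd in conns and flags == "A":
            c = conns[fwd]
            if (c["state"] == "half-open" and seq == c["c_isn"] + 1
                    and ack == c["s_isn"] + 1):
                c["state"] = "established"
    return {key: c["state"] for key, c in conns.items()}

def half_open_by_source(trace):
    """Count connections per source that got a SYN-ACK but never sent the ACK."""
    states = classify(trace)
    return Counter(key[0] for key, st in states.items() if st == "half-open")

if __name__ == "__main__":
    for key, state in classify(TRACE).items():
        print(key, state)
    print(dict(half_open_by_source(TRACE)))
```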

## 2. Sending Packets

You can send packets using different methods, such as:

- **send()**: For sending packets at the network layer (e.g., IP).


```python
from scapy.all import IP, TCP, send

# Send a crafted IP packet
send(IP(dst="192.168.1.1") / TCP(dport=80, flags="S"))
```

```
Sent 1 packets.
```


```python
from scapy.all import sendp, Ether, IP, TCP

# Send a crafted Ethernet frame with an IP packet inside
sendp(Ether(dst="00:11:22:33:44:55") / IP(dst="192.168.1.1") / TCP(dport=80, flags="S"))
```

```
Sent 1 packets.
```


- **Ether(dst="00:11:22:33:44:55")**: This specifies the Ethernet layer, where `dst="00:11:22:33:44:55"` defines the destination MAC address.
- **IP(dst="192.168.1.1")**: This adds the IP layer, specifying the destination IP address.
- **TCP(dport=80, flags="S")**: This adds the TCP layer with the destination port 80 and SYN flag.
- **sendp()**: This sends the Ethernet frame directly at the data link layer.


## 3. Sniffing Packets
Sniffing lets you capture and inspect packets on the network interface.

```python
from scapy.all import sniff

# Sniff 10 packets and print a summary of each
sniff(count=10, prn=lambda packet: packet.summary())
```

```
802.3 ec:cd:6d:94:fe:19 > 01:80:c2:00:00:00 / LLC / STP / Raw / Padding
Ether / fe80::3c57:f5e:96c6:3d47 > ff02::16 (0) / IPv6ExtHdrHopByHop / ICMPv6MLReport2 / Padding
Ether / 10.0.0.41 > 224.0.0.252 2 / Raw / Padding
Ether / IP / UDP / NBNSHeader / NBNSQueryRequest who has '\\WORKGROUP'
Ether / IP / UDP / BOOTP / DHCP Discover
Ether / IP / UDP / BOOTP / DHCP Discover
Ether / IP / UDP / mDNS Qry b'HPA9C984.local.'
Ether / IP / UDP / mDNS Ans / Padding
Ether / IPv6 / UDP / mDNS Qry b'HPA9C984.local.'
Ether / IP / UDP / mDNS Ans / Padding

<Sniffed: TCP:0 UDP:7 ICMP:0 Other:3>
```

## 4. Scanning a Network
Discover active hosts using ARP requests.

```python
from scapy.all import ARP, Ether, srp

# Create an ARP request
arp_request = ARP(pdst="172.16.10.1/24")
ethernet_frame = Ether(dst="ff:ff:ff:ff:ff:ff") / arp_request

# Send the request and capture responses
answered, _ = srp(ethernet_frame, timeout=2, verbose=0)

# Print the list of discovered hosts
for sent, received in answered:
    print(f"Host: {received.psrc}, MAC: {received.hwsrc}")
```

```
Host: 192.168.1.1, MAC: d0:0f:6d:fd:e8:d0
Host: 192.168.1.5, MAC: 00:22:0c:18:de:40
```


```python
from scapy.all import IP

# Create an IP packet
packet = IP()

# Modify fields
packet.src = "10.0.0.1"
packet.dst = "10.0.0.2"
packet.ttl = 64

# Display modified packet
packet.show()
```

```
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = ip
  chksum    = None
  src       = 10.0.0.1
  dst       = 10.0.0.2
  \options   \
```



```python
from scapy.all import traceroute

# Perform traceroute to a target
traceroute(["www.google.com"])
```

```
Received 47 packets, got 29 answers, remaining 1 packets
   142.250.181.100:tcp80
1  172.16.10.1     11
2  192.168.1.1     11
4  10.0.0.81       11
5  10.253.12.18    11
6  10.253.4.38     11
7  10.253.4.6      11
8  72.14.211.72    11
9  216.239.41.109  11
10 192.178.105.70  11
11 142.251.77.204  11
12 192.178.98.163  11
13 172.253.66.41   11
14 142.250.181.100 SA
15 142.250.181.100 SA
16 142.250.181.100 SA
17 142.250.181.100 SA
18 142.250.181.100 SA
19 142.250.181.100 SA
20 142.250.181.100 SA
21 142.250.181.100 SA
22 142.250.181.100 SA
23 142.250.181.100 SA
24 142.250.181.100 SA
25 142.250.181.100 SA
26 142.250.181.100 SA
27 142.250.181.100 SA
28 142.250.181.100 SA
29 142.250.181.100 SA
30 142.250.181.100 SA

(<Traceroute: TCP:17 UDP:0 ICMP:12 Other:0>,
 <Unanswered: TCP:1 UDP:0 ICMP:0 Other:0>)
```

```
!pip install scapy
```

```
Collecting scapy
  Downloading scapy-2.6.1-py3-none-any.whl.metadata (5.6 kB)
Downloading scapy-2.6.1-py3-none-any.whl (2.4 MB)
   ---------------------------------------- 0.0/2.4 MB ? eta -:--:--
   -------- ------------------------------- 0.5/2.4 MB 5.6 MB/s eta 0:00:01
   ------------------------- -------------- 1.6/2.4 MB 4.2 MB/s eta 0:00:01
   ---------------------------------------- 2.4/2.4 MB 4.8 MB/s eta 0:00:00
Installing collected packages: scapy
Successfully installed scapy-2.6.1
```
