# Sniff() function; Sending and Receiving Packets
- equivalent to tcpdump and wireshark


In [1]:
from scapy.all import *
help(sniff)



Help on function sniff in module scapy.sendrecv:

sniff(count=0, store=1, offline=None, prn=None, lfilter=None, L2socket=None, timeout=None, opened_socket=None, stop_filter=None, exceptions=False, *arg, **karg)
    Sniff packets
    sniff([count=0,] [prn=None,] [store=1,] [offline=None,] [lfilter=None,] + L2ListenSocket args) -> list of packets
    
      count: number of packets to capture. 0 means infinity
      store: wether to store sniffed packets or discard them
        prn: function to apply to each packet. If something is returned,
             it is displayed. Ex:
             ex: prn = lambda x: x.summary()
    lfilter: python function applied to each packet to determine
             if further action may be done
             ex: lfilter = lambda x: x.haslayer(Padding)
    offline: pcap file to read packets from, instead of sniffing them
    timeout: stop sniffing after a given time (default: None)
    L2socket: use the provided L2socket
    opened_socket: provide an object r

In [2]:
# note: run ping google.com ob=n a terminal to generate icmp packets
pkts = sniff(count=2, filter="icmp")

In [3]:
pkts

<Sniffed: TCP:0 UDP:0 ICMP:2 Other:0>

In [4]:
pkts.summary()

Ether / IP / ICMP 192.168.231.131 > 216.58.217.46 echo-request 0 / Raw
Ether / IP / ICMP 216.58.217.46 > 192.168.231.131 echo-reply 0 / Raw


In [5]:
pkts.show()

0000 Ether / IP / ICMP 192.168.231.131 > 216.58.217.46 echo-request 0 / Raw
0001 Ether / IP / ICMP 216.58.217.46 > 192.168.231.131 echo-reply 0 / Raw


In [6]:
pkts[0].show()

###[ Ethernet ]###
  dst       = 00:50:56:f9:21:6d
  src       = 00:0c:29:ac:ad:53
  type      = 0x800
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 84
     id        = 54735
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = icmp
     chksum    = 0xb44
     src       = 192.168.231.131
     dst       = 216.58.217.46
     \options   \
###[ ICMP ]###
        type      = echo-request
        code      = 0
        chksum    = 0x7a87
        id        = 0x1034
        seq       = 0x6
###[ Raw ]###
           load      = b'\xc3\x01\xb7Y\x00\x00\x00\x00\'\x10\r\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'


In [7]:
hexdump(pkts[0])

0000   00 50 56 F9 21 6D 00 0C  29 AC AD 53 08 00 45 00   .PV.!m..)..S..E.
0010   00 54 D5 CF 40 00 40 01  0B 44 C0 A8 E7 83 D8 3A   .T..@.@..D.....:
0020   D9 2E 08 00 7A 87 10 34  00 06 C3 01 B7 59 00 00   ....z..4.....Y..
0030   00 00 27 10 0D 00 00 00  00 00 10 11 12 13 14 15   ..'.............
0040   16 17 18 19 1A 1B 1C 1D  1E 1F 20 21 22 23 24 25   .......... !"#$%
0050   26 27 28 29 2A 2B 2C 2D  2E 2F 30 31 32 33 34 35   &'()*+,-./012345
0060   36 37                                              67


In [8]:
pkts[0].command()

'Ether(dst=\'00:50:56:f9:21:6d\', src=\'00:0c:29:ac:ad:53\', type=2048)/IP(version=4, ihl=5, tos=0, len=84, id=54735, flags=2, frag=0, ttl=64, proto=1, chksum=2884, src=\'192.168.231.131\', dst=\'216.58.217.46\', options=[])/ICMP(type=8, code=0, chksum=31367, id=4148, seq=6, ts_ori=None, ts_rx=None, ts_tx=None, gw=None, ptr=None, reserved=None, addr_mask=None, unused=None)/Raw(load=b\'\\xc3\\x01\\xb7Y\\x00\\x00\\x00\\x00\\\'\\x10\\r\\x00\\x00\\x00\\x00\\x00\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f !"#$%&\\\'()*+,-./01234567\')'

In [9]:
pkts = sniff(count=5, filter="arp")
pkts

<Sniffed: TCP:0 UDP:0 ICMP:0 Other:5>

## Generate ARP packets using arping
1. open a terminal and run $ arping [ip of another vm/gateway]
2. sniff the packets using scapy

In [10]:
pkts.summary()

Ether / ARP who has 192.168.231.2 says 192.168.231.131
Ether / ARP is at 00:50:56:f9:21:6d says 192.168.231.2 / Padding
Ether / ARP who has 192.168.231.2 says 192.168.231.131
Ether / ARP is at 00:50:56:f9:21:6d says 192.168.231.2 / Padding
Ether / ARP who has 192.168.231.2 says 192.168.231.131


In [11]:
pkts[0].show()

###[ Ethernet ]###
  dst       = 00:50:56:f9:21:6d
  src       = 00:0c:29:ac:ad:53
  type      = 0x806
###[ ARP ]###
     hwtype    = 0x1
     ptype     = 0x800
     hwlen     = 6
     plen      = 4
     op        = who-has
     hwsrc     = 00:0c:29:ac:ad:53
     psrc      = 192.168.231.131
     hwdst     = 00:50:56:f9:21:6d
     pdst      = 192.168.231.2


In [None]:
pkts[0].command()

## Building a Packet
- build ARP packet which has two layers - Ether and ARP

In [12]:
ls(Ether)

dst        : DestMACField         = (None)
src        : SourceMACField       = (None)
type       : XShortEnumField      = (36864)


In [13]:
ls(ARP)

hwtype     : XShortField          = (1)
ptype      : XShortEnumField      = (2048)
hwlen      : ByteField            = (6)
plen       : ByteField            = (4)
op         : ShortEnumField       = (1)
hwsrc      : ARPSourceMACField    = (None)
psrc       : SourceIPField        = (None)
hwdst      : MACField             = ('00:00:00:00:00:00')
pdst       : IPField              = ('0.0.0.0')


## Stacking Layers to build packets

In [14]:
arpPkt = Ether()/ARP()

In [15]:
arpPkt.show()

###[ Ethernet ]###
  dst       = 00:50:56:f9:21:6d
  src       = 00:0c:29:ac:ad:53
  type      = 0x806
###[ ARP ]###
     hwtype    = 0x1
     ptype     = 0x800
     hwlen     = 6
     plen      = 4
     op        = who-has
     hwsrc     = 00:0c:29:ac:ad:53
     psrc      = 192.168.231.131
     hwdst     = 00:00:00:00:00:00
     pdst      = 0.0.0.0


In [16]:
# Change Ethernet protocol's destination field to broadcase MAC address
arpPkt['Ethernet'].dst= 'FF:FF:FF:FF:FF:FF'

In [17]:
arpPkt.show()

###[ Ethernet ]###
  dst       = FF:FF:FF:FF:FF:FF
  src       = 00:0c:29:ac:ad:53
  type      = 0x806
###[ ARP ]###
     hwtype    = 0x1
     ptype     = 0x800
     hwlen     = 6
     plen      = 4
     op        = who-has
     hwsrc     = 00:0c:29:ac:ad:53
     psrc      = 192.168.231.131
     hwdst     = 00:00:00:00:00:00
     pdst      = 0.0.0.0


In [18]:
# change ARP protocol's hwdst to broadcast MAC address
#arpPkt['Ethernet']['ARP'].hwdst = 'FF:FF:FF:FF:FF:FF'
arpPkt['ARP'].hwdst = 'FF:FF:FF:FF:FF:FF'

In [19]:
arpPkt.show()

###[ Ethernet ]###
  dst       = FF:FF:FF:FF:FF:FF
  src       = 00:0c:29:ac:ad:53
  type      = 0x806
###[ ARP ]###
     hwtype    = 0x1
     ptype     = 0x800
     hwlen     = 6
     plen      = 4
     op        = who-has
     hwsrc     = 00:0c:29:ac:ad:53
     psrc      = 192.168.231.131
     hwdst     = FF:FF:FF:FF:FF:FF
     pdst      = 0.0.0.0


## Capture packet using wireshark
- ARP packet is ready to be sent
- Open Wireshark and start capturing traffic

## Send Packets
- two functions to send packets: sendp() and send()
- **sendp()** for sending L2 packets
- **send()** for sending L3 packets (IPv4 or IPv6)

In [None]:
help(send)

In [None]:
help(sendp)

In [22]:
# send the arpPkt - use send or sendp function()
sendp(arpPkt)


Sent 1 packets.


In [None]:
# one liner
sendp(Ether(dst="ff:ff:ff:ff:ff:ff",src="00:11:22:aa:bb:cc")/ARP(hwsrc="00:11:22:aa:bb:cc",pdst="192.168.231.2"))

## Sending HTTP request

In [None]:
httpPkt = Ether()/IP(dst="www.coloradomesa.edu")/TCP()/"GET /index.html HTTP/1.0\n\n"

In [None]:
bytes(httpPkt)

In [None]:
hexdump(httpPkt)

In [None]:
httpPkt.show()

In [None]:
# response = sr(httpPkt) # doesn't work
# send(httpPkt)

## Send and Receive Packets
- Send and receive functions are the heart of Scapy
- ** sr() ** send L3 packets and receive answers; returns answered and unanswered packets
- ** sr1() ** returns only one packet that answered the sent packet
- sr() and sr1() functions can only send layer 3 L3 packets (IP, HTTP, etc.)
- ** srp() ** send and receive L2 packets (ARP, Ehternet, 802.3, etc)
- ** srp1() ** send and receive one layer 2 packet

## Three-way handshake


In [None]:
# Create syn packet
syn = IP(dst='www.google.com')/TCP(dport=80, flags='S')

In [None]:
syn

In [None]:
# Receive SYN-ACK packet from google.com
syn_ack = sr1(syn)

In [None]:
syn_ack

In [None]:
# Send Get request
getStr = 'GET / HTTP1.1\r\nHost:www.google.com\r\n\r\n'
request = IP(dst='www.google.com') / TCP(dport=80, sport=syn_ack[TCP].dport, 
                                        seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+1, 
                                        flags='A') / getStr
reply = sr1(request)

In [None]:
reply

In [None]:
reply.summary()

In [None]:
reply.show()

## Stacking Layers
The / operator has been used as a composition operator between two layers. When doing so, the lower layer can have one or more of its defaults fields overloaded according to the upper layer. (You still can give the value you want). A string can be used as a raw layer.
<img src="http://scapy.readthedocs.io/en/latest/_images/fieldsmanagement.png" />

In [23]:
IP()

<IP  |>

In [None]:
IP()/TCP()

In [None]:
Ether()/IP()/TCP()

In [None]:
IP()/TCP()/"GET / HTTP/1.0\r\n\r\n"

In [None]:
Ehter()/IP()/IP()/UDP()

In [24]:
IP(proto=55)/TCP(dport=22)

<IP  frag=0 proto=55 |<TCP  dport=ssh |>>

In [None]:
tcpip = IP(dst="dstIP") / TCP(dport=22) # tcp packet needs dest port
reply = sr(tcpip)
reply

In [None]:
ans, unans = _ 
ans.summary()

## Create ping request
- IP packet with ICMP echo request and "Hello World" payload
- send the packet and capture it with wireshark

In [None]:
ping = IP(dst="dstIP") / ICMP() / "Hello World!"

In [None]:
ping.show()

In [None]:
send(ping)

In [None]:
reply = sr1(ping)
reply.show()

## Exercise
- Spoof src IP and ping some IP in ACM or CSC network
- 