# <p style="color: red;"> install libcap for Ubuntu and npcap for Windows</p>


**Scapy is a powerful and flexible Python library for packet manipulation, network scanning, and network discovery. It allows users to create, send, capture, and analyze network packets, making it a versatile tool for network-related tasks such as packet crafting, network testing, and protocol development. Scapy supports a wide range of protocols and can be used for tasks like sniffing, forging, and decoding network packets at various layers of the OSI model.**

# Documentation for Scapy
## https://scapy.readthedocs.io/en/latest/introduction.html

# A function to output all the connected networks

<b>scapy.get_if_list()------</b>The get_if_list() function in Scapy is used to retrieve a list of available network interfaces on the system. Each network interface represents a network connection or device on the computer, such as Ethernet, Wi-Fi, or loopback interfaces.

In [1]:
import scapy.all as scapy

def get_all_interfaces():
    interfaces = scapy.get_if_list()
    print("Interfaces:", interfaces)
    return interfaces

print(get_all_interfaces())

Interfaces: ['{EF5F5E1C-7A87-4DD4-B6E4-1BD91ADB977D}', '{499304C3-44A3-4450-A94F-17319A044A6F}', '{E9180E80-5E66-4190-B355-0FFFDE772F2F}', '{611BD608-8C30-41FE-977C-9C6560B27792}', '{9F0DA7AC-8C69-4060-B6EA-67E5574FB4C6}', '{BB673480-F05F-4FFC-B713-41F254E77690}', '{ACB519CD-28B0-4D03-B936-F6E88F185B4F}', '{6389DA15-19B0-4A77-95AD-8CEA738C5A9B}', '{3ED4454F-3BD1-4658-9FD6-9BE77121568A}', '\\Device\\NPF_Loopback']
['{EF5F5E1C-7A87-4DD4-B6E4-1BD91ADB977D}', '{499304C3-44A3-4450-A94F-17319A044A6F}', '{E9180E80-5E66-4190-B355-0FFFDE772F2F}', '{611BD608-8C30-41FE-977C-9C6560B27792}', '{9F0DA7AC-8C69-4060-B6EA-67E5574FB4C6}', '{BB673480-F05F-4FFC-B713-41F254E77690}', '{ACB519CD-28B0-4D03-B936-F6E88F185B4F}', '{6389DA15-19B0-4A77-95AD-8CEA738C5A9B}', '{3ED4454F-3BD1-4658-9FD6-9BE77121568A}', '\\Device\\NPF_Loopback']


<b>IP (Internet Protocol):</b>

This module is part of Scapy and represents the IP (Internet Protocol) layer. It allows you to create, manipulate, and work with IP packets. In this context, it is used to construct IP packets.

<b>ICMP (Internet Control Message Protocol):</b>

Another module from Scapy, ICMP represents the ICMP layer. ICMP is used for network-related control and error messages. The ICMP module in Scapy allows you to work with ICMP packets.

<b>  send function:
</b>

The send function is a general-purpose sending function in Scapy. It is used to send packets over the network. In this case, it is likely used to send the constructed IP and ICMP packets created using the IP and ICMP modules.

In [2]:
from scapy.all import IP, ICMP, send

# creating a new packet on ip protocol

In [3]:
packet = IP(dst="www.google.com") / ICMP()

In [4]:
packet.summary()

'IP / ICMP 172.18.9.104 > Net("www.google.com/32") echo-request 0'

# showing the information about the created packet

In [5]:
packet.show()

###[ IP ]### 
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = icmp
  chksum    = None
  src       = 172.18.9.104
  dst       = Net("www.google.com/32")
  \options   \
###[ ICMP ]### 
     type      = echo-request
     code      = 0
     chksum    = None
     id        = 0x0
     seq       = 0x0
     unused    = ''



In [6]:
send(packet)



Sent 1 packets.


### use the sr1 which stands for send requet 1 for responses

# Using the sniff function to sniff packets

**Docstring:**
*Sniff packets and return a list of packets.*

**Args:**
- `count`: *number of packets to capture. 0 means infinity.*
- `store`: *whether to store sniffed packets or discard them*
- `prn`: *function to apply to each packet. If something is returned, it is displayed.*
  - *Ex: `prn = lambda x: x.summary()`*
- `session`: *a session = a flow decoder used to handle the stream of packets.*
  - *Ex: `session=TCPSession`*
  - *See below for more details.*
- `filter`: *BPF filter to apply.*
- `lfilter`: *Python function applied to each packet to determine if further action may be done.*
  - *Ex: `lfilter = lambda x: x.haslayer(Padding)`*
- `offline`: *PCAP file (or list of PCAP files) to read packets from, instead of sniffing them*
- `quiet`: *when set to True, the process stderr is discarded (default: False).*
- `timeout`: *stop sniffing after a given time (default: None).*
- `L2socket`: *use the provided L2socket (default: use `conf.L2listen`).*
- `opened_socket`: *provide an object (or a list of objects) ready to use `.recv()` on.*
- `stop_filter`: *Python function applied to each packet to determine if we have to stop the capture after this packet.*
  - *Ex: `stop_filter = lambda x: x.haslayer(TCP)`*
- `iface`: *interface or list of interfaces (default: None for sniffing on all interfaces).*
- `monitor`: *use monitor mode. May not be available on all OS*
- `started_callback`: *called as soon as the sniffer starts sniffing (default: None).*

**Examples: synchronous**
- `sniff(filter="arp")`
- `sniff(filter="tcp", session=IPSession, prn=lambda x: x.summary())`
- `sniff(lfilter=lambda pkt: ARP in pkt)`
- `sniff(iface="eth0", prn=Packet.summary)`
- `sniff(iface=["eth0", "mon0"], prn=lambda pkt: "%s: %s" % (pkt.sniffed_on, pkt.summary()))`
- `sniff(iface={"eth0": "Ethernet", "mon0": "Wifi"}, prn=lambda pkt: "%s: %s" % (pkt.sniffed_on, pkt.summary()))`

**Examples: asynchronous**
- `t = AsyncSniffer(iface="enp0s3")`
- `t.start()`
- `time.sleep(1)`
- `print("nice weather today")`
- `t.stop()`


In [7]:
from scapy.all import sniff

captured_packets = sniff(count=5)  # Capture 5 packets


In [8]:
captured_packets.show()

0000 Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw
0001 Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:65306 / Raw
0002 Ether / IP / ICMP 216.58.221.36 > 172.18.9.104 echo-reply 0
0003 Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
0004 Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw


## Communication Events Overview

So, what is all that? Here, each entry describes a communication event between different IP addresses and ports using either IPv4 or IPv6. Let's break down what each line signifies:

- **Loopback:**
  - Indicates that the communication is happening within the same machine, often referred to as the loopback interface (127.0.0.1 for IPv4 or ::1 for IPv6). The loopback interface is used for internal testing and communication within the local device.

- **IP:**
  - Refers to the Internet Protocol, either IPv4 or IPv6, specifying the version of the IP protocol being used.

- **TCP:**
  - Indicates that the communication is using the Transmission Control Protocol (TCP), a connection-oriented protocol that provides reliable and ordered delivery of data.

- **Source and Destination Addresses and Ports:**
  - The IP addresses and port numbers indicate the source and destination of the communication.
  - For example, `127.0.0.1:54207 > 127.0.0.1:54183` means that data is being sent from port 54207 on the loopback interface to port 54183 on the same loopback interface.

- **Flags (e.g., A, PA):**
  - Flags represent the status or characteristics of the TCP packets. Common flags include:
    - A (Ack): Acknowledgment flag, indicating that the receiving party has successfully received a packet.
    - PA (Push Ack): Indicates both acknowledgment and a request to push the data to the application.

- **Raw Data:**
  - Some entries include "Raw" to indicate that the payload or data of the TCP packet is included in the capture.

- **Direction (e.g., >):**
  - The direction arrow (>) indicates the flow of communication from the source to the destination.


# filter Keyword
### This expression filters the packets at the operating system's level before Scapy processes them. It allows you to capture only the packets that match the specified criteria.

# sniffing only the tcp packet using filters

In [9]:
tcp_packets=sniff(count=5, filter='tcp')

In [10]:
tcp_packets

<Sniffed: TCP:5 UDP:0 ICMP:0 Other:0>

In [11]:
tcp_packets.show()

0000 Ether / IP / TCP 172.18.9.104:56468 > 91.108.23.100:https S
0001 Ether / IP / TCP 172.18.9.104:56469 > 91.108.23.100:http S
0002 Ether / IP / TCP 172.18.9.104:54326 > 142.250.194.174:https A / Raw
0003 Ether / IP / TCP 172.18.9.104:54326 > 142.250.194.174:https PA / Raw
0004 Ether / IP / TCP 172.18.9.104:54326 > 142.250.194.174:https PA / Raw


# Sniffing on the udp packets

In [12]:
udp_packets=sniff(count=5, filter='udp')

In [13]:
udp_packets

<Sniffed: TCP:0 UDP:5 ICMP:0 Other:0>

In [14]:
udp_packets.show()

0000 Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw
0001 Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
0002 Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:65306 / Raw
0003 Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:64361 / Raw
0004 Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw


# using the prn function

In [15]:
captured_packets1=sniff(count=5, prn= lambda x: x.show())

###[ Ethernet ]### 
  dst       = 30:86:2d:ae:85:a1
  src       = 04:33:c2:5a:eb:4b
  type      = IPv4
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 1030
     id        = 43656
     flags     = 
     frag      = 0
     ttl       = 128
     proto     = udp
     chksum    = 0xf554
     src       = 172.18.9.104
     dst       = 142.250.82.149
     \options   \
###[ UDP ]### 
        sport     = 64361
        dport     = 3478
        len       = 1010
        chksum    = 0x23fd
###[ Raw ]### 
           load      = '\\x90\\xe0)\\xe3Q\\xf8\\x9c\\xa5\\xdf\\xc0/\x05\x10\x00\x00\x04\x02\x03\x14\\xfd\\xae\x03\x020`\x0f\x03\\xc2J\\xeb\x00\x00\\xacu\\xd9ߤ\ng\x03}\x06\\xec\\xaak\\xbb\\x8e/\\xea|\\x9d\\x81ƗBT\\xac\\xb3\\xad\\xbc\x14/z\\x82p\\xdeh\\xf3\\xdf\\xc8-X\\xe0\\xb1i\x0c\\xe7\\x99 I\\xf2\\xdf\x153\\xc8\x0c\\xbf\\x84\\xbeL\\x9cz\\xaaE%\\xe6\\x9dX\\xd9%#\\xfd\\xf0\x06\\x9c${\\xf8\\xb2\\xd3+\\xc9~\\x98Z<\\xb0\\xb8\x18\\xd5\\xfc\\x81\\xab4\\x89Դr\\xb5\\




In [16]:
def work_on_packets(packet):
    print("this is a new packet")
    print(packet.summary())

In [17]:
sniff(count=5,prn=work_on_packets)

this is a new packet
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
this is a new packet
Ether / IP / TCP 142.250.194.174:https > 172.18.9.104:54326 PA / Raw
this is a new packet
Ether / IP / TCP 142.250.194.174:https > 172.18.9.104:54326 PA / Raw
this is a new packet
Ether / IP / TCP 142.250.194.174:https > 172.18.9.104:54326 PA / Raw
this is a new packet
Ether / IP / TCP 142.250.194.174:https > 172.18.9.104:54326 PA / Raw


<Sniffed: TCP:4 UDP:1 ICMP:0 Other:0>

# using the iface keyword to determine the interface for sniffing

### psutil.net_if_addrs() is used to retrieve network interface addresses on the system. It returns a dictionary where keys are the names of network interfaces, and values are lists of namedtuples representing the addresses associated with each interface.

In [37]:
import psutil

def get_interface_names():
    # Get a list of network interfaces using psutil
    network_interfaces = psutil.net_if_addrs()
    for i in network_interfaces:
        print(i,":",network_interfaces[i])
    # Extract names from the network interfaces list
    interface_names = list(network_interfaces.keys())

    # Print the list of interface names
    print("\n\nInterface Names:", interface_names)

get_interface_names()


vEthernet (Default Switch) : [snicaddr(family=<AddressFamily.AF_LINK: -1>, address='00-15-5D-85-DF-A1', netmask=None, broadcast=None, ptp=None), snicaddr(family=<AddressFamily.AF_INET: 2>, address='172.19.192.1', netmask='255.255.240.0', broadcast=None, ptp=None), snicaddr(family=<AddressFamily.AF_INET6: 23>, address='fe80::cadd:1f0d:6e53:c278', netmask=None, broadcast=None, ptp=None)]
Hamachi : [snicaddr(family=<AddressFamily.AF_LINK: -1>, address='7A-79-19-07-9C-0B', netmask=None, broadcast=None, ptp=None), snicaddr(family=<AddressFamily.AF_INET: 2>, address='25.7.156.11', netmask='255.0.0.0', broadcast=None, ptp=None), snicaddr(family=<AddressFamily.AF_INET6: 23>, address='2620:9b::1907:9c0b', netmask=None, broadcast=None, ptp=None), snicaddr(family=<AddressFamily.AF_INET6: 23>, address='fe80::e91e:f841:e6c9:5577', netmask=None, broadcast=None, ptp=None)]
Local Area Connection* 1 : [snicaddr(family=<AddressFamily.AF_LINK: -1>, address='04-33-C2-5A-EB-4C', netmask=None, broadcast=Non

In [19]:
captured_packets2=sniff(count=3,iface='Wi-Fi')

In [20]:
captured_packets2.show()

0000 Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw
0001 Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:65306 / Raw
0002 Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw


# Apply Layer Filters: 
The <b>lfilter</b> parameter allows you to apply a Python function to each packet, determining if further action should be taken.

### Allows you to specify a Python function that is applied to each packet after it has been captured by Scapy but before it is processed or displayed. The function should return True if the packet should be processed, and False if it should be ignored.

In [21]:
from scapy.all import ARP

In [22]:
arp_packets=sniff(lfilter=lambda x: x.haslayer(ARP), count=5, prn=lambda x: x.summary())


Ether / ARP who has 172.18.13.167 says 172.18.0.1
Ether / ARP who has 172.18.13.167 says 172.18.0.1
Ether / ARP who has 172.18.13.167 says 172.18.0.1
Ether / ARP who has 172.18.13.167 says 172.18.0.1
Ether / ARP who has 172.18.13.167 says 172.18.0.1


# using stop_filter
### Python function applied to each packet to determine if we have to stop the capture after this packet.

In [25]:
from scapy.all import TCP

In [26]:
sniff(stop_filter = lambda x: x.haslayer(TCP), timeout=5)

<Sniffed: TCP:1 UDP:3 ICMP:0 Other:0>

# Saving the packets in pcap file using wrcap

In [27]:
capture_packet_3=sniff(timeout=2)

In [28]:
from scapy.all import wrpcap

In [29]:
wrpcap("captured_packets.pcap", capture_packet_3)

# Reading data from a pcap file
### The sniff function in Scapy can be used in offline mode by providing a file path to the offline parameter. This allows you to read and analyze packets from a previously captured pcap file.

In [30]:
offline_file="captured_packets.pcap"

In [31]:
file=sniff(offline=offline_file)

In [32]:
file.summary()

Ether / ARP who has 172.18.13.167 says 172.18.0.1
Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:64361 / Raw
Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:65306 / Raw
Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:64361 / Raw
Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:65306 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3

Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:64361 / Raw
Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:65306 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:65306 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 172.18.9.104:64361 > 142.250.82.149:3478 / Raw
Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:64361 / Raw
Ether / IP / UDP 142.250.82.149:3478 > 172.18.9.104:65306 / Raw
Ether / IP / UDP 172.18.9.104:65306 > 14