patrick.battistello | 21 Apr 10:51 2015

Diameter layer support v1.0

Hi all,


I added to the contrib directory the new file which supports Diameter protocol decoding and generation. It currently supports more than 40 Diameter commands and 550 AVPs. This file can be fetched here or from the secdev/scapy pull-request.


Most of this file has been built automatically by parsing through IETF and ETSI/3GPP standards, so please report any bug you may find in commands/AVPs support.


Next step will be to provide a ‘uts’ file. Then I will try to extend the AVPs support while not increasing too much the number of classes (currently each AVP is mapped to a class and the same holds for commands). Any suggestion or comment is welcome.


Many thanks to Guillaume Valadon for his help in setting my BitBucket/Mercurial configuration.




Marcel Patzlaff | 8 Apr 12:09 2015

Fwd: Re: ISIS in SCAPY and Jumbo frames

Forwarded emails regarding Jumbo LLC:

-------- Forwarded Message --------
Subject: Re: ISIS in SCAPY and Jumbo frames
Date: Wed, 08 Apr 2015 10:45:12 +0200
From: Marcel Patzlaff <mpatzlaff <at>>
To: Adam Kułagowski <fidor <at>>

Hi Adam,

great to hear, that the extension is of use for you. Currently, we are
also experimenting with some Cisco routers and have seen those Jumbo LLC 

I think a fix like yours is quite easy to apply. But I also see a
problem because Jumbo LLC is still not really a standard. So I don't
know if a patch like this will get accepted.

I suggest that you create a ticket for this at as this is not directly an IS-IS
issue. Nevertheless, I will also have a look into scapy but I'm pretty
sure, that you already found what needs to be added to

   bind_layers(Ether, LLC, type=34928)

Kind regards,

On 07.04.2015 at 21:54, Adam Kułagowski wrote:
> Hi,
> First of all - thank you for ISIS extension for Scapy - it's a life
> saver :)
> However I've found that Scapy does not dissect properly ISIS packets
> from Cisco ASR9k router. The only difference is that Cisco is using
> Ethertype 0x8870 (Jumbo frames). Such packet is seen by Scapy as an
> unknown one.
> I'm far from being a programmer but the following addition to
> scapy/layers/ :
> ----
> bind_layers( Ether,         LLC,           dst='09:00:2b:00:00:05',
> type=34928)
> ----
> ...get things going again.
> I'm attaching the PCAP with such packet if you would like to take a
> closer look.
> If it's possible to add support for ISIS+Jumbo frames in your next
> release - it would be great :)
> Maybe this effect can be achieved in a different way - I'm afraid my Scapy
> knowledge is severely limited. If this is the case - please say so.
> Best regards,
> Adam

To unsubscribe, send a mail to <at>
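
Added example (not part of the original thread and not Scapy code): a standard-library Python model of the dispatch decision discussed above, showing why a frame with type 0x8870 is reported as unknown until that value is bound to LLC. The function name, the `jumbo_llc` switch and the sample frames are constructed for illustration; the IS-IS check uses the LLC SAP 0xFE and NLPID 0x83.

```python
import struct

JUMBO_LLC_ETHERTYPE = 0x8870  # 34928, the type= value in the bind_layers() calls above
ISIS_SAP = 0xFE               # LLC DSAP/SSAP for the OSI network layer
ISIS_NLPID = 0x83             # first byte of every IS-IS PDU


def dissect(frame, jumbo_llc=True):
    """Return the layer names found in a raw Ethernet frame.

    jumbo_llc=False models a dissector without the 0x8870 -> LLC binding.
    """
    if len(frame) < 14:
        return ["truncated"]
    _dst, _src, type_len = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    # Values up to 1500 are an 802.3 length, so an LLC header follows.
    # 0x8870 marks LLC-encapsulated jumbo frames, which need the same handling.
    llc_follows = type_len <= 1500 or (jumbo_llc and type_len == JUMBO_LLC_ETHERTYPE)
    if not llc_follows:
        return ["Ether", "unknown(0x%04x)" % type_len]
    if len(payload) < 3:
        return ["Ether", "truncated"]
    dsap, ssap, ctrl = payload[0], payload[1], payload[2]
    layers = ["Ether", "LLC"]
    if (dsap, ssap, ctrl) == (ISIS_SAP, ISIS_SAP, 0x03) and payload[3:4] == bytes([ISIS_NLPID]):
        layers.append("ISIS")
    return layers


# Constructed sample frames (not taken from the attached PCAP).
DST = bytes.fromhex("09002b000005")      # destination MAC from the post
SRC = bytes.fromhex("020000000001")      # made-up source MAC
ISIS_PDU = bytes.fromhex("fefe03" "83")  # LLC header + IS-IS NLPID
JUMBO_FRAME = DST + SRC + struct.pack("!H", JUMBO_LLC_ETHERTYPE) + ISIS_PDU
CLASSIC_FRAME = DST + SRC + struct.pack("!H", len(ISIS_PDU)) + ISIS_PDU

if __name__ == "__main__":
    print(dissect(JUMBO_FRAME, jumbo_llc=False))  # before the binding
    print(dissect(JUMBO_FRAME))                   # after the binding
    print(dissect(CLASSIC_FRAME))                 # ordinary 802.3 + LLC
```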

David Smith | 25 Mar 22:48 2015

igmpv3 module question

having some issues figuring out the proper configuration of various packets; 

for example this one, the dest address gets sent to loopback instead of the sending interface IP (which has the ether src="" mac as defined)

any help is appreciated.



import scapy.contrib.igmpv3

a=Ether(dst = "01:00:5e:00:01:01", src="00:1e:c9:5a:6b:ae")

c.srcaddrs = ['', '']
c.srcaddrs += ['']
c=scapy.contrib.igmpv3.IGMPv3(type=0x22, gaddr="")
print "Joining IP " + c.gaddr + " MAC " + a.dst
sendp(a/b/c, iface="em2")





[root@qa-05 ~]# tshark -V -i p8p1
Running as user "root" and group "root". This could be dangerous.
Capturing on 'p8p1'
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 24, 2015 14:23:42.398555000 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1427232222.398555000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:igmp]
Ethernet II, Src: 2wire_5a:6b:ae (00:1e:c9:5a:6b:ae), Dst: IPv4mcast_00:01:01 (01:00:5e:00:01:01)
    Destination: IPv4mcast_00:01:01 (01:00:5e:00:01:01)
        Address: IPv4mcast_00:01:01 (01:00:5e:00:01:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: 2wire_5a:6b:ae (00:1e:c9:5a:6b:ae)
        Address: 2wire_5a:6b:ae (00:1e:c9:5a:6b:ae)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
    Padding: 000000000000000000000000000000000000
Internet Protocol Version 4, Src: (, Dst: (
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 28
    Identification: 0x0001 (1)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
        [Expert Info (Note/Sequence): "Time To Live" only 1]
            [Message: "Time To Live" only 1]
            [Severity level: Note]
            [Group: Sequence]
    Protocol: IGMP (2)
    Header checksum: 0x7876 [correct]
        [Good: True]
        [Bad: False]
    Source: (
    Destination: (
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Internet Group Management Protocol
    [IGMP Version: 3]
    Type: Membership Report (0x22)
    Header checksum: 0xfcfd [correct]
    Num Group Records: 257
[Malformed Packet: IGMP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]


mahdieh Shahverdi | 17 Mar 07:19 2015

Re: split a url into multiple packets using scapy

Thanks, but I mean as below:
suppose this long url :,user_religion_politics,user_relationships,user_relationship_details,user_hometown,user_location,user_likes,user_activities,user_interests,user_education_history,user_work_history,user_online_presence,user_website,user_groups,user_events,user_photos,user_videos,user_photo_video_tags,user_notes,user_about_me,user_status,friends_birthday,friends_religion_politics,friends_relationships,friends_relationship_details,friends_hometown,friends_location,friends_likes,friends_activities,friends_interests,friends_education_history,friends_work_history,friends_online_presence,friends_website,friends_groups,friends_events,friends_photos,friends_videos,friends_photo_video_tags,friends_notes,friends_about_me,friends_status&fb_sig_country=bg&fb_sig_api_key=9f7ea9498aabcd12728f8e13369a0528&fb_sig_app_id=177509235268&fb_sig=1a5c6100fa19c1c9b983e2d6ccfc05ef

I want to split this URL into three TCP segments and send each TCP segment as a separate packet.
How should I do it?

On Monday, February 16, 2015 4:37 PM, Marco Zunino <eng.marco.zunino <at>> wrote:

I think a good article on the topic is the following

There are 3 posts in total; the first two address the theory behind fragmentation and checksum, the third one shows you the concrete example in Scapy. To be honest with you, I did not fully read the article, but at first impression it looks like good information; worst case this should be at least a good starting point.

Let us know if you have luck; I will check the topic further and play with the code later.

On Mon, Feb 16, 2015 at 12:44 PM, mahdieh Shahverdi <m.shahverdi <at>> wrote:
I mean a long URL as application data that may be stored in multiple TCP segments, each of which makes an IP packet.

On Monday, February 16, 2015 2:59 PM, Tobias Mueller <muelli <at>> wrote:

On Mon, Feb 16, 2015 at 11:11:43AM +0000, mahdieh Shahverdi wrote:

> Hi, how to split a URL into multiple IP packets using scapy?

I'm confused. What does it even mean to have a URL in IP packets?



newlog | 10 Mar 12:00 2015

Error injecting traffic from Windows (libdnet / scapy issue)

Hi all,

I've been trying to inject traffic from pcap files to the network. I've
been lucky on some environments, but I haven't in many others. I usually
get the following error:

> WARNING: No match between your pcap and dnet network interfaces found.
> You probably won't be able to send packets. Deactivating unneeded
> interfaces and restarting Scapy might help.

My code is as simple as:

> packets = sniff(offline=self.PCAPFileName)
> sendp(packets)

I think I've read all the information available for this issue. An
overview of the topic by Dirk here:

I know that the problem happens in scapy/arch/windows/

> def load_from_dnet(self):
>         """Populate interface table via dnet"""
>         for i in pcapdnet.dnet.intf():
>             try:
>                 # comment...
>                 if i["name"].startswith("eth") and "addr" in i:
>                     self.data[i["name"]] = NetworkInterface(i)
>             except (KeyError, PcapNameNotFoundError):
>                 pass
>         if len(self.data) == 0:
>             log_loading.warning("error")
So I don't have a clue why intf() returns an empty object in the
problematic systems. I have all IPs set statically. It's really
weird because it doesn't work in Windows 7 x64, but works correctly on
Windows 2012 R2 x64, so it's not because of 32 vs 64 bits.

I know that this is a libdnet bug, but given that libdnet code seems to
be abandoned and scapy relies on it for such critical things as getting
OS NICs, how's that in 5 years no workarounds have been looked? Don't
want to sound as an asshole (my english deficiencies here!)! It's just
one thing that bugs me. Is it because of lack of time/resources? Because
really few people are affected by this issue? Is it really hard to solve?

I've also read that previous tries to move away from libdnet and use
WinPcap have been done (from 2009):

I guess that this didn't get to mainstream, isn't it? It would be
awesome given that WinPcap is an active project not as libdnet.

Finally, if there's no solution for this issue and, therefore, for
injecting pcap traffic from a Windows box using scapy, which are the
remaining approaches (using python)? I've been trying to look for any
other solutions, but it seems that everything boils down to libdnet or
Unix platforms (that aren't an option for me).
Does this mean that no one reliably injects traffic on windows machines
using python scripts? :)

Thanks for your great work with scapy. It really is an amazing tool.

P.S.: I've just read this:

Compiling libdnet is a nightmare! I've tried it and I ended up using the
packages from this repo (for py2.7 and x64):

I guess I'll have to try harder to compile libdnet!


Darren McDonald | 4 Mar 11:52 2015


Does scapy support MPLS? I want to generate sendp(Ether()/IP()/ICMP()) 
packets, but include one or more MPLS shim labels between layers 2 and 
3. I've had a look around on google and the answer seems to be no. If 
not, I'd appreciate any tips or guidance on how I might go about 
implementing this myself.

Best regards,



Todd Bezenek | 17 Feb 23:21 2015

How to receive packets through netfilter/iptables into scapy?

I'm debugging a DNS firewall which uses netfilter/iptables.

I can send DNS requests which are processed by the firewall by setting:

However, when scapy gets a reply from the DNS (server), netfilter/iptables 
does not see the traffic.

Is there a way to do this?  Having scapy NOT listen would work fine as a 

Thank you for any help,

bezenek <at>


mahdieh Shahverdi | 16 Feb 12:11 2015

split a url into multiple packets using scapy

How to split a url into multiple IP packets using scapy?
Guillaume Valadon | 15 Feb 18:32 2015

[announce] Two Scapy related dojos at CanSecWest

Hi guys,

I will be giving two Scapy related dojos at CanSecWest on Monday March
16th and Tuesday March 17th.

The first one focuses on IPv6 network security and uses Scapy to provide
examples of link local attacks (
The second one is an advanced tutorial dedicated to Scapy.  (



Bug processing packets with TCP options in scapy 2.3

Hi folks,

I’m enhancing the support of BGP-4 in scapy. To that avail, I have forked scapy2.3. My repo is at if someone is interested.

In the process, I have found a strange bug when processing packets with TCP options:

When there are no TCP Options, the BGP payload is detected correctly:

###[ Ethernet ]###
  dst       = c2:02:0b:7e:00:00
  src       = c2:01:0b:7e:00:00
  type      = 0x86dd
###[ IPv6 ]###
     version   = 6L
     tc        = 192L
     fl        = 0L
     plen      = 39
     nh        = TCP
     hlim      = 64
     src       = 2001:db8::1
     dst       = 2001:db8::2
###[ TCP ]###
        sport     = 42037
        dport     = bgp
        seq       = 3288183041
        ack       = 2355868711
        dataofs   = 5L
        reserved  = 0L
        flags     = PA
        window    = 16339
        chksum    = 0xb5e3
        urgptr    = 0
        options   = []
###[ BGPHeader ]###
           marker    = 0xffffffffffffffffffffffffffffffffL
           len       = 19
           type      = KEEP_ALIVE

With TCP Options, the BGP payload is shown as Raw:

###[ Ethernet ]###
  dst       = c2:01:0b:7e:00:00
  src       = c2:02:0b:7e:00:00
  type      = 0x800
###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0xc0
     len       = 120
     id        = 53218
     flags     =
     frag      = 0L
     ttl       = 255
     proto     = tcp
     chksum    = 0xd6da
     src       =
     dst       =
     \options   \
###[ TCP ]###
        sport     = bgp
        dport     = 15110
        seq       = 2081661860
        ack       = 1098840934
        dataofs   = 10L
        reserved  = 0L
        flags     = PA
        window    = 16320
        chksum    = 0xca16
        urgptr    = 0
        options   = [('MD5SumOld', 'H\xea\xc8)O\x15N\xaa\xe3\x10\x0e\xea\xfe\xf9\x10,'), ('EOL', None)]
###[ Raw ]###
           load      = '\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00<\x02\x00\x00\x00\x19@\x01\x01\x00@\x02\x04\x02\x01\xfd\xea@\x03\x04\n\x00\x00\x02\x80\x04\x04\x00\x00\x00\x00\x18\xac\x11\x02\x18\xac\x11\x01\x18\xac\x11\x00'

I have started by adding the missing option in the TCPOptions field, but that hasn’t helped and I’m lost.

The capture I’m working on comes from and I used Wireshark to store it as PCAP for scapy. 

Thanks for any help,
Dr. Pedro A. Aranda Gutiérrez

Technology Exploration -
Network Innovation & Virtualisation
email: pedroa d0t aranda At telefonica d0t com
Telefónica, Investigación y Desarrollo
C/ D. Ramón de la Cruz,84
28006 Madrid, Spain

Questions are not there to be answered.
Questions are there to be asked.
Georg Kreisler
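
Added example (not part of the original message, and not code from Scapy or the fork): a standard-library Python check that rebuilds the TCP segment of the second dump from its printed fields, walks the options area, and locates the payload from the data offset. Function names and option labels are this example's own; the payload bytes are the Raw load from that dump, reading its at-sign characters as the byte 0x40.

```python
import struct

BGP_MARKER = b"\xff" * 16
OPT_NAMES = {0: "EOL", 1: "NOP", 19: "MD5"}  # option kinds; labels are this example's own


def parse_tcp_options(raw):
    """Walk the kind/length/value list that fills the TCP options area."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        name = OPT_NAMES.get(kind, kind)
        if kind == 0:  # EOL: the rest of the area is padding
            opts.append((name, None))
            break
        if kind == 1:  # NOP is a single byte with no length field
            opts.append((name, None))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option at offset %d" % i)
        opts.append((name, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts


def split_segment(segment):
    """Return (options, payload), locating the payload via the data offset."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    hdr_len = (segment[12] >> 4) * 4
    if not 20 <= hdr_len <= len(segment):
        raise ValueError("bad data offset")
    return parse_tcp_options(segment[20:hdr_len]), segment[hdr_len:]


def bgp_header(payload):
    """Return (length, type) if payload starts with a BGP header, else None."""
    if len(payload) < 19 or payload[:16] != BGP_MARKER:
        return None
    length, msg_type = struct.unpack("!HB", payload[16:19])
    return (length, msg_type) if 19 <= length <= 4096 else None


# Segment rebuilt from the fields of the second dump in the message.
DIGEST = bytes.fromhex("48eac8294f154eaae3100eeafef9102c")
TCP_FIXED = struct.pack("!HHIIBBHHH", 179, 15110, 2081661860, 1098840934,
                        10 << 4, 0x18, 16320, 0xCA16, 0)
OPTIONS = bytes([19, 18]) + DIGEST + bytes([0, 0])  # MD5 option, EOL, one pad byte
LOAD = BGP_MARKER + bytes.fromhex(
    "003c02" "0000" "0019" "40010100" "4002040201fdea" "4003040a000002"
    "80040400000000" "18ac1102" "18ac1101" "18ac1100")
SEGMENT = TCP_FIXED + OPTIONS + LOAD
```

With dataofs = 10 the header is 40 bytes, so the payload starts at byte 40 and is a 60-byte BGP message of type 2 (UPDATE), which matches the IP length of 120 in the dump; the first dump, by contrast, carried a KEEP_ALIVE.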

Martin | 3 Feb 00:01 2015

Question about timestamp input form in NTP packet


At the end of the Scapy documentation 2.1.0 I found your email where it says that I
can ask a question if something is needed.

I am trying to forge an NTP packet and things stopped at the Timestamp value input.
There should be something like "Feb 2, 2015 21:46:55.000000000 UTC"

In which format do I need to enter this behind "=" (mypacket.ref = ___) so it
would be recognised correctly?

Thank you for your help!
Have a nice day!

Regards Martin
