Suraj Deshmukh | 30 Jul 15:20 2015

SNMP packet shows as malformed DNS packet in wireshark


When I created a SNMP packet in scapy as below

>>> a = Ether()/IP()/UDP()/SNMP()
>>> wireshark(a)
In wireshark instead of showing SNMP packet at application layer it
shows [Malformed Packet: DNS]. Is this a bug? Should this be reported
or am I doing something wrong?


- Suraj Deshmukh

To unsubscribe, send a mail to <at>

Veit Hailperin | 29 Jul 13:40 2015

Missing TCP response if also received host-redirect


Not sure if this is me doing it wrong or if it's an issue with the library.

I'm sending a very simple request:

>>> ans, unans = sr(IP(dst="")/TCP(dport=80, flags="S"))
>>> ans.summary()
IP / TCP > S ==> IP / ICMP > redirect host-redirect / IPerror / TCPerror / Raw

If I look at the traffic using tcpdump, I see the ICMP host redirect, but also the packet that I'm actually interested in, the TCP SA-flagged one. 

How come I get IPerror/TCPerror instead of the SA flagged proper TCP packet? 

Kind regards,

patrick.battistello | 24 Jul 10:24 2015

Updated Diameter support for Scapy


A couple of updates for Diameter support are available at
under 2 branches:

1) 'diameter' branch:

It provides the Diameter layer support in scapy/contrib directory; the 3 additional files are:

* the library file.

This version includes the following modifications:

- bugs correction and enhanced decoding for a couple of AVPs,

- source code shrinking from 3678 lines to 1682 lines (for an equivalent protocol coverage) by avoiding to
have a class per AVP (only the enumerated now AVPs have a corresponding class),

- support for new standards; the coverage is now: RFC 6733, RFC 7155, RFC 4004, RFC 4006, RFC 4072, RFC 4740,
RFC 5778, RFC 5447, RFC 6942, RFC 5777, TS 29.229 V12.3.0 (2014-09), TS 29.272 V13.1.0 (2015-03), TS
29.329 V12.5.0 (2014-12), TS 29.212 V13.1.0 (2015-03), TS 32.299 V13.0.0 (2015-03), TS 29.210 V6.7.0
(2006-12), TS 29.214 V13.1.0 (2015-03), TS 29.273 V12.7.0 (2015-03), TS 29.173 V12.3.0 (2015-03), TS
29.172 V12.5.0 (2015-03), TS 29.215 V13.1.0 (2015-03), TS 29.209 V6.8.0 (2011-09), TS 29.061 V13.0.0
(2015-03), TS 29.219 V13.0.0 (2014-12).

* the Diameter commands and AVPs Python dictionaries with additional information on
standards and flags. These dictionaries are generated from standards parsing and are then used to

* diameter.uts: the UTScapy test script.

2) 'sctp' branch:

This SCTP branch contains a few modifications to, to bind the SCTPChunkData layer decoding to the
next layer based on:

- the 'proto_id' field of the SCTPChunkData layer (when not null), or,
- the 'sport/dport' fields of the SCTP layer.



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne
doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur,
veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant
susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be
protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

To unsubscribe, send a mail to <at>

Suraj Deshmukh | 17 Jul 11:34 2015

Scapy sending ETHERNET frames rather than 802.11 frames on wireless iface


I have been experimenting with scapy, trying to send some packets onto
wireless card.

The code I used looked like this
def deauth(hosts):

    for dst in hosts:
        import pdb; pdb.set_trace()
        print '[+]', gw_mac, '>', dst
Here 'hosts' contain various mac addresses and 'gw_mac' contains
access point mac address.

When I run this nothing effectively happened. Then i tried capturing
them on wireshark and it seemed that all frames were sent in
'Ethernet' protocol.

But when I do this on the interpreter

>>> p = RadioTap()/Dot11(type=0, subtype=12, addr1='30:85:a9:5c:11:23',
addr2='c4:12:f5:04:1b:82', addr3='c4:12:f5:04:1b:82')/Dot11Deauth()
>>> wireshark(p)

I have my 'mon0' interface ON, and another thread is sniffing on thr
mon0 interface. Is there something I am missing? Please help me.


- Suraj Deshmukh

To unsubscribe, send a mail to <at>

Fred Martin | 16 Jul 23:44 2015

sniff() with filter on arm64

sniff(filter="something") with the filter param does not
work on arm64.

If I change the line in attach_filter() of arch/

<     if scapy.arch.X86_64:
>     # Force for AARCH64
>     if True:

on this system, it works as expected for me.  But this is
obviously not a portable fix.  I also verified the offset
for the following line:
         bpfh = struct.pack("HL", nb, id(bpf)+36)

Otherwise, scapy is working as expected on my arm64.  So
it would be nice to incorporate this architecture for
others to enjoy as this platform ramps up.  I don't know
enough about the architecture handling to properly
incorporate this as a new architecture update to scapy
at this point.

Otherwise, thanks for this neat off-hand packet tool!

Without a fix:

In [3]: sniffres = sniff(iface="eth1", filter="not tcp")
error                                     Traceback (most recent call last)
<ipython-input-3-81ab776d5c1e> in <module>()
----> 1 sniffres = sniff(iface="eth1", filter="not tcp")

/usr/local/lib/python2.7/dist-packages/scapy/sendrecv.pyc in sniff(count, store, offline, prn,
lfilter, L2socket, timeout, opened_socket, stop_filter, *arg, **karg)
     559             if L2socket is None:
     560                 L2socket = conf.L2listen
--> 561             s = L2socket(type=ETH_P_ALL, *arg, **karg)
     562         else:
     563             s = PcapReader(offline)

/usr/local/lib/python2.7/dist-packages/scapy/arch/ in __init__(self, iface, type,
promisc, filter, nofilter)
     471                     filter = "not (%s)" % conf.except_filter
     472             if filter is not None:
--> 473                 attach_filter(self.ins, filter)
     474         if promisc is None:
     475             promisc = conf.sniff_promisc

/usr/local/lib/python2.7/dist-packages/scapy/arch/ in attach_filter(s, filter)
     138         bpfh = struct.pack("HL", nb, id(bpf)+36)
     139     else:
--> 140         bpfh = struct.pack("HI", nb, id(bpf)+20)
     141     s.setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, bpfh)

error: 'I' format requires 0 <= number <= 4294967295


To unsubscribe, send a mail to <at>

Karlo Rodriguez | 16 Jul 07:46 2015

Scapy python script consuming too much cpu while sniffing

I have coded a wireless probe sniffer using python + scapy. I'm want to use this script in openwrt routers.

Everytime it captures a probe request from nearby devices, the information is send to a webservice. (mac, power and probe).

My problem is the high consumption of CPU. The script runs quite good in my laptop (it takes between 50-70% of cpu), but when I run it in an openwrt router (400mhz cpu,16 ram) it takes 99%. It's a well known bug in scapy the lost of packets with high loads (I have tested at the same time the script in my laptop and in the router and the router do not catched all the available packets in the air)

I already made some optimizations to the code, but I think there's more room for improvement.

This is the script:


from scapy.all import *

import time

import thread

import requests

from datetime import datetime





def PacketHandler(pkt):

global buf

if pkt.haslayer(Dot11):

if pkt.type==PROBE_REQUEST_TYPE and pkt.subtype == PROBE_REQUEST_SUBTYPE:

arrival= int(time.mktime(time.localtime()))


extra = pkt.notdecoded




if extra!=None:

signal_strength = -(256-ord(extra[-4:-3]))


signal_strength = -100

source = pkt.addr2

dest= pkt.addr3



if buf['source']!=source and buf['probe']!=probe:

print 'se lanza %r %r %r' % (source,dest,probe)





print 'Error al lanzar el hilo %r' % source

def exporter (arrival,source,dest,pwr,probe):

    global uuid




        print r.status_code

        print r.content


        print 'ERROR EN EL HILO:::::: %r' % source

        #print 'wait 2 secs'



        #print r.status_code

        #print r.content

def main():

    print "[%s] Starting scan"



if __name__=="__main__":


I have tried adding filters to the sniff function

def main():

    print "[%s] Starting scan"

    sniff(iface=sys.argv[1],prn=PacketHandler, filter='link[26] = 0x40',store=0)


In my laptop runs really smooth, using between 1%-3% of cpu and catching most of the available packets in the air.

but when I run this on the router, the script throws an error and crash.

Traceback (most recent call last):

  File "", line 66, in <module>


  File "", line 63, in main

    sniff(iface=sys.argv[1],prn=PacketHandler, filter='link[26] = 0x40', store=0)

  File "/usr/lib/python2.7/site-packages/scapy/", line 550, in sniff

    s = L2socket(type=ETH_P_ALL, *arg, **karg)

  File "/usr/lib/python2.7/site-packages/scapy/arch/", line 460, in __init__

    attach_filter(self.ins, filter)

  File "/usr/lib/python2.7/site-packages/scapy/arch/", line 132, in attach_filter

    s.setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, bpfh)

  File "/usr/lib/python2.7/", line 224, in meth

    return getattr(self._sock,name)(*args)

socket.error: [Errno 99] Protocol not available

In the router I have installed the last version of scapy and tcpdump. Now I really don't know what to do.
Henning Reich | 7 Jul 16:33 2015

Re: PCAP Replay: DNS Response has bad udp cksum. (chksum recalulated)

Thanks for your reply. Yes, I have both in my PCAP and yes, show() shows "None" as value. 
Will try tomorrow the send() function and take a look on it.

Thanks for your help

Apologise Now | 3 Jul 11:14 2015


Henning Reich | 1 Jul 13:49 2015

PCAP Replay: DNS Response has bad udp cksum. (chksum recalulated)

Hi, I'm confused.

i use scapy to replay some pcaps. But it doesn't work with my captured DNS traffic and I have no idea, where the problem is. 

I load my pcap, replace IPs and MAC-Addresses and try:

for i in pkt:
    del i[IP].chksum
    del i[IP].payload.chksum

For the DNS Queries, all works as expected. Tcpdump on target devices returns something like:

11:43:11.446256 IP (tos 0x0, ttl 63, id 18669, offset 0, flags [none], proto UDP (17), length 66) > [udp sum ok] 25784+ [1au] A? ar: . OPT UDPsize=4096 (38)

But for the "Answer",, I got:

11:43:11.471941 IP (tos 0x0, ttl 54, id 29702, offset 0, flags [none], proto UDP (17), length 322) > [bad udp cksum 0xd907 -> 0x42a4!] 25784 q: A? 16/0/1 [4m59s] A,  [...]

Any ideas? Thank you
Iain R. Learmonth | 15 Jun 15:47 2015

UDP-lite layer for Scapy


Can someone take another look at this pull request?

I really would like to have this in scapy as currently I'm having to ship a
modified scapy to get UDP-lite for my project.



e: irl <at>            w:
x: irl <at>     t: EPVPN 2105
c: 2M0STB                  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
jérémie banier | 10 Jun 10:31 2015

Re: HTTP GET failing

Hi Hiren,

I wrote a blog post a while back after a BruCON session: 
It does the complete "wget" of a page, that should be enough to get you started.

Don't hesitate to come back if you have questions or comments :)

Le mer. 10 juin 2015 à 09:33, Marco Zunino <eng.marco.zunino <at>> a écrit :
I believe you are missing the creation of TCP connection. You need first to complete the 3way handshake in order to send/receive data on a TCP stream, you do this by completing the handshake between the client and the server:

# as source TCP port, we select a random one

# prepare the SYN packet to send to server to start the handshake, note the flags=S for SYN packet

# As for TCP standard, the server side will reply with an SYN ACK packet to our SYN

# If we get a response from the server, we use the values of the SYN ACK response to assign the correct
# SEQ and ACK number of our next TCP packet (containing the HTTP REQUEST)
if syn_ack:
    request1=IP(dst=sys.argv[1])/TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq + 1, flags='A')/httpRqs
  # We send the HTTP request and store the related ACK from the server for firther transmission
    replyAck = sr1(request)

So basically we first create a TCP connection and then we send the request on that stream, maybe google about the TCP handshake process to better understand the values assigned to SEQ and ACK numbers.

Here is the content of the HTTP request I am using:

httpRqs  = 'GET / HTTP/1.1\r\n' + \
'User-Agent: ZetaSec/1.0\r\n' + \
'Host:\r\n' + \
'Accept: */*\r\n' 

I think you might have problem with the request you are using because it is missing some mandatory HTTP Header, but that is a second step.

On Wed, Jun 10, 2015 at 2:13 AM, hiren panchasara <hiren <at>> wrote:
Hi all,

I am on FreeBSD and scapy-2.2.0_1 and I am getting Fin back from the
server when I try to http GET an object that I know is there. (I
confirmed with wget.) I want to grab. And if I do wget, I do get the object. Which means, I might be
doing something wrong in the scapy commands. Here is how it looks?

ip = IP(dst="<ip of>")
get = "GET /obj\r\n"

Is this not the correct way? Any pointers to debug this further?