Todd Bezenek | 17 Feb 23:21 2015

How to receive packets through netfilter/iptables into scapy?

I'm debugging a DNS firewall which uses netfilter/iptables.

I can send DNS requests which are processed by the firewall by setting:

However, when scapy gets a reply from the DNS (server), netfilter/iptables 
does not see the traffic.

Is there a way to do this?  Having scapy NOT listen would work fine as a 

Thank you for any help,

bezenek <at>

To unsubscribe, send a mail to <at>

mahdieh Shahverdi | 16 Feb 12:11 2015

split a url into multiple packets using scapy

How to split a url into multiple IP packets using scapy?
Guillaume Valadon | 15 Feb 18:32 2015

[announce] Two Scapy related dojos at CanSecWest

Hi guys,

I will be giving two Scapy related dojos at CanSecWest on Monday March
16th and Tuesday March 17th.

The first one focuses on IPv6 network security and uses Scapy to provide
examples of link local attacks (
The second one is an advanced tutorial dedicated to Scapy.  (


To unsubscribe, send a mail to <at>

Bug processing packets with TCP options in scapy 2.3

Hi folks,

I’m enhancing the support of BGP-4 in scapy. To that avail, I have forked scapy2.3. My repo is at if someone is interested.

In the process, I have found a strange bug when processing packets with TCP options:

When there are no TCP Options, the BGP payload is detected correctly:

###[ Ethernet ]###
  dst       = c2:02:0b:7e:00:00
  src       = c2:01:0b:7e:00:00
  type      = 0x86dd
###[ IPv6 ]###
     version   = 6L
     tc        = 192L
     fl        = 0L
     plen      = 39
     nh        = TCP
     hlim      = 64
     src       = 2001:db8::1
     dst       = 2001:db8::2
###[ TCP ]###
        sport     = 42037
        dport     = bgp
        seq       = 3288183041
        ack       = 2355868711
        dataofs   = 5L
        reserved  = 0L
        flags     = PA
        window    = 16339
        chksum    = 0xb5e3
        urgptr    = 0
        options   = []
###[ BGPHeader ]###
           marker    = 0xffffffffffffffffffffffffffffffffL
           len       = 19
           type      = KEEP_ALIVE

With TCP Options, the BGP payload is shown as Raw:

###[ Ethernet ]###
  dst       = c2:01:0b:7e:00:00
  src       = c2:02:0b:7e:00:00
  type      = 0x800
###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0xc0
     len       = 120
     id        = 53218
     flags     =
     frag      = 0L
     ttl       = 255
     proto     = tcp
     chksum    = 0xd6da
     src       =
     dst       =
     \options   \
###[ TCP ]###
        sport     = bgp
        dport     = 15110
        seq       = 2081661860
        ack       = 1098840934
        dataofs   = 10L
        reserved  = 0L
        flags     = PA
        window    = 16320
        chksum    = 0xca16
        urgptr    = 0
        options   = [('MD5SumOld', 'H\xea\xc8)O\x15N\xaa\xe3\x10\x0e\xea\xfe\xf9\x10,'), ('EOL', None)]
###[ Raw ]###
           load      = '\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00<\x02\x00\x00\x00\x19 <at> \x01\x01\x00 <at> \x02\x04\x02\x01\xfd\xea <at> \x03\x04\n\x00\x00\x02\x80\x04\x04\x00\x00\x00\x00\x18\xac\x11\x02\x18\xac\x11\x01\x18\xac\x11\x00’

I have started by adding the missing option in the TCPOptions field, but that hasn’t helped and I’m lost.

The capture I’m working on comes from and I used Wireshark to store it as PCAP for scapy. 

Thanks for any help,
Dr. Pedro A. Aranda Gutiérrez

Technology Exploration -
Network Innovation & Virtualisation
email: pedroa d0t aranda At telefonica d0t com
Telefónica, Investigación y Desarrollo
C/ D. Ramón de la Cruz,84
28006 Madrid, Spain

Fragen sind nicht da, um beantwortet zu werden.
Fragen sind da, um gestellt zu werden.
Georg Kreisler

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
Martin | 3 Feb 00:01 2015

Question about timestamp imput form in NTP packet


At end of Scapy documentation 2.1.0 i found your email where it says that i
can ask a question if something is needed.

I am trying to forge NTP packet and things stopped at Timestamp value input.
There should be something like "Feb 2, 2015 21:46:55.000000000 UTC"

In which format i need to enter this behind "=" (mypacket.ref = ___) so it
would be recognised corectly?

Thank you for your help!
Have a nice day!

Regards Martin

To unsubscribe, send a mail to <at>

Iain R. Learmonth | 27 Jan 06:44 2015

UDP-Lite Support for Scapy


I have produced a patch to add UDP-Lite support for Scapy.

Have I pull requested the right repository for this? If there are any
comments, I'm happy to make minor changes.

I need to use Scapy with UDP-Lite for some work I'm doing for the OONI
project ( I have carved out the necessary bits
to allow for OONI to use for now, but it would be good to see this included
in the main Scapy distribution soon.



e: irl <at>            w:
x: irl <at>     t: EPVPN 2105
c: 2M0STB                  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Patrik Hagara | 20 Jan 15:04 2015

Automaton custom listen socket

Hi list,

I stumbled upon an issue with customizing listen socket of automata.

While the sending socket class can be changed just fine by passing 'll'
keyword argument to the constructor, the listening socket always gets
initialized with an instance of conf.L2listen.

The reason why I'm trying to do this is unit testing of my automaton.
As it is now, I have to mock the whole conf.L2listen thing and also
single-step the automaton into its initial state, so that the listen
socket instance is created. Otherwise a race condition will occur when
you try to run multiple automata at once, possibly mis-assigning
listen sockets.

My current workaround:
> monkeypatch.setattr(conf, 'L2listen', MyMockListenSocket)
> a = MyAutomaton(ll=MyMockSendSocket)
> a.add_breakpoints(a.initial_states[0])
> try:
> except Automaton.Breakpoint:
>   assert a.state.state == a.initial_states[0].atmt_state

I propose adding a new optional keyword argument to the Automaton
class constructor that would behave similarly to the 'll' kwarg
that is already present. That is, save the requested sending socket
class in its constructor (as eg. self.listen_sock_class) and then
instantiate the saved class in _do_run() (passing it the remaining



To unsubscribe, send a mail to <at>

Sadia Bashir | 20 Jan 01:56 2015

Generating GRE tunneled traffic with Scapy

Hello everyone,

I am new to scapy. I want to test performance and behaviour of encapsulated traffic, for this purpose, I want to generate traffic as given in NVGRE draft here:

Currently I am generating GRE tunneled traffic with following command in Scapy:

this is an encapsulation test")))

but in Wireshark I get "Encapsulated 0x0001(unknown)" instead of " Encapsulated Possible GRE keepalive packet"

Please see the image attached and suggest me some workaround to make this thing work. Thank you for any suggestion/guidance/help in advance.



To unsubscribe, send a mail to <at>
Robin Jarry | 14 Jan 10:01 2015

Reuse scapy as a lib in other projects

Hi all,

It appears that when importing some sub parts of scapy source tree from a 3rd party app, *all* (or almost all) scapy code is imported (not only dependencies of the imported module). This process not only is slow, but also "pollutes" the globals() with a lot of unnecessary symbols.

I understand that is necessary when running the scapy shell app, but could this be avoided while using scapy as a lib from another app? Maybe by reworking the way the layers are loaded and by trying to reduce to the minimum the dependencies between scapy sub modules (no more import * stuff). I think that this would also speed-up scapy start and maybe fix some hidden bugs along the way.

I am willing to work on that issue, but first I wanted to discuss it with guys that have a better knowledge of the framework than me.

* Do you agree this would be a good thing?
* Are there things that cannot be changed for good reasons?
* Are there problems that I should anticipate?

Thanks in advance for your input.


Joshua Wright | 3 Jan 16:07 2015

Non-interactive color

Does anyone have a suggestion for getting color in a non-interactive script?

$ scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python Crypto lib. Won't be able to decrypt WEP.
Welcome to Scapy (2.1.0)
>>> conf.color_scheme=AnsiColorTheme()
>>> print Dot11().show()
###[ 802.11 ]###
  subtype= 0
  type= Management
  proto= 0
  ID= 0
  addr1= 00:00:00:00:00:00
  addr2= 00:00:00:00:00:00
  addr3= 00:00:00:00:00:00
  SC= 0
  addr4= 00:00:00:00:00:00

Here, "print Dot11().show()" displays in color in my terminal on OS X.

$ cat
#!/usr/bin/env python
from scapy.all import *
print Dot11().show()
$ python
WARNING: No route found for IPv6 destination :: (no default route?)
###[ 802.11 ]###
  subtype   = 0
  type      = Management
  proto     = 0
  FCfield   =
  ID        = 0
  addr1     = 00:00:00:00:00:00
  addr2     = 00:00:00:00:00:00
  addr3     = 00:00:00:00:00:00
  SC        = 0
  addr4     = 00:00:00:00:00:00

Here, it does not display in color on the same terminal.  I spent some time poking around in some of the source,
but I wasn't able to figure out how Scapy decided when to use color and when not to use color.  Any suggestions?


To unsubscribe, send a mail to <at>

simon | 29 Dec 15:40 2014

pip install not working

There seem to be two scapy versions on pypi -scapy and scapy-real.

Neither work with pip install because the releases are called xxx-dev and pip 
treats these as development releases and rejects as invalid.

To unsubscribe, send a mail to <at>