Robin Jarry | 27 Mar 18:34 2014

full IPSec layer support

Hello all,

Some of you may already know the old scapysec implementation by Frédéric Roudault. Unfortunately, this was for scapy 1.X and it was never adapted from 2.X. After spending some time trying to rebase it on the head of scapy, I decided to start from scratch.

While the old implementation works fine, I found some problems:
  • Overly complex system with a SAD object hacked into scapy.conf.setkey. Which does not cover the whole SP/SA mechanism of a real ipsec implementation anyways (like linux).
  • The user is forced to "know" the ipsec RFC when building ESP packets
  • No support for AH
  • And of course, does not work with scapy 2.X
I developed a re-implementation which has the following highlights:
  • Support for both ESP and AH
  • Simple SecurityAssociation object with 2 services "encrypt" and "decrypt". One can give any IP(v6) packet to encrypt and get a valid ESP or AH encrypted/authenticated packet in return. No complex "lookup" mechanism.
  • Has unit tests
Attached to this message is a patch with my changes. Could you tell me what you think of it? I'd like to have some input from "wise" guys before creating an actual pull request on bb.


PS: I tried to add "ipsec" in scapy.config.Conf.load_layers but it seems to break the startup imports. No layer classes are available except ESP AH and SecurityAssociation. Maybe you can help?

Robin Jarry
R&D Engineer

Attachment (ipsec.patch): text/x-patch, 74 KiB
To unsubscribe, send a mail to <at>
Ramakrishna | 20 Mar 00:44 2014

IPv6 Extension Header bug report along with fix


My colleague Zhihao and I have been playing with IPv6 packets that can potentially get fragmented. Currently, there are bugs in scapy-2.2.0/scapy/layers/ which prevent the response packet from getting matched to the sent packet while using the sndrcv function from, in the case of a fragmented IPv6 response packet. 

Bug 1 : In Class IPv6, in the function 'answers', the case where the received packet is an IPv6 extension header packet is not handled
Bug 2 : In Class ICMPv6EchoReply, in the function 'answers', a check is made to see if the data from both sent and received packets would match. However, if the packet gets fragmented, then the data would not match. 

We have fixed the bugs. Please find the modified version of scapy here : 

Zhihao and Rama
Công Nguyễn | 18 Mar 04:39 2014

Scapy Automaton leave a lot of file descriptors open

I had a Automaton script running in background to implement a protocol, the script runs fine, but after a day or two, the system eventually runs out of file descriptor.

Running lsof, I saw a lot of python process. Inscrease ulimit does help a bit, but eventually the script will stop with 

Unhandled exception in thread started by <bound method X._do_control of <pppoe.X object at 0x24eb210>>
Traceback (most recent call last):
  File "/root/python/local/lib/python2.7/site-packages/scapy/", line 524, in _do_control
    self.send_sock = self.send_sock_class()
  File "/root/python/local/lib/python2.7/site-packages/scapy/arch/", line 309, in __init__
  File "/root/python/local/lib/python2.7/site-packages/scapy/arch/", line 293, in _flush_fd
    r,w,e = select([fd],[],[],0)
ValueError: filedescriptor out of range in select()

I saw this bug: , but I can't reach the scapy bug tracker, so I can only send an email here.

is anyone having this problem? Is there any temporary fix?

Anastasios Mag | 20 Feb 21:57 2014

GSOC 2014

I was just wondering about scapy's participation in GSOC 2014 this year. Does anyone know something ?

OWASP because the world is cruel..!
Stathis mozbery se lew | 5 Feb 11:50 2014

Promiscuous mode

Hi list,

I created a script which it uses scapy to send a packet to my SIP server.But i dont get any answer.
So i checked out the syslog and when i am using scapy i get this message on the syslog
"device eth0 entered promiscuous mode"
and when i close my script in the syslog i see this:
"device eth0 left promiscuous mode".

Also my firewall is not active and in the wireshark i can see the packet that i am sending.
I am using Ubuntu 10.4 on a Vmware machine.
So anyone have any idea how to i can avoid  the "promiscuous mode"?

Thank you

Mick Jones | 2 Feb 16:32 2014

IPv6 Fragmentation - can't detect response

Hi all,

I am trying to fragment an IPv6 using scapy and then detect if a response is 
received, for example:

i = 


However, scapy never detects a response, even though I am able to see a 
response in wireshark/tcpdump. 

Is this expected behaviour? If this is expected behaviour, how can I use 
scapy to detect if there has been a response? 

If it isn't expected behaviour, could someone please provide a potential 



To unsubscribe, send a mail to <at>

BRULE Herman | 31 Jan 15:05 2014

Bug into scapy: ubyte format requires 0 <= number <= 255



With this command:

res,unans = traceroute(["","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",""],dport=[80],maxttl=600,retry=30)

I have:

.ERROR: --- Error in child 28988

Traceback (most recent call last):

File "/usr/lib64/python2.7/site-packages/scapy/", line 89, in sndrcv


File "/usr/lib64/python2.7/site-packages/scapy/arch/", line 387, in send

sx = str(ll(x))

File "/usr/lib64/python2.7/site-packages/scapy/", line 261, in __str__


File "/usr/lib64/python2.7/site-packages/scapy/", line 319, in build

p = self.do_build()

File "/usr/lib64/python2.7/site-packages/scapy/", line 311, in do_build

pay = self.do_build_payload()

File "/usr/lib64/python2.7/site-packages/scapy/", line 303, in do_build_payload

return self.payload.do_build()

File "/usr/lib64/python2.7/site-packages/scapy/", line 308, in do_build

pkt = self.self_build()

File "/usr/lib64/python2.7/site-packages/scapy/", line 299, in self_build

p = f.addfield(self, p, val)

File "/usr/lib64/python2.7/site-packages/scapy/", line 70, in addfield

return s+struct.pack(self.fmt, self.i2m(pkt,val))

error: ubyte format requires 0 <= number <= 255


I speak too french (it's my native language).





alpha_one_x86 <alpha_one_x86 <at>>

Main developer of Ultracopier, Esourcing and server management

IT, OS, technologies, security and business department

Antonios Atlasis | 15 Jan 20:54 2014

No correct assignment of next header value in IPv6 when the embedded header is an IPv4 one

Hi list,

As we all know, IPv4 can be encapsulated in IPv6. In such a case, when crafting such a packet using Scapy, the "next header" value is not assigned to the correct value (that is, 4). Example:

[ IPv6 ]
version= 6 tc= 0 fl= 0 plen= None nh= No Next Header hlim= 64 src= ::1 dst= ::1
[ IP ]

In the above example, the nh should be IP (that is, 4), and not No Next Header (that is, 59). IMHO that is because there isn't the following line in the definition of IP class: overload_fields = {IPv6: { "nh": 0 }}

Any "quick and dirty" way to fix this?



Apologise Now | 14 Jan 21:57 2014

Modify DNS Fields

Hello all,

I have read in a PCAP file and wish to modify some of the DNS fields, mainly the transaction ID.

So far I have been unsuccessful, is this possible to do?

Ali Khalfan | 14 Jan 21:10 2014

Remove TZSP encapsulation and forward to virtual interface

I've got TZSP (Tazmen Sniffer Protocol) traffic coming to a linux box I
have.  I would like to use Scapy to decode this traffic and then forward
it to another interface which would be monitored by an IDS.

Remove the encapsulating tags is something that I think I could handle.
 But, how do I go by listening to the traffic on scapy and more
importantly, how do I go by forwarding it to the other interface? do I
just replace the destination MAC address.

Is this something that should be done in scapy, or would it be more
advisable to use something else ?

To unsubscribe, send a mail to <at>

Rainer Bredehorn | 13 Jan 16:11 2014

IPv6 Mac address resolution


I'm using scapy to send a simple ICMPv6 request with the send() command.
I can see a neigbour solicitation and a neigbor advertisement.
And then I can see the ICMPv6 request and the reply.

Looking at the details of the ICMPv6 request I can see that the MAC address destination is "FF:FF:FF:FF:FF:FF".
Why isn't there the correct MAC address from the MAC resolution?

Kind regards,