David Smith | 25 Mar 22:48 2015

igmpv3 module question

having some issues figuring out the proper configuration of various packets; 

for example this one, the dest address gets sent to loopback instead of the sending interface IP (which has the ether src="" mac as defined)

any help is appreciated.



import scapy.contrib.igmpv3


a=Ether(dst = "01:00:5e:00:01:01", src="00:1e:c9:5a:6b:ae")



c.srcaddrs = ['', '']

c.srcaddrs += ['']

c=scapy.contrib.igmpv3.IGMPv3(type=0x22, gaddr="")

print "Joining IP " + c.gaddr + " MAC " + a.dst

sendp(a/b/c, iface="em2")





[root <at> qa-05 ~]# tshark -V -i p8p1

Running as user "root" and group "root". This could be dangerous.

Capturing on 'p8p1'

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0

    Interface id: 0

    Encapsulation type: Ethernet (1)

    Arrival Time: Mar 24, 2015 14:23:42.398555000 PDT

    [Time shift for this packet: 0.000000000 seconds]

    Epoch Time: 1427232222.398555000 seconds

    [Time delta from previous captured frame: 0.000000000 seconds]

    [Time delta from previous displayed frame: 0.000000000 seconds]

    [Time since reference or first frame: 0.000000000 seconds]

    Frame Number: 1

    Frame Length: 60 bytes (480 bits)

    Capture Length: 60 bytes (480 bits)

    [Frame is marked: False]

    [Frame is ignored: False]

    [Protocols in frame: eth:ip:igmp]

Ethernet II, Src: 2wire_5a:6b:ae (00:1e:c9:5a:6b:ae), Dst: IPv4mcast_00:01:01 (01:00:5e:00:01:01)

    Destination: IPv4mcast_00:01:01 (01:00:5e:00:01:01)

        Address: IPv4mcast_00:01:01 (01:00:5e:00:01:01)

        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)

    Source: 2wire_5a:6b:ae (00:1e:c9:5a:6b:ae)

        Address: 2wire_5a:6b:ae (00:1e:c9:5a:6b:ae)

        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

    Type: IP (0x0800)

    Padding: 000000000000000000000000000000000000

Internet Protocol Version 4, Src: (, Dst: (

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)

        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)

    Total Length: 28

    Identification: 0x0001 (1)

    Flags: 0x00

        0... .... = Reserved bit: Not set

        .0.. .... = Don't fragment: Not set

        ..0. .... = More fragments: Not set

    Fragment offset: 0

    Time to live: 1

        [Expert Info (Note/Sequence): "Time To Live" only 1]

            [Message: "Time To Live" only 1]

            [Severity level: Note]

            [Group: Sequence]

    Protocol: IGMP (2)

    Header checksum: 0x7876 [correct]

        [Good: True]

        [Bad: False]

    Source: (

    Destination: (

    [Source GeoIP: Unknown]

    [Destination GeoIP: Unknown]

Internet Group Management Protocol

    [IGMP Version: 3]

    Type: Membership Report (0x22)

    Header checksum: 0xfcfd [correct]

    Num Group Records: 257

[Malformed Packet: IGMP]

    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]

        [Message: Malformed Packet (Exception occurred)]

        [Severity level: Error]

        [Group: Malformed]


mahdieh Shahverdi | 17 Mar 07:19 2015

Re: split a url into multiple packets using scapy

Thanks but I means as below:
suppose this long url : http://developers.jollypad.com/fb/index.php?dmmy=1&fb_sig_in_iframe=1&fb_sig_iframe_key=8e296a067a37563370ded05f5a3bf3ec&fb_sig_locale=bg_BG&fb_sig_in_new_facebook=1&fb_sig_time=1282749119.128&fb_sig_added=1&fb_sig_profile_update_time=1229862039&fb_sig_expires=1282755600&fb_sig_user=761405628&fb_sig_session_key=2.IuyNqrcLQaqPhjzhFiCARg__.3600.1282755600-761405628&fb_sig_ss=igFqJKrhJZWGSRO__Vpx4A__&fb_sig_cookie_sig=a9f110b4fc6a99db01d7d1eb9961fca6&fb_sig_ext_perms=user_birthday,user_religion_politics,user_relationships,user_relationship_details,user_hometown,user_location,user_likes,user_activities,user_interests,user_education_history,user_work_history,user_online_presence,user_website,user_groups,user_events,user_photos,user_videos,user_photo_video_tags,user_notes,user_about_me,user_status,friends_birthday,friends_religion_politics,friends_relationships,friends_relationship_details,friends_hometown,friends_location,friends_likes,friends_activities,friends_interests,friends_education_history,friends_work_history,friends_online_presence,friends_website,friends_groups,friends_events,friends_photos,friends_videos,friends_photo_video_tags,friends_notes,friends_about_me,friends_status&fb_sig_country=bg&fb_sig_api_key=9f7ea9498aabcd12728f8e13369a0528&fb_sig_app_id=177509235268&fb_sig=1a5c6100fa19c1c9b983e2d6ccfc05ef

I want to split this url into three tcp segment and send each tcp segment as a separate packet.
How should I do it?

On Monday, February 16, 2015 4:37 PM, Marco Zunino <eng.marco.zunino <at> gmail.com> wrote:

I think a good article on the topic is the following

There are 3 post in total, first two address the theory behind fragmentation and checksum, the third one shows you the concrete example in Scapy. To be honest with you, I did not read fully the article, but at first impression looks like good information, worst case this should be at least a good starting point.

Let us know if have luck, I will check further the topic and play with the code later

On Mon, Feb 16, 2015 at 12:44 PM, mahdieh Shahverdi <m.shahverdi <at> ymail.com> wrote:
I means a long URL as application data that may be store in multiple TCP segments each of them makes a IP packet.

On Monday, February 16, 2015 2:59 PM, Tobias Mueller <muelli <at> cryptobitch.de> wrote:

On Mon, Feb 16, 2015 at 11:11:43AM +0000, mahdieh Shahverdi wrote:

> Hi,How to split a url into multiple IP packets using scapy?

I'm confused. What does it even mean to have a URL in IP packets?


To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

newlog | 10 Mar 12:00 2015

Error injecting traffic from Windows (libdnet / scapy issue)

Hi all,

I've been trying to inject traffic from pcap files to the network. I've
been lucky on some environments, but I haven't in many others. I usually
get the following error:

> WARNING: No match between your pcap and dnet network interfaces found.
> You probably won't be able to send packets. Deactivating unneeded
> interfaces and restarting Scapy might help.

My code is as simple as:

> packets = sniff(offline=self.PCAPFileName)
> sendp(packets)

I think I've read all the information available for this issue. A
overview of the topic by Dirk here:

I know that the problem happens in scapy/arch/windows/__ini__.py:

> def load_from_dnet(self):
>         """Populate interface table via dnet"""
>         for i in pcapdnet.dnet.intf():
>             try:
>                 # comment...
>                 if i["name"].startswith("eth") and "addr" in i:
>                     self.data[i["name"]] = NetworkInterface(i)
>             except (KeyError, PcapNameNotFoundError):
>                 pass
>         if len(self.data) == 0:
>             log_loading.warning("error")

So I don't have a clue why intf() returns an empty object in the
problematic systems. I've have all IPs setted statically. It's really
weird because it doesn't work in Windows 7 x64, but works correctly on
Windows 2012 R2 x64, so it's not because the 32 vs 64 bits.

I know that this is a libdnet bug, but given that libdnet code seems to
be abandoned and scapy relies on it for such critical things as getting
OS NICs, how's that in 5 years no workarounds have been looked? Don't
want to sound as an asshole (my english deficiencies here!)! It's just
one thing that bugs me. Is it because lack of time/resources? Because
really few people is affected by this issue? Is it really hard to solve?

I've also read that previous tries to move away from libdnet and use
WinPcap have been done (from 2009):

I guess that this didn't get to mainstream, isn't it? It would be
awesome given that WinPcap is an active project not as libdnet.

Finally, if there's no solution for this issue and, therefore, for
injecting pcap traffic from a Windows box using scapy, which are the
remaining approaches (using python)? I've been trying to look for any
other solutions, but it seems that everything boils down to libdnet or
Unix platforms (that aren't an option for me).
Does this mean that no one reliably injects traffic on windows machines
using python scripts? :)

Thanks for your great work with scapy. It really is an amazin tool.

P.S.: I've just read this:

Compiling lidbnet is a nightmare! I've tried it and I ended up using the
packages from this repo (for py2.7 and x64):

I guess I'll have to try harder to compile libdnet!

To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Darren McDonald | 4 Mar 11:52 2015


Does scapy support MPLS? I want to generate sendp(Ether()/IP()/ICMP()) 
packets, but include one or more MPLS shim labels between layers 2 and 
3. I've had a look around on google and the answer seems to be no. If 
not, id appreciate any tips or guidance on how I might go about 
implementing this myself.

Best regards,


To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Todd Bezenek | 17 Feb 23:21 2015

How to receive packets through netfilter/iptables into scapy?

I'm debugging a DNS firewall which uses netfilter/iptables.

I can send DNS requests which are processed by the firewall by setting:


However, when scapy gets a reply from the DNS (server), netfilter/iptables 
does not see the traffic.

Is there a way to do this?  Having scapy NOT listen would work fine as a 

Thank you for any help,

bezenek <at> gmail.com

To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

mahdieh Shahverdi | 16 Feb 12:11 2015

split a url into multiple packets using scapy

How to split a url into multiple IP packets using scapy?
Guillaume Valadon | 15 Feb 18:32 2015

[announce] Two Scapy related dojos at CanSecWest

Hi guys,

I will be giving two Scapy related dojos at CanSecWest on Monday March
16th and Tuesday March 17th.

The first one focuses on IPv6 network security and uses Scapy to provide
examples of link local attacks (https://cansecwest.com/dojos/2015/ipv6_netsec.html).
The second one is an advanced tutorial dedicated to Scapy.  (https://cansecwest.com/dojos/2015/scapy.html)


To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Bug processing packets with TCP options in scapy 2.3

Hi folks,

I’m enhancing the support of BGP-4 in scapy. To that avail, I have forked scapy2.3. My repo is at https://bitbucket.org/paaguti/scapy23-mpbgp if someone is interested.

In the process, I have found a strange bug when processing packets with TCP options:

When there are no TCP Options, the BGP payload is detected correctly:

###[ Ethernet ]###
  dst       = c2:02:0b:7e:00:00
  src       = c2:01:0b:7e:00:00
  type      = 0x86dd
###[ IPv6 ]###
     version   = 6L
     tc        = 192L
     fl        = 0L
     plen      = 39
     nh        = TCP
     hlim      = 64
     src       = 2001:db8::1
     dst       = 2001:db8::2
###[ TCP ]###
        sport     = 42037
        dport     = bgp
        seq       = 3288183041
        ack       = 2355868711
        dataofs   = 5L
        reserved  = 0L
        flags     = PA
        window    = 16339
        chksum    = 0xb5e3
        urgptr    = 0
        options   = []
###[ BGPHeader ]###
           marker    = 0xffffffffffffffffffffffffffffffffL
           len       = 19
           type      = KEEP_ALIVE

With TCP Options, the BGP payload is shown as Raw:

###[ Ethernet ]###
  dst       = c2:01:0b:7e:00:00
  src       = c2:02:0b:7e:00:00
  type      = 0x800
###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0xc0
     len       = 120
     id        = 53218
     flags     =
     frag      = 0L
     ttl       = 255
     proto     = tcp
     chksum    = 0xd6da
     src       =
     dst       =
     \options   \
###[ TCP ]###
        sport     = bgp
        dport     = 15110
        seq       = 2081661860
        ack       = 1098840934
        dataofs   = 10L
        reserved  = 0L
        flags     = PA
        window    = 16320
        chksum    = 0xca16
        urgptr    = 0
        options   = [('MD5SumOld', 'H\xea\xc8)O\x15N\xaa\xe3\x10\x0e\xea\xfe\xf9\x10,'), ('EOL', None)]
###[ Raw ]###
           load      = '\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00<\x02\x00\x00\x00\x19 <at> \x01\x01\x00 <at> \x02\x04\x02\x01\xfd\xea <at> \x03\x04\n\x00\x00\x02\x80\x04\x04\x00\x00\x00\x00\x18\xac\x11\x02\x18\xac\x11\x01\x18\xac\x11\x00’

I have started by adding the missing option in the TCPOptions field, but that hasn’t helped and I’m lost.

The capture I’m working on comes from http://packetlife.net/captures/BGP_MP_NLRI.cap and I used Wireshark to store it as PCAP for scapy. 

Thanks for any help,
Dr. Pedro A. Aranda Gutiérrez

Technology Exploration -
Network Innovation & Virtualisation
email: pedroa d0t aranda At telefonica d0t com
Telefónica, Investigación y Desarrollo
C/ D. Ramón de la Cruz,84
28006 Madrid, Spain

Fragen sind nicht da, um beantwortet zu werden.
Fragen sind da, um gestellt zu werden.
Georg Kreisler

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
Martin | 3 Feb 00:01 2015

Question about timestamp imput form in NTP packet


At end of Scapy documentation 2.1.0 i found your email where it says that i
can ask a question if something is needed.

I am trying to forge NTP packet and things stopped at Timestamp value input.
There should be something like "Feb 2, 2015 21:46:55.000000000 UTC"

In which format i need to enter this behind "=" (mypacket.ref = ___) so it
would be recognised corectly?

Thank you for your help!
Have a nice day!

Regards Martin

To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Iain R. Learmonth | 27 Jan 06:44 2015

UDP-Lite Support for Scapy


I have produced a patch to add UDP-Lite support for Scapy.


Have I pull requested the right repository for this? If there are any
comments, I'm happy to make minor changes.

I need to use Scapy with UDP-Lite for some work I'm doing for the OONI
project (https://ooni.torproject.org/). I have carved out the necessary bits
to allow for OONI to use for now, but it would be good to see this included
in the main Scapy distribution soon.



e: irl <at> fsfe.org            w: iain.learmonth.me
x: irl <at> jabber.fsfe.org     t: EPVPN 2105
c: 2M0STB                  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Patrik Hagara | 20 Jan 15:04 2015

Automaton custom listen socket

Hi list,

I stumbled upon an issue with customizing listen socket of automata.

While the sending socket class can be changed just fine by passing 'll'
keyword argument to the constructor, the listening socket always gets
initialized with an instance of conf.L2listen.

The reason why I'm trying to do this is unit testing of my automaton.
As it is now, I have to mock the whole conf.L2listen thing and also
single-step the automaton into its initial state, so that the listen
socket instance is created. Otherwise a race condition will occur when
you try to run multiple automata at once, possibly mis-assigning
listen sockets.

My current workaround:
> monkeypatch.setattr(conf, 'L2listen', MyMockListenSocket)
> a = MyAutomaton(ll=MyMockSendSocket)
> a.add_breakpoints(a.initial_states[0])
> try:
>   a.run()
> except Automaton.Breakpoint:
>   assert a.state.state == a.initial_states[0].atmt_state

I propose adding a new optional keyword argument to the Automaton
class constructor that would behave similarly to the 'll' kwarg
that is already present. That is, save the requested sending socket
class in its constructor (as eg. self.listen_sock_class) and then
instantiate the saved class in _do_run() (passing it the remaining



To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org