Scapy: Low level packet hacking toolkit for Python (trickster.dev)
230 points by rl1987 on May 8, 2022 | 23 comments



I’ve used scapy for years and found it especially useful when performing internal penetration tests. It has useful patterns for tasks like quickly putting together a custom DNS server, UDP source spoofing, walking all ICMP codes (or a quick and dirty ICMP redirect tool), or coupling it with matplotlib to estimate how many active hosts are communicating with a remote server based on TCP sequence numbers (I believe this is part of the scapy examples).

Coupled with interfaces to import and export PCAP files, it’s also a great way to learn about or explore/tamper with network protocols.

The fact that it’s implemented in Python might scare some off, but I personally feel that this only adds to its usefulness since it can benefit from all of the external tooling and flexibility that comes with the language.


Scapy is great if you want to send and receive packets onto a network from Python. There are a few gotchas; for example, it can be eager to send real packets out in order to resolve names, which might not always be what you want if you're doing offline analysis.

If you are parsing packet captures or defining custom protocols then dpkt[0] is also worth a look. It's a simpler module with substantially higher performance.

[0] https://dpkt.readthedocs.io/en/latest/


Additionally, scapy is GPL and dpkt is more permissive. They both make mistakes; it can be illuminating to try both side by side. Scapy is more forgiving. dpkt is more performant.


Related:

Scapy: a powerful interactive packet manipulation program - https://news.ycombinator.com/item?id=4892380 - Dec 2012 (13 comments)

Traceroute in 15 lines of code using Scapy - https://news.ycombinator.com/item?id=6653644 - Nov 2013 (2 comments)


I have been doing a lot of Go and Rust these last few years but always come back to Python for quick iterations and proof of concept; scapy is a blessing for low level network programming inspections.


Scapy is an exceptional library that I enjoyed using for a recent project. However, I felt that the focus is entirely on capturing and analyzing traffic. If you want to manipulate the packets then the API is a little unsuited for that (for example recomputing packet checksums requires some invocation to pretty-print the packet which is weird).

OTOH, really amazing project to put together quick packet-level prototypes. Really shows the strength of the python ecosystem.


Sadly it's missing a native TCP reassembly. Was caught by surprise by that recently, but there's always pyshark.


Unfortunately, in my experience Wireshark sometimes fails to reassemble TCP streams after a retransmission or out-of-order event, despite the presence of a checkbox to do just that...


I wrote a pcap re-orderer (with scapy) just for this bug.
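For the reassembly discussion above, an added example (not code from any commenter) of ordering one direction of a TCP flow by sequence number, covering out-of-order arrival, retransmission and 32-bit sequence wraparound. It uses only the standard library and works on `(seq, payload)` pairs such as those pulled from a capture; the ISN and segments are constructed, and the overlap policy (keep bytes already placed) is an assumption of this sketch.

```python
def seq_delta(a, b):
    """Signed distance a - b in 32-bit TCP sequence space (handles wraparound)."""
    return ((a - b + 0x80000000) & 0xFFFFFFFF) - 0x80000000

def reassemble(isn, segments):
    """Rebuild the byte stream of one flow direction.

    isn      -- initial sequence number from the SYN
    segments -- iterable of (seq, payload) in capture order
    Returns (stream, gaps); gaps are (start, end) offsets that were never
    seen and are zero-filled so later offsets stay aligned.
    """
    base = (isn + 1) & 0xFFFFFFFF          # first data byte follows the SYN
    ordered = sorted(
        (seq_delta(seq, base), idx, payload)
        for idx, (seq, payload) in enumerate(segments) if payload
    )
    stream, gaps = bytearray(), []
    for off, _, payload in ordered:
        if off < 0:                        # data before the stream start
            payload, off = payload[-off:], 0
        end = len(stream)
        if off > end:                      # hole: a segment was lost or not captured
            gaps.append((end, off))
            stream.extend(b"\x00" * (off - end))
        elif off < end:                    # retransmission or overlap
            payload = payload[end - off:]  # keep the bytes already placed
        stream.extend(payload)
    return bytes(stream), gaps

# Constructed sample: ISN near 2**32 so the sequence numbers wrap mid-stream.
ISN = 0xFFFFFFF0
MSG = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

def seg(offset, length):
    return ((ISN + 1 + offset) & 0xFFFFFFFF, MSG[offset:offset + length])

A, B, C = seg(0, 10), seg(10, 16), seg(26, len(MSG) - 26)
CAPTURE = [A, C, B, B]                     # out of order, then B retransmitted

if __name__ == "__main__":
    print(reassemble(ISN, CAPTURE))
    print(reassemble(ISN, [A, C])[1])      # B missing -> reported as a gap
```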


I'd join the overall praise here, but some design choices in Scapy are quite weird and the implementations for many protocols are just plain terrible. Granted, that's not the fault of the original designers, since those protocols just fly around on GitHub, but geez, are some of them bad.


Some of the choices are a bit odd but it's an absolutely brilliant library. It's super simple to get started with and fairly easy to extend. If you do end up adding support for a standard protocol, please consider submitting a PR. The developers are super responsive and helpful.


Scapy is great, but if you need only something simple, it's hard to go past dpkt: https://github.com/kbandla/dpkt


Protobuf as a Scapy dissector, with Farsight's SIE as an example: https://github.com/m3047/tahoma_nmsg


Scapy's great. Another similar library is Impacket: https://github.com/SecureAuthCorp/impacket


I have used scapy for parsing and replaying (with some modification) pcap files containing a UDP packet stream. It worked perfectly, albeit Python is perhaps not the language for high-speed networking.


Does it work properly in Python running on Windows?


I've been wanting to learn more about the low level networking space. Is this a good library to use as a springboard for that?


It really depends on how much you already know. "Practical Packet Analysis" (No Starch Press) is a great book that I really appreciated: https://nostarch.com/packetanalysis3


This also depends on what you consider "low level networking" and how you want to learn. Scapy can be made to work; it may just be either under or overkill depending on what you are wanting to achieve. Implementing HTTP from the ground up? Scapy is probably overkill, just open a TCP socket in your language of choice and start building. Just want to understand what happens if different fields are changed below what a standard TCP/UDP socket call gets you access to? Scapy is a great choice to abstract the OS-specific pieces out of the way and provide you with prebuilt blocks to base your experimentation off of.


The built-in sockets library in Python tells you which constants are already available, and has useful functions like gethostbyaddr.

Since you didn’t mention a platform, also note that (last I looked) WSL was inadequate for crafting raw packets.


I've used it successfully for my ends in a personal project of mine. Together with Wireshark, it's good for learning, in my experience.


scapy was incredibly useful while I was writing some packet processing for just crafting test payloads and iterating quickly.


scapy is awesome for writing tests of low-level network code. You can sandbox a VM or process and inject packets.



