Scapy: a powerful interactive packet manipulation program (secdev.org)
108 points by ColinWright on Dec 8, 2012 | 13 comments



I recently used this to create a tethering program. It works well, but there is a large bug. In particular, in the sniff function. When you sniff UDP packets, Scapy miscalculates the length of the IP and UDP packets. What is happening is that Scapy uses the UDP length as the IP length, and then subtracts the size of the UDP header for the UDP header. If you then try and send it to another computer, the packet is "malformed" because the length is incorrect. To prove this, when you sniff a UDP packet and then do packet.show(), the packet looks totally correct. If you use packet.show2(), the packet cuts off the end. This is because the show2 function uses the length and recalculates the checksum. To solve this, delete the packet[IP].len and the packet[UDP].len and then show2(). This correctly recalculates the length and shows the full packet.
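The effect of stale length fields on a re-sent packet, as an added example that is not part of the original thread and does not use Scapy: a standard-library sketch in which a parser that trusts the header lengths loses the payload until the IPv4/UDP lengths and checksums are recomputed from the bytes present. The sample packet, its addresses and ports, and the function names are constructed for illustration; the wrong lengths follow the description in the comment above.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def declared_payload(raw: bytes) -> bytes:
    """UDP payload as seen by a parser that trusts the header length fields."""
    ihl = (raw[0] & 0x0F) * 4
    ip_len = struct.unpack("!H", raw[2:4])[0]
    udp_len = struct.unpack("!H", raw[ihl + 4:ihl + 6])[0]
    end = min(ip_len, ihl + udp_len, len(raw))
    return raw[ihl + 8:end]

def repair(raw: bytes) -> bytes:
    """Recompute IPv4/UDP lengths and checksums from the bytes actually present."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[0] >> 4 != 4 or raw[9] != 17 or len(raw) < ihl + 8:
        raise ValueError("not an IPv4/UDP packet")
    pkt = bytearray(raw)
    udp_len = len(raw) - ihl
    struct.pack_into("!H", pkt, 2, len(raw))        # IP total length
    struct.pack_into("!H", pkt, 10, 0)              # zero IP checksum before summing
    struct.pack_into("!H", pkt, 10, csum(bytes(pkt[:ihl])))
    struct.pack_into("!H", pkt, ihl + 4, udp_len)   # UDP length
    struct.pack_into("!H", pkt, ihl + 6, 0)         # zero UDP checksum before summing
    pseudo = bytes(pkt[12:20]) + struct.pack("!BBH", 0, 17, udp_len)
    # A computed UDP checksum of 0 is transmitted as 0xFFFF (0 means "none").
    struct.pack_into("!H", pkt, ihl + 6, csum(pseudo + bytes(pkt[ihl:])) or 0xFFFF)
    return bytes(pkt)

def build_stale(payload: bytes) -> bytes:
    """Constructed sample: IP len set to the UDP length, UDP len short by 8 bytes."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, udp_len, 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 53, udp_len - 8, 0)
    return ip + udp + payload

if __name__ == "__main__":
    stale = build_stale(b"hello, tethering")
    print(declared_payload(stale), declared_payload(repair(stale)))
```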


I tried to use node.js instead of scapy, dropping down to a C++ addon that we wrote in order to do ioctl calls and send raw packets.

We ended up keeping the addon for the ioctl calls, but the addon for sending raw packets didn't make it: we didn't want to reconstruct the javascript object versions of packets sniffed by node_pcap in order to send them on the raw socket (didn't want to make a small mistake and break the whole project for ourselves).

So we used scapy for that part of the tethering project; worked well for us though it could have used more docs.


Did you submit a bug report or a patch? You seem to have diagnosed it quite sufficiently.


I did.


See also pcapy/Impacket: http://corelabs.coresecurity.com/index.php?module=Wiki&a...

Scapy and Impacket are basically Python scriptable versions of tcpdump / wireshark. Very useful tools, particularly for measuring a server's behavior without having to modify it for logging, etc. I once used pcapy to log several years of an NTP pool server to make this graph: http://imgur.com/IvRdU


This appears to be somewhat outdated. There's more recent information here: http://trac.secdev.org/scapy/wiki

Includes a FAQ and a great guide for capturing rogue DHCP servers on your network: http://trac.secdev.org/scapy/wiki/IdentifyingRogueDHCPServer...

I've had to use it a few times. It is also (or used to be?) in MacPorts.


This appears to be a newfangled version of:

http://packetfactory.openwall.net/projects/libnet/

which route created / maintained.


Can scapy or any other util modify packets on the fly?

I've always wanted an "nsed" -- to mimic the "ngrep" idea. A quick and dirty way to, for example, modify HTTP headers on the fly.


I can't say I have tried, perhaps I will later, but how about netcat piped to sed? Also, check out burpsuite for most of that functionality... just not CLI-based.


It can, yet headers such as checksums will have to be handled as well.


Try ettercap


Guess I'm not sure how/why this hit HN's front page? Scapy has been around for years. Nothing new to see here and, well, I'm not sure Scapy has a very vibrant development anymore... o_O


When I type in 'modules' at the help prompt, the program hangs. Same with 'modules spam'.



