[Notes] Using scapy - xieyunzi/xieyunzi.github.io GitHub Wiki
Sniffing 127.0.0.1 traffic on macOS
$ ifconfig | grep LOOPBACK
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
in scapy
>>> sniff(count=1,filter="icmp and ip host 127.0.0.1",iface=["lo0","en0"])
# ping localhost in another terminal tab
<Sniffed: TCP:0 UDP:0 ICMP:1 Other:0>
>>> _.summary()
Loopback / IP / ICMP 127.0.0.1 > 127.0.0.1 echo-reply 0 / Raw
send ARP
>>> ls(Ether)
...
>>> ls(ARP)
...
>>> p=Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.100")
>>> p
<Ether dst=ff:ff:ff:ff:ff:ff type=0x806 |<ARP pdst=192.168.1.100 |>>
>>> p.show()
...
>>> (srp1(p)).show()
...
DNS
send DNS query
>>> r=sr1(IP(dst="9.9.9.9")/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="www.google.com")),verbose=0)
>>> r[DNSRR]
<DNSRR rrname='www.google.com.' type=A rclass=IN ttl=203 rdata='66.220.155.12' |>
sniff DNS queries from the DNS server
>>> r=sniff(iface="interface",filter="port 53",count=5)
# query DNS from client
>>> r.summary()
...
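An added example (not part of the original notes, standard library only) showing the RFC 1035 message format that the DNS(rd=1, qd=DNSQR(...)) query above is serialized to, and how an answer such as the r[DNSRR] output is decoded, including name compression, which is useful when reading raw port 53 captures. The function names and the transaction id 0x1234 are assumptions, and the sample reply is constructed from the values shown in the output above.

```python
import socket
import struct

def encode_name(name):
    """Length-prefixed labels ending in a zero byte (the root label)."""
    parts = [p.encode("ascii") for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"

def build_query(qname, txid, rd=1):
    """12-byte header (id, flags, qdcount=1) plus one question: type A, class IN."""
    header = struct.pack("!HHHHHH", txid, rd << 8, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def read_name(msg, off):
    """Decode a name, following compression pointers; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while (length := msg[off]):
        if length & 0xC0 == 0xC0:            # pointer: 14-bit offset into msg
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                    # malformed packets can loop forever
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def parse_message(msg):
    """Return (txid, flags, questions, answers); rdata is decoded for A records only."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        value = socket.inet_ntoa(rdata) if (rtype, rdlen) == (1, 4) else rdata
        answers.append((name, rtype, ttl, value))
    return txid, flags, questions, answers

def sample_response():
    """Constructed reply: question for www.google.com plus one compressed A record."""
    query = build_query("www.google.com", 0x1234)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 203, 4) + socket.inet_aton("66.220.155.12")
    return header + query[12:] + rr
```

The bytes returned by build_query() can also be passed to scapy's DNS() constructor to dissect them with scapy itself.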