scapy.layers.l2

Classes and functions for layer 2 protocols.

class scapy.layers.l2.ARP

Bases: scapy.packet.Packet

aliastypes
answers(other)
extract_padding(s)
fields_desc
ARP fields

Name    Type               Default
hwtype  XShortField        1
ptype   XShortEnumField    2048
hwlen   FieldLenField      None
plen    FieldLenField      None
op      ShortEnumField     1
hwsrc   MultipleTypeField  None
psrc    MultipleTypeField  None
hwdst   MultipleTypeField  None
pdst    MultipleTypeField  None

hashret()
mysummary()
route()
class scapy.layers.l2.ARP_am(**kargs)

Bases: scapy.ansmachine.AnsweringMachine

Fake ARP Relay Daemon (farpd)

Example: To respond to an ARP request for 192.168.1.100, replying on the ingress interface:

farpd(IP_addr='192.168.1.100',ARP_addr='00:01:02:03:04:05')

To respond on a different interface add the interface parameter:

farpd(IP_addr='192.168.1.100',ARP_addr='00:01:02:03:04:05',iface='eth0')

To respond to ANY ARP request on an interface with MAC address ARP_addr:

farpd(ARP_addr='00:01:02:03:04:05',iface='eth1')

To respond to ANY ARP request with my MAC address on the given interface:

farpd(iface='eth1')

Optional Args:

inter=<n>   Interval in seconds between ARP replies being sent
filter = 'arp'
function_name = 'farpd'
is_request(req)
make_reply(req)
parse_options(IP_addr=None, ARP_addr=None)
print_reply(req, reply)
static send_function(x, inter=0, loop=0, iface=None, iface_hint=None, count=None, verbose=None, realtime=None, return_packets=False, socket=None, *args, **kargs)

Send packets at layer 2

Parameters
  • x – the packets

  • inter – time (in s) between two packets (default 0)

  • loop – send packet indefinitely (default 0)

  • count – number of packets to send (default None=1)

  • verbose – verbose mode (default None=conf.verbose)

  • realtime – check that a packet was sent before sending the next one

  • return_packets – return the sent packets

  • socket – the socket to use (default is conf.L3socket(kargs))

  • iface – the interface to send the packets on

  • monitor – (not on linux) send in monitor mode

Returns

None

send_reply(reply)
class scapy.layers.l2.ARPingResult(res=None, name='ARPing', stats=None)

Bases: scapy.plist.SndRcvList

show()

Print the list of discovered MAC addresses.

class scapy.layers.l2.CookedLinux

Bases: scapy.packet.Packet

aliastypes
fields_desc
CookedLinux fields

Name        Type              Default
pkttype     ShortEnumField    0
lladdrtype  XShortField       512
lladdrlen   ShortField        0
src         StrFixedLenField  b''
proto       XShortEnumField   2048

payload_guess

Possible sublayers: CAN, EAPOL, IP, IPv6, IrLAPHead, ARP, Dot1AD, Dot1Q, Ether, LLC, PPPoED, PPPoE

class scapy.layers.l2.DestMACField(name)

Bases: scapy.fields.MACField

i2h(pkt, x)
i2m(pkt, x)
class scapy.layers.l2.Dot1AD

Bases: scapy.layers.l2.Dot1Q

aliastypes
fields_desc
Dot1AD fields

Name  Type                Default
prio  BitField (3 bits)   0
id    BitField (1 bit)    0
vlan  BitField (12 bits)  1
type  XShortEnumField     0

payload_guess

Possible sublayers: MACsec, SPBM, Dot1AD, Dot1Q

class scapy.layers.l2.Dot1Q

Bases: scapy.packet.Packet

aliastypes
answers(other)
default_payload_class(pay)
extract_padding(s)
fields_desc
Dot1Q fields

Name  Type                Default
prio  BitField (3 bits)   0
id    BitField (1 bit)    0
vlan  BitField (12 bits)  1
type  XShortEnumField     0

mysummary()
payload_guess

Possible sublayers: EtherCat, LLDPDU, MACControl, MACsec, SPBM, Dot1AD

class scapy.layers.l2.Dot3

Bases: scapy.packet.Packet

aliastypes
answers(other)
classmethod dispatch_hook(_pkt=None, *args, **kargs)
extract_padding(s)
fields_desc
Dot3 fields

Name  Type            Default
dst   DestMACField    None
src   SourceMACField  None
len   LenField        None

mysummary()
payload_guess

Possible sublayers: LLC

class scapy.layers.l2.ERSPAN

Bases: scapy.packet.Packet

aliastypes
fields_desc
ERSPAN fields

Name        Type                Default
ver         BitField (4 bits)   0
vlan        BitField (12 bits)  0
cos         BitField (3 bits)   0
en          BitField (2 bits)   0
t           BitField (1 bit)    0
session_id  BitField (10 bits)  0
reserved    BitField (12 bits)  0
index       BitField (20 bits)  0

payload_guess

Possible sublayers: Ether

class scapy.layers.l2.Ether

Bases: scapy.packet.Packet

aliastypes
answers(other)
classmethod dispatch_hook(_pkt=None, *args, **kargs)
fields_desc
Ether fields

Name  Type             Default
dst   DestMACField     None
src   SourceMACField   None
type  XShortEnumField  36864

hashret()
mysummary()
payload_guess

Possible sublayers: AOE, EtherCat, HomePlugAV, IFE, SlowProtocol, LLDPDU, MACControl, MACsec, MPLS, NSH, ProfinetIO, SPBM, EAPOL, IP, IPv6, ARP, Dot1AD, Dot1Q, Ether, LLC, LLTD, PPP_ECP, PPP_IPCP, PPPoED, PPPoE

class scapy.layers.l2.GRE

Bases: scapy.packet.Packet

aliastypes
classmethod dispatch_hook(_pkt=None, *args, **kargs)
fields_desc
GRE fields

Name                 Type                Default
chksum_present       BitField (1 bit)    0
routing_present      BitField (1 bit)    0
key_present          BitField (1 bit)    0
seqnum_present       BitField (1 bit)    0
strict_route_source  BitField (1 bit)    0
recursion_control    BitField (3 bits)   0
flags                BitField (5 bits)   0
version              BitField (3 bits)   0
proto                XShortEnumField     0
chksum               XShortField (Cond)  None
offset               XShortField (Cond)  None
key                  XIntField (Cond)    None
seqence_number       XIntField (Cond)    None

payload_guess

Possible sublayers: MPLS, NSH, EAPOL, IP, IPv6, ARP, Dot1AD, Dot1Q, ERSPAN, Ether, GRErouting, LLC

post_build(p, pay)
class scapy.layers.l2.GRE_PPTP

Bases: scapy.layers.l2.GRE

Enhanced GRE header used with PPTP RFC 2637

aliastypes
fields_desc
GRE_PPTP fields

Name                 Type               Default
chksum_present       BitField (1 bit)   0
routing_present      BitField (1 bit)   0
key_present          BitField (1 bit)   1
seqnum_present       BitField (1 bit)   0
strict_route_source  BitField (1 bit)   0
recursion_control    BitField (3 bits)  0
acknum_present       BitField (1 bit)   0
flags                BitField (4 bits)  0
version              BitField (3 bits)  1
proto                XShortEnumField    34827
payload_len          ShortField         None
call_id              ShortField         None
seqence_number       XIntField (Cond)   None
ack_number           XIntField (Cond)   None

payload_guess

Possible sublayers: EAPOL, IP, IPv6, ARP, Dot1AD, Dot1Q, ERSPAN, Ether, GRErouting, LLC, PPP

post_build(p, pay)
class scapy.layers.l2.GRErouting

Bases: scapy.packet.Packet

aliastypes
fields_desc
GRErouting fields

Name            Type           Default
address_family  ShortField     0
SRE_offset      ByteField      0
SRE_len         FieldLenField  None
routing_info    StrLenField    b''

payload_guess

Possible sublayers: GRErouting, Raw

class scapy.layers.l2.LLC

Bases: scapy.packet.Packet

aliastypes
fields_desc
LLC fields

Name  Type        Default
dsap  XByteField  0
ssap  XByteField  0
ctrl  ByteField   0

payload_guess

Possible sublayers: _create_cln_pdu, SNAP, STP

class scapy.layers.l2.LoIntEnumField(name, default, enum)

Bases: scapy.fields.IntEnumField

i2m(pkt, x)
m2i(pkt, x)
class scapy.layers.l2.Loopback

Bases: scapy.packet.Packet

*BSD loopback layer

aliastypes
fields_desc
Loopback fields

Name  Type            Default
type  LoIntEnumField  2

payload_guess

Possible sublayers: IP, IPv6

class scapy.layers.l2.Neighbor

Bases: object

register_l3(l2, l3, resolve_method)
resolve(l2inst, l3inst)
class scapy.layers.l2.SNAP

Bases: scapy.packet.Packet

aliastypes
fields_desc
SNAP fields

Name  Type             Default
OUI   X3BytesField     0
code  XShortEnumField  0

payload_guess

Possible sublayers: CDPv2_HDR, DTP, VTP, EAPOL, IP, IPv6, ARP, Dot1AD, Dot1Q, Ether, STP

class scapy.layers.l2.STP

Bases: scapy.packet.Packet

aliastypes
fields_desc
STP fields

Name       Type           Default
proto      ShortField     0
version    ByteField      0
bpdutype   ByteField      0
bpduflags  ByteField      0
rootid     ShortField     0
rootmac    MACField       '00:00:00:00:00:00'
pathcost   IntField       0
bridgeid   ShortField     0
bridgemac  MACField       '00:00:00:00:00:00'
portid     ShortField     0
age        BCDFloatField  1
maxage     BCDFloatField  20
hellotime  BCDFloatField  2
fwddelay   BCDFloatField  15

class scapy.layers.l2.SourceMACField(name, getif=None)

Bases: scapy.fields.MACField

getif
i2h(pkt, x)
i2m(pkt, x)
scapy.layers.l2.arpcachepoison(target, victim, interval=60)

Poison target’s cache with (your MAC, victim’s IP) couple

arpcachepoison(target, victim, [interval=60]) -> None

scapy.layers.l2.arping(net, timeout=2, cache=0, verbose=None, **kargs)

Send ARP who-has requests to determine which hosts are up

arping(net, [cache=0,] [iface=conf.iface,] [verbose=conf.verb]) -> None

Set cache=True if you want arping to modify internal ARP-Cache

scapy.layers.l2.arpleak(target, plen=255, hwlen=255, **kargs)

Exploit ARP leak flaws, like NetBSD-SA2017-002.

https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-002.txt.asc
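
A detection-side counterpart to arpcachepoison and arpleak, added here as an example and not part of Scapy: a standard-library parser for the fields in the ARP table above (hwtype through pdst) that flags IP-to-MAC binding changes and hwlen/plen values that do not match Ethernet/IPv4. The function names, finding labels and sample frames are assumptions made for this illustration.

```python
import socket
import struct

def build_frame(eth_src, hwsrc, psrc, pdst, op=2, hwlen=6, plen=4):
    """Construct an Ethernet+ARP frame (sample data only, never sent)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    header = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, hwlen, plen, op)
    return (b"\xff" * 6 + mac(eth_src) + header + mac(hwsrc)
            + socket.inet_aton(psrc) + bytes(6) + socket.inet_aton(pdst))

def parse_arp(frame):
    """Decode the ARP fields listed in the table: hwtype .. pdst."""
    if len(frame) < 22 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet frame carrying ARP")
    hwtype, ptype, hwlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    arp = {"eth_src": frame[6:12].hex(":"), "hwtype": hwtype, "ptype": ptype,
           "hwlen": hwlen, "plen": plen, "op": op}
    # Only Ethernet/IPv4 ARP with matching lengths has a fixed address layout.
    arp["well_formed"] = ((hwtype, ptype, hwlen, plen) == (1, 0x0800, 6, 4)
                          and len(frame) >= 42)
    if arp["well_formed"]:
        arp["hwsrc"] = frame[22:28].hex(":")
        arp["psrc"] = socket.inet_ntoa(frame[28:32])
        arp["hwdst"] = frame[32:38].hex(":")
        arp["pdst"] = socket.inet_ntoa(frame[38:42])
    return arp

def audit(frames):
    """Return (frame index, finding) pairs for a sequence of ARP frames."""
    seen, findings = {}, []
    for i, frame in enumerate(frames):
        arp = parse_arp(frame)
        if not arp["well_formed"]:
            findings.append((i, "length-anomaly"))   # e.g. hwlen/plen of 255
            continue
        if arp["eth_src"] != arp["hwsrc"]:
            findings.append((i, "sender-mismatch"))  # Ether src != ARP hwsrc
        if seen.setdefault(arp["psrc"], arp["hwsrc"]) != arp["hwsrc"]:
            findings.append((i, "binding-change"))   # same IP, different MAC
    return findings

# Constructed sample traffic (documentation IP range, made-up MAC addresses).
GW, HOST, OTHER = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:99"
SAMPLE = [
    build_frame(GW, GW, "192.0.2.1", "192.0.2.10"),            # normal reply
    build_frame(HOST, HOST, "192.0.2.10", "192.0.2.1", op=1),  # normal request
    build_frame(OTHER, OTHER, "192.0.2.1", "192.0.2.10"),      # same IP, new MAC
    build_frame(HOST, HOST, "192.0.2.10", "192.0.2.1", op=1, hwlen=255, plen=255),
]
```

A binding change is not proof of poisoning on its own (failover and DHCP reassignment also produce it), so treat the findings as triage input to correlate with switch and DHCP logs.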

scapy.layers.l2.etherleak(target, **kargs)

Exploit Etherleak flaw

scapy.layers.l2.getmacbyip(ip, chainCC=0)

Return MAC address corresponding to a given IP address

scapy.layers.l2.is_promisc(ip, fake_bcast='ff:ff:00:00:00:00', **kargs)

Try to guess whether the target is in promiscuous mode. The target is identified by its IP address.

scapy.layers.l2.l2_register_l3(l2, l3)
scapy.layers.l2.l2_register_l3_arp(l2, l3)
scapy.layers.l2.promiscping(net, timeout=2, fake_bcast='ff:ff:ff:ff:ff:fe', **kargs)

Send ARP who-has requests to determine which hosts are in promiscuous mode

promiscping(net, iface=conf.iface)