scapy.packet¶

Packet class

Provides:

the default Packet classes
binding mechanisms
fuzz() method
exploration methods: explore() / ls()

class scapy.packet.NoPayload(*args, **kargs)[source]¶

Bases: scapy.base_classes.Gen[scapy.packet.Packet]

add_payload(payload)[source]¶

add_underlayer(underlayer)[source]¶

aliastypes¶

answers(other)[source]¶

build()[source]¶

build_done(p)[source]¶

build_padding()[source]¶

build_ps(internal=0)[source]¶

clear_cache()[source]¶

command()[source]¶

copy()[source]¶

delfieldval(attr)[source]¶

dissection_done(pkt)[source]¶

do_build()[source]¶

fragment(*args, **kargs)[source]¶

getfield_and_val(attr)[source]¶

getfieldval(attr)[source]¶

getlayer(cls, nb=1, _track=None, _subclass=None, **flt)[source]¶

hashret()[source]¶

haslayer(cls, _subclass=None)[source]¶

hide_defaults()[source]¶

lastlayer(layer=None)[source]¶

layers()[source]¶

remove_payload()[source]¶

remove_underlayer(other)[source]¶

route()[source]¶

setfieldval(attr, val)[source]¶

show(dump=False, indent=3, lvl='', label_lvl='')[source]¶

sprintf(fmt, relax=1)[source]¶

class scapy.packet.Packet(*args, **kargs)[source]¶

Bases: scapy.base_classes.Gen[scapy.packet.Packet]

add_payload(payload)[source]¶

add_underlayer(underlayer)[source]¶

aliastypes¶

answers(other)[source]¶: DEV: true if self is an answer from other

build()[source]¶

Create the current layer

Returns: string of the packet with the payload

build_done(p)[source]¶

build_padding()[source]¶

build_ps(internal=0)[source]¶

canvas_dump(layer_shift=0, rebuild=1)[source]¶

class_default_fields¶

class_default_fields_ref¶

class_dont_cache¶

class_fieldtype¶

class_packetfields¶

clear_cache()[source]¶: Clear the raw packet cache for the field and all its subfields

clone_with(payload=None, share_time=False, **kargs)[source]¶

command()[source]¶: Returns a string representing the command you have to type to obtain the same packet

classmethod convert_packet(pkt, **kwargs)[source]¶

Converts another packet to be this type.

This is not guaranteed to be a lossless process.

Parameters: pkt (scapy.packet.Packet) – The packet to convert.
Returns: Converted form of the packet.
Return type: cls
Raises: TypeError – When conversion is not possible

classmethod convert_packets(pkts, **kwargs)[source]¶

Converts many packets to this type.

This is implemented as a generator.

See Packet.convert_packet.

convert_to(other_cls, **kwargs)[source]¶

Converts this Packet to another type.

This is not guaranteed to be a lossless process.

By default, this only implements conversion to Raw.

Parameters: other_cls (Type[scapy.packet.Packet]) – Reference to a Packet class to convert to.
Returns: Converted form of the packet.
Return type: other_cls
Raises: TypeError – When conversion is not possible

copy()[source]¶: Returns a deep copy of the instance.

copy_field_value(fieldname, value)[source]¶

copy_fields_dict(fields)[source]¶

decode_payload_as(cls)[source]¶: Reassembles the payload and decode it using another packet class

default_fields¶

default_payload_class(payload)[source]¶

DEV: Returns the default payload class if nothing has been found by the guess_payload_class() method.

Parameters: payload (str) – the layer’s payload
Returns: the default payload class define inside the configuration file

delfieldval(attr)[source]¶

deprecated_fields = {}¶

direction¶

display(*args, **kargs)[source]¶: Deprecated. Use show() method.

dissect(s)[source]¶

dissection_done(pkt)[source]¶: DEV: will be called after a dissection is completed

do_build()[source]¶

Create the default version of the layer

Returns: a string of the packet with the payload

do_build_payload()[source]¶

Create the default version of the payload layer

Returns: a string of payload layer

do_build_ps()[source]¶

do_dissect(s)[source]¶

do_dissect_payload(s)[source]¶

Perform the dissection of the layer’s payload

Parameters: s (str) – the raw layer

do_init_cached_fields()[source]¶: Initialize each fields of the fields_desc dict, or use the cached fields information

do_init_fields(flist)[source]¶: Initialize each fields of the fields_desc dict

explicit¶

extract_padding(s)[source]¶

DEV: to be overloaded to extract current layer’s padding.

Parameters: s (str) – the current layer
Returns: a couple of strings (actual layer, padding)

fields¶

fields_desc¶

fieldtype¶

firstlayer()[source]¶

fragment(*args, **kargs)[source]¶

classmethod from_hexcap()[source]¶

get_field(fld)[source]¶: DEV: returns the field instance from the name of the field

getfield_and_val(attr)[source]¶

getfieldval(attr)[source]¶

getlayer(cls, nb=1, _track=None, _subclass=None, **flt)[source]¶: Return the nb^th layer that is an instance of cls, matching flt values.

guess_payload_class(payload)[source]¶

DEV: Guesses the next payload class from layer bonds. Can be overloaded to use a different mechanism.

Parameters: payload (str) – the layer’s payload
Returns: the payload class

hashret()[source]¶: DEV: returns a string that has the same value for a request and its answer.

haslayer(cls, _subclass=None)[source]¶: true if self has a layer that is an instance of cls. Superseded by “cls in self” syntax.

hide_defaults()[source]¶: Removes fields’ values that are the same as default values.

init_fields()[source]¶: Initialize each fields of the fields_desc dict

iterpayloads()[source]¶: Used to iter through the payloads of a Packet. Useful for DNS or 802.11 for instance.

lastlayer(layer=None)[source]¶: Returns the uppest layer of the packet

layers()[source]¶: returns a list of layer classes (including subclasses) in this packet

classmethod lower_bonds()[source]¶

match_subclass = False¶

mysummary()[source]¶: DEV: can be overloaded to return a string that summarizes the layer. Only one mysummary() is used in a whole packet summary: the one of the upper layer, # noqa: E501 except if a mysummary() also returns (as a couple) a list of layers whose # noqa: E501 mysummary() must be called if they are present.

name¶

original¶

overload_fields¶

overloaded_fields¶

packetfields¶

payload¶

payload_guess¶

post_build(pkt, pay)[source]¶

DEV: called right after the current layer is build.

Parameters

pkt (str) – the current packet (build by self_buil function)
pay (str) – the packet payload (build by do_build_payload function)

Returns

a string of the packet with the payload

post_dissect(s)[source]¶: DEV: is called right after the current layer has been dissected

post_dissection(pkt)[source]¶: DEV: is called after the dissection of the whole packet

post_transforms¶

pre_dissect(s)[source]¶: DEV: is called right before the current layer is dissected

prepare_cached_fields(flist)[source]¶: Prepare the cached fields of the fields_desc dict

raw_packet_cache¶

raw_packet_cache_fields¶

remove_payload()[source]¶

remove_underlayer(other)[source]¶

route()[source]¶

self_build()[source]¶

Create the default layer regarding fields_desc dict

Parameters: field_pos_list –

sent_time¶

setfieldval(attr, val)[source]¶

show(dump=False, indent=3, lvl='', label_lvl='')[source]¶

Prints or returns (when “dump” is true) a hierarchical view of the packet.

Parameters

dump – determine if it prints or returns the string value
indent (int) – the size of indentation for each layer
lvl (str) – additional information about the layer lvl
label_lvl (str) – additional information about the layer fields

Returns

return a hierarchical view if dump, else print it

show2(dump=False, indent=3, lvl='', label_lvl='')[source]¶

Prints or returns (when “dump” is true) a hierarchical view of an assembled version of the packet, so that automatic fields are calculated (checksums, etc.)

Parameters

dump – determine if it prints or returns the string value
indent (int) – the size of indentation for each layer
lvl (str) – additional information about the layer lvl
label_lvl (str) – additional information about the layer fields

Returns

return a hierarchical view if dump, else print it

show_indent = 1¶

show_summary = True¶

sniffed_on¶

sprintf(format[, relax=1]) → str[source]¶

Where format is a string that can include directives. A directive begins and ends by % and has the following format: %[fmt[r],][cls[:nb].]field%

Parameters

fmt –

is a classic printf directive, “r” can be appended for raw substitution: (ex: IP.flags=0x18 instead of SA), nb is the number of the layer (ex: for IP/IP packets, IP:2.src is the src of the upper IP layer). Special case : “%.time%” is the creation time. Ex:

p.sprintf(
  "%.time% %-15s,IP.src% -> %-15s,IP.dst% %IP.chksum% "
  "%03xr,IP.proto% %r,TCP.flags%"
)

Moreover, the format string can include conditional statements. A conditional statement looks like : {layer:string} where layer is a layer name, and string is the string to insert in place of the condition if it is true, i.e. if layer is present. If layer is preceded by a “!”, the result is inverted. Conditions can be imbricated. A valid statement can be:

p.sprintf("This is a{TCP: TCP}{UDP: UDP}{ICMP:n ICMP} packet")
p.sprintf("{IP:%IP.dst% {ICMP:%ICMP.type%}{TCP:%TCP.dport%}}")

A side effect is that, to obtain “{” and “}” characters, you must use “%(” and “%)”.

summary(intern=0)[source]¶: Prints a one line summary of a packet.

time¶

underlayer¶

update_sent_time(time)[source]¶: Use by clone_with to share the sent_time value

classmethod upper_bonds()[source]¶

wirelen¶

class scapy.packet.Padding(*args, **kargs)[source]¶

Bases: scapy.base_classes.Gen[scapy.packet.Packet]

aliastypes¶

build_padding()[source]¶

fields_desc¶

Display RFC-like schema

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              LOAD             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                           Fig. Padding

Padding fields¶
load	`StrField`	`b''`

self_build(field_pos_list=None)[source]¶

class scapy.packet.Raw(*args, **kargs)[source]¶

Bases: scapy.base_classes.Gen[scapy.packet.Packet]

aliastypes¶

answers(other)[source]¶

classmethod convert_packet(pkt, **kwargs)[source]¶

fields_desc¶

Display RFC-like schema

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              LOAD             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                             Fig. Raw

Raw fields¶
load	`StrField`	`b''`

mysummary()[source]¶

scapy.packet.bind_bottom_up(lower, upper, __fval=None, **fval)[source]¶

Bind 2 layers for dissection. The upper layer will be chosen for dissection on top of the lower layer, if ALL the passed arguments are validated. If multiple calls are made with the same layers, the last one will be used as default.

ex:

>>> bind_bottom_up(Ether, SNAP, type=0x1234)
>>> Ether(b'\xff\xff\xff\xff\xff\xff\xd0P\x99V\xdd\xf9\x124\x00\x00\x00\x00\x00')  # noqa: E501
<Ether  dst=ff:ff:ff:ff:ff:ff src=d0:50:99:56:dd:f9 type=0x1234 |<SNAP  OUI=0x0 code=0x0 |>>  # noqa: E501

scapy.packet.bind_layers(lower, upper, __fval=None, **fval)[source]¶

Bind 2 layers on some specific fields’ values.

It makes the packet being built and dissected when the arguments are present.

This function calls both bind_bottom_up and bind_top_down, with all passed arguments.

Please have a look at their docs:

help(bind_bottom_up)
help(bind_top_down)

scapy.packet.bind_top_down(lower, upper, __fval=None, **fval)[source]¶

Bind 2 layers for building. When the upper layer is added as a payload of the lower layer, all the arguments will be applied to them.

ex:

>>> bind_top_down(Ether, SNAP, type=0x1234)
>>> Ether()/SNAP()
<Ether  type=0x1234 |<SNAP  |>>

scapy.packet.explore(layer=None)[source]¶

Function used to discover the Scapy layers and protocols. It helps to see which packets exists in contrib or layer files.

params:

layer: If specified, the function will explore the layer. If not,
the GUI mode will be activated, to browse the available layers

Examples

>>> explore()  # Launches the GUI
>>> explore("dns")  # Explore scapy.layers.dns
>>> explore("http2")  # Explore scapy.contrib.http2
>>> explore(scapy.layers.bluetooth4LE)

Note: to search a packet by name, use ls(“name”) rather than explore.

scapy.packet.fuzz(p, _inplace=0)[source]¶

Transform a layer into a fuzzy layer by replacing some default values by random objects.

Parameters: p – the Packet instance to fuzz
Returns: the fuzzed packet.

scapy.packet.ls(obj=None, case_sensitive=False, verbose=False)[source]¶

List available layers, or infos on a given layer class or name.

Parameters

obj – Packet / packet name to use
case_sensitive – if obj is a string, is it case sensitive?
verbose –

scapy.packet.rfc(cls, ret=False, legend=True)[source]¶

Generate an RFC-like representation of a packet def.

Parameters

cls – the Packet class
ret – return the result instead of printing (def. False)
legend – show text under the diagram (default True)

Ex:

>>> rfc(Ether)

scapy.packet.split_bottom_up(lower, upper, __fval=None, **fval)[source]¶: This call un-links an association that was made using bind_bottom_up. Have a look at help(bind_bottom_up)

scapy.packet.split_layers(lower, upper, __fval=None, **fval)[source]¶

Split 2 layers previously bound. This call un-links calls bind_top_down and bind_bottom_up. It is the opposite of # noqa: E501 bind_layers.

Please have a look at their docs:

help(split_bottom_up)
help(split_top_down)

scapy.packet.split_top_down(lower, upper, __fval=None, **fval)[source]¶: This call un-links an association that was made using bind_top_down. Have a look at help(bind_top_down)