Link: https://github.com/dhgdhg/Scapy-Note

3. Changing the theme

3.1. Temporary

conf.color_theme = ColorOnBlackTheme()

3.2. Permanent

Edit the file /usr/local/lib/python3.7/dist-packages/scapy/main.py:

from scapy.themes import ColorOnBlackTheme
conf.color_theme = ColorOnBlackTheme()

4. Common commands

https://scapy.readthedocs.io/en/latest/api/scapy.packet.html
https://scapy.readthedocs.io/en/latest/api/scapy.utils.html

explore: show the packet types contained in a layer

>>> explore(scapy.layers.l2)
Packets contained in scapy.layers.l2:
Class      |Name
-----------|-----------------------
ARP        |ARP
CookedLinux|cooked linux
Dot1AD     |802_1AD
Dot1Q      |802.1Q
Dot3       |802.3
ERSPAN     |ERSPAN
Ether      |Ethernet
GRE        |GRE
GRE_PPTP   |GRE PPTP
GRErouting |GRE routing information
LLC        |LLC
Loopback   |Loopback
SNAP       |SNAP
STP        |Spanning Tree Protocol

ls: show a protocol's fields and their default values

>>> ls(IP)
version    : BitField (4 bits)                   = (4)
ihl        : BitField (4 bits)                   = (None)
tos        : XByteField                          = (0)
len        : ShortField                          = (None)
id         : ShortField                          = (1)
flags      : FlagsField (3 bits)                 = (<Flag 0 ()>)
frag       : BitField (13 bits)                  = (0)
ttl        : ByteField                           = (64)
proto      : ByteEnumField                       = (0)
chksum     : XShortField                         = (None)
src        : SourceIPField                       = (None)
dst        : DestIPField                         = (None)
options    : PacketListField                     = ([])

/: layer stacking

  • Example: Ether()/IP()/UDP()

rdpcap(filename, count=-1): read a pcap file; count is how many packets to read (default: all)

hexdump()

import_hexcap()

export_object(): export a base64 encoded Python data structure representing a packet

import_object()

.summary(): show a summary

  • ans.summary(lambda s,r: r.sprintf("%TCP.sport% \t %TCP.flags%"))

.nsummary(): show a summary with packet numbers

fuzz(p): return p with every field the user did not set explicitly replaced by a random value

del(): restore a field to its default value

  • Example: del(a.ttl)

conf.route: view Scapy's routing table (add()/delt() change only this in-memory table; resync() reloads it from the OS)

  • Example:
      >>> conf.route
      Network     Netmask         Gateway         Iface
      127.0.0.0   255.0.0.0       0.0.0.0         lo
      192.168.8.0 255.255.255.0   0.0.0.0         eth0
      0.0.0.0     0.0.0.0         192.168.8.1     eth0
      >>> conf.route.delt(net="0.0.0.0/0",gw="192.168.8.1")
      >>> conf.route.add(net="0.0.0.0/0",gw="192.168.8.254")
      >>> conf.route.add(host="192.168.1.1",gw="192.168.8.1")
      >>> conf.route
      Network     Netmask         Gateway         Iface
      127.0.0.0   255.0.0.0       0.0.0.0         lo
      192.168.8.0 255.255.255.0   0.0.0.0         eth0
      0.0.0.0     0.0.0.0         192.168.8.254   eth0
      192.168.1.1 255.255.255.255 192.168.8.1     eth0
      >>> conf.route.resync()
      >>> conf.route
      Network     Netmask         Gateway         Iface
      127.0.0.0   255.0.0.0       0.0.0.0         lo
      192.168.8.0 255.255.255.0   0.0.0.0         eth0
      0.0.0.0     0.0.0.0         192.168.8.1     eth0

traceroute()

sniff()

Sniff packets and return a packet list.

  • count: number of packets to capture. 0 means infinity.

  • store: whether to store sniffed packets or discard them

  • prn: function to apply to each packet. If something is returned, it is displayed

    • Example: prn = lambda x: x.summary()
  • session: defragment packets, before executing the prn.

    • IPSession: defragment IP packets on-the-flow, to make a stream usable by prn.
    • TCPSession: defragment certain TCP protocols*. Only HTTP 1.0 currently uses this functionality.
    • NetflowSession: resolve Netflow V9 packets from their NetflowFlowset information objects
  • filter: BPF filter

  • lfilter: Python function applied to each packet to determine whether further action may be done on it

    • Example: lfilter = lambda x: x.haslayer(Padding)
  • offline: read packets from a PCAP file (or a list of PCAP files) instead of sniffing them

  • timeout: stop sniffing after a given time (default: None)

  • L2socket: use the provided L2socket (default: use conf.L2listen).

  • opened_socket: provide an object (or a list of objects) having a .recv() method.

  • stop_filter: Python function applied to each packet to determine whether the capture has to stop after this packet

    • Example: stop_filter = lambda x: x.haslayer(TCP)
  • iface: interface or list of interfaces (default: None, sniff on all interfaces).

  • monitor: use monitor mode. May not be available on all operating systems

  • started_callback: called as soon as the sniffer starts sniffing (default: None)

  • Example:

    • sniff(prn=lambda x: x.summary(), lfilter=lambda x: x.haslayer(TCP), stop_filter=lambda x: x.haslayer(Padding))

AsyncSniffer()

  • Example:

      # capture 200 packets on one interface, blocking until they have arrived
      t = AsyncSniffer(iface="enp0s3", count=200)
      t.start()
      t.join()
      results = t.results
      print(len(results))

      # print TCP summaries for 20 seconds without storing the packets
      import time
      t = AsyncSniffer(prn=lambda x: x.summary(), store=False, filter="tcp")
      t.start()
      time.sleep(20)
      t.stop()

RandString(size=None, chars=b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789')

  • return a random string of the given size

Packet methods

  • https://scapy.readthedocs.io/en/latest/api/scapy.packet.html#scapy.packet.Packet
  • firstlayer()
  • get_field(fld)
  • getfield_and_val(attr)
  • getfieldval(attr)
  • getlayer(cls, nb=1, _track=None, _subclass=None, **flt)
  • haslayer(cls)
  • hide_defaults()
  • init_fields()
  • lastlayer(layer=None)
  • layers()
  • show(dump=False, indent=3, lvl='', label_lvl='')
    • Print or return (if dump is True) a hierarchical view of the packet.
  • show2(dump=False, indent=3, lvl='', label_lvl='')
    • Print or return (if dump is True) a hierarchical view of an assembled version of the packet, so that automatic fields (checksums, etc.) are calculated.
  • sniffed_on
  • sprintf(format[, relax=1])
    • Example:
        p.sprintf("%.time% %-15s,IP.src% -> %-15s,IP.dst% %IP.chksum% %03xr,IP.proto% %r,TCP.flags%")
        p.sprintf("This is a{TCP: TCP}{UDP: UDP}{ICMP:n ICMP} packet")
        p.sprintf("{IP:%IP.dst% {ICMP:%ICMP.type%}{TCP:%TCP.dport%}}")
  • summary(intern=0)

5. Parameter notation

a,b: means the values a and b

(a,b): means the range [a, b]

SA: means SYN, ACK

Rate+HE: means Rate, HE

6. Importing and exporting data

6.1. Export

scapy -s mysessionpath

wrpcap("temp.cap",pkts)

6.2. Import

save_session('session.scapy')

pkts = rdpcap("temp.cap")

pkts = sniff(offline="temp.cap")

7. Visualization

.make_table()

  • Example:
      # the function returns, for each packet: head column value, head row value, displayed value
      # on an answer list (ans) it receives the (sent, received) pair
      ans.make_table(lambda s,r: (r[IP].src, r[IP].ttl, r[IP].dst))
      p.make_table(lambda x: (x[IP].dst, x[TCP].dport, x[TCP].sprintf("%flags%")))

.graph()

  • Example:
      res.graph(target="> /share/graph.svg")