.TH SCAPY 1 "May 12, 2003"
.SH NAME
scapy \- Interactive packet manipulation tool
.SH SYNOPSIS
.B scapy
.RI [ options ]
.SH DESCRIPTION
This manual page documents briefly the
.B scapy
tool.
.PP
\fBscapy\fP is a powerful interactive packet manipulation tool, 
packet generator, network scanner, network discovery, packet sniffer,
etc. It can for the moment replace hping, 85% of nmap, arpspoof, arp-sk,
arping, tcpdump, tethereal, p0f, ...
.PP
\fBscapy\fP uses the python interpreter as a command board. That means that 
you can use directly python language (assign variables, use loops, 
define functions, etc.) If you give a file as parameter when you run 
\fBscapy\fP, your session (variables, functions, intances, ...) will be saved 
when you leave the interpretor, and restored the next time you launch
\fBscapy\fP. 
.PP
\fBscapy\fP is not user proof yet. But it is almost reliable. Some more things 
need to be done to support more platforms.
.PP
The idea is simple. Those kind of tools do two things : sending packets 
and receiving answers. That's what \fBscapy\fP does : you define a set of 
packets, it sends them, receives answers, matches requests with answers 
and returns a list of packet couples (request, answer) and a list of 
unmatched packets. This has the big advantage over tools like nmap or 
hping that an answer is not reduced to (open/closed/filtered), but is 
the whole packet. 
.PP
On top of this can be build more high level functions, for example one 
that does traceroutes and give as a result only the start TTL of the 
request and the source IP of the answer. One that pings a whole network 
and gives the list of machines answering. One that does a portscan and 
returns a LaTeX report. 

.SH OPTIONS
Options for scapy are:
.TP
\fB\-h\fR
display help screen and exit
.TP
\fB\-s\fR FILE
use FILE to save/load session values (variables, functions, intances, ...) 

.SH COMMANDS
Only the vital commands to begin are listed here for the moment.
.TP
\fBls()\fR
lists supported protocol layers. If a protocol layer is given as parameter, lists its fields and types of fields.
.TP
\fBlsc()\fR
lists some user commands. If a command is given as parameter, its documentation is displayed.
.TP
\fBconf\fR
this object contains the configuration. 


.SH EXAMPLES

More verbose examples are available at
http://www.cartel-securite.fr/pbiondi/scapy.html.
Just run \fBscapy\fP and try the following commands in the interpreter.

.LP
Test the robustness of a network stack with invalid packets:
.nf
sr(IP(dst="172.16.1.1", ihl=2, options="\verb$\x02$", version=3)/ICMP())
.fi

.LP
Packet sniffing and dissection (with a bpf filter or thetereal-like output):
.nf
a=sniff(filter="tcp port 110")
a=sniff(prn = lambda x: x.display) 
.fi

.LP
Sniffed packet reemission:
.nf
a=sniff(filter="tcp port 110")
sendp(a)
.fi

.LP
Pcap file packet reemission:
.nf
sendp(rdpcap("file.cap"))
.fi

.LP
Manual TCP traceroute:
.nf
sr(IP(dst="www.google.com", ttl=(1,30))/TCP(seq=RandInt(), sport=RandShort(), dport=dport)
.fi

.LP
Protocol scan:
.nf
sr(IP(dst="172.16.1.28", proto=(1,254)))
.fi

.LP
ARP ping:
.nf
srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.16.1.1/24"))
.fi

.LP
ACK scan:
.nf
sr(IP(dst="172.16.1.28")/TCP(dport=(1,1024), flags="A"))
.fi

.LP
Passive OS fingerprinting:
.nf
sniff(prn=prnp0f) 
.fi

.LP
Active OS fingerprinting:
.nf
nmap_fp("172.16.1.232")
.fi


.LP
ARP cache poisonning:
.nf
sendp(Ether(dst=tmac)/ARP(op="who-has", psrc=victim, pdst=target))
.fi

.LP
Reporting:
.nf
report_ports("192.168.2.34", (20,30))
.fi


.SH BUGS
Does not give the right source IP for routes that use interface aliases.

May miss packets under heavy load.

.SH AUTHOR
Philippe Biondi <biondi@cartel-securite.fr>
.PP
This manual page was written by Alberto Gonzalez Iniesta <agi@agi.as>
and Philippe Biondi
for the Debian GNU/Linux system (but may be used by others).