Python scapy.all.Ether() Examples

def scan_ips(interface='wlan0', ips='192.168.1.0/24'):
	"""a simple ARP scan with Scapy"""
	try:
		print('[*] Start to scan')
		conf.verb = 0 # hide all verbose of scapy
		ether = Ether(dst="ff:ff:ff:ff:ff:ff")
		arp = ARP(pdst = ips)
		answer, unanswered = srp(ether/arp, timeout = 2, iface = interface, inter = 0.1)

		for sent, received in answer:
			print(received.summary())

	except KeyboardInterrupt:
		print('[*] User requested Shutdown')
		print('[*] Quitting...')
		sys.exit(1) 

def test_multiple_packets():
    packets = [
        # HTTP Packet
        Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12")
        / IP(src="127.0.0.1", dst="192.168.1.1")
        / TCP(sport=12345, dport=80)
        / HTTP()
        / HTTPRequest(Method="GET", Path="/foo", Host="https://google.com"),
        # DNS Packet
        Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12")
        / IP(src="127.0.0.1", dst="192.168.1.1")
        / UDP(sport=80, dport=53)
        / DNS(rd=1, qd=DNSQR(qtype="A", qname="google.com"), an=DNSRR(rdata="123.0.0.1")),
        # TCP Packet
        Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12")
        / IP(src="127.0.0.1", dst="192.168.1.1")
        / TCP(sport=80, dport=5355),
    ]

    events = list(packets_to_datasource_events(packets).events())
    assert len(events) == 3

    assert [e["event_type"] for e in events] == ["HTTPRequest", "DNS", "TCP"] 

def test_single_dns_resp_packet():

    packets = [
        Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12")
        / IP(src="127.0.0.1", dst="192.168.1.1")
        / UDP(sport=80, dport=53)
        / DNS(rd=1, qd=DNSQR(qtype="A", qname="google.com"), an=DNSRR(rdata="123.0.0.1"))
    ]

    events = list(packets_to_datasource_events(packets).events())
    assert len(events) == 1

    assert events[0]["src_mac"] == "ab:ab:ab:ab:ab:ab"
    assert events[0]["dst_mac"] == "12:12:12:12:12:12"
    assert events[0]["src_ip"] == "127.0.0.1"
    assert events[0]["dst_ip"] == "192.168.1.1"
    assert events[0]["sport"] == 80
    assert events[0]["dport"] == 53
    assert events[0]["qname"] == "google.com."
    assert events[0]["qanswer"] == "123.0.0.1"
    assert events[0]["qtype"] == "A"
    assert events[0]["event_type"] == "DNS" 

def test_single_http_packet():

    packets = [
        Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12")
        / IP(src="127.0.0.1", dst="192.168.1.1")
        / TCP(sport=12345, dport=80)
        / HTTP()
        / HTTPRequest(Method="GET", Path="/foo", Host="https://google.com")
    ]

    events = list(packets_to_datasource_events(packets).events())
    assert len(events) == 1

    assert events[0]["src_mac"] == "ab:ab:ab:ab:ab:ab"
    assert events[0]["dst_mac"] == "12:12:12:12:12:12"
    assert events[0]["src_ip"] == "127.0.0.1"
    assert events[0]["dst_ip"] == "192.168.1.1"
    assert events[0]["sport"] == 12345
    assert events[0]["dport"] == 80
    assert events[0]["http_method"] == "GET"
    assert events[0]["uri"] == "/foo"
    assert events[0]["http_dest"] == "https://google.com"

    assert events[0]["event_type"] == "HTTPRequest" 

def test_single_tcp_packet():

    packets = [
        Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12")
        / IP(src="127.0.0.1", dst="192.168.1.1")
        / TCP(sport=80, dport=5355)
    ]

    events = list(packets_to_datasource_events(packets).events())
    assert len(events) == 1

    assert events[0]["src_mac"] == "ab:ab:ab:ab:ab:ab"
    assert events[0]["dst_mac"] == "12:12:12:12:12:12"
    assert events[0]["src_ip"] == "127.0.0.1"
    assert events[0]["dst_ip"] == "192.168.1.1"
    assert events[0]["sport"] == 80
    assert events[0]["dport"] == 5355
    assert events[0]["event_type"] == "TCP" 

def callback(self, packet):
        flags = packet.sprintf("%TCP.flags%")
        proto = IP
        if IPv6 in packet:
            proto = IPv6
        if flags == "A" and not self.ignore_packet(packet, proto):
            src_mac = packet[Ether].src
            dst_mac = packet[Ether].dst
            src_ip = packet[proto].src
            dst_ip = packet[proto].dst
            src_port = packet[TCP].sport
            dst_port = packet[TCP].dport
            seq = packet[TCP].seq
            ack = packet[TCP].ack
            if self.verbose:
                print("RST from %s:%s (%s) --> %s:%s (%s) w/ %s" % (src_ip, src_port, src_mac, dst_ip, dst_port, dst_mac, ack))
            if self.noisy:
                self.send(self.build_packet(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, seq, proto))
            self.send(self.build_packet(dst_mac, src_mac, dst_ip, src_ip, dst_port, src_port, ack, proto)) 

def scan(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1,
                              verbose=False)[0]

    clients_list = []
    for element in answered_list:
        client_dict = {"ip": element[1].psrc, "mac": element[1].hwsrc}
        clients_list.append(client_dict)
    return clients_list 

def _process_syn_scan(self, pkt):
        """
        Receives SYN scan response from devices.

        """
        src_mac = pkt[sc.Ether].src
        device_id = utils.get_device_id(src_mac, self._host_state)
        device_port = pkt[sc.TCP].sport

        with self._host_state.lock:
            port_list = self._host_state.pending_syn_scan_dict.setdefault(device_id, [])
            if device_port not in port_list:
                port_list.append(device_port)
                utils.log('[SYN Scan Debug] Device {} ({}): Port {}'.format(
                    pkt[sc.IP].src, device_id, device_port
                )) 

def run(self):
        """Sends IGMP general query packets using the multicast address 224.0.0.1.
        Received replies are processed by a SniffThread.
        """

        # create IGMP general query packet
        ether_part = Ether(src=self.mac)
        ip_part = IP(ttl=self._TTL, src=self.ip, dst=self._IGMP_MULTICAST)
        igmp_part = IGMP(type=self._IGMP_GENERAL_QUERY)

        # Called to explicitely fixup associated IP and Ethernet headers
        igmp_part.igmpize(ether=ether_part, ip=ip_part)

        while True:
            sendp(ether_part / ip_part / igmp_part)
            time.sleep(self._SLEEP) 

def run(self):
        """Starts the thread, which is sniffing incoming ARP packets and sends out packets to spoof
        all clients on the network and the gateway. This packets are sent every __SLEEP seconds.

        Note:
            First, a ARP request packet is generated for every possible client of the network.
            This packets are directed at the gateway and update existing entries of the gateway's ARP table.
            So the gateway is not flooded with entries for non-existing clients.

            Second, a GARP broadcast request packet is generated to spoof every client on the network.
        """
        # start sniffing thread
        self.sniffthread.start()

        # generates a packet for each possible client of the network
        # these packets update existing entries in the arp table of the gateway
        # packets = [Ether(dst=self.gate_mac) / ARP(op=1, psrc=str(x), pdst=str(x)) for x in self.ip_range]

        # gratuitous arp to clients
        # updates the gateway entry of the clients arp table
        packets = [Ether(dst=ETHER_BROADCAST) / ARP(op=1, psrc=self.ipv4.gateway, pdst=self.ipv4.gateway, hwdst=ETHER_BROADCAST)]
        while True:
            sendp(packets)
            time.sleep(self.__SLEEP) 

def send_dhcp_advertise(p, basep, target):
    global ipv6noaddrc
    resp = Ether(dst=basep.src)/IPv6(src=config.selfaddr, dst=basep[IPv6].src)/UDP(sport=547, dport=546) #base packet
    resp /= DHCP6_Advertise(trid=p.trid)
    #resp /= DHCP6OptPref(prefval = 255)
    resp /= DHCP6OptClientId(duid=p[DHCP6OptClientId].duid)
    resp /= DHCP6OptServerId(duid=config.selfduid)
    resp /= DHCP6OptDNSServers(dnsservers=[config.selfaddr])
    if config.localdomain:
        resp /= DHCP6OptDNSDomains(dnsdomains=[config.localdomain])
    if target.ipv4 != '':
        addr = config.ipv6prefix + target.ipv4.replace('.', ':')
    else:
        addr = config.ipv6prefix + '%d:%d' % (config.ipv6noaddr, config.ipv6noaddrc)
        config.ipv6noaddrc += 1
    opt = DHCP6OptIAAddress(preflft=300, validlft=300, addr=addr)
    resp /= DHCP6OptIA_NA(ianaopts=[opt], T1=200, T2=250, iaid=p[DHCP6OptIA_NA].iaid)
    sendp(resp, iface=config.default_if, verbose=False) 

def test_single_udp_packet():

    packets = [
        Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12")
        / IP(src="127.0.0.1", dst="192.168.1.1")
        / UDP(sport=80, dport=5355)
    ]

    events = list(packets_to_datasource_events(packets).events())
    assert len(events) == 1

    assert events[0]["src_mac"] == "ab:ab:ab:ab:ab:ab"
    assert events[0]["dst_mac"] == "12:12:12:12:12:12"
    assert events[0]["src_ip"] == "127.0.0.1"
    assert events[0]["dst_ip"] == "192.168.1.1"
    assert events[0]["sport"] == 80
    assert events[0]["dport"] == 5355
    assert events[0]["event_type"] == "UDP" 

def send_dhcp_reply(p, basep):
    resp = Ether(dst=basep.src)/IPv6(src=config.selfaddr, dst=basep[IPv6].src)/UDP(sport=547, dport=546) #base packet
    resp /= DHCP6_Reply(trid=p.trid)
    #resp /= DHCP6OptPref(prefval = 255)
    resp /= DHCP6OptClientId(duid=p[DHCP6OptClientId].duid)
    resp /= DHCP6OptServerId(duid=config.selfduid)
    resp /= DHCP6OptDNSServers(dnsservers=[config.selfaddr])
    if config.localdomain:
        resp /= DHCP6OptDNSDomains(dnsdomains=[config.localdomain])
    try:
        opt = p[DHCP6OptIAAddress]
        resp /= DHCP6OptIA_NA(ianaopts=[opt], T1=200, T2=250, iaid=p[DHCP6OptIA_NA].iaid)
        sendp(resp, iface=config.default_if, verbose=False)
    except IndexError:
        # Some hosts don't send back this layer for some reason, ignore those
        if config.debug or config.verbose:
            print('Ignoring DHCPv6 packet from %s: Missing DHCP6OptIAAddress layer' % basep.src) 

def dhcpv6_callback(pkt):
    global dhcpv6_server_mac
    global dhcpv6_server_ipv6_link
    global dhcpv6_server_duid

    if pkt.haslayer(DHCP6_Advertise) or pkt.haslayer(DHCP6_Reply):
        if pkt[DHCP6OptServerId].duid is None:
            return False
        else:
            dhcpv6_server_mac = pkt[Ether].src
            dhcpv6_server_ipv6_link = pkt[IPv6].src
            dhcpv6_server_duid = pkt[DHCP6OptServerId].duid
            return True
    else:
        return False 

def cmd_arp_ping(ip, iface, verbose):
    """
    Send ARP packets to check if a host it's alive in the local network.

    Example:

    \b
    # habu.arp.ping 192.168.0.1
    Ether / ARP is at a4:08:f5:19:17:a4 says 192.168.0.1 / Padding
    """

    if verbose:
        logging.basicConfig(level=logging.INFO, format='%(message)s')

    conf.verb = False

    if iface:
        iface = search_iface(iface)
        if iface:
            conf.iface = iface['name']
        else:
            logging.error('Interface {} not found. Use habu.interfaces to show valid network interfaces'.format(iface))
            return False

    res, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip), timeout=2)

    for _, pkt in res:
        if verbose:
            print(pkt.show())
        else:
            print(pkt.summary()) 

def send_ra():
    # Send a Router Advertisement with the "managed" and "other" flag set, which should cause clients to use DHCPv6 and ask us for addresses
    p = Ether(dst='33:33:00:00:00:01')/IPv6(dst='ff02::1')/ICMPv6ND_RA(M=1, O=1)
    sendp(p, iface=config.default_if, verbose=False)

# Whether packet capturing should stop 

def process(self, pkt):
            if all(layer in pkt for layer in (scapy.Ether, scapy.ARP)):
                if pkt[scapy.Ether].src != str(net.ifhwaddr(self.iface)) and pkt[scapy.ARP].op == 1: # who-has
                    resp = scapy.Ether()/scapy.ARP(hwsrc=str(net.ifhwaddr('tap0')), hwdst=pkt.hwsrc, psrc=pkt.pdst, pdst=pkt.psrc, op="is-at")
                    scapy.sendp(resp, iface='tap0')

                    if pkt.pdst not in self.ips:
                        self.ips.add(pkt.pdst)
                        cidr = '{!s}/{:d}'.format(pkt.pdst, 28)
                        logger.info("Attaching new IP address {:s} to {:s}".format(cidr, self.iface))
                        subprocess.run(['ip', 'addr', 'add', cidr, 'dev', self.iface]) 

def testCallBack(originalFrame, decryptedMsg):
	print("\n[%s] '%s'.\n" % (originalFrame[Ether].src.lower(), decryptedMsg)) 

def run(self):
        """Starts multiple threads sends out packets to spoof
        all existing clients on the network and the gateway. This packets are sent every __SLEEP seconds.
        The existing clients (device entries) are read from the redis database.

        Threads:
            A SniffThread, which sniffs for incoming ARP packets and adds new devices to the redis db.
            Several HostDiscoveryThread, which are searching for existing devices on the network.
            A PubSubThread, which is listening for redis expiry messages.

        Note:
            First, ARP replies to spoof the gateway entry of existing clients arp cache are generated.
            ARP relpies to spoof the entries of the gateway are generated next.
            Unlike the holistic mode only packets for existing clients are generated.

        """
        try:
            for worker in self.threads:
                self.threads[worker].start()

            # lamda expression to generate arp replies to spoof the clients
            exp1 = lambda dev: Ether(dst=dev[1]) / ARP(op=2, psrc=self.ipv4.gateway, pdst=dev[0], hwdst=dev[1])

            while not self.exit.is_set():
                # generates packets for existing clients

                sendp([p(dev) for dev in self.ipv4.redis.get_devices_values(filter_values=True) for p in (exp1,)])
                try:
                    with self.sleeper:
                        self.sleeper.wait(timeout=self.__SLEEP)
                except RuntimeError as e:
                    # this error is thrown by the with-statement when the thread is stopped
                    if len(e.args) > 0 and e.args[0] == "cannot release un-acquired lock":
                        return
                    else:
                        raise e

            self._return_to_normal()
        except Exception as e:
            self.logger.error("Process IPv4")
            self.logger.exception(e) 

def parse_message(self, pkt):
		"""
		Start the brokering server listener.
		:param ip: Client IP addr [str]
		:return: None
		"""
		# Here is where you want to hook up to automate communication
		# with the clients.

		if pkt[ARP].op is not 1:
			# Not 'who has?'
			return
		if pkt[Ether].dst.lower() != "ff:ff:ff:ff:ff:ff":
			# Not broadcast
			return

		try:
			# pkt[ARP][Padding].show()
			payload = pkt[ARP][Padding].load

		except:
			pass

		decPayload = AESDecryptOFB(key=self.key, text=payload)

		if self.retFunc is not None:
			self.retFunc(pkt ,decPayload) 

def get_mac_by_ip_s(ip_address, delay):
    """try to retrieve MAC address associated with ip using Scapy library """
    responses, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),
                       timeout=delay, retry=10)
    # return the MAC address from a response
    for _, response in responses:
        return response[Ether].src
    return None 

def get_cbr0_ip_mac(self):
        config = get_config()
        res = srp1(Ether() / IP(dst="1.1.1.1", ttl=1) / ICMP(), verbose=0, timeout=config.network_timeout)
        return res[IP].src, res.src 

def build_packet(self, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, seq, proto):
        eth = Ether(src=src_mac, dst=dst_mac, type=0x800)
        if proto == IP:
            ip = IP(src=src_ip, dst=dst_ip)
        elif proto == IPv6:
            ip = IPv6(src=src_ip, dst=dst_ip)
        else:
            return str(eth) #if unknown L2 protocol, send back dud ether packet
        tcp = TCP(sport=src_port, dport=dst_port, seq=seq, flags="R")
        return str(eth/ip/tcp) 

def cmd_dhcp_discover(iface, timeout, verbose):
    """Send a DHCP request and show what devices has replied.

    Note: Using '-v' you can see all the options (like DNS servers) included on the responses.

    \b
    # habu.dhcp_discover
    Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.5:bootpc / BOOTP / DHCP
    """

    conf.verb = False

    if iface:
        iface = search_iface(iface)
        if iface:
            conf.iface = iface['name']
        else:
            logging.error('Interface {} not found. Use habu.interfaces to show valid network interfaces'.format(iface))
            return False

    conf.checkIPaddr = False

    hw = get_if_raw_hwaddr(conf.iface)

    ether = Ether(dst="ff:ff:ff:ff:ff:ff")
    ip = IP(src="0.0.0.0",dst="255.255.255.255")
    udp = UDP(sport=68,dport=67)
    bootp = BOOTP(chaddr=hw)
    dhcp = DHCP(options=[("message-type","discover"),"end"])

    dhcp_discover = ether / ip / udp / bootp / dhcp

    ans, unans = srp(dhcp_discover, multi=True, timeout=5)      # Press CTRL-C after several seconds

    for _, pkt in ans:
        if verbose:
            print(pkt.show())
        else:
            print(pkt.summary()) 

def update_cache(self):
        try:
            ans, unans = arping(self._router_ip + "/24",
                                iface=self._interface, verbose=False)

            self._arp_cache = []

            if ans:
                for s, r in ans:
                    self._arp_cache.append([r[ARP].psrc, r[Ether].src.lower()])

            _LOGGER.debug("ARP cache: %s", self._arp_cache)
        except Exception as e:
            _LOGGER.error("Error when trying update ARP cache: %s", str(e)) 

def run(self):
        """Sends broadcast ARP requests for every possible client of the network.
        Received ARP replies are processed by a SniffThread.
        """
        sendp(Ether(dst=ETHER_BROADCAST) / ARP(op=1, psrc=self.gateway, pdst=self.network)) 

def _return_to_normal(self):
        """This method is called when the daemon is stopping.
        First, sends a GARP broadcast request to all clients to tell them the real gateway.
        Then an ARP request is sent to every client, so that they answer the real gateway and update its ARP cache.
        """
        # clients gratutious arp
        sendp(
            Ether(dst=ETHER_BROADCAST) / ARP(op=1, psrc=self.ipv4.gateway, pdst=self.ipv4.gateway, hwdst=ETHER_BROADCAST,
                                             hwsrc=self.ipv4.gate_mac))
        # to clients so that they send and arp reply to the gateway
        # sendp(Ether(dst=ETHER_BROADCAST) / ARP(op=1, psrc=self.gateway, pdst=str(self.network), hwsrc=self.gate_mac)) 

def _return_to_normal(self):
        """This method is called when the daemon is stopping.
        Apate tells the clients the real gateway via neighbor advertisements.
        """
        # spoof clients with nd advertisements
        with self.sleeper:
            # check if the impersonation of the DNS server is necessary
            tgt = (self.ipv6.gateway, self.ipv6.dns_servers[0]) if util.is_spoof_dns(self.ipv6) else (self.ipv6.gateway,)

            for source in tgt:
                sendp(Ether(dst=ETHER_BROADCAST) / IPv6(src=source, dst=MulticastPingDiscoveryThread._MULTICAST_DEST) /
                      ICMPv6ND_NA(tgt=source, R=1, S=0, O=1) / ICMPv6NDOptDstLLAddr(lladdr=self.ipv6.gate_mac)) 

def spoof_devices(ip, devs, logger):
        for entry in devs:
            dev_hw = util.get_device_mac(entry)
            dev_ip = devs[entry]
            if not ip.redis.check_device_disabled(util.get_device_mac(entry)):
                sendp(Ether(dst=dev_hw) / ARP(op=2, psrc=ip.gateway, pdst=dev_ip, hwdst=dev_hw))
            else:
                sendp(Ether(dst=dev_hw) / ARP(op=2, psrc=ip.gateway, pdst=dev_ip, hwdst=dev_hw, hwsrc=ip.gate_mac)) 

def get_kube_dns_ip_mac(self):
        config = get_config()
        kubedns_svc_ip = self.extract_nameserver_ip()

        # getting actual pod ip of kube-dns service, by comparing the src mac of a dns response and arp scanning.
        dns_info_res = srp1(
            Ether() / IP(dst=kubedns_svc_ip) / UDP(dport=53) / DNS(rd=1, qd=DNSQR()),
            verbose=0,
            timeout=config.network_timeout,
        )
        kubedns_pod_mac = dns_info_res.src
        self_ip = dns_info_res[IP].dst

        arp_responses, _ = srp(
            Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op=1, pdst=f"{self_ip}/24"), timeout=config.network_timeout, verbose=0,
        )
        for _, response in arp_responses:
            if response[Ether].src == kubedns_pod_mac:
                return response[ARP].psrc, response.src