Below is an abridged cheat sheet of Scapy fundamentals that you'll use in this course.
This page is by no means comprehensive—we encourage you to bookmark and familiarize yourself with one of the many in-depth Scapy tutorials on the web. Some great examples are:
In case Scapy is not installed on your VM, just run
$ pip3 install scapy
in your VM's terminal. Once installed, here's how you can import Scapy in Python:
from scapy.all import *
rdpcap('❬pcap❭')
: Retrieve packets from a packet capture file.
>>> packets = rdpcap('crack0.pcap')
>>> packet = packets[0]
packet.show()
: Show available protocols and fields for a packet.
>>> packet.show()
###[ Ethernet ]###
  dst       = 08:00:27:6e:cf:4a
  src       = 0a:00:27:00:00:00
  ...
###[ IP ]###
  version   = 4
  ihl       = 5
  ...
###[ TCP ]###
  sport     = 54017
  dport     = ftp
  ...
packet.haslayer('❬protocol❭')
: Check if packet contains the given protocol.
>>> packet.haslayer('TCP')
True
packet['❬protocol❭'].payload
: Retrieve the protocol's payload.
>>> packet['TCP'].payload
<Raw  load=b'220 redmint FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.\r\n' |>
packet['❬protocol❭'].src
: The packet's source address for the link layer.
>>> packet['Ethernet'].src
'0a:00:27:00:00:00'
packet['❬protocol❭'].dst
: The packet's destination address for the link layer.
>>> packet['Ethernet'].dst
'08:00:27:6e:cf:4a'
packet['❬protocol❭'].version
: The packet's IP protocol version, e.g. 4 for IPv4 or 6 for IPv6.
>>> packet['IP'].version
4
packet['❬protocol❭'].src
: The packet's source address for the network layer.
>>> packet['IP'].src
'192.168.56.1'
packet['❬protocol❭'].dst
: The packet's destination address for the network layer.
>>> packet['IP'].dst
'192.168.56.101'
packet['❬protocol❭'].sport
: The packet's source port for the transport layer.
>>> packet['TCP'].sport
54017
packet['❬protocol❭'].dport
: The packet's destination port for the transport layer.
>>> packet['TCP'].dport
21
packet['❬protocol❭'].flags
: Inspect a packet's flags. Comparing against a string matches the exact flag set, while the attribute form tests a single flag.
>>> packet["TCP"].flags == 'S'   # Check for SYN flag
True
>>> packet["TCP"].flags.S        # Check for SYN flag
True
You can use the transport layer's payload to grab a packet's application-layer data and decode it as text:
>>> bytes(packet["TCP"].payload).decode("utf-8", "replace")
'220 redmint FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.\r\n'