====== Scapy interactive tutorial ======

[[http://www.secdev.org/projects/scapy/|Scapy, an interactive packet manipulation program]]

Followed the tutorial, did not get further than generating packets; scapy got stuck when trying to read a pcap file that was written by aircrack.

====== how to ======

  * write and read a .pcap file ([[http://wikihead.wordpress.com/tag/scapy/]]):

<code python>
>>> pkts = sniff(count=100, iface="wlan1")  # use external wifi card to sniff
>>> pkts
>>> wrpcap('traffic.pcap', pkts)  # write list of packets to PCAP file
>>> packetlist = rdpcap('traffic.pcap')  # read PCAP file into list of packets
>>> for pkt in packetlist:
...     print pkt, pkt.src, pkt.name  # src gives the MAC address of the device; name gives the protocol (Ethernet/802.3...)
</code>

returns a dump like this (printing a packet object dumps its raw bytes, which is why most of it is unreadable):

<code>
... .H? ??????????n??n????d UPC00803????$0Hl */0???? 2 `? ??P?P?P?P?P? ?P???'?BC^b2/ .H? ??????????{v ?{v `???dNETGEAR???? P? .H? ???8?3?? .H? ?????????ia|?ia|?0/j?Q?d UPC01185????$0Hl */0???? 2 `? ??P?P?P?P?P? ?P???'?BC^b2/ .H0? ???L?%EY .H? ???8?3?? .H? ???8?3?? ?3?? ??EW/?@@?o?gJ}O??@\?? -j??- ?qK?????k??o??!??????RAu .H0? ???L?%EY .H? ??? ???
</code>

====== examples ======

  * [[http://www.packetstan.com/2011/03/extracting-ap-names-from-packet.html|PACKETSTAN: Extracting AP names from Packet Captures]] works great, extracts MAC addresses and ESSIDs found in a pcap file. Downloaded this script by Tim Medin; run it like this:

<code bash>
./APNameFromPcap.py -f [a .pcap file] | sort -u
</code>

returns a list like this:

<code>
00:--:--:--:--:-- Alexxa
00:--:--:--:--:-- NETGEAR
00:--:--:--:--:-- UPC008034
00:--:--:--:--:-- UPC011853
00:--:--:--:--:-- UPC019652
00:--:--:--:--:-- bobi13
bc:--:--:--:--:-- ASUS_lgdp
</code>

  * ping all online IPs, with timeout:

<code python>
#!/usr/bin/env python3
from scapy.all import *

TIMEOUT = 2      # seconds to wait for each reply
conf.verb = 0    # silence scapy's per-packet output

for ip in range(0, 256):
    # one ICMP echo request per address in 192.168.1.0/24 (includes .0 and .255)
    packet = IP(dst="192.168.1." + str(ip), ttl=20) / ICMP()
    reply = sr1(packet, timeout=TIMEOUT)   # send, wait for one answer or time out
    if reply is not None:
        print(reply.src, "is online")
    else:
        # report the address we probed (dst), not our own address (src)
        print("Timeout waiting for %s" % packet[IP].dst)
</code>

(doesn't really continue once it reaches my own IP)

  * [[http://samsclass.info/124/proj11/123-P14x-promscan.html|Detecting Promiscuous NICs with scapy]] fun exercise, tried it with 2 wifi cards
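The two things the "how to" and the AP-names entry above do with scapy (write a pcap, read it back, pull the BSSID and SSID out of each beacon frame, print a unique list) done by hand in plain Python. This is an added example, not code from this page, from scapy, or from Tim Medin's APNameFromPcap.py; it uses only ''struct'' and ''io'', so it runs without scapy or a wireless card. The beacon frames, their BSSIDs and the pcap timestamps are constructed sample data (the SSIDs reuse two names from the list above). It handles the classic pcap format only (not pcapng) and raw 802.11 frames (DLT 105); a capture saved with a radiotap header (DLT 127) would need the radiotap length skipped before the 802.11 header, which this example does not do.

```python
"""Write/read a classic pcap of 802.11 beacons and list (BSSID, SSID) pairs."""
import struct
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4
DLT_IEEE802_11 = 105   # raw 802.11 frames, no radiotap header


def write_pcap(fh, frames, linktype=DLT_IEEE802_11):
    """Global header (24 bytes) followed by a 16-byte record header per frame."""
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, network
    fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len (timestamps are constructed)
        fh.write(struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)))
        fh.write(frame)


def read_pcap(fh):
    """Return (linktype, [frame bytes, ...]); honours either byte order."""
    magic, = struct.unpack("<I", fh.read(4))
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file: magic %#x" % magic)
    linktype = struct.unpack(end + "HHiIII", fh.read(20))[5]
    frames = []
    while True:
        rec = fh.read(16)
        if len(rec) < 16:              # clean end of file (or truncated record)
            break
        incl_len = struct.unpack(end + "IIII", rec)[2]
        frames.append(fh.read(incl_len))
    return linktype, frames


def mac(b):
    return ":".join("%02x" % x for x in b)


def beacon_bssid_ssid(frame):
    """(bssid, ssid) for a beacon frame, None for anything else.

    Management header: FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2) = 24 bytes;
    beacon fixed fields: timestamp(8) interval(2) capabilities(2) = 12 bytes;
    then tagged parameters id(1) len(1) value(len)...  The SSID is tag 0.
    """
    if len(frame) < 36:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype != 8:     # type 0 = management, subtype 8 = beacon
        return None
    bssid = mac(frame[16:22])          # addr3 carries the BSSID in a beacon
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:        # truncated tag: stop rather than misparse
            break
        if tag == 0:
            # hidden networks beacon an empty (or all-zero) SSID value
            ssid = value.decode("utf-8", "replace") if value.strip(b"\x00") else "<hidden>"
            return bssid, ssid
        pos += 2 + length
    return bssid, "<no SSID tag>"


def ap_names_from_pcap(fh):
    """Unique sorted (bssid, ssid) pairs, i.e. what piping through sort -u gives."""
    linktype, frames = read_pcap(fh)
    if linktype != DLT_IEEE802_11:
        raise ValueError("expected raw 802.11 frames (DLT 105), got DLT %d" % linktype)
    found = set()
    for frame in frames:
        result = beacon_bssid_ssid(frame)
        if result:
            found.add(result)
    return sorted(found)


def make_beacon(bssid_bytes, ssid):
    """Constructed beacon with only an SSID tag: enough for the parser above."""
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid_bytes + bssid_bytes + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid


SAMPLE_FRAMES = [                                              # constructed
    make_beacon(bytes.fromhex("001122334455"), b"NETGEAR"),
    make_beacon(bytes.fromhex("bc0000000001"), b"ASUS_lgdp"),
    make_beacon(bytes.fromhex("001122334455"), b"NETGEAR"),   # repeated beacon
    make_beacon(bytes.fromhex("00aabbccddee"), b""),          # hidden SSID
    bytes.fromhex("0800" + "00" * 22),                        # data frame, skipped
]


def demo():
    buf = BytesIO()                    # stands in for traffic.pcap on disk
    write_pcap(buf, SAMPLE_FRAMES)
    buf.seek(0)
    return ap_names_from_pcap(buf)


if __name__ == "__main__":
    for bssid, ssid in demo():
        print(bssid, ssid)
```

Replace the ''BytesIO'' in ''demo()'' with ''open("traffic.pcap", "rb")'' to run it over a real capture; the parser stops at a truncated tag instead of reading past the end of the frame, which is the kind of malformed input a hand-written dissector has to expect from the air.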
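What ''IP(dst=..., ttl=20)/ICMP()'' actually puts on the wire in the ping-sweep script above, and what a valid echo reply has to look like before ''sr1()'' would hand it back: the IPv4 and ICMP headers with their checksums, built and checked by hand. Added example in plain Python (''struct'' and ''ipaddress''), not scapy code and not from this page; the source/destination addresses are the sweep's 192.168.1.0/24 range and the reply is constructed sample data. One thing the layout of the script hides: ''sr1()'' waits up to TIMEOUT for each address before moving on, so a quiet /24 costs up to 256 × 2 s; scapy's ''sr()'' sends a whole list of packets first and then collects the answers.

```python
"""Build an IPv4/ICMP echo request with checksums and validate an echo reply."""
import struct
import ipaddress


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; IP and ICMP both use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ident=0x1234, seq=0, ttl=20, payload=b""):
    """20-byte IPv4 header + ICMP echo request (type 8), checksums filled in."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto 1 = ICMP, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, ttl, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_echo_reply(packet):
    """(src_ip, ident, seq) for a well-formed ICMP echo reply, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0 or packet[9] != 1:
        return None                    # bad IP checksum, or not ICMP
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        return None                    # bad ICMP checksum
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype != 0 or code != 0:        # 0/0 = echo reply
        return None
    return str(ipaddress.IPv4Address(packet[12:16])), ident, seq


def sweep_targets(network="192.168.1.0/24"):
    """The hosts worth probing; the script's range(0, 256) also hits .0 and .255."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()]


def make_reply_for(request):
    """Constructed echo reply as a live host would send it: addresses swapped, type 0."""
    ihl = (request[0] & 0x0F) * 4
    icmp = bytearray(request[ihl:])
    icmp[0], icmp[2:4] = 0, b"\x00\x00"
    icmp[2:4] = struct.pack("!H", inet_checksum(bytes(icmp)))
    hdr = bytearray(request[:ihl])
    hdr[8] = 64                                         # replying host's TTL
    hdr[12:16], hdr[16:20] = request[16:20], request[12:16]
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return bytes(hdr + icmp)


if __name__ == "__main__":
    for host in sweep_targets()[:3]:
        req = build_echo_request("192.168.1.50", host, ident=7, seq=1)
        print(host, req.hex(), parse_echo_reply(make_reply_for(req)))
```

The reply check is the point for a defender: a stray or spoofed packet with a wrong checksum, the wrong protocol number or the wrong ICMP type is rejected rather than counted as a host being "online".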