Sending packets from pcap with changed src/dst in scapy

python pcap scapy
Jason Bart picture Jason Bart · Jan 4, 2012 · Viewed 38.7k times · Source

I am trying to send a previously recorded traffic (captured in pcap format) with scapy. Currently I am stuck at striping original Ether layer. The traffic was captured on another host and I basically need to change both IP and Ether layer src and dst. I managed to replace IP layer and recalculate checksums, but Ether layer gives me trouble.

Anyone has experience resending packets from capture file with applied changes to IP and Ether layer(src and dst)? Also, the capture is rather big couple of Gb, how about scapy performance with such amounts of traffic?

Answer

Abdurahman picture Abdurahman · Jan 12, 2012

check this example

from scapy.all import *
from scapy.utils import rdpcap

pkts=rdpcap("FileName.pcap")  # could be used like this rdpcap("filename",500) fetches first 500 pkts
for pkt in pkts:
     pkt[Ether].src= new_src_mac  # i.e new_src_mac="00:11:22:33:44:55"
     pkt[Ether].dst= new_dst_mac
     pkt[IP].src= new_src_ip # i.e new_src_ip="255.255.255.255"
     pkt[IP].dst= new_dst_ip
     sendp(pkt) #sending packet at layer 2

comments:

  • use rdpcap,wrpcap scapy methods to read and write from pcap formatted file
  • you can use sniff(offline="filename") to read packets and you may use prn parameter like this sniff(offline="filename",prn=My_Function) in this case My_Functions will be applied to every pkt sniffed
  • the correct way to write your new ip or mac is to consider it as a string ex: ip="1.1.1.1" and so on as illustrated above.
  • in example: sendp method included in for loop which is slower than making other loop to send packets
  • performance tip: in python using for loops is too slow use map instead if you would like a speed like a for loop in C ,Ref
  • the rdpcap as used above reads the file at once, if the memory available while reading say 1.5 Gb and you are reading a 2,3,.. Gb file it will fail.
  • if the performance issue is critical for you may use winpcap but you have to write more complex code in C;doing the same task using python/scapy is pretty easy an simple but it is not faster than c
  • it depends which one to use on the level of performance needed
  • if my guess is right you are sending a video stream packets in this case i would use a winpcap if i am sending an 1 mega pixel video or scapy in other cases(lower size per frame)
  • in case of using C/winpcap you will get a great performance in reading pcaps and change the data and resend but you have to be aware of the same problem (large files) you have to create a buffer with a proper size to use it for reading sending the packets in a quite performance
  • if the packet size is constant(which is rare in most cases, i guess) you may have an advantage get the most of your available memory
  • if you want to use python/scapy for the whole "project/program" you may create the high performance functions in C/Wincap and compile as dll then you can import this dll to your python program and you can use it inside a python program. This way you get benefits of wonderful easy python/Scapy and you only write a specific functions in c so you can get your job done faster and your code to be focused and maintainable

Related questions

How can I filter a pcap file by specific protocol using python?

I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file. There is a tool called openDPI, and it's …

Read More
Writing to a pcap with scapy

I'm trying to write to a pcap file once I filter out all NBNS traffic. This is giving me a syntax error. from scapy.all import * Capture = raw_input("Enter file path of pcap file: " ) pcap = rdpcap(Capture) ports=137 filtered = (…

Read More
Scapy and rdpcap function

I'm using rdpcap function of Scapy to read a PCAP file. I also use the module described in a link to HTTP support in Scapy which is needed in my case, as I have to retrieve all the HTTP requests …

Read More