Blog 15 — Crafting and Sending Packets with Scapy
Most cybersecurity students use networking tools every day without understanding what actually happens behind the scenes. This blog is designed to change that. Instead of blindly running tools, you will learn how packets are built, manipulated, transmitted, and analyzed at a lower level using Python and Scapy.
Why Packet Crafting Matters
Tools like port scanners, firewalls, intrusion detection systems, and even malware rely heavily on network packets. If you understand how packets work internally, you stop depending completely on tools and start understanding the actual logic behind them.
Packet crafting is extremely important in areas like:
- Penetration testing
- Network security analysis
- Protocol fuzzing
- Malware traffic analysis
- Firewall evasion research
- Intrusion detection engineering
What is Scapy?
Scapy is a Python-based packet manipulation framework that allows you to craft, send, sniff, capture, and analyze packets. Unlike many traditional networking tools, Scapy gives you direct control over packet fields.
You can manually control things like:
- Source IP addresses
- Destination ports
- TCP flags
- Packet payloads
- Fragmentation behavior
- Protocol headers
Installing Scapy
Install Scapy using pip.
pip install scapyIn many cases, especially on Linux systems, you will need elevated privileges because Scapy works with raw sockets.
sudo python3 script.pyUnderstanding Packet Layers
Network packets are built in layers.
Ethernet → IP → TCP → Data
Scapy lets you build packets layer by layer using the / operator.
from scapy.all import *
packet = IP(dst="8.8.8.8") / ICMP()
packet.show()How the / Operator Works in Scapy
This is one of the most important things to understand in Scapy.
packet = IP(dst="1.1.1.1") / TCP(dport=80) / Raw(load="HELLO")Here, Scapy builds the packet step-by-step:
IP Header
└── TCP Header
└── PayloadSending Packets
Layer 3 Packet Sending
send(IP(dst="8.8.8.8") / ICMP())This works at the IP layer.
Layer 2 Packet Sending
sendp(Ether() / ARP())| Function | Layer |
|---|---|
| send() | Network Layer |
| sendp() | Data Link Layer |
Crafting a TCP SYN Packet
TCP communication begins with a handshake. A SYN packet is the first step of that process.
packet = IP(dst="192.168.1.10") / TCP(dport=80, flags="S")
packet.show()
The flags="S" field means that we are sending a SYN packet.
Common TCP Flags
| Flag | Meaning |
|---|---|
| S | SYN |
| A | ACK |
| F | FIN |
| R | RST |
Building a Basic SYN Scanner
A SYN scanner works by sending SYN packets and checking how the target responds.
from scapy.all import *
target = "192.168.1.10"
for port in range(1, 1025):
packet = IP(dst=target)/TCP(dport=port, flags="S")
response = sr1(packet, timeout=1, verbose=0)
if response:
if response.haslayer(TCP):
if response[TCP].flags == 0x12:
print(f"Port {port} is OPEN")
send(IP(dst=target)/TCP(dport=port, flags="R"), verbose=0)Packet Sniffing with Scapy
Packet sniffing is heavily used in malware analysis, incident response, and network monitoring.
Capture 10 Packets
sniff(count=10)Capture Only ICMP Traffic
sniff(filter="icmp", count=5)Custom Packet Callback
def process(packet):
print(packet.summary())
sniff(prn=process, count=10)Understanding ARP Spoofing
ARP spoofing works because ARP does not have built-in authentication.
Attackers can send fake ARP replies and manipulate how devices map IP addresses to MAC addresses.
packet = ARP(
op=2,
pdst="192.168.1.5",
psrc="192.168.1.1",
hwdst="ff:ff:ff:ff:ff:ff"
)
packet.show()IP Spoofing
IP spoofing allows attackers or researchers to fake the source IP address of a packet.
packet = IP(
src="1.2.3.4",
dst="192.168.1.10"
)/ICMP()
send(packet)One important thing beginners often misunderstand is that responses will go back to the spoofed IP address.
Packet Fragmentation
Packet fragmentation breaks large packets into smaller pieces.
Historically, fragmentation has been abused in firewall evasion and intrusion detection bypass techniques.
packet = IP(dst="192.168.1.10") / UDP() / ("X" * 2000)
fragments = fragment(packet, fragsize=500)
send(fragments)Protocol Fuzzing with Scapy
Fuzzing is the process of sending unexpected or malformed input to software in order to discover crashes or vulnerabilities.
from scapy.all import *
import random
while True:
packet = IP(dst="192.168.1.10") / TCP(
dport=80,
flags="S",
seq=random.randint(0, 999999)
)
send(packet, verbose=0)Reading PCAP Files
PCAP files are commonly used in digital forensics and incident response investigations.
packets = rdpcap("capture.pcap")
for packet in packets:
print(packet.summary())Common Beginner Mistakes
- Running Scapy without root privileges
- Ignoring timeout values
- Trusting every packet response blindly
- Testing on production systems without authorization
- Forgetting that real networks behave unpredictably
Suggested Practice Exercises
- Build your own TCP SYN scanner
- Create an ICMP monitoring tool
- Write a custom packet sniffer
- Experiment with packet fragmentation in a lab environment
- Analyze PCAP files and identify suspicious traffic
Final Thoughts
Understanding packet crafting changes the way you think about networking and cybersecurity.
You stop seeing simple commands and start understanding protocol behavior, packet structures, and communication patterns.
This level of understanding is what separates someone who only uses tools from someone who can actually build them.
Comments
Post a Comment