From charlesreid1

Wireless sniffer in 10 lines:


Scapy is a Python library for parsing out wireless information. Imagine an API for your hardware, aircrack, nmap, tcpdump, traceroute, and various other networking utilities, all rolled into one Python library. That's Scapy.


Great intro to scapy's many functions:

Great video tutorial:

Same setup, with a small battery-powered router:

Installing Scapy on Mac

NameError: global name dnet is not defined

On starting Scapy, I was seeing an error related to dnet.

Scapy has a number of dependencies on the Mac. One of them is a Python module that wraps a C library called dnet. If you try to install pydnet using pip, you will get errors when you run Scapy. But you can install libdnet from source, then build the Python extension yourself.

Hat tip to this page:


tar xfz libdnet-1.12.tgz
cd libdnet-1.12
sudo make install
cd python
sudo python install

Alternatively, you could use Homebrew to install libdnet and then install scapy, but that requires you to use Homebrew's Python - you can't mix, for example, a python install with a Homebrew install of Scapy.

Once you're done, you should be able to fire up scapy and get a command prompt:


Listing Scapy Commands

Once you get to the Scapy prompt, you can see all the different Scapy functions available to you with the lsc() command:

>>> lsc()
arpcachepoison      : Poison target's cache with (your MAC,victim's IP) couple
arping              : Send ARP who-has requests to determine which hosts are up
bind_layers         : Bind 2 layers on some specific fields' values
bridge_and_sniff    : Forward traffic between two interfaces and sniff packets exchanged
corrupt_bits        : Flip a given percentage or number of bits from a string
corrupt_bytes       : Corrupt a given percentage or number of bytes from a string
defrag              : defrag(plist) -> ([not fragmented], [defragmented],
defragment          : defrag(plist) -> plist defragmented as much as possible
dyndns_add          : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del          : Send a DNS delete message to a nameserver for "name"
etherleak           : Exploit Etherleak flaw
fragment            : Fragment a big IP datagram
fuzz                : Transform a layer into a fuzzy layer by replacing some default values by random objects
getmacbyip          : Return MAC address corresponding to a given IP address
hexdiff             : Show differences between 2 binary strings
hexdump             : --
hexedit             : --
is_promisc          : Try to guess if target is in Promisc mode. The target is provided by its ip.
linehexdump         : --
ls                  : List  available layers, or infos on a given layer
promiscping         : Send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap              : Read a pcap file and return a packet list
send                : Send packets at layer 3
sendp               : Send packets at layer 2
sendpfast           : Send packets at layer 2 using tcpreplay for performance
sniff               : Sniff packets
split_layers        : Split 2 layers previously bound
sr                  : Send and receive packets at layer 3
sr1                 : Send packets at layer 3 and return only the first answer
srbt                : send and receive using a bluetooth socket
srbt1               : send and receive 1 packet using a bluetooth socket
srflood             : Flood and receive packets at layer 3
srloop              : Send a packet at layer 3 in loop and print the answer each time
srp                 : Send and receive packets at layer 2
srp1                : Send and receive packets at layer 2 and return only the first answer
srpflood            : Flood and receive packets at layer 2
srploop             : Send a packet at layer 2 in loop and print the answer each time
traceroute          : Instant TCP traceroute
tshark              : Sniff packets and print them calling, a bit like text wireshark
wireshark           : Run wireshark on a list of packets
wrpcap              : Write a list of packets to a pcap file

You can list all of the different layers that are available using the ls() command:

>>> ls()

Using Scapy

Airoscapy: Airodump Clone

Here is an example of using Scapy as an airdoump clone. This shows how to perform basic tasks like interacting with the wireless card and processing packets directly from Python using Scapy:

Scapy/Airodump Clone

Simple AP Scanner

This script does exactly what it says: a simple AP scanner. It randomly hops around channels, and adds any APs it sees to a master list.

Scapy/AP Scanner

Analyzing Wifi Conversations

These notes cover the use of Scapy to identify packets flowing between devices (routers and clients) as part of conversations, and gather statistics about those conversations.


Collecting Wifi Data

This material is relevant to the UGR Project on wifi data.

In this project, we'll be using Scapy to monitor incoming packets, and populate a database with observations.

Scapy/Wifi Database



Scapy for Fake AP: