Apr 29, 2021 1.1About Scapy Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks. In other words, Scapy is a powerful interactive packet manipulation program. It is able to forge or decode. See full list on Scapy is amazingly flexible when it comes to creating packets, but in some cases you may want to mangle or change packets that you've sniffed and saved in a trace file. Scapy currently supports.cap,.pcap, and.pcapng files. Reading these files are possible through the rdpcap function. Scapy is a packet manipulation tool for computer networks written in Python. It runs natively on Linux (as well as Mac OS X), but the latest versions of scapy actually supports Windows out-of-the-box. So you can use nearly all of scapy's features on a Windows machine as well. Scapy sniffer is not designed to be super fast so it can miss packets sometimes. Always use use tcpdump when you can, which is more simpler and efficient. We can add filtering to capture only packets that are interesting to us.

My motivation was to start from a known good packet capture, for example, a DNS request and reply, and modify that request to create something interesting: an example to examine in Wireshark, or positive and negative test cases for an IDS software (Snort, Suricata).

I haven’t done much with Scapy before, but it seemed like the right tool for the task. My planned steps were as follows:

All the commands shown were run on an Ubuntu 18.04 LTS VM running on VirtualBox, but should work on any Linux host with Python3, Scapy, and tcpdump.

1. Take pcap (packet capture)

In one terminal I ran tcpdump, capturing only port 53 traffic:

In another terminal I generated a DNS request. I limited it to A records to reduce the number of packets generated:

I confirmed it worked:

2. Import pcap via scapy

First I set up a virtual environment. This was probably unnecessary, but is a habit I have when starting any new Python project:

Then I ran Scapy and imported the packet capture:

3. Change pcap

First I looked at the packets in Scapy just to see what the objects looked like:

2 packets: one request, one reply.

What if I wanted to change the packets so that the request and reply are instead for And the record data is

Can tcpdump still read it?

That doesn’t look quite right. What about tshark?

It looks unhappy: Malformed Packet. What went wrong?

Oh! The length and the checksum in both the IP header and the UDP header are incorrect.

Searching around for how to address this led me to How to calculate a packet checksum without sending it? on StackOverflow. It suggested deleting the checksums and rebuilding the packets, and Scapy would automatically calculate the checksums.

A tangent on using__class__:

I thought it inadvisable to use “magic” objects (see like __class__ as in the example on StackOverflow. But it does make sense:

No matter what subclass of a packet layer you have, __class__ will give you the right subclass.

Back to the task at hand. I ended up deleting the length (len) and checksum (chksum) from both the IP layer and the UDP layer and rebuilt the packets:

[Note: I also changed the host request from to I also included the trailing dot in the request and reply: b'']

Then I re-built the PacketList:

4. Export pcap

Scapy’s wrpcap function takes a destination filename and a PacketList object (scapy.plist.PacketList).

Did it work?

Anki cozmo app. Success!

5. View pcap in Wireshark

If it worked in tcpdump and tshark, I expected it to work in Wireshark, but I wanted to make sure:

A note on packet timestamps:

I don’t see any timestamp data when I view the packets in Scapy, but tcpdump shows timestamps:

How can I modify the timestamps? The timestamps appear to be the time the packet was created/rebuilt by Scapy. I would like to have better control of this, but I have not yet found a way to do that. Please leave a comment if you know of a way to do this!

Latest version


Daemon and tooling to enable using scapy without root permissions.

Project description

Daemon and tooling to enable using scapy without root permissions.


scapy_unroot can be installed by just running

The requirements also installed by this are listed inrequirements.txt.


The scapy-unroot daemon

The daemon to allow usage of scapy without root permissions requires rootitself. You can start it with the following command:

The provided argument scapy should be a permission group, users who areallowed to use scapy without root permissions should be in.


By default, all files related to scapy_unroot are managed in the directory/var/run/scapy-unroot. You can change that directory using the -r /--run-dir argument:

The UNIX domain socket to communicate with the daemon will be created under thename server-socket in that directory.

Network interfaces that users of scapy_unroot should not be able to send overor sniff on can be blacklisted using the -b / --interface-blacklistargument. Multiple interfaces can be provided:

To run the daemon in background, use the -d / --daemonize parameter:

To get more information on the arguments of the scapy-unroot daemon, run

All arguments described above can be combined.

Configuring scapy to communicate with the daemon

Before sending or sniffing with scapy, just do

You can provide a different server address by the server_addr argument. Thedefault is /var/run/scapy_unroot/server-socket.

You can also configure the timeout for waiting for a reply from the server usingthe connection_timeout argument.

Release historyRelease notifications RSS feed

0.3.0b4 pre-release

0.3.0b3 pre-release

0.3.0b2 pre-release

0.3.0b1 pre-release

0.2.0a1 pre-release

0.1.1a1 pre-release

0.1.0a1 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for scapy-unroot, version 0.3.0b4
Filename, sizeFile typePython versionUpload dateHashes
Filename, size scapy_unroot-0.3.0b4-py3-none-any.whl (30.5 kB) File type Wheel Python version py3 Upload dateHashes
Filename, size scapy_unroot-0.3.0b4.tar.gz (8.8 kB) File type Source Python version None Upload dateHashes

Scapy Documentation

Hashes for scapy_unroot-0.3.0b4-py3-none-any.whl

Hashes for scapy_unroot-0.3.0b4-py3-none-any.whl
AlgorithmHash digest

Hashes for scapy_unroot-0.3.0b4.tar.gz

Scapy Send

Hashes for scapy_unroot-0.3.0b4.tar.gz
AlgorithmHash digest