Scapy: Getting more Out of your packets
· Throughout this blog I am using the two IP addresses mentioned below:
192.168.1.16: used as destination IP address.
192.168.1.1: used as destination (router) IP address.
· DNS Query: The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.
To execute a DNS query we query the base domain (the canonical domain name).
sr1(): send-and-receive function that returns only the first answered packet.
dst: destination IP of the machine to which you want to send this packet.
UDP(): User Datagram Protocol. DNS runs over UDP on port 53.
DNS(): tells Scapy that we want to create a DNS packet.
rd=1: sets the recursion desired flag, so the server resolves the name recursively.
qd: the query domain (the question section of the packet).
DNSQR: DNS Question Record.
qname: the name of the domain you are querying.
Note: By default Scapy queries "A" records.
If we want to check the NS records of a website, we have to modify the query: pass the domain in the qname parameter and in qtype pass the record type you want to fetch (for example NS or MX).
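Added example (not code from the blog): a hand-built, byte-level equivalent of the DNS layer that DNS(rd=1, qd=DNSQR(qname=..., qtype=...)) produces, plus a parser for the header of the reply sr1() returns; building it by hand shows exactly which bytes rd=1 and qtype change. The resolver address under `__main__` is a placeholder.

```python
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "MX": 15}   # qtype values Scapy also accepts by name

def build_query(qname, qtype="A", txid=0, rd=1):
    """Wire form of the DNS layer; Scapy's default transaction id is 0."""
    flags = 0x0100 if rd else 0        # rd=1 sets the Recursion Desired bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # qdcount=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question

def parse_header(reply):
    """Decode the reply header fields worth checking before trusting the answers."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def query(server, qname, qtype="A", timeout=2.0):
    """Send over UDP/53 like sr1(IP(dst=server)/UDP()/DNS(...)) and parse the reply."""
    q = build_query(qname, qtype, txid=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    # only accept a response that matches our id and has the QR (response) bit set
    if hdr["id"] != 0x1234 or hdr["qr"] != 1:
        raise ValueError("reply does not match our query")
    return hdr

if __name__ == "__main__":
    # placeholder resolver address; the blog used its router as the DNS server
    print(query("192.168.1.1", "www.google.com", "NS"))
```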
· Traceroute: A traceroute is a network utility used to show the route taken by packets across an IP network. It provides the hostname, IP address, and the response time to a ping.
Scapy has pre-built trace route functionality.
1) traceroute(["www.google.com"], maxttl=20)
maxttl: TTL stands for Time To Live and refers to the number of "hops" a packet may take inside a network before a router discards it.
When a packet travels through a network there is a risk that it will continue to pass from router to router indefinitely. To mitigate this, packets are assigned a hop limit (hop value). This information tells us how long a packet has been in circulation, and allows the sender to receive information about the packet's path through the internet.
Whenever a router receives a packet, it subtracts one from the TTL count and then passes it on to the next location. If at any point the TTL count equals zero after the subtraction, the router discards the packet and sends an ICMP message back to the originating host.
traceroute(["www.google.com"], maxttl=10)
Received 10 packets, 9 TCP and 1 ICMP
As I defined the TTL as 10, it took only 10 hops and then the packet expired.
Scapy's traceroute is actually a TCP traceroute and not an ICMP one. After the last packet we got SA at the end of the line because we are sending a SYN packet and expecting a SYN-ACK.
2) traceroute(["192.168.1.1"], dport=21, maxttl=10)
dport: Scapy uses port 80 by default, so I tried changing the port to 21.
After changing the port all responses were RA (Reset Acknowledgement).
Why 10 packets each time?
Scapy sends all the packets at the same time, one per TTL value up to maxttl, so it cannot know when to stop.
3) traceroute(["192.168.1.1", "www.google.com", "www.facebook.com"], maxttl=10)
This is how we traceroute to more than one destination.
We added 2 destinations and removed dport from the command.
So in total 30 packets were sent, and the results for each of the different destinations are lined up next to each other. Doing it through Scapy we found it is much faster than the normal traceroute command.
In the above screenshot we noticed the answered packets and the unanswered packets. To explore it further:
Note: If the target IP answers with an ICMP time exceeded in transit (ICMP type 11) before answering the handshake, there is a Destination NAT happening first.
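Added example (not code from the blog): how to read the result of Scapy's TCP traceroute, covering the three points above: one SYN is sent per TTL value so a run always costs maxttl packets, the target closes the table with SA (port open) or RA (port closed), and the DNAT hint from the note. The replies are constructed, with documentation addresses, not captured.

```python
from collections import Counter

def summarize_trace(target, maxttl, replies):
    """replies: list of (ttl, src_ip, proto, detail); detail is the ICMP type
    for proto "ICMP" or the TCP flags string ("SA", "RA") for proto "TCP"."""
    hops = {}
    target_icmp11_ttl = None   # first TTL at which the target itself sent type 11
    target_tcp_ttl = None      # first TTL at which the target answered the SYN
    for ttl, src, proto, detail in sorted(replies, key=lambda r: r[0]):
        hops[ttl] = (src, str(detail))
        if src == target:
            if proto == "ICMP" and detail == 11 and target_icmp11_ttl is None:
                target_icmp11_ttl = ttl
            elif proto == "TCP" and target_tcp_ttl is None:
                target_tcp_ttl = ttl
    counts = Counter(proto for _, _, proto, _ in replies)
    # The blog's note: the target answering "time exceeded" before answering
    # the handshake means a Destination NAT sits in front of it.
    dnat = (target_icmp11_ttl is not None and target_tcp_ttl is not None
            and target_icmp11_ttl < target_tcp_ttl)
    port = None
    if target_tcp_ttl is not None:
        # SA = SYN-ACK, the port is open; RA = RST-ACK, the port is closed
        port = "open" if hops[target_tcp_ttl][1] == "SA" else "closed"
    return {
        "sent": maxttl,   # one SYN per TTL value, all sent in one go
        "received": "%d packets, %d TCP and %d ICMP"
                    % (len(replies), counts["TCP"], counts["ICMP"]),
        "hops": hops,
        "unanswered_ttls": [t for t in range(1, maxttl + 1) if t not in hops],
        "port": port,
        "dnat_suspected": dnat,
    }

# Constructed sample for a run like traceroute(["198.51.100.7"], maxttl=10):
# hop 3 stays silent and the target answers SA from TTL 9 onward.
SAMPLE = [(1, "192.168.1.1", "ICMP", 11), (2, "203.0.113.1", "ICMP", 11),
          (4, "203.0.113.9", "ICMP", 11), (5, "203.0.113.17", "ICMP", 11),
          (6, "203.0.113.25", "ICMP", 11), (7, "203.0.113.33", "ICMP", 11),
          (8, "203.0.113.41", "ICMP", 11), (9, "198.51.100.7", "TCP", "SA"),
          (10, "198.51.100.7", "TCP", "SA")]

if __name__ == "__main__":
    for key, value in summarize_trace("198.51.100.7", 10, SAMPLE).items():
        print(key, value)
```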
· Ping Collection: Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network.
1) ARP ping: built-in utility of Scapy to perform an ARP scan on your network range.
192.168.1.*: we can use * if we want to ping the whole fourth octet; if we want to ping an individual host we can give its address instead.
As in the above screenshot, when we use a single IP for the ping it sends only 1 packet.
2) ICMP ping: ICMP (Internet Control Message Protocol) ping shows if a target host is reachable over the internet via the ICMP protocol.
ICMP(): Protocol for which we are doing scan.
3) TCP ping: TCP ping is a TCP-oriented ping alternative. It is used to test the reachability of a service on a host using TCP/IP and to measure the time it takes to connect to the specified port.
This is a simple TCP ping against a subnet or a specified IP address using port 80 (HTTP) and sending just a SYN flag. The SYN flag synchronizes sequence numbers to initiate a TCP connection. The FIN flag indicates the end of data transmission to finish a TCP connection.
ans, unans = sr(IP(dst="192.168.1.1")/TCP(dport=80, flags="S"))
sr(): send-and-receive function that returns both the answered and the unanswered packets, so we can check which hosts did not respond.
TCP(): protocol for which we are doing the scan.
flags="S": sending the SYN flag.
dport: the port we are sending to.
4) UDP ping: the goal of UDP ping is to detect whether there is an active host at the target interface (IP address). To do so, UDP ping sends an IP packet carrying a UDP packet. Once the packet is sent, UDP ping listens for all incoming ICMP messages.
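Added example (not code from the blog): the ICMP side of the pings above and of the traceroute section, at the byte level. It builds the echo request that IP(dst=...)/ICMP() sends and classifies the ICMP replies the techniques rely on: echo reply (ICMP ping), destination unreachable (what UDP ping listens for) and time exceeded (a traceroute hop). All messages here are constructed, not captured.

```python
import struct

def icmp_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(itype, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Assemble any ICMP message with a correct checksum; rest = header bytes 4..7."""
    body = struct.pack("!BBH", itype, code, 0) + rest + payload
    csum = icmp_checksum(body)
    return struct.pack("!BBH", itype, code, csum) + rest + payload

def build_echo_request(ident=0, seq=0, payload=b""):
    """Type 8 code 0, what IP(dst=...)/ICMP() sends (Scapy defaults: id=0, seq=0)."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)

def classify_icmp(packet):
    """What each ping or traceroute above concludes from one received ICMP message."""
    if len(packet) < 8:
        return "truncated"
    if icmp_checksum(packet) != 0:          # a valid message sums to zero
        return "bad checksum"
    itype, code = packet[0], packet[1]
    if itype == 0:
        return "echo reply: host up"            # ICMP ping
    if itype == 3:
        # UDP ping: a closed UDP port is rejected with port unreachable,
        # which still proves the host is alive
        if code == 3:
            return "port unreachable: host up"
        return "destination unreachable code %d" % code
    if itype == 11:
        return "time exceeded in transit: intermediate hop"   # traceroute
    return "icmp type %d code %d" % (itype, code)

if __name__ == "__main__":
    print(build_echo_request(0x1234, 1).hex())
    print(classify_icmp(build_icmp(3, 3)))
```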