Packet Crafting through “Scapy”

Gupta Bless
6 min readMar 29, 2020



What Is Scapy


Concept behind its working

Download and install

· By Kali Linux

· By using github cloning

How to send packet

· Simple packet crafting

. By adding source address in packet crafting

Sending and receiving packet

· Basic Function

· Packet Creation with sr1() function

· Packet Creation with sr() function

What is scapy: Scapy is a powerful interactive packet manipulation/crafting tool for computer networks. It is able to forge or decode packets of a wide number of protocols, send them, and match requests and replies.

They usually confuse decoding and interpreting. For instance they say “this port is open” instead of “I received a SYN-ACK”. Now you can not predict interpretation for the information.


· It can do tasks like scanning, trace routing, probing, attacks or network discovery and replaced these tools nmap, hping and arpscan.

· It gives us full decoded packets from the probe, before any interpretation.

· It has a flexible model that tries to avoid arbitrary limits, so you are free to put any value in any field.

· It works on “Domain Specific Language (DSL)” that enables a powerful and fast description of packet.

Working:We can craft packets by using inbuilt options and received packets can be dissected. Sniffing of packets helps us in understanding what communication is taking place in the network.

Download and install:

a. By using Kali Linux

It comes pre installed in Kali Just open the terminal and type “scapy”

b. By using github cloning

You can also use this by cloning the repository from the github.


By using “git clone we can copy the repository. Navigate to the scapy folder and then run this by using

sudo ./run_scapy

Sending Packets

· Simple Packet Crafting:We try to create a simple ICMP packet with “hi” message

Destination Address:, this is the IP address of my computer which have the Wireshark running and it will be same throughout the blog.

Source Address:, IP Address of my Kali Machine

send(IP(dst=”< IP-Address-of-Destination”)/<Protocol>/”Message”)

Command Used:

send = This can be used when you want to send a single packet.

IP = Type of packet such as IP(Internet Protocol) packet

dst = Destination IP of the machine where you want to this packet.

ICMP() = Protocol. Here we used Internet Control Message Protocol

”HI” = Payload or Message


o/p after sniffing in wireshark.

· By adding source address in packet crafting

You can also manipulate the source from where the packet is originated. Just use the src attribute to modify the source address.

send(IP(src=”< IP-Address-of-Source >”, dst=”< IP-Address-of-destination>”)/<Protocol>/”Message”)

Command Used:

src= Originating IP of the packet.

send(IP(src=”” ,dst=””)/ICMP()/”HI”)

o/p after sniffing in wireshark

Sending and receiving packets

· Basic Function: We not only send packets from scapy but also we can receive packets. They returned in two lists. The first elements in list are “packet sent, answer” and the second element in the list is “unanswered packet”.

While working on sending and receiving packets, there are 3 main functions.

a. Sr(): This function is for sending packets and receiving answers. This function returns a couple of answered and the unanswered packet.

b. Sr1(): This function only returns one packet that was answered from the packet you have sent.

These both function works at layer 3

c. Srp():Work same as above but on layer 2.

· Packet Creation with sr1() function:

h= sr1(IP(dst=”< IP-Address-of-Destination>”)/<Protocol>)

Command Used:

h= Name of the packet, we can declare anything.

Sr1 = This tells scapy that you want to send a packet and want to check whether it was answered or not(checking the status)

h= sr1(IP(dst=””)/ICMP())

Note: sr1() returns first answered packet.


It is used to check the attributes in received packet, just type name of the

Packet in my case its “h”.

Please check below image

Check output in different format

If we want same information with formatting

We can use

· Packet Creation with sr() function

To check “unanswered packets”, we use sr() function

p= sr(IP(dst=”< IP-Address-of-Destination>”)/<Protocol>(dport=<which want to check>))

Command Used:

p= Name of the packet, you can use any variable for that.

sr = This tells scapy that you want to send a packet and want to receive the answer

p= sr(IP(dst=””)/TCP(dport=23))


By sending multiple ports

p= sr(IP(dst=”< IP-Address-of-Destination>”)/<Protocol>(dport=<Multiple ports on which you want to send the packet>))

Command Used:

p= Name of the packet, we can declare anything.


Note: In multi ports, 1 packet per port.


Output with format

Each send packet has corresponding received packet.

Note: In above output we have ”S” and “SA”

“S”: S stand for SYN packet

“SA”:SA stand for SYN-ACK .

Which tells us port is open as it acknowledge our SYN packet.

Command for SYN scan:

p= sr(IP(dst=”< IP-Address-of-Router>”)/<Protocol>(sport=<sourec_port>,dport=[<Multipleportswhich want to check>],flags=”S”))

Command Used:

p= Name of the packet, we can declare anything.

Sport=Source Port

p= sr(IP(dst=””)/TCP(sport=666,dport=[53,80],flags=”S”))


2 ports means 2 packets with all source port is 666.So we above result we can Easily check what ports are open on my router.

Command for packet crafting by using inter,Randshort()

p= sr(IP(src=<Source Ip Address>,dst=”< IP-Address-of-Router>”)/<Protocol>(sport=RandShort(),dport=[<Multilpleportswhich want to check>],inter=<Can provide value>,retry=<Can provide value>,timeout=<Can provide value>))

Command Used:

RandShort() = Used to randomized the source port.

inter = By specify a time to wait between two packets.If some packets are lost or if specifying an interval is not enough, you can resend all the unanswered packets, either by calling the function again, directly with the unanswered list, or by specifying a retry parameter.

retry = If retry is 2, Scapy will try to resend unanswered packet 2 times.If retry is -2, scaly will resend unanswered packets until no more answers are given for the same set of unanswered packets 2 times in a row.

timeout =The timeout parameter specifies the time to wait after the last packet has been sent.

p= sr(IP(src=””,dst=””)/TCP(sport=RandShort(),dport=[53,22,80,44380]),inter=2.0,retry=4,timeout=2)




Gupta Bless

Security enthusiast working to secure web for others.