Linux Protects Your Servers with Scapy (part 1)
November 18, 2010
The best server and network security tools come from Linux and FOSS. Paul Ferrill introduces Scapy, a powerful Python-based networking protocol analysis and testing tool.
Guarding your private network from the perils of the Internet is no easy task. The basics are pretty much the same from a defensive standpoint no matter how you slice it. Firewalls of one type or another protect an internal network by using two separate Ethernet connections with a software proxy filtering the traffic between the two ports. Linux serves as a great platform for this role with tools like netfilter/iptables.
On the offensive side, the techniques most often used involve either a packet monitoring tool such as Wireshark or a port scanning tool like nmap. Both of these tools have a wide following and should be familiar to any network administrator. Scapy is somewhat of a hybrid between the packet capture and analysis capabilities of Wireshark and nmap's packet generation features. Both of these were covered in a recent Linux Planet article. In this two-part article we'll look first at the basics of Scapy including how to get up and running, how to capture and display specific types of Ethernet traffic and how to create a few simple scripts using Python. In part two, we'll go more in depth to look at using Scapy to test your Web server for possible vulnerabilities, how to track down a rogue DNS server, and how to scan a wireless network for potential security holes.
Installing Scapy takes just a few minutes on a desktop version of Ubuntu. All you need to do is open the Ubuntu Software Center and search for Scapy. The package is actually named python-scapy and is a collection of tools written in the Python language. You'll also need to install a few other packages if you want to take full advantage of all Scapy features. The extras list includes python-crypto, python-gnuplot, python-pyx, graphviz and imagemagick.
If you want to get the latest and greatest version of Scapy, you'll need to download the source and execute a few command line instructions to install it. The instructions are available on the Scapy wiki but basically involve downloading the scapy-latest.zip file, extracting the contents and then executing the setup.py command as follows:
$ sudo python setup.py install
There are a number of places to learn about Scapy including the online HTML documentation, the Scapy Wiki, and a variety of presentations and papers available on the main Scapy website. To take full advantage of Scapy you'll need to know TCP/IP networking and a little about the Python language. The main Python website is a good place to start. There are any number of good tutorials and books available with a simple Google search. The book Dive Into Python is available on the web and has been used by many to get started with the language.
There are any number of basic operations you can accomplish with Scapy. It will even function similarly to Wireshark in that it can capture, or sniff, all traffic on the Ethernet devices. There are a number of command line options available when you launch Scapy. You must also launch Scapy with administrator (root) privileges if you want to capture Ethernet traffic directly from a network device, since that requires opening a raw socket. This would look something like:
$ sudo scapy
Once you have Scapy running you should see a three arrow prompt as in >>>. At this point you can enter commands or use Python code. One useful single-line command from the documentation shows how to execute an ICMP Ping for a range of addresses as follows:
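An added example of the kind of ICMP sweep the documentation's one-liner performs, written as a standalone script rather than typed at the Scapy prompt. This is not code from the article or from the Scapy project. It assumes Scapy is installed (the python-scapy package above) and that it runs as root; the address range 192.168.1.1-254 is a placeholder, and expand_range, classify and ping_sweep are names chosen here. Scapy's IP() accepts the a.b.c.x-y range syntax itself; the range is expanded by hand here so the script can also report which hosts stayed silent, which sr() only returns as unanswered packets.

```python
"""ICMP ping sweep with Scapy (added example; assumes Scapy and root privileges)."""
import ipaddress
import sys


def expand_range(target):
    """Expand a Scapy-style 'a.b.c.x-y' range, a CIDR block, or a single address into a host list."""
    if "/" in target:
        return [str(h) for h in ipaddress.ip_network(target, strict=False).hosts()]
    prefix, _, last = target.rpartition(".")
    if "-" in last:
        lo, hi = (int(x) for x in last.split("-", 1))
        return [f"{prefix}.{i}" for i in range(lo, hi + 1)]
    return [target]


def classify(answered, hosts):
    """Split `hosts` into those that sent an echo-reply and those that did not.

    `answered` is the list of (sent, received) pairs that Scapy's sr() returns;
    only the reply's .src attribute is read, so stand-in objects work in a test.
    """
    alive = sorted({rcv.src for _sent, rcv in answered}, key=ipaddress.ip_address)
    seen = set(alive)
    silent = [h for h in hosts if h not in seen]
    return alive, silent


def ping_sweep(target, timeout=2):
    """Send one ICMP echo request to every host in `target` and classify the replies."""
    # Imported here so the pure helpers above can be used (and tested) without Scapy.
    from scapy.all import IP, ICMP, sr

    hosts = expand_range(target)
    # sr() sends at layer 3 and returns (answered, unanswered); verbose=0 keeps it quiet.
    answered, _unanswered = sr(IP(dst=hosts) / ICMP(), timeout=timeout, verbose=0)
    return classify(answered, hosts)


if __name__ == "__main__":
    rng = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1-254"  # placeholder range
    alive, silent = ping_sweep(rng)
    print("replied:", ", ".join(alive))
    print("no reply:", len(silent), "hosts")
```

Run it as `sudo python3 sweep.py 192.168.1.1-254`. Hosts that filter ICMP will show up as silent, so an empty "replied" list says as much about firewall policy as about which machines are up.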
The sniff command allows you to capture Ethernet packets for further analysis. You can specify a particular interface with the iface= option, or leave it blank to capture on all devices. Other options include filter for setting a filter condition (in BPF syntax, as used by tcpdump) for the captured packets, count for specifying how many packets to capture, and prn for supplying a function that is called on each packet to format your output. The ls() and lsc() functions display a list of layers and available functions. The official documentation will help you to get a full understanding of these commands and how to use them.
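An added example that puts the iface, filter, count and prn options together in one small sniffer: it prints one line per TCP or UDP packet and tallies which destination ports are being hit, which is a quick way to see what a host on your network is actually talking to. This is not code from the article or from Scapy itself. It assumes Scapy is installed and root privileges; "eth0" is a placeholder interface, and describe, extract, PortTally and capture are names chosen here.

```python
"""Small TCP/UDP sniffer on Scapy's sniff() (added example; assumes Scapy and root privileges)."""
import sys
from collections import Counter


def describe(fields):
    """Format a dict of extracted packet fields as one log-style line.

    Kept free of Scapy objects so the formatting can be checked without a capture.
    """
    f = dict(fields)
    f["flags"] = f.get("flags") or "-"
    return "{proto} {src}:{sport} -> {dst}:{dport} [{flags}] {length}B".format(**f)


def extract(pkt):
    """Pull the fields describe() needs out of a captured Scapy packet (None if not IP)."""
    from scapy.all import IP, TCP, UDP  # lazy import, see module docstring

    if not pkt.haslayer(IP):
        return None
    ip = pkt[IP]
    fields = {"src": ip.src, "dst": ip.dst, "length": len(pkt), "flags": ""}
    if pkt.haslayer(TCP):
        fields.update(proto="TCP", sport=pkt[TCP].sport, dport=pkt[TCP].dport,
                      flags=str(pkt[TCP].flags))
    elif pkt.haslayer(UDP):
        fields.update(proto="UDP", sport=pkt[UDP].sport, dport=pkt[UDP].dport)
    else:
        fields.update(proto=ip.sprintf("%IP.proto%"), sport=0, dport=0)
    return fields


class PortTally:
    """prn callback: prints each packet and keeps a running count per (proto, dport).

    `extractor` is injectable so the tally logic can be exercised with plain dicts.
    """

    def __init__(self, extractor=extract):
        self.counts = Counter()
        self._extract = extractor

    def __call__(self, pkt):
        fields = self._extract(pkt)
        if fields is None:
            return
        self.counts[(fields["proto"], fields["dport"])] += 1
        print(describe(fields))

    def top(self, n=5):
        """Most-hit (proto, dport) pairs, e.g. [(('TCP', 22), 17), ...]."""
        return self.counts.most_common(n)


def capture(iface, count=20, bpf="tcp or udp"):
    """Sniff `count` packets matching the BPF filter on `iface`; return the top ports."""
    from scapy.all import sniff

    tally = PortTally()
    # filter= takes tcpdump-style BPF; count= stops after that many packets;
    # prn= runs once per packet; store=False keeps memory flat on a busy link.
    sniff(iface=iface, filter=bpf, count=count, prn=tally, store=False)
    return tally.top()


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"  # placeholder interface
    for (proto, port), n in capture(iface):
        print(f"{proto}/{port}: {n} packets")
```

Tightening the BPF string (for example "tcp and dst port 22") narrows the capture in the kernel before Scapy ever sees the packet, which matters on a loaded interface far more than anything done in the prn callback.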