Troubleshooting

FAQ

I can't sniff/inject packets in monitor mode.

The use of monitor mode varies greatly depending on the platform; the reasons are explained on the Wireshark wiki:

Unfortunately, changing the 802.11 capture modes is very platform/network adapter/driver/libpcap dependent, and might not be possible at all (Windows is very limited here).

Here is some guidance on how to properly use monitor mode with Scapy:

  • Using Libpcap (or Npcap):

    libpcap must be called differently by Scapy in order for it to create the sockets in monitor mode. You will need to pass monitor=True to any call that opens a socket (send, sniff...) or to any Scapy socket that you create yourself (conf.L2Socket...).

    On Windows, you additionally need to turn on monitor mode on the WiFi card, use:

    # Of course, conf.iface can be replaced by any interfaces accessed through conf.ifaces
    >>> conf.iface.setmonitor(True)
    
  • Native Linux (with libpcap disabled):

    You should set the interface in monitor mode on your own. The easiest way to do that is to use airmon-ng:

    $ sudo airmon-ng start wlan0
    

    You can also use:

    $ iw dev wlan0 interface add mon0 type monitor
    $ ifconfig mon0 up
    

    If you want to enable monitor mode manually, have a look at https://wiki.wireshark.org/CaptureSetup/WLAN#linux

Warning

If you are using Npcap: please note that Npcap npcap-0.9983 broke the 802.11 support until npcap-1.3.0. Avoid using those versions.

If your adapter works with Wireshark but not with Scapy, we will do our best to make it work; you can always report an issue.

My TCP connections are reset by Scapy or by the kernel.

The kernel is not aware of what Scapy is doing behind its back. If Scapy sends a SYN, the target replies with a SYN-ACK, and your kernel sees it, it will reply with a RST. To prevent this, use local firewall rules (e.g. Netfilter for Linux). Scapy does not mind local firewalls.

I can't ping 127.0.0.1 (or ::1). Scapy does not work with 127.0.0.1 (or ::1) on the loopback interface.

The loopback interface is a very special interface. Packets going through it are not really assembled and disassembled. The kernel routes the packet to its destination while it is still stored in an internal structure. What you see with `tcpdump -i lo` is only a fake to make you think everything is normal. The kernel is not aware of what Scapy is doing behind its back, so what you see on the loopback interface is also a fake. Except this one did not come from a local structure. Thus the kernel will never receive it.

Note

Starting from Scapy > 2.5.0, Scapy will automatically use L3RawSocket when necessary when using L3-functions (sr-like) on the loopback interface, when libpcap is not in use.

On Linux, in order to speak to local IPv4 applications, you need to build your packets one layer higher, using a PF_INET/SOCK_RAW socket instead of a PF_PACKET/SOCK_RAW one (or its equivalent on systems other than Linux):

>>> conf.L3socket
<class __main__.L3PacketSocket at 0xb7bdf5fc>
>>> conf.L3socket = L3RawSocket
>>> sr1(IP() / ICMP())
<IP  version=4L ihl=5L tos=0x0 len=28 id=40953 flags= frag=0L ttl=64 proto=ICMP chksum=0xdce5 src=127.0.0.1 dst=127.0.0.1 options='' |<ICMP  type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>
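To show what switching to L3RawSocket does under the hood, here is an added example (not Scapy's own code) that builds an ICMP echo request at layer 3, sends it through a PF_INET/SOCK_RAW socket to 127.0.0.1 and decodes the reply; since a raw ICMP socket also sees the looped-back request itself, it skips everything that is not an echo reply with our id. The checksum values match the ones in the transcript above (echo reply with id=0 seq=0 gives 0xffff); sending requires CAP_NET_RAW.

```python
import os
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 means 'verifies')."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int = 0, seq: int = 0, payload: bytes = b"") -> bytes:
    """ICMP header only: the kernel adds the IPv4 header for a PF_INET/SOCK_RAW socket."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(ip_packet: bytes) -> dict:
    """Strip the IPv4 header the kernel prepends on receive and decode the ICMP header."""
    ihl = (ip_packet[0] & 0x0F) * 4
    icmp = ip_packet[ihl:]
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(icmp) == 0}


def ping_loopback(timeout: float = 1.0) -> dict:
    """Send an echo request to 127.0.0.1 and return the first matching echo reply."""
    ident = os.getpid() & 0xFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident=ident, seq=1), ("127.0.0.1", 0))
        while True:
            data, _ = s.recvfrom(1024)
            reply = parse_icmp(data)
            # Ignore our own looped-back request (type 8) and other hosts' traffic.
            if reply["type"] == ICMP_ECHO_REPLY and reply["id"] == ident:
                return reply


if __name__ == "__main__":
    print(ping_loopback())
```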

With IPv6, you can simply do:

# Layer 3
>>> sr1(IPv6() / ICMPv6EchoRequest())
<IPv6  version=6 tc=0 fl=866674 plen=8 nh=ICMPv6 hlim=64 src=::1 dst=::1 |<ICMPv6EchoReply  type=Echo Reply code=0 cksum=0x7ebb id=0x0 seq=0x0 |>>

# Layer 2
>>> srp1(Ether() / IPv6() / ICMPv6EchoRequest(), iface=conf.loopback_name)
<Ether  dst=00:00:00:00:00:00 src=00:00:00:00:00:00 type=IPv6 |<IPv6  version=6 tc=0 fl=866674 plen=8 nh=ICMPv6 hlim=64 src=::1 dst=::1 |<ICMPv6EchoReply  type=Echo Reply code=0 cksum=0x7ebb id=0x0 seq=0x0 |>>>

Warning

On Linux, libpcap does not support loopback IPv4 pings:

>>> conf.use_pcap = True
>>> sr1(IP() / ICMP())
Begin emission:
Finished sending 1 packets.
.....................................

You can disable libpcap using conf.use_pcap = False or bypass it on layer 3 using conf.L3socket = L3RawSocket.

On Windows, BSD, and macOS, you must deactivate/configure the local firewall prior to using the following commands:

# Layer 3
>>> sr1(IP() / ICMP())
<IP  version=4L ihl=5L tos=0x0 len=28 id=40953 flags= frag=0L ttl=64 proto=ICMP chksum=0xdce5 src=127.0.0.1 dst=127.0.0.1 options='' |<ICMP  type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>
>>> sr1(IPv6() / ICMPv6EchoRequest())
<IPv6  version=6 tc=0 fl=866674 plen=8 nh=ICMPv6 hlim=64 src=::1 dst=::1 |<ICMPv6EchoReply  type=Echo Reply code=0 cksum=0x7ebb id=0x0 seq=0x0 |>>

# Layer 2
>>> srp1(Loopback() / IP() / ICMP(), iface=conf.loopback_name)
<Loopback  type=IPv4 |<IP  version=4 ihl=5 tos=0x0 len=28 id=56066 flags= frag=0 ttl=64 proto=icmp chksum=0x0 src=127.0.0.1 dst=127.0.0.1 |<ICMP  type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>>
>>> srp1(Loopback() / IPv6() / ICMPv6EchoRequest(), iface=conf.loopback_name)
<Loopback  type=IPv6 |<IPv6  version=6 tc=0 fl=0 plen=8 nh=ICMPv6 hlim=64 src=::1 dst=::1 |<ICMPv6EchoReply  type=Echo Reply code=0 cksum=0x7ebb id=0x0 seq=0x0 |>>>

Getting 'failed to set hardware filter to promiscuous mode' error

Disable promiscuous mode:

conf.sniff_promisc = False

Scapy says there are 'Winpcap/Npcap conflicts'

On Windows, as Winpcap is becoming old, it's recommended to use Npcap instead. Npcap is part of the Nmap project.

Note

This does NOT apply for Windows XP, which isn't supported by Npcap. On XP, uninstall Npcap and keep Winpcap.

1. If you get the message 'Winpcap is installed over Npcap.' it means that you have installed both Winpcap and Npcap versions, which isn't recommended.

First uninstall Winpcap from your Program Files; then you will need to remove some files that are not deleted by the Winpcap uninstaller:

C:/Windows/System32/wpcap.dll
C:/Windows/System32/Packet.dll

And if you are on an x64 machine, additionally the 32-bit variants:

C:/Windows/SysWOW64/wpcap.dll
C:/Windows/SysWOW64/Packet.dll

Once that is done, you'll be able to use Npcap properly.

2. If you get the message 'The installed Windump version does not work with Npcap' it means that you have probably installed an old version of Windump, made for Winpcap. Download the one compatible with Npcap on https://github.com/hsluoyz/WinDump/releases

In some cases, it could also mean that you had installed both Npcap and Winpcap, and that the Npcap Windump is using Winpcap. Fully delete Winpcap using the above method to solve the problem.

Graphs are ugly/fonts are too big/the image is truncated.

Quick fix: use the PNG format:

>>> x.graph(format="png")

Upgrade to the latest version of graphviz.

Try providing different DPI options (e.g. 50, 70, 75, 96, 101, 125):

>>> x.graph(options="-Gdpi=70")

If it works, you can make it permanent:

>>> conf.prog.dot = "dot -Gdpi=70"

You can also put this in your ~/.scapy_startup.py file.

Getting help

Common problems

If you need additional help, check:

There is also a low-traffic mailing list at scapy.ml(at)secdev.org (archive, RSS, NNTP). Subscribe by sending a mail to scapy.ml-subscribe(at)secdev.org.

You are encouraged to send questions, bug reports, suggestions, ideas, cool usages of Scapy, etc.