Troubleshooting
FAQ
I can't sniff/inject packets in monitor mode.
The use of monitor mode varies greatly depending on the platform; the reasons are explained on the Wireshark wiki:
Unfortunately, changing the 802.11 capture modes is very platform/network adapter/driver/libpcap dependent, and might not be possible at all (Windows is very limited here).
Here is some guidance on how to properly use monitor mode with Scapy:
- Using Libpcap (or Npcap):
libpcap must be called differently by Scapy in order for it to create the sockets in monitor mode. You will need to pass monitor=True to any calls that open a socket (send, sniff...) or to a Scapy socket that you create yourself (conf.L2Socket...)
On Windows, you additionally need to turn on monitor mode on the WiFi card, use:
# Of course, conf.iface can be replaced by any interfaces accessed through conf.ifaces
>>> conf.iface.setmonitor(True)
- Native Linux (with libpcap disabled):
You should set the interface in monitor mode on your own. The easiest way to do that is to use airmon-ng:
$ sudo airmon-ng start wlan0
You can also use:
$ iw dev wlan0 interface add mon0 type monitor
$ ifconfig mon0 up
If you want to enable monitor mode manually, have a look at https://wiki.wireshark.org/CaptureSetup/WLAN#linux
Warning
If you are using Npcap: please note that Npcap npcap-0.9983 broke the 802.11 support until npcap-1.3.0. Avoid using those versions.
We do our best to make this work: if your adapter works with Wireshark but not with Scapy, feel free to report an issue.
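My TCP connections are reset by Scapy or by my kernel.
The kernel is not aware of what Scapy is doing behind its back. If Scapy sends a SYN, the target replies with a SYN-ACK, and your kernel sees it, the kernel will reply with a RST. To prevent this, use local firewall rules (e.g. NetFilter on Linux). Scapy does not mind about local firewalls.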
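One way to apply the local firewall rule described above, as an added example that is not part of the Scapy documentation. It assumes Linux with iptables; the function names and the peer address 192.0.2.10 (a documentation address) are hypothetical. The rule is limited to one peer and port and is removed when the exchange ends, so unrelated connections keep their normal reset behaviour.

```python
import contextlib
import subprocess
from typing import Callable, List, Optional


def rst_drop_rule(dst: str, dport: int, sport: Optional[int] = None) -> List[str]:
    """Rule spec matching only RSTs the local kernel sends to one peer and port."""
    rule = ["OUTPUT", "-p", "tcp", "--tcp-flags", "RST", "RST",
            "-d", dst, "--dport", str(dport)]
    if sport is not None:
        rule += ["--sport", str(sport)]  # pin to the source port Scapy uses
    return rule + ["-j", "DROP"]


@contextlib.contextmanager
def suppress_kernel_rst(dst: str, dport: int, sport: Optional[int] = None,
                        run: Callable = subprocess.run):
    """Add the rule for the duration of a Scapy exchange, then delete it."""
    rule = rst_drop_rule(dst, dport, sport)
    run(["iptables", "-A"] + rule, check=True)  # needs root
    try:
        yield rule
    finally:
        # Always remove the rule, even if the exchange raised, so later
        # connections from this host are reset normally again.
        run(["iptables", "-D"] + rule, check=True)


# Usage (hypothetical lab peer 192.0.2.10, run as root):
#   with suppress_kernel_rst("192.0.2.10", 80, sport=40000):
#       sr1(IP(dst="192.0.2.10") / TCP(sport=40000, dport=80, flags="S"))
```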
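I can't ping 127.0.0.1 (or ::1). Scapy does not work with 127.0.0.1 (or ::1) on the loopback interface.
The loopback interface is a very special interface. Packets going through it are not really assembled and disassembled. The kernel routes the packet to its destination while it is still stored in an internal structure. What you see with tcpdump -i lo is only a fake to make you think everything is normal. The kernel is not aware of what Scapy is doing behind its back, so what you see on the loopback interface is also a fake. Except this one did not come from a local structure. Thus the kernel will never receive it.
Note
Starting from Scapy > 2.5.0, Scapy will automatically use L3RawSocket when necessary when using L3-functions (sr-like) on the loopback interface, when libpcap is not in use.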
On Linux, in order to speak to local IPv4 applications, you need to build your packets one layer higher, using a PF_INET/SOCK_RAW socket instead of a PF_PACKET/SOCK_RAW one (or its equivalent on systems other than Linux):
>>> conf.L3socket
<class __main__.L3PacketSocket at 0xb7bdf5fc>
>>> conf.L3socket = L3RawSocket
>>> sr1(IP() / ICMP())
<IP version=4L ihl=5L tos=0x0 len=28 id=40953 flags= frag=0L ttl=64 proto=ICMP chksum=0xdce5 src=127.0.0.1 dst=127.0.0.1 options='' |<ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>
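The same loopback ping done with the standard library only, as an added illustration of the PF_INET/SOCK_RAW approach (not Scapy's own code). The function names are hypothetical, and opening the socket needs root or CAP_NET_RAW. With id=0 and seq=0 the reply checksum comes out as 0xffff, matching the output above.

```python
import os
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int = 0, seq: int = 0, payload: bytes = b"") -> bytes:
    """ICMP echo message (type 8 = request, 0 = reply) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_reply(datagram: bytes):
    """Split the IPv4 datagram a raw socket returns into (src, type, id, seq)."""
    ihl = (datagram[0] & 0x0F) * 4  # IP header length in bytes
    src = socket.inet_ntoa(datagram[12:16])
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", datagram[ihl:ihl + 8])
    return src, icmp_type, ident, seq


def ping_loopback(ident: int, timeout: float = 2.0):
    """Send one echo-request to 127.0.0.1; return the parsed reply or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        # The kernel builds the IP header and routes the packet itself.
        s.sendto(build_echo(8, ident, 1), ("127.0.0.1", 0))
        try:
            while True:
                parsed = parse_reply(s.recvfrom(65535)[0])
                # On loopback the socket may also see our own request: skip it.
                if parsed[1] == 0 and parsed[2] == ident:
                    return parsed
        except socket.timeout:
            return None


if __name__ == "__main__":
    try:
        print(ping_loopback(os.getpid() & 0xFFFF))
    except PermissionError:
        print("raw sockets need root or CAP_NET_RAW")
```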
With IPv6, you can simply do:
# Layer 3
>>> sr1(IPv6() / ICMPv6EchoRequest())
<IPv6 version=6 tc=0 fl=866674 plen=8 nh=ICMPv6 hlim=64 src=::1 dst=::1 |<ICMPv6EchoReply type=Echo Reply code=0 cksum=0x7ebb id=0x0 seq=0x0 |>>
# Layer 2
>>> srp1(Ether() / IPv6() / ICMPv6EchoRequest(), iface=conf.loopback_name)
<Ether dst=00:00:00:00:00:00 src=00:00:00:00:00:00 type=IPv6 |<IPv6 version=6 tc=0 fl=866674 plen=8 nh=ICMPv6 hlim=64 src=::1 dst=::1 |<ICMPv6EchoReply type=Echo Reply code=0 cksum=0x7ebb id=0x0 seq=0x0 |>>>
Warning
- On Linux, libpcap does not support loopback IPv4 pings:
>>> conf.use_pcap = True
>>> sr1(IP() / ICMP())
Begin emission:
Finished sending 1 packets.
.....................................
You can disable libpcap using conf.use_pcap = False or bypass it on layer 3 using conf.L3socket = L3RawSocket.
On Windows, BSD, and macOS, you must deactivate/configure the local firewall prior to using the following commands:
# Layer 3
>>> sr1(IP() / ICMP())
<IP version=4L ihl=5L tos=0x0 len=28 id=40953 flags= frag=0L ttl=64 proto=ICMP chksum=0xdce5 src=127.0.0.1 dst=127.0.0.1 options='' |<ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>
>>> sr1(IPv6() / ICMPv6EchoRequest())
<IPv6 version=6 tc=0 fl=866674 plen=8 nh=ICMPv6 hlim=64 src=::1 dst=::1 |<ICMPv6EchoReply type=Echo Reply code=0 cksum=0x7ebb id=0x0 seq=0x0 |>>
# Layer 2
>>> srp1(Loopback() / IP() / ICMP(), iface=conf.loopback_name)
<Loopback type=IPv4 |<IP version=4 ihl=5 tos=0x0 len=28 id=56066 flags= frag=0 ttl=64 proto=icmp chksum=0x0 src=127.0.0.1 dst=127.0.0.1 |<ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>>
>>> srp1(Loopback() / IPv6() / ICMPv6EchoRequest(), iface=conf.loopback_name)
<Loopback type=IPv6 |<IPv6 version=6 tc=0 fl=0 plen=8 nh=ICMPv6 hlim=64 src=::1 dst=::1 |<ICMPv6EchoReply type=Echo Reply code=0 cksum=0x7ebb id=0x0 seq=0x0 |>>>
Getting 'failed to set hardware filter to promiscuous mode' error
Disable promiscuous mode:
conf.sniff_promisc = False
Scapy says there are 'Winpcap/Npcap conflicts'
On Windows, as Winpcap is becoming old, it's recommended to use Npcap instead. Npcap is part of the Nmap project.
Note
This does NOT apply to Windows XP, which isn't supported by Npcap. On XP, uninstall Npcap and keep Winpcap.
1. If you get the message 'Winpcap is installed over Npcap.' it means that you have installed both Winpcap and Npcap versions, which isn't recommended.
You may first uninstall Winpcap from your Program Files, then you will need to remove some files that are not deleted by the Winpcap uninstaller:
C:/Windows/System32/wpcap.dll
C:/Windows/System32/Packet.dll
And if you are on an x64 machine, additionally the 32-bit variants:
C:/Windows/SysWOW64/wpcap.dll
C:/Windows/SysWOW64/Packet.dll
Once that is done, you'll be able to use Npcap properly.
2. If you get the message 'The installed Windump version does not work with Npcap' it means that you have probably installed an old version of Windump, made for Winpcap.
Download the one compatible with Npcap on https://github.com/hsluoyz/WinDump/releases
In some cases, it could also mean that you had installed both Npcap and Winpcap, and that the Npcap Windump is using Winpcap. Fully delete Winpcap using the above method to solve the problem.
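BPF filters do not work. I'm on a PPP link
This is a known bug. BPF filters must be compiled with different offsets on PPP links. It may work if you use libpcap (which will be used to compile the BPF filter) instead of using native Linux support (PF_PACKET sockets).
traceroute() does not work. I'm on a PPP link
This is a known bug. See BPF filters do not work. I'm on a PPP link
To work around this, use nofilter=1: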
>>> traceroute("target", nofilter=1)
Graphs are ugly/fonts are too big/image is truncated.
Quick fix: use PNG format:
>>> x.graph(format="png")
Upgrade to the latest version of GraphViz.
Try providing different DPI options (50, 70, 75, 96, 101, 125, for instance):
>>> x.graph(options="-Gdpi=70")
If it works, you can make it permanent:
>>> conf.prog.dot = "dot -Gdpi=70"
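You can also put this line in your ~/.scapy_startup.py file.
Getting help
Common problems are answered in the FAQ.
If you need additional help, please check out:
There's also a low traffic mailing list at scapy.ml(at)secdev.org (archive, RSS, NNTP). Subscribe by sending a mail to scapy.ml-subscribe(at)secdev.org.
You are encouraged to send questions, bug reports, suggestions, ideas, cool usages of Scapy, etc.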