Scapy study notes (3): sending packets, SYN scan and TCP traceroute scan
When reposting, please credit @小五义: http://www.cnblogs/xiaowuyi
After installing scapy (covered in the previous two notes), start it on Linux with sudo scapy.
I. Simple packet sending
1. send() sends packets at layer 3 but does not receive replies. For example:
>>> send(IP(dst="www.baidu.com",ttl=1)/ICMP())
.
Sent 1 packets.
This amounts to pinging Baidu with ttl=1.
2. sendp() sends packets at layer 2 and likewise does not receive replies. For example:
>>> sendp(Ether()/IP(dst="www.baidu.com",ttl=1)/ICMP())
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.
>>> sendp(Ether()/IP(dst="127.0.0.1",ttl=1)/ICMP())
.
Sent 1 packets.
3. sr() sends packets at layer 3 and receives the replies. For example:
>>> p=sr(IP(dst="www.baidu.com",ttl=1)/ICMP())
Begin emission:
..Finished to send 1 packets.
.*Received 4 packets, got 1 answers, remaining 0 packets
>>> p
(, )
>>> p[0]
>>> p[0].show()
0000 IP / ICMP 27.214.222.160 > 61.135.169.105 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
Another example: sending four packets with ttl=1,2,3,4 in one call:
>>> p=sr(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
Begin emission:
Finished to send 4 packets.
.*.*.*.*Received 8 packets, got 4 answers, remaining 0 packets
>>> p
(, )
>>> p[0].show()
0000 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0001 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 222.132.4.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0002 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 119.190.5.126 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0003 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 112.253.4.197 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
4. sr1() sends packets at layer 3 and receives, but returns only the first reply. Using the same four-packet send as above:
>>> q=sr1(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
Begin emission:
Finished to send 4 packets.
.*.*.*.*Received 8 packets, got 4 answers, remaining 0 packets
>>> q
>>> q.show()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0xc0
  len= 56
  id= 4773
  flags=
  frag= 0L
  ttl= 255
  proto= icmp
  chksum= 0xb611
  src= 27.214.220.1
  dst= 27.214.222.160
  \options\
###[ ICMP ]###
  type= time-exceeded
  code= ttl-zero-during-transit
  chksum= 0xf4ff
  unused= 0
###[ IPinICMP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 28
  id= 1
  flags=
  frag= 0L
  ttl= 1
  proto= icmp
  chksum= 0xd879
  src= 27.214.222.160
  dst= 61.135.169.105
  \options\
###[ ICMPinICMP ]###
  type= echo-request
  code= 0
  chksum= 0xf7ff
  id= 0x0
  seq= 0x0
5. srloop() works at layer 3 and sends in a loop, as follows:
>>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP())
RECV1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror /ICMPerror
RECV1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror /ICMPerror
RECV1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror /ICMPerror
RECV1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror /ICMPerror
RECV1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror /ICMPerror^C
Sent 5 packets, received 5 packets. 100.0% hits.
>>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP(),inter=3,count=2)
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
Sent 2 packets, received 2 packets. 100.0% hits.
The first statement keeps pinging Baidu until it is interrupted; the second pings once every 3 seconds for two rounds in total. inter is the interval between sends and count is the number of rounds.
6. srp(), srp1() and srploop() correspond to 3, 4 and 5 above, but work at layer 2.
II. SYN scan
A SYN scan is also called a half-open scan because it never completes a full TCP connection. The method sends a SYN packet to the target port: if the target replies with SYN/ACK, the port is certainly listening; otherwise the reply is RST/ACK.
>>> sr1(IP(dst="61.135.169.105")/TCP(dport=80,flags="S"))
Begin emission:
Finished to send 1 packets.
.*Received 2 packets, got 1 answers, remaining 0 packets
>>> sr1(IP(dst="61.135.169.105")/TCP(dport=81,flags="S"))
Begin emission:
Finished to send 1 packets.
.*Received 2 packets, got 1 answers, remaining 0 packets
From the results: when scanning port 80 on Baidu (61.135.169.105), the reply carries ACK=1, i.e. flags=SA, which shows the port is listening; when scanning port 81 the reply does not carry ACK=1 in that way (flags=), which shows the port is not listening.
To scan several ports, use a statement like the following, for example for Baidu's ports 80-83:
>>> sr(IP(dst="www.baidu.com")/TCP(dport=(80,83),flags="S"))
To scan ports 21, 80 and 3389:
>>> sr(IP(dst="www.baidu.com")/TCP(dport=[21,80,3389],flags="S"))
To display the results concisely:
>>> ans,unans=_
>>> ans.summary(lambda(s,r):r.sprintf("%TCP.sport% \t %TCP.flags%"))
http    SA
81      RA
82      RA
83      RA
When I scanned 80-83 here it kept scanning without stopping; after stopping it with ctrl+C I only got two results, and I have not yet worked out why. As follows:
>>> sr(IP(dst="www.baidu.com",ttl=56)/TCP(dport=(80,83),flags="S"))
Begin emission:
Finished to send 4 packets.
.*.*.................................................................................^C
Received 85 packets, got 2 answers, remaining 2 packets
(, )
>>> ans,unans=_
>>> ans.summary()
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:http S ==> IP / TCP 61.135.169.105:http > 27.214.134.124:ftp_data SA
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:82 S ==> IP / ICMP 123.125.248.42 > 27.214.134.124 dest-unreach communication-prohibited / IPerror / TCPerror
>>> ans.summary(lambda(s,r):r.sprintf("%TCP.sport% \t %TCP.flags%"))
http    SA
??      ??
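As an added example (not code from the post), here is a pure-Python reader for the ans.summary() output shown above that reports each probed port as open, closed, filtered or no-reply, so the ICMP answer that sprintf rendered as "??" is accounted for instead of looking lost; the summary text and the port-name table are constructed for the demo.

```python
import re

# Constructed sample input: ans.summary() lines in the "sent ==> reply" layout
# scapy printed above; the ICMP line is the one %TCP.flags% rendered as "??".
SAMPLE_SUMMARY = """\
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:http S ==> IP / TCP 61.135.169.105:http > 27.214.134.124:ftp_data SA
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:81 S ==> IP / TCP 61.135.169.105:81 > 27.214.134.124:ftp_data RA
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:82 S ==> IP / ICMP 123.125.248.42 > 27.214.134.124 dest-unreach communication-prohibited / IPerror / TCPerror
"""

# scapy prints well-known ports by name; this constructed table maps them back.
KNOWN_PORTS = {"http": 80, "https": 443, "ftp_data": 20, "ftp": 21}

SENT_RE = re.compile(r"^IP ?/ TCP \S+ > (?P<dst>[\d.]+):(?P<dport>\S+) S ==> (?P<reply>.*)$")
TCP_REPLY_RE = re.compile(r"^IP ?/ TCP \S+ > \S+ (?P<flags>[A-Z]+)(?: / .*)?$")

def port_number(name):
    """Turn a port as scapy prints it ('http', '82') into an integer."""
    return int(name) if name.isdigit() else KNOWN_PORTS[name]

def classify_reply(reply):
    """State a SYN scan infers from one reply: SYN/ACK = open, RST/ACK = closed,
    ICMP unreachable = filtered (a router or firewall answered instead of the host)."""
    m = TCP_REPLY_RE.match(reply)
    if m:
        flags = set(m.group("flags"))
        if {"S", "A"} <= flags:
            return "open"
        if "R" in flags:
            return "closed"
        return "unexpected-tcp-" + m.group("flags")
    if "ICMP" in reply and "dest-unreach" in reply:
        return "filtered"
    return "unexpected"

def parse_syn_scan(summary_text, probed_ports):
    """Return {port: state}; a probed port with no summary line is 'no-reply'."""
    states = {p: "no-reply" for p in probed_ports}
    for line in summary_text.splitlines():
        m = SENT_RE.match(line.strip())
        if m:
            states[port_number(m.group("dport"))] = classify_reply(m.group("reply"))
    return states

for port, state in sorted(parse_syn_scan(SAMPLE_SUMMARY, [80, 81, 82, 83]).items()):
    print(port, state)
```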
III. TCP traceroute
traceroute traces the path from a source to a destination; with it we can see which route packets take from your computer to a host at the other end of the Internet. The path between the same source and the same destination may differ from one run to the next, but most of the time the route is the same.
>>> ans,unans=sr(IP(dst="www.baidu.com",ttl=(4,25),id=RandShort())/TCP(flags=0x2))
Begin emission:
...*.*.*.*.*.*.*.*.*.*.*Finished to send 22 packets.
.*.*.*.*.*.*.*.*.*.*....^C
Received 48 packets, got 21 answers, remaining 1 packets
>>> for snd,rcv in ans:
...     print snd.ttl,rcv.src,isinstance(rcv.payload,TCP)
...
4 112.253.4.177 False
5 219.158.98.221 False
6 124.65.194.22 False
7 124.65.58.182 False
8 123.125.248.42 False
9 61.135.169.105 True
10 61.135.169.105 True
11 61.135.169.105 True
12 61.135.169.105 True
13 61.135.169.105 True
14 61.135.169.105 True
15 61.135.169.105 True
16 61.135.169.105 True
17 61.135.169.105 True
18 61.135.169.105 True
19 61.135.169.105 True
20 61.135.169.105 True
21 61.135.169.105 True
22 61.135.169.105 True
23 61.135.169.105 True
24 61.135.169.105 True
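As an added example (not the post's code), here is a pure-Python helper that condenses the (ttl, src, isinstance(rcv.payload, TCP)) rows printed above into a traceroute-style listing and reports the hop at which the destination itself answered, after which larger TTLs only hit the destination again; the answer list is constructed from the post's rows, with hop 7 left out to show how an unanswered TTL is reported.

```python
# Constructed from the rows printed above: (sent ttl, reply source, reply was TCP).
# Hop 7 is left out on purpose to show how an unanswered TTL is reported.
SAMPLE_ANSWERS = [
    (4, "112.253.4.177", False), (5, "219.158.98.221", False),
    (6, "124.65.194.22", False), (8, "123.125.248.42", False),
    (9, "61.135.169.105", True), (10, "61.135.169.105", True),
    (11, "61.135.169.105", True), (12, "61.135.169.105", True),
]

def build_path(answers, first_ttl, last_ttl):
    """Collapse sr() answers into a traceroute-style path.

    Routers on the way answer with ICMP time-exceeded (is_tcp False); the first
    TTL whose reply carries TCP is the destination's own SYN/ACK or RST, so every
    larger TTL just reaches the destination again and is dropped from the path.
    TTLs that got no reply are shown as '*'. Returns (path, hop_of_destination).
    """
    by_ttl = {}
    for ttl, src, is_tcp in answers:
        by_ttl.setdefault(ttl, (src, is_tcp))      # keep the first reply per TTL
    path = []
    for ttl in range(first_ttl, last_ttl + 1):
        src, is_tcp = by_ttl.get(ttl, ("*", False))
        path.append((ttl, src))
        if is_tcp:
            return path, ttl
    return path, None                               # destination never answered

def format_path(path):
    """Render the path like a traceroute listing, one hop per line."""
    return "\n".join("%2d  %s" % (ttl, src) for ttl, src in path)

if __name__ == "__main__":
    path, hop = build_path(SAMPLE_ANSWERS, 4, 25)
    print(format_path(path))
    print("destination reached at ttl", hop)
```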