Scapy Quick Reference
=====================

INSTALLATION
  pip install scapy

BASIC USAGE
  from scapy.all import *

PACKET CREATION
  # IP packet
  pkt = IP(dst="10.0.0.1")

  # TCP SYN
  pkt = IP(dst="10.0.0.1")/TCP(dport=80, flags="S")

  # UDP packet
  pkt = IP(dst="10.0.0.1")/UDP(dport=53)/DNS()

  # ICMP ping
  pkt = IP(dst="10.0.0.1")/ICMP()

  # HTTP request
  pkt = IP(dst="10.0.0.1")/TCP(dport=80)/Raw(b"GET / HTTP/1.1\r\n\r\n")

SEND / RECEIVE  (raw sockets: needs root or CAP_NET_RAW on Linux)
  send(pkt)                Layer 3 send (no response)
  sr(pkt)                  Send and receive (layer 3); returns (answered, unanswered)
  sr1(pkt)                 Send and return only the first response
  sendp(pkt)               Layer 2 send
  srp(pkt)                 Layer 2 send and receive

READING PCAP
  pkts = rdpcap("capture.pcap")
  pkts.summary()
  pkts[0].show()

  # Filter packets (note: the second list is any packet with a Raw payload, not only HTTP)
  tcp_pkts = [p for p in pkts if TCP in p]
  http = [p for p in pkts if p.haslayer(Raw)]

  # Extract data
  for p in pkts:
      if Raw in p:
          print(p[Raw].load)

WRITING PCAP
  wrpcap("output.pcap", pkts)

PACKET INSPECTION
  pkt.show()               Show packet details
  pkt.summary()            One-line summary
  ls(TCP)                  List TCP fields
  pkt[TCP].sport           Access field
  pkt.haslayer(TCP)        Check layer exists
  hexdump(pkt)             Hex dump

SNIFFING  (needs capture privileges; without count= it runs until interrupted)
  pkts = sniff(count=10)
  pkts = sniff(filter="tcp port 80", count=10)
  sniff(prn=lambda p: p.summary())

COMMON CTF PATTERNS
  # Extract HTTP data from pcap
  pkts = rdpcap("capture.pcap")
  for p in pkts:
      if TCP in p and Raw in p:
          data = p[Raw].load
          if b"flag" in data or b"icoa{" in data:
              print(data)

  # DNS exfiltration: list the queried names and look for unusually long or encoded labels
  dns_pkts = [p for p in pkts if DNS in p]
  for p in dns_pkts:
      if DNSQR in p:
          print(p[DNSQR].qname)

  # Enable HTTP dissection (loads the HTTP layer; this does not reassemble TCP streams)
  from scapy.layers.http import *
  load_layer("http")
