

Secure Your Wireless Networks with Scapy Packet Manipulation: Page 2

To secure a wireless network you must first determine the state of the network and then provide a defense against intrusions. Enter Scapy, a packet-crafting tool written in Python.

Sniffing Packets and Discovering Network Access Points
Access points are critical infrastructure; they are the bridge between the wireless and wired IP networks. Wireless NICs associate with these access points and join the larger network through them. Unfortunately, access points are also points of attack for malicious hackers. The first requirement for a wireless network assessment is a simple discovery phase in which you identify possible access points.

Access points are configured to emit beacon management frames at regular intervals. These frames contain information such as the SSID, the MAC address, and a timestamp. Once the interface eth1 is in monitor mode, you can start capturing the beacon frames. You can use Scapy to access these packets as follows:

root@bluelinux:/home/shreeraj/wifi# scapy
Welcome to Scapy (
>>> conf.iface="eth1"
>>> p=sniff(count=1)
>>> p

>>> p[0]

The preceding block shows that Scapy has started and one packet on eth1 has been sniffed. Viewing the contents of the packet reveals that it is a Dot11 packet containing a beacon frame. Scapy also provides a method for getting a pictorial view. Entering the following commands at the interactive prompt activates this method:

>>> pkt=p[0]
>>> pkt.pdfdump()

Figure 1 offers a peek at the PDF document of this particular packet.


Figure 1. 802.11 Beacon Frame

This frame helps you determine critical information such as the access point's MAC address, the SSID, and WEP support. You can build an identical view for all the different Dot11 packets and frames. This view is a great help in learning the 802.11 standards.

The following is a set of commands that you can run to extract critical fields from the packet. This block provides the SSID and the access point's MAC address:

>>> pkt.addr2
>>> pkt.payload.payload.info

You can also extract the same information with sprintf(), a convenient method for printing selected fields of the packet:

>>> pkt.sprintf("%Dot11.addr2%[%Dot11Elt.info%|%Dot11Beacon.cap%]")

The following is a simple script that collects all beacon packets and extracts information from them. It uses the list "unique" to keep track of the beacons already collected, keyed on their MAC addresses, so that each access point is reported only once. This provides a filtered view of the considerable air traffic.

#!/usr/bin/env python

import sys
from scapy.all import *   # Scapy 2.x module path; older releases used "from scapy import *"

interface = sys.argv[1]
unique = []   # MAC addresses (addr2) of the access points seen so far

def sniffBeacon(p):
    # Report each access point once, keyed on its MAC address
    if p.haslayer(Dot11Beacon):
        if unique.count(p.addr2) == 0:
            unique.append(p.addr2)
            print(p.sprintf("%Dot11.addr2%[%Dot11Elt.info%|%Dot11Beacon.cap%]"))

# Hand every captured frame on the monitor-mode interface to sniffBeacon()
sniff(iface=interface, prn=sniffBeacon)

Running this script produces the following output:

root@bluelinux:/home/shreeraj/wifi# ./sniffssid.py eth1

Netsquare7 has the privacy bit turned on, which suggests that it is WEP supported. Running this script lets you discover the wireless access points in the neighborhood, along with their configuration.
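To make the fields the script relies on concrete without needing Scapy or a monitor-mode interface, the following added example (not part of the original article) parses raw 802.11 beacon frames directly: the 24-byte Dot11 header, the 12-byte fixed fields with the capability word whose privacy bit the article reads as WEP support, and the tagged SSID element. The frames are constructed in the block itself; the BSSIDs and SSIDs are made up, and the "Netsquare7" name is borrowed from the article's output only as a label.

```python
import struct

CAP_PRIVACY = 0x0010   # capability bit the article reads as "WEP supported"

def build_beacon(bssid, ssid, capability):
    """Construct a minimal beacon: 24-byte Dot11 header, 12-byte fixed fields, SSID element."""
    header = struct.pack("<HH", 0x0080, 0)           # frame control = management/beacon, duration
    header += b"\xff" * 6 + bssid + bssid            # addr1 = broadcast, addr2 = addr3 = BSSID
    header += struct.pack("<H", 0)                   # sequence control
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, beacon interval, capability info
    return header + fixed + bytes([0, len(ssid)]) + ssid   # element ID 0 = SSID

def parse_beacon(frame):
    """Return the fields the article pulls from a beacon, or None if the frame is not a beacon."""
    if len(frame) < 36:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:  # type 0 = management, subtype 8 = beacon
        return None
    bssid = ":".join("%02x" % b for b in frame[10:16])   # addr2: the access point's MAC
    _, _, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, offset = None, 36
    while offset + 2 <= len(frame):                  # walk the tagged parameters
        element_id, length = frame[offset], frame[offset + 1]
        body = frame[offset + 2:offset + 2 + length]
        if len(body) < length:                       # truncated element: stop, keep what we have
            break
        if element_id == 0:                          # SSID element
            ssid = body.decode("utf-8", "replace")
        offset += 2 + length
    return {"bssid": bssid, "ssid": ssid, "privacy": bool(capability & CAP_PRIVACY)}

def collect_unique(frames):
    """Like the script's 'unique' list: keep the first beacon per BSSID, drop repeats."""
    seen = {}
    for frame in frames:
        info = parse_beacon(frame)
        if info and info["bssid"] not in seen:
            seen[info["bssid"]] = info
    return seen

# Constructed sample capture (not real traffic): two APs, one beaconing twice, plus a probe request.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", b"Netsquare7", 0x0011),  # ESS + privacy bit set
    build_beacon(b"\x00\x11\x22\x33\x44\x55", b"Netsquare7", 0x0011),
    build_beacon(b"\x66\x77\x88\x99\xaa\xbb", b"OpenGuest", 0x0001),   # ESS only, open network
    b"\x40\x00" + b"\x00" * 22,                                        # probe request, skipped
]
for info in collect_unique(SAMPLE_FRAMES).values():
    print("%(bssid)s [%(ssid)s|privacy=%(privacy)s]" % info)
```

The output has the same shape as the script's sprintf() line, with the capability word reduced to the one bit the article interprets; a real capture fed through parse_beacon() would need the radiotap header stripped first.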
