1

I have a problem with a very basic usage of Scapy on Windows 7 (Python 3.6, Scapy 2.4.0). I'm also running Npcap 0.99r7 and Wireshark 2.6.2 on this sytem. The system does only have one wireless network interface plus the Npcap loopback interface.

I set up this very classic TCP server... :

import socket

host = '127.0.0.1'
port = 8089
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
connection, address = s.accept()
while 1:
    try :
        data = connection.recv(1024)
    except ConnectionAbortedError:
        break
    if data:
        print('Received: %s' % (data.decode ('utf-8')))
    connection.sendall('Data received'.encode())
connection.close()
s.close()

...and I set up this very classic TCP client:

import socket

host = '127.0.0.1'
port = 8089
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send('Hello, world!'.encode())
data = s.recv(1024)
print('Received: %s' % (data.decode('utf-8')))
s.close()

Both works fine. Wireshark does report the whole TCP traffic on the loopback interface.

Now, I'm running the server, and I try to run that piece of code that would just send a SYN to the server with Scapy :

from scapy.layers.inet import IP
from scapy.layers.inet import TCP
from scapy.sendrecv import *

dstHost='127.0.0.1'
dstPort = 8089
packet = IP(src='127.0.0.1', dst=dstHost)/TCP(dport=dstPort, flags='S')
response=sr1(packet, timeout=10)
response.display()

Python reports :

Begin emission:
..Finished sending 1 packets.
......Traceback (most recent call last):

  File "R:/Documents/Projets/python/hacking/scan.py", line 46, in <module>
    response.display()
AttributeError: 'NoneType' object has no attribute 'display'
Received 8 packets, got 0 answers, remaining 1 packets

Moreover, Wireshark does not see anything on the loopback interface. May somebody give an hint ?

Update 1

As suggested, I tried a more explicit code using sendp() and not send(), since we are talking layer 2 here:

route_add_loopback()
packet = Loopback()/IP(src='127.0.0.1', dst='127.0.0.1')/TCP(dport=8089, flags='S')
sendp(packet,iface='Npcap Loopback Adapter')

Unfortunately, Wireshark does not sniff the packet on either interfaces (the 'Intel(R) Centrino(R) Advanced-N 6235' and the 'Npcap Loopback Adapter').

Note that the call to route_add_loopback() is required, or show_interfaces() won't report the 'Npcap Loopback Adapter', which means that sendp() will fail. It is possible to restore the Scapy routing table by calling conf.route.resync () after route_add_loopback(), but the result is the same : Wireshark does not sniff the packet on either interface.

Should somebody find some Python piece of code running on Windows 7 that succesfully sends a simple TCP packet on the 'Npcap Loopback Adapter', he would be welcome...

Matt Davis
  • 45,297
  • 16
  • 93
  • 124
StashOfCode
  • 83
  • 1
  • 6

1 Answers1

1

The loopback interface is not a "regular" interface; this is particularly true for Windows.

You can check the route used by Scapy to send the packet by running: packet.route().

If the route displayed does not use the loopback interface, you can try to run (that's windows specific) route_add_loopback() and try again.

Another option would be to use srp1() instead of sr1(), and specify the loopback interface as iface= parameter.

Pierre
  • 6,047
  • 1
  • 30
  • 49
  • Thanks. I tried, but If I call route_add_loopback() before I create the packet, the Scapy routing table now contains an entry for 127.0.0.0 (the iface is the Npcap Loopback), but the gateway is 0.0.0.0 and not 127.0.0.1. The packet route is now (, '127.0.0.1', '0.0.0.0'), so the packet is not sent to the loopback but to the Intel iface. Any idea why the gateway for 127.0.0.0 is 0.0.0.0 and not 127.0.0.1 ? – StashOfCode Jul 29 '18 at 18:53
  • I have updated my answer with another option you can try. – Pierre Jul 30 '18 at 12:35
  • Good idea, but I tried to call srp1() instead of sr1() with the iface='Npcap Loopback Interface' argument, since this is the name of the interface that appears in the ifaces list once I have called route_add_loopback(). This gets worst: Wireshark does not sniff the packet on any of the interfaces... – StashOfCode Jul 31 '18 at 08:56
  • I must add that since srp1() is layer 2, I just added the Ether() header to the packet. Wireshark now sniffes it, but on the wiresless interface, not the loopback one. – StashOfCode Jul 31 '18 at 09:42
  • Try using a `Loopback()/IP...` frame rather than Ether – Cukic0d Jul 31 '18 at 11:32
  • @Cukic0d. Tried it (code added to my post as #Update 1). Unfortunately, this does not get better: Wireshark does not sniff the packet on any interface. – StashOfCode Jul 31 '18 at 22:24