Anthropic-Cybersecurity-Skills/skills/analyzing-network-packets-with-scapy/references/api-reference.md
mukul975 757f1c8eae Add 5 new cybersecurity skills with full implementations
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
2026-03-11 00:41:59 +01:00


Scapy Network Packet Analysis API Reference

Core Scapy Functions

Reading Packets

from scapy.all import rdpcap, sniff, wrpcap

# Read a pcap/pcapng file (rdpcap loads the whole capture into memory;
# for multi-GB captures iterate with scapy's PcapReader instead)
packets = rdpcap("capture.pcap")

# Live sniff with a BPF filter (raw sockets: requires root/CAP_NET_RAW).
# count=0 would capture until interrupted; every captured packet is kept in memory
packets = sniff(filter="tcp port 80", count=100, iface="eth0")

# Write packets to pcap
wrpcap("output.pcap", packets)

Packet Layer Access

from scapy.all import IP, TCP, UDP, DNS, DNSQR, ICMP

pkt = packets[0]
pkt.haslayer(IP)        # Check if layer exists; pkt[IP] raises IndexError when it does not
pkt[IP].src             # Source IP
pkt[IP].dst             # Destination IP
pkt[TCP].sport          # Source port
pkt[TCP].dport          # Destination port
pkt[TCP].flags          # TCP flags as a FlagValue: str() gives "S", "SA", "A", "FA", "R", "PA"; int() gives the bitmask
pkt[DNS].qd.qname       # DNS query name (bytes, e.g. b"example.com."); qd is None on a malformed/empty query
pkt[ICMP].type          # ICMP type (8=echo request, 0=echo reply)

Packet Crafting

from scapy.all import IP, TCP, UDP, ICMP, DNS, DNSQR, sr1, send

# SYN probe (authorized testing only; sending raw packets requires root).
# sr1 returns the first reply or None after the timeout
syn = IP(dst="192.168.1.1") / TCP(dport=80, flags="S")
response = sr1(syn, timeout=2, verbose=0)

# ICMP ping: send() fires and forgets; use sr1() if you need the echo reply
ping = IP(dst="192.168.1.1") / ICMP()
send(ping, verbose=0)

# Custom DNS query (rd=1 asks the resolver to recurse)
dns = IP(dst="8.8.8.8") / UDP(dport=53) / DNS(rd=1, qd=DNSQR(qname="example.com"))
answer = sr1(dns, timeout=2, verbose=0)

Protocol Fields Reference

TCP Flags

Flag  Value  Meaning
S     0x02   SYN
SA    0x12   SYN-ACK
A     0x10   ACK
F     0x01   FIN
R     0x04   RST
P     0x08   PSH

ICMP Types

Type  Meaning
0     Echo Reply
3     Destination Unreachable
8     Echo Request
11    Time Exceeded
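The probe in the Packet Crafting section above only gets useful once the reply is interpreted against the TCP flag and ICMP type tables. The following is an added example, not code from the skill: it classifies a SYN-probe reply as open, closed or filtered the way a port scanner does (SYN-ACK = open, RST = closed, no reply or an ICMP unreachable = filtered), and sends a RST to tear down any half-open connection. The `ProbeReply`, `classify`, `reply_from_packet` and `syn_probe` names are this example's own, the ICMP unreachable codes treated as "filtered" follow nmap's convention, and scapy is imported lazily inside the two functions that need it so the classification logic can be exercised without scapy or root.

```python
"""Interpret SYN-probe replies (added example; not part of the skill)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# TCP flag bits, matching the flags table above
SYN, RST, ACK = 0x02, 0x04, 0x10

# ICMP type 3 (Destination Unreachable) codes a port scanner reports as "filtered"
ICMP_UNREACH_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


@dataclass
class ProbeReply:
    """Protocol-neutral summary of a reply; use None when nothing came back."""
    tcp_flags: Optional[int] = None   # set when a TCP segment came back
    icmp_type: Optional[int] = None   # set when an ICMP error came back
    icmp_code: Optional[int] = None


def classify(reply: Optional[ProbeReply]) -> str:
    """Map one SYN-probe reply to open / closed / filtered / unknown."""
    if reply is None:
        return "filtered"            # dropped by a firewall, or host down
    if reply.tcp_flags is not None:
        if reply.tcp_flags & (SYN | ACK) == (SYN | ACK):
            return "open"            # SYN-ACK (0x12): a listener answered
        if reply.tcp_flags & RST:
            return "closed"          # RST (alone or RST-ACK): nothing listening
        return "unknown"
    if reply.icmp_type == 3 and reply.icmp_code in ICMP_UNREACH_FILTERED_CODES:
        return "filtered"            # an intermediate device rejected the probe
    return "unknown"


def classify_all(replies: Dict[int, Optional[ProbeReply]]) -> Dict[int, str]:
    """Classify a port -> reply mapping into a port -> state mapping."""
    return {port: classify(reply) for port, reply in replies.items()}


def reply_from_packet(pkt) -> Optional[ProbeReply]:
    """Convert what sr1() returned (a scapy packet or None) into a ProbeReply."""
    from scapy.all import TCP, ICMP  # lazy import: only needed on the live path
    if pkt is None:
        return None
    if pkt.haslayer(TCP):
        return ProbeReply(tcp_flags=int(pkt[TCP].flags))
    if pkt.haslayer(ICMP):
        return ProbeReply(icmp_type=int(pkt[ICMP].type), icmp_code=int(pkt[ICMP].code))
    return ProbeReply()


def syn_probe(dst: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """SYN-probe each port on dst (root required; authorized testing only)."""
    from scapy.all import IP, TCP, sr1, send
    states = {}
    for port in ports:
        syn = IP(dst=dst) / TCP(dport=port, flags="S")
        ans = sr1(syn, timeout=timeout, verbose=0)
        state = classify(reply_from_packet(ans))
        if state == "open":
            # Tear down the half-open connection: RST with seq = their ack
            rst = IP(dst=dst) / TCP(sport=syn[TCP].sport, dport=port,
                                    flags="R", seq=ans[TCP].ack)
            send(rst, verbose=0)
        states[port] = state
    return states


# Constructed replies (not captured traffic) covering each branch of classify()
CONSTRUCTED_REPLIES = {
    80: ProbeReply(tcp_flags=0x12),                 # SYN-ACK
    22: ProbeReply(tcp_flags=0x14),                 # RST-ACK
    443: None,                                      # timed out
    25: ProbeReply(icmp_type=3, icmp_code=13),      # admin prohibited
}

if __name__ == "__main__":
    for port, state in sorted(classify_all(CONSTRUCTED_REPLIES).items()):
        print(f"{port}/tcp {state}")
```

`classify` is the part worth unit-testing; `syn_probe` is the only function that touches the network, and it reuses scapy's default source port from the crafted SYN so the RST matches the half-open connection it closes.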

BPF Filter Syntax

tcp port 443              # TCP traffic on port 443
host 10.0.0.1             # All traffic to/from IP
src net 192.168.0.0/24    # Source from subnet
udp and port 53           # DNS traffic
tcp[tcpflags] & tcp-syn != 0  # Any packet with SYN set (includes SYN-ACK replies)
tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn  # Pure SYN only (connection attempts)

CLI Usage

# Analyze pcap file for anomalies
python agent.py --pcap capture.pcap --output report.json

# Custom thresholds
python agent.py --pcap traffic.pcapng --syn-threshold 50 --dns-length 30

# Port scan detection sensitivity
python agent.py --pcap scan.pcap --scan-threshold 10