Anthropic-Cybersecurity-Skills/skills/analyzing-network-packets-with-scapy/references/api-reference.md
mukul975 757f1c8eae Add 5 new cybersecurity skills with full implementations
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
2026-03-11 00:41:59 +01:00

# Scapy Network Packet Analysis API Reference
## Core Scapy Functions
### Reading Packets
```python
from scapy.all import rdpcap, sniff, wrpcap
# Read pcap file
packets = rdpcap("capture.pcap")
# Live sniff with BPF filter (requires root)
packets = sniff(filter="tcp port 80", count=100, iface="eth0")
# Write packets to pcap
wrpcap("output.pcap", packets)
```
### Packet Layer Access
```python
from scapy.all import IP, TCP, UDP, DNS, DNSQR, ICMP
pkt = packets[0]
pkt.haslayer(IP) # Check if layer exists
pkt[IP].src # Source IP
pkt[IP].dst # Destination IP
pkt[TCP].sport # Source port
pkt[TCP].dport # Destination port
pkt[TCP].flags # TCP flags: S, SA, A, FA, R, PA
pkt[DNS].qd.qname # DNS query name
pkt[ICMP].type # ICMP type (8=echo request, 0=echo reply)
```
### Packet Crafting
```python
from scapy.all import IP, TCP, UDP, ICMP, DNS, DNSQR, sr1, send
# Sending crafted packets requires root, like live sniffing
# SYN probe (authorized testing only)
syn = IP(dst="192.168.1.1") / TCP(dport=80, flags="S")
response = sr1(syn, timeout=2, verbose=0)  # first reply or None on timeout
# ICMP ping
ping = IP(dst="192.168.1.1") / ICMP()
send(ping, verbose=0)
# Custom DNS query
dns = IP(dst="8.8.8.8") / UDP(dport=53) / DNS(rd=1, qd=DNSQR(qname="example.com"))
answer = sr1(dns, timeout=2, verbose=0)
```
## Protocol Fields Reference
### TCP Flags
| Flag | Value | Meaning |
|------|-------|---------|
| S | 0x02 | SYN |
| SA | 0x12 | SYN-ACK |
| A | 0x10 | ACK |
| F | 0x01 | FIN |
| R | 0x04 | RST |
| P | 0x08 | PSH |
### ICMP Types
| Type | Meaning |
|------|---------|
| 0 | Echo Reply |
| 3 | Destination Unreachable |
| 8 | Echo Request |
| 11 | Time Exceeded |
## BPF Filter Syntax
```
tcp port 443 # TCP traffic on port 443
host 10.0.0.1 # All traffic to/from IP
src net 192.168.0.0/24 # Source from subnet
udp and port 53 # DNS traffic
tcp[tcpflags] & tcp-syn != 0 # SYN packets only
```
## CLI Usage
```bash
# Analyze pcap file for anomalies
python agent.py --pcap capture.pcap --output report.json
# Custom thresholds
python agent.py --pcap traffic.pcapng --syn-threshold 50 --dns-length 30
# Port scan detection sensitivity
python agent.py --pcap scan.pcap --scan-threshold 10
```