Master Packet Crafting with Scapy: ARP Scanning and TCP SYN Port Scanning in Python

This tutorial shows how to use Python's Scapy library to craft and send ARP requests for network discovery, perform ARP spoofing attacks, and implement TCP SYN port scanning by interpreting packet flags, providing complete code examples and practical security insights.

Liangxu Linux

ARP Scanning with Scapy

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a LAN. Because ARP is a link-layer protocol, it never crosses a router: a scan only ever discovers hosts in your own broadcast domain, and crafting the frames needs raw-socket privileges (root or CAP_NET_RAW). With Scapy you can programmatically broadcast an ARP request and collect the replies to discover live hosts; the same primitives let you forge replies, which is the basis of ARP spoofing.

from scapy.all import Ether, ARP, srp

def arp_scan(ip):
    # One broadcast "who-has" per address in ip, which may be a single host or
    # a CIDR such as "192.168.1.0/24"; srp() sends at layer 2 and pairs each
    # request with its reply. inter spaces the sends, timeout bounds the wait.
    answer, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip),
                    inter=0.1, timeout=2, verbose=False)
    mac_list = []
    for send, recv in answer:
        if recv[ARP].op == 2:  # op 2 is "is-at": an ARP reply
            mac_list.append((recv[ARP].psrc, recv[Ether].hwsrc))
    return mac_list

The function sends an Ethernet frame with a broadcast destination MAC, encapsulating an ARP request for the specified IP range. Each reply contains the target's IP and MAC, which the function returns as a list of tuples. Capturing these packets with Wireshark confirms the ARP request and reply exchange.

ARP has no authentication: a host accepts any reply it hears, whether or not it sent a request, and overwrites its cache entry accordingly. An attacker who answers a request before the legitimate host, or who simply sends unsolicited replies, binds the victim's IP address to the attacker's MAC, so frames meant for that IP are delivered to the attacker. If the spoofed address is the gateway's, every off-subnet flow from the victim passes through the attacker, a man-in-the-middle position over the whole segment.
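To see what the Scapy layers above put on the wire, and to turn the spoofing description into a check, here is an added example (not from the original article) that builds Ethernet/ARP frames byte for byte with struct, parses them back the way arp_scan() reads psrc and hwsrc, and runs a small passive detector that alerts when a reply rebinds an IP address to a different MAC. All MAC and IP addresses are constructed for the demo; the three replies in demo() stand in for frames sniffed off the LAN.

```python
"""ARP on the wire: build the frames Scapy's Ether()/ARP() layers produce, parse
replies the way arp_scan() reads them, and flag spoofed bindings."""
import ipaddress
import struct

ETH_P_ARP = 0x0806               # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2    # "who-has" / "is-at"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_FMT, ARP_FMT = "!6s6sH", "!HHBBH6s4s6s4s"   # 14-byte Ethernet II + 28-byte ARP


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, hwsrc, psrc, hwdst, pdst, eth_dst=None):
    """Ethernet frame carrying one ARP packet. Requests go to the broadcast MAC
    unless eth_dst is given; replies are unicast to hwdst."""
    if eth_dst is None:
        eth_dst = BROADCAST if op == ARP_REQUEST else hwdst
    ether = struct.pack(ETH_FMT, mac_to_bytes(eth_dst), mac_to_bytes(hwsrc), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,   # Ethernet/IPv4, 6-byte MAC, 4-byte IP
                      mac_to_bytes(hwsrc), ipaddress.IPv4Address(psrc).packed,
                      mac_to_bytes(hwdst), ipaddress.IPv4Address(pdst).packed)
    return ether + arp


def parse_arp(frame):
    """Return the ARP fields as a dict (keys named like Scapy's), or None if the
    frame is too short or is not ARP."""
    if len(frame) < 42:
        return None
    _eth_dst, eth_src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "hwsrc": bytes_to_mac(sha), "psrc": str(ipaddress.IPv4Address(spa)),
            "hwdst": bytes_to_mac(tha), "pdst": str(ipaddress.IPv4Address(tpa)),
            "eth_src": bytes_to_mac(eth_src)}


def scan_requests(cidr, my_mac, my_ip):
    """One broadcast who-has per host address: what srp(Ether()/ARP(pdst=cidr)) sends."""
    return [build_arp(ARP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", str(host))
            for host in ipaddress.IPv4Network(cidr).hosts()]


def discover(frames):
    """Mirror arp_scan(): keep (psrc, hwsrc) from every is-at reply."""
    found = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt and pkt["op"] == ARP_REPLY:
            found.append((pkt["psrc"], pkt["hwsrc"]))
    return found


class ArpWatcher:
    """Passive spoof detector: remember the first MAC seen for each IP in a
    reply and alert when a later reply binds that IP to a different MAC."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return
        known = self.table.setdefault(pkt["psrc"], pkt["hwsrc"])
        if known != pkt["hwsrc"]:
            self.alerts.append(f"{pkt['psrc']} moved from {known} to {pkt['hwsrc']}")


def demo():
    """Constructed traffic (hypothetical addresses): the scanner at 192.168.1.100
    hears the real gateway answer, a second host, then an attacker claiming the
    gateway's IP with its own MAC."""
    scanner_mac, scanner_ip = "02:00:00:00:00:01", "192.168.1.100"
    gateway_mac, attacker_mac = "52:54:00:12:34:56", "de:ad:be:ef:00:01"
    heard = [
        build_arp(ARP_REPLY, gateway_mac, "192.168.1.1", scanner_mac, scanner_ip),
        build_arp(ARP_REPLY, "52:54:00:aa:bb:cc", "192.168.1.20", scanner_mac, scanner_ip),
        build_arp(ARP_REPLY, attacker_mac, "192.168.1.1", scanner_mac, scanner_ip),  # spoof
    ]
    watcher = ArpWatcher()
    for frame in heard:
        watcher.observe(frame)
    return discover(heard), watcher.alerts


if __name__ == "__main__":
    hosts, alerts = demo()
    print("hosts:", hosts)
    print("alerts:", alerts)
```

discover() deliberately keeps both bindings for 192.168.1.1, exactly as arp_scan() would return two tuples for the same IP; the ArpWatcher is what turns that duplicate into an alert. A real detector would feed it from sniff(filter="arp") and should also seed the table with known-good bindings (the gateway's MAC above all) rather than trusting whichever reply arrives first.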

TCP SYN Port Scanning with Scapy

TCP SYN scanning (a "half-open" scan) sends a single SYN to a target port and reads the flags of whatever comes back. SYN+ACK (flags value 0x12, decimal 18; Scapy prints it as "SA") means the port is open; RST+ACK (0x14, decimal 20, "RA") means it is closed. No reply at all, or an ICMP unreachable message, means a firewall is filtering the port. Because Scapy injects the SYN beneath the kernel's TCP stack, the kernel has no matching socket and answers any SYN+ACK with a RST, so no connection is ever completed on the target.

from scapy.all import IP, TCP, sr, fuzz

def port_scan(port, target="192.168.1.1"):
    # fuzz() randomises every TCP field left at its default (source port and
    # sequence number, but also the reserved bits and options); only dport and
    # flags="S" are fixed. The timeout stops sr() waiting forever on a filtered
    # port that never answers.
    answer, unanswered = sr(IP(dst=target) / fuzz(TCP(dport=int(port), flags="S")),
                            timeout=2, verbose=False)
    for snd, rcv in answer:
        if not rcv.haslayer(TCP):        # e.g. ICMP unreachable from a firewall
            print(f"port {port} is Filtered")
        elif rcv[TCP].flags == 18:       # SYN+ACK (0x12)
            print(f"port {port} is Open")
        elif rcv[TCP].flags == 20:       # RST+ACK (0x14)
            print(f"port {port} is Closed")
    if unanswered:                       # no reply within the timeout
        print(f"port {port} is Filtered")

Calling the function in a loop over a port list gives a simple batch scan of one host. Packet captures show the outgoing SYN and the server's SYN+ACK or RST+ACK, confirming the classification. Two caveats: a port that never answers is neither open nor closed but filtered, which is why sr() needs a timeout and why the unanswered list matters; and fuzz() randomises more than you want, since randomised reserved bits and options are rejected or dropped by some stacks and middleboxes. For a dependable scanner, set sport=RandShort() and a sequence number explicitly instead of fuzzing the whole header.
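The flag values 18 and 20 above are just bits in the TCP header. The following added example (not from the original article) builds the same SYN probe IP()/TCP(flags="S") would emit, with the checksum computed over the IPv4 pseudo-header, decodes reply flags into Scapy-style letters, and classifies a port as open, closed or filtered, including the no-reply case the original port_scan() does not handle. The addresses, ports and the three replies in demo() are constructed for the demo.

```python
"""TCP SYN scanning at the byte level: build a checksummed SYN segment like
IP()/TCP(flags="S") does, decode the reply's flag bits, and classify the port."""
import ipaddress
import struct

# Flag bits of the 8-bit flags byte, named as Scapy prints them (e.g. "SA").
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}
SYN, ACK, RST = TCP_FLAGS["S"], TCP_FLAGS["A"], TCP_FLAGS["R"]
TCP_FMT = "!HHIIBBHHH"   # 20-byte header without options
PROTO_TCP = 6


def flag_names(value):
    """18 -> 'SA', 20 -> 'RA'."""
    return "".join(name for name, bit in TCP_FLAGS.items() if value & bit)


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, proto, length."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, PROTO_TCP, tcp_len))


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=8192):
    """Options-free TCP header with a correct checksum. flags is a string of the
    letters in TCP_FLAGS: "S" for the probe, "SA" / "RA" for the replies."""
    bits = 0
    for letter in flags:
        bits |= TCP_FLAGS[letter]
    header = struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(header)) + header)) & 0xFFFF
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp(src_ip, dst_ip, segment):
    """With the checksum field included, a correct segment sums to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def parse_tcp(segment):
    sport, dport, seq, ack, offset, flags, window, csum, _urg = struct.unpack(TCP_FMT, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "dataofs": offset >> 4, "flags": flags, "window": window, "chksum": csum}


def classify(reply):
    """The decision port_scan() makes, plus the case it leaves out: no TCP reply
    (a timeout, or an ICMP unreachable, both passed here as None) is filtered."""
    if reply is None:
        return "filtered"
    flags = parse_tcp(reply)["flags"]
    if flags & RST:                         # RST (usually RST+ACK, 0x14)
        return "closed"
    if flags & (SYN | ACK) == SYN | ACK:    # SYN+ACK (0x12), extra bits tolerated
        return "open"
    return f"unexpected ({flag_names(flags)})"


def demo():
    """Constructed exchange between a scanner at 192.168.1.100 and a target at
    192.168.1.1 (hypothetical addresses): one probe, and the replies an open,
    a closed and a filtered port would produce."""
    src, dst, sport = "192.168.1.100", "192.168.1.1", 40000
    probe = build_tcp(src, dst, sport, 80, "S", seq=1000)
    syn_ack = build_tcp(dst, src, 80, sport, "SA", seq=5000, ack=1001)   # open: acks seq+1
    rst_ack = build_tcp(dst, src, 22, sport, "RA", seq=0, ack=1001)      # closed
    return {80: classify(syn_ack), 22: classify(rst_ack), 443: classify(None),
            "probe_ok": verify_tcp(src, dst, probe) and flag_names(parse_tcp(probe)["flags"]) == "S"}


if __name__ == "__main__":
    print(demo())
```

classify() tests RST before SYN+ACK and tolerates extra bits such as ECE on the SYN+ACK, which the exact `== 18` comparison in port_scan() would silently skip. Parsing an ICMP port-unreachable reply needs the IP layer as well; it is folded into the None case here.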

Scapy’s packet‑crafting capabilities extend far beyond ARP and TCP; you can also create ICMP, DHCP, DNS, and custom IP packets, making it a powerful tool for learning network protocols and building security utilities.

As a final thought, consider how you might construct custom IP packets to implement a traceroute utility, challenging you to apply the same principles demonstrated here.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: information security, network programming, port scanning, ARP, Scapy
Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
