Python Scapy Packet Crafting — Core Concepts

Learn how Scapy lets you build, send, and analyze network packets in Python for security testing, protocol debugging, and network research.

Why this matters in production

Most networking tools operate at a high level — you tell them “connect to this server” and they handle the packet details. Scapy operates at the lowest level, letting you control every byte of a network packet. This is essential for security testing (can your firewall detect a malformed SYN packet?), protocol development (does your new protocol implementation handle edge cases?), and network forensics (what exactly was in that suspicious packet?).

Scapy is used by penetration testers, network engineers, and researchers at companies like Google, Cisco, and government security agencies.

What Scapy does

Scapy is a Python library and interactive tool that can:

  • Craft packets — Build any network packet from scratch, layer by layer.
  • Send packets — Inject them onto the network.
  • Sniff packets — Capture traffic from the wire.
  • Decode packets — Parse captured data into readable fields.
  • Manipulate packets — Modify existing packets and retransmit them.

Unlike Wireshark (which is read-only) or nmap (which scans), Scapy gives you full read-write access to network traffic.

How packets are built

Network packets are layered, like nested envelopes. Scapy mirrors this with a stacking operator (/):

from scapy.all import IP, TCP, Ether

# Build an IP packet with a TCP segment
packet = IP(dst="192.168.1.1") / TCP(dport=80, flags="S")

# Add an Ethernet frame
frame = Ether() / IP(dst="192.168.1.1") / TCP(dport=80, flags="S")

Each layer fills in its defaults automatically. IP() sets the source address to your machine’s IP, calculates the header length, and computes the checksum. You only override the fields you care about.

Key operations

  • send() — Send packets at layer 3 (IP level). The OS handles Ethernet framing.
  • sendp() — Send packets at layer 2 (Ethernet level). You control everything.
  • sr() — Send and receive — sends packets and captures responses.
  • sr1() — Send and receive one — sends a packet and waits for a single response.
  • sniff() — Capture packets from the network interface.

Practical use cases

  • Port scanning — Send SYN packets to a range of ports and check for SYN-ACK responses.
  • Traceroute — Send packets with incrementing TTL values to discover the network path.
  • ARP scanning — Discover devices on the local network.
  • Firewall testing — Craft packets with unusual flags or options to test firewall rules.
  • Protocol fuzzing — Send malformed packets to test how applications handle bad input.

Common misconception

Many people think Scapy is a “hacking tool.” While it is used in security testing, it is fundamentally a packet construction library — the networking equivalent of a hex editor. A carpenter’s hammer can break a window, but that does not make it a burglary tool. Scapy is used for legitimate network research, education, and infrastructure testing.

That said, sending crafted packets on networks you do not own or have authorization to test is illegal in most jurisdictions.

Limitations to know

  • Root/admin required — Crafting raw packets requires elevated privileges on most operating systems.
  • Performance — Scapy is Python, not C. For high-speed packet generation, tools like trafgen or DPDK are better suited. Scapy excels at flexibility, not throughput.
  • Stateless — Scapy does not maintain TCP state. You can send a SYN, but building a full TCP handshake requires manual state management.

One thing to remember: Scapy gives you byte-level control over network packets. It is not for everyday networking — it is for when you need to understand, test, or break the rules of how packets are normally built.

pythonnetworkingsecurity

See Also

  • Python Dns Resolver Understand how Python translates website names into addresses, like a phone book for the entire internet.
  • Python Dpkt Packet Parsing Understand how Python reads and decodes captured network traffic, like opening envelopes to see what is inside each message.
  • Python Ftp Sftp Transfers Understand how Python moves files between computers over a network, like a digital delivery truck with a locked or unlocked cargo door.
  • Python Impacket Security Tools Understand how Python speaks the secret languages of Windows networks, helping security teams find weaknesses before attackers do.
  • Python Netconf Yang Understand how Python configures network devices automatically, like a remote control for every router and switch in your building.

Related Topics

ab-testing How tech companies run thousands of experiments at once to improve their products — the scientific method applied to everything from button colors to recommendation algorithms. 3 levels → activation-functions Why neural networks need these tiny mathematical functions — and how ReLU's simplicity accidentally made deep learning possible. 3 levels → ai-agents-architecture How AI systems go from answering questions to actually doing things — the design patterns that turn language models into autonomous agents that browse, code, and plan. 3 levels →