Defining Actions for Packets

Learn how to define actions in response to particular types of packets sniffed from a network.

Introduction

Previously, we used Scapy’s sniff function to monitor traffic flowing over the network. With sniff, we can use BPF filters to identify packets of interest and send them to a function for further processing and analysis.

However, our current code only prints the contents of the packet. It doesn’t process the packet itself or take different actions for different types of packets.

This capability is essential if we want to build honeypots or servers using Python and Scapy. If we receive a SYN packet, we need to respond with a SYN/ACK. Alternatively, a honeypot receiving a DNS request might want to log the request or send a response pointing to another honeypot server.

Defining actions for particular packets

Scapy’s sniff function uses BPF filters to define packets of interest. However, all packets are sent to the same function for processing. If we want to monitor multiple types of traffic, then additional processing needs to be performed within the analysis function itself.

Scapy’s haslayer method is a good starting point for defining actions for particular types of packets: it reports whether a given protocol layer is present in a packet, so the analysis function can branch on it. The following code block shows an example of using haslayer to extract only packets containing an HTTP request.
