Scapy does not transmit / inject wifi packets - sniffing works

[marc-y-marc]

Brief description

The issue is that Scapy does not send any packets. No errors appear. I've tried 2 examples (beacons + answering machine) and both do not seem to work. Receiving in scapy works.

My adapter does support monitor mode & injection. If i run aireplay-ng and i perform a death attack or any other option, i can see the broadcasted packets using my second adapter as sniffer.

Environment

• Scapy version: 2.4.3rc1 (also tried others)
• Python version: 3.5
• Operating System: Raspbian, 4.19.46-v7+
• Wifi dongle / driver: https://github.com/aircrack-ng/rtl8812au

How to reproduce

• Install clean raspbian on RPI3B+
• Install driver (see above)
• Put adapters in montitor mode using iwconfig / ifconfig
• Install python3 via apt-get
• Install pip3 via apt-get,
• update pip using sudo python3 -m pip install --upgrade pip
• install scapy[basic] using sudo python3 -m pip install --pre scapy[basic]

Example 1: Beacons

`
#!/usr/bin/python3

from scapy.all import *

netSSID = 'testSSID'    #Network name here
iface = 'wlan1'         #Interface name here

conf.use_pcap = True

dot11 = Dot11FCS(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
addr2='22:22:22:22:22:22', addr3='33:33:33:33:33:33')
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID))
rsn = Dot11Elt(ID='RSNinfo', info=(
'\x01\x00'                 #RSN Version 1
'\x00\x0f\xac\x02'         #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00'                 #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04'         #AES Cipher
'\x00\x0f\xac\x02'         #TKIP Cipher
'\x01\x00'                 #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02'         #Pre-Shared Key
'\x00\x00'))               #RSN Capabilities (no extra capabilities)

frame = RadioTap()/dot11/beacon/essid/rsn

frame.show()
print("\nHexdump of frame:")
hexdump(frame)

input("\nPress enter to start\n")

sendp(frame, iface=iface, inter=0.100, loop=1, monitor=True)
`

I tried to play with the conf.use_pcap=True and the sendp(monitor=True). However they don't seem to have any influence.

Actual result

###[ RadioTap dummy ]###
version = 0
pad = 0
len = None
present = Flags
Flags = FCS
notdecoded= ''
###[ 802.11-FCS ]###
subtype = 8
type = Management
proto = 0
FCfield =
ID = 0
addr1 = ff:ff:ff:ff:ff:ff
addr2 = 22:22:22:22:22:22
addr3 = 33:33:33:33:33:33
SC = 0
fcs = None
###[ 802.11 Beacon ]###
timestamp = 0
beacon_interval= 100
cap = ESS+privacy
###[ 802.11 Information Element ]###
ID = SSID
len = 8
info = 'testSSID'
###[ 802.11 Information Element ]###
ID = RSNinfo
len = None
info = '\x01\x00\x00\x0f\xc2\xac\x02\x02\x00\x00\x0f\xc2\xac\x04\x00\x0f\xc2\xac\x02\x01\x00\x00\x0f\xc2\xac\x02\x00\x00'

Hexdump of frame:
0000 00 00 09 00 02 00 00 00 10 80 00 00 00 FF FF FF ................
0010 FF FF FF 22 22 22 22 22 22 33 33 33 33 33 33 00 ...""""""333333.
0020 00 00 00 00 00 00 00 00 00 64 00 11 00 00 08 74 .........d.....t
0030 65 73 74 53 53 49 44 30 1C 01 00 00 0F C2 AC 02 estSSID0........
0040 02 00 00 0F C2 AC 04 00 0F C2 AC 02 01 00 00 0F ................
0050 C2 AC 02 00 00 64 0C 04 AC .....d...

Expected result

Expected that the packetis sent using wlan1 - so it can be sniffed with wlan2 operating both on the same channel. However they are not broadcasted. No error occurs when i pressed enter to start the transmit.

[gpotter2]

Thanks for the very complete report !

I see that you figured out the conf.use_pcap yourself. If libpcap can't send packets, we probably won't be able to support it :/

I don't know how the aircrack driver works, for instance if special calls should be used. Maybe you could ask there.

Maybe retry against master ? It has dropped the need to have pcapy, pypcap... install, but I don't except it to fix anything :/

[guedou]

This RPI as embedded Wi-Fi. Did you select the correct interface while trying to inject packets? What is the output of conf.iface and conf.routes ?

[marc-y-marc]

Thanks for both replies!
@gpotter2 : is there a way to test what's wrong with libpcap? And is there a specific version of libpcap i need? Sometimes the raspbian repo can be very outdated. Currently on libpcap0.8-dev. E.g. is it possible to send a raw packet without scapy so i can test that part of the chain?
I'll try against the master and let you know if it changes anything.

edit: see below -> i tried to add it to my Python evt using Pip. It get's a newer version but results remain.

@guedou : yes - i selected the correct one. wlan0 is the onboard, wlan1 and wlan2 are my external which are in monitor mode.

conf.iface = wlan1 (i changed my code a bit after your comment so i dont use iface=wlan1 but conf.iface=wlan1 from now on)

Below the full config:

ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi object at 0x7582e970>
BTsocket = <BluetoothRFCommSocket: read/write packets on a connected L2CAP...
L2listen = <L2ListenSocket: read packets at layer 2 using Linux PF_PACKET ...
L2socket = <L2Socket: read/write packets at layer 2 using Linux PF_PACKET ...
L3socket = <L3PacketSocket: read/write packets at layer 3 using Linux PF_P...
L3socket6 = functools.partial(<L3PacketSocket: read/write packets at layer ...
USBsocket = None
auto_crop_tables = True
auto_fragment = 1
cache_iflist = {}
checkIPID = 0
checkIPaddr = 1
checkIPinIP = True
checkIPsrc = 1
check_TCPerror_seqack = 0
color_theme =
commands = IPID_count : Identify IP id values classes in a list of packets...
contribs = {}
crypto_valid = True
crypto_valid_advanced = True
crypto_valid_recent = True
debug_dissector = 0
debug_match = 0
debug_tls = 0
default_l2 = <class 'scapy.packet.Raw'>
dot15d4_protocol = None
emph = <Emphasize []>
ethertypes = </etc/ethertypes - 3 elements>
except_filter = ''
extensions_paths = '.'
fancy_prompt = True
geoip_city = None
histfile = '/root/.scapy_history'
iface = 'wlan1'
iface6 = 'lo'
interactive = False
interactive_shell = ''
ipv6_enabled = True
l2types = 0x0 -> Loopback (Loopback) 0x1 <- Dot3 (802.3) 0x1 <-> Ether (E...
l3types = 0x3 -> IP (IP) 0x800 <-> IP (IP) 0x806 <-> ARP (ARP) 0x86dd <->...
layers = Packet : <member 'name' of 'Packet' objects> NoPayload : <membe...
load_layers = ['bluetooth', 'bluetooth4LE', 'dhcp', 'dhcp6', 'dns', 'dot11',...
logLevel = 30
manufdb = </usr/share/wireshark/manuf - 36220 elements>
mib = <MIB - 343 elements>
min_pkt_size = 60
neighbor = Ether -> IPv6 Dot3 -> SNAP Ether -> ARP Ether -> IP Dot3 -> IP ...
netcache = arp_cache: 0 valid items. Timeout=120s in6_neighbor: 0 valid it...
noenum = <Resolve []>
padding = 1
padding_layer = <class 'scapy.packet.Padding'>
prog = display = 'display' dot = 'dot' hexedit = 'hexer' ifconfig = 'i...
promisc = 1
prompt = '>>> '
protocols = </etc/protocols - 56 elements>
raw_layer = <class 'scapy.packet.Raw'>
raw_summary = False
recv_poll_rate = 0.05
resolve = <Resolve []>
route = Network Netmask Gateway Iface Output IP Metric 0.0.0.0 0.0.0.0 ...
route6 = Destination Next Hop Iface Src candidates Metric fe80::/64 :: w...
services_tcp = </etc/services-tcp - 316 elements>
services_udp = </etc/services-udp - 217 elements>
session = ''
sniff_promisc = 1
stats_classic_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.la...
stats_dot11_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.laye...
stealth = 'not implemented'
temp_files = []
teredoPrefix = '2001::'
teredoServerPort = 3544
use_bpf = False
use_dnet = False
use_npcap = False
use_pcap = False
use_pypy = False
use_winpcapy = False
verb = 2
version = '2.4.3rc1'
warning_threshold = 5
wepkey = ''

[marc-y-marc]

Now looking at it... the strange thing is that use_pcap is set to False while in my code i explicitly set it to True.

[marc-y-marc]

I tried adding libpcap to my Python environment, so not using apt-get but:
sudo python3 -m pip install libpcap

No difference, the use_pcap value remains False.

I do think we are on to something here.

edit: if i set use_pypy = True this actually works. So the real issue is that i can't set use_pcap to True

[gpotter2]

@marc-y-marc conf.use_pcap remains True only if it actually worked.
Have you turned off the warnings ? It will display one when it fails.
If you hop in into a scapy shell, and try it, what do you get ?

If the issue is something like "pcapy not installed", please retry against master

[marc-y-marc]

I did not turn of warnings, so its weird that it did not show me any. Anyway, i hopped into the scapy shell using sudo pyhton3 -m scapy.

i got:

>>> conf.use_pcap = True
ERROR: Unable to import any of the pcap modules: No module named 'pcapy'/No module named 'pcap'
WARNING: No pcap provider available ! pcap won't be used

So now i managed to resolve that issue in 2 ways:

• I installed pcapy using sudo pyhton3 pip install pcapy. Now the value is changing.. however.. still no result in transmitting.
• I downloaded / installed the master branch (using pip again).

Now i can change the conf.use_pcap without errors :-)

The problem however that i cannot transmit packets is still there. See next post.

[marc-y-marc]

When i added the 'monitor=True' to sendp() it gives me the following:

Master branch:

Traceback (most recent call last):
  File "./wifi-beacons.py", line 38, in <module>
    sendp(frame, monitor=True, iface=conf.iface, inter=0.100, loop=1)
  File "/usr/local/lib/python3.5/dist-packages/scapy/sendrecv.py", line 342, in sendp
    socket = socket or conf.L2socket(iface=iface, *args, **kargs)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 314, in __init__
    monitor=monitor)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 261, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_winpcap(*args, **kargs)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 207, in __init__
    raise OSError("Could not activate the pcap handler")
OSError: Could not activate the pcap handler

Back to 2.4.3rc1 sort of the same:

  File "./wifi-beacons.py", line 37, in <module>
    sendp(frame, iface=conf.iface, monitor=True, inter=0.100, loop=1)
  File "/usr/local/lib/python3.5/dist-packages/scapy/sendrecv.py", line 334, in sendp
    socket = socket or conf.L2socket(iface=iface, *args, **kargs)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 472, in __init__
    self.ins = open_pcap(iface, MTU, self.promisc, 100, monitor=monitor)  # noqa: E501
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 417, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_pcapy(*args, **kargs)  # noqa: E501
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 375, in __init__
    raise OSError("Could not activate the pcap handler")   # noqa: E501
OSError: Could not activate the pcap handler

[marc-y-marc]

I also see the sockets have changed in my config object, so that part seems to function now.

ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi object at 0x741484f0>
BTsocket   = <BluetoothRFCommSocket: read/write packets on a connected L2CAP...
L2listen   = <L2pcapListenSocket: read packets at layer 2 using libpcap>
L2socket   = <L2pcapSocket: read/write packets at layer 2 using only libpcap>
L3socket   = <L3pcapSocket: read/write packets at layer 3 using only libpcap>
L3socket6  = functools.partial(<L3pcapSocket: read/write packets at layer 3 ...
USBsocket  = None

[marc-y-marc]

OK - I just tried to use a diffrent library (pypcap) - so i uninstalled pcapy - and i got an error from this library that gave some more detail then the pcapy library.

Error using pypcap

Traceback (most recent call last):
  File "./wifi-beacons.py", line 37, in <module>
    sendp(frame, iface=conf.iface, monitor=True, inter=0.100, loop=1)
  File "/usr/local/lib/python3.5/dist-packages/scapy/sendrecv.py", line 334, in sendp
    socket = socket or conf.L2socket(iface=iface, *args, **kargs)
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 472, in __init__
    self.ins = open_pcap(iface, MTU, self.promisc, 100, monitor=monitor)  # noqa: E501
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 323, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_pypcap(*args, **kargs)  # noqa: E501
  File "/usr/local/lib/python3.5/dist-packages/scapy/arch/pcapdnet.py", line 290, in __init__
    self.pcap = pcap.pcap(device, snaplen, promisc, immediate=1, timeout_ms=to_ms, rfmon=monitor)  # noqa: E501
  File "pcap.pyx", line 231, in pcap.pcap.__init__
OSError: Activateing packet capture failed. Error returned by packet capture library was b'wlan0: SIOCGIWPRIV: Argument list too long'

[mattmart3]

Same issue here. I am using an AWUS036ACH adapter with the same chipset and driver reported by @marc-y-marc . The injection test with aireplay-ng works but on USB2.0 only. Injection also works with the mdk3 tool (tested in beacon flood mode). With scapy I have no error reported by the script which starts fine but I see no beacon frames captured from another adapter.

Environment

• Scapy version: 2.4.2
• Python version: 3.7.3
• Operating System: Arch Linux
• Wifi dongle / driver: https://github.com/aircrack-ng/rtl8812au
• Kernel: 5.1.7-arch1-1-ARCH

I have tested the same example script used by @marc-y-marc

Here's the output:

###[ RadioTap dummy ]### 
  version   = 0
  pad       = 0
  len       = None
  present   = None
  notdecoded= ''
###[ 802.11-FCS ]### 
     subtype   = 8
     type      = Management
     proto     = 0
     FCfield   = 
     ID        = 0
     addr1     = ff:ff:ff:ff:ff:ff
     addr2     = 22:22:22:22:22:22
     addr3     = 33:33:33:33:33:33
     SC        = 0
     fcs       = None
###[ 802.11 Beacon ]### 
        timestamp = 0
        beacon_interval= 100
        cap       = ESS+privacy
###[ 802.11 Information Element ]### 
           ID        = SSID
           len       = 8
           info      = 'testSSID'
###[ 802.11 Information Element ]### 
              ID        = RSNinfo
              len       = None
              info      = '\x01\x00\x00\x0f\xc2\xac\x02\x02\x00\x00\x0f\xc2\xac\x04\x00\x0f\xc2\xac\x02\x01\x00\x00\x0f\xc2\xac\x02\x00\x00'


Hexdump of frame:
0000  00 00 08 00 00 00 00 00 80 00 00 00 FF FF FF FF  ................
0010  FF FF 22 22 22 22 22 22 33 33 33 33 33 33 00 00  ..""""""333333..
0020  00 00 00 00 00 00 00 00 64 00 11 00 00 08 74 65  ........d.....te
0030  73 74 53 53 49 44 30 1C 01 00 00 0F C2 AC 02 02  stSSID0.........
0040  00 00 0F C2 AC 04 00 0F C2 AC 02 01 00 00 0F C2  ................
0050  AC 02 00 00 F0 48 B8 7C                          .....H.|
Press enter to start

..............................................................................^C

Here's the config:

ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi object at 0x7f429d2ad828>
BTsocket   = <BluetoothRFCommSocket: read/write packets on a connected L2CAP...
L2listen   = <L2ListenSocket: read packets at layer 2 using Linux PF_PACKET ...
L2socket   = <L2Socket: read/write packets at layer 2 using Linux PF_PACKET ...
L3socket   = <L3PacketSocket: read/write packets at layer 3 using Linux PF_P...
USBsocket  = None
auto_crop_tables = True
auto_fragment = 1
cache_iflist = {}
cache_in6_getifaddr = []
cache_ipaddrs = {}
checkIPID  = 0
checkIPaddr = 1
checkIPinIP = True
checkIPsrc = 1
check_TCPerror_seqack = 0
color_theme = <NoTheme>
commands   = IPID_count : Identify IP id values classes in a list of packets...
contribs   = {}
crypto_valid = False
crypto_valid_advanced = False
crypto_valid_recent = False
debug_dissector = 0
debug_match = 0
debug_tls  = 0
default_l2 = <class 'scapy.packet.Raw'>
dot15d4_protocol = None
emph       = <Emphasize []>
ethertypes = </etc/ethertypes - 31 elements>
except_filter = ''
extensions_paths = '.'
fancy_prompt = True
geoip_city = None
histfile   = '/root/.scapy_history'
iface      = 'eno1'
iface6     = 'lo'
interactive = False
interactive_shell = ''
ipv6_enabled = True
l2types    = 0x0 -> Loopback (Loopback) 0x1 <- Dot3 (802.3) 0x1 <-> Ether (E...
l3types    = 0x3 -> IP (IP) 0x800 <-> IP (IP) 0x806 <-> ARP (ARP) 0x86dd <->...
layers     = Packet : <member 'name' of 'Packet' objects> NoPayload : <membe...
load_layers = ['bluetooth', 'bluetooth4LE', 'dhcp', 'dhcp6', 'dns', 'dot11',...
logLevel   = 30
manufdb    = </usr/share/wireshark/manuf - 36837 elements>
mib        = <MIB - 343 elements>
min_pkt_size = 60
neighbor   = Ether -> LLC Dot3 -> LLC Dot3 -> SNAP Ether -> Dot1Q Ether -> A...
netcache   = arp_cache: 0 valid items. Timeout=120s in6_neighbor: 0 valid it...
noenum     = <Resolve []>
padding    = 1
padding_layer = <class 'scapy.packet.Padding'>
prog       = display = 'display' dot = 'dot' hexedit = 'hexer' ifconfig = 'i...
promisc    = 1
prompt     = '>>> '
protocols  = </etc/protocols - 135 elements>
raw_layer  = <class 'scapy.packet.Raw'>
raw_summary = False
recv_poll_rate = 0.05
resolve    = <Resolve []>
route      = Network Netmask Gateway Iface Output IP Metric 0.0.0.0 0.0.0.0 ...
route6     = Destination Next Hop Iface Src candidates Metric ::1/128 :: lo ...
services_tcp = </etc/services-tcp - 5810 elements>
services_udp = </etc/services-udp - 5462 elements>
session    = ''
sniff_promisc = 1
stats_classic_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.la...
stats_dot11_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.laye...
stealth    = 'not implemented'
temp_files = []
teredoPrefix = '2001::'
teredoServerPort = 3544
use_bpf    = False
use_dnet   = False
use_npcap  = False
use_pcap   = False
use_pypy   = False
use_winpcapy = False
verb       = 2
version    = '2.4.2'
warning_threshold = 5
wepkey     = ''

However, the same script is working fine with another adapter TL-WN722N (ath9k_htc driver). The scapy configuration printed out before the sendp instruction is exactly the same.

[marc-y-marc]

@matteomartelli : I see you are running on 2.4.2. Can you install the master branch of scapy? Or install pypcap using pip? I see in your config:

use_pcap = False

The script should set it to True but it fails if you dont have pypcap or the latest master which doesnt need it anymore.

[mattmart3]

I have just tested with the latest version from master (2.4.3rc1.dev223) and I have the same issue. I also tried installing pypcap and nothing changed. Running the script from the scapy shell I noticed that use_pcap is correctly set to True. Still, my other adapter works fine, thus I believe the issue is related to something more deeper and closer to the raw socket and the driver. @marc-y-marc is it fixed for you? Do you see your injected beacons?