Viewing Packet Contents

Learn how to view the contents of packet captures in Scapy.

Loading packet captures in Scapy

We’ve loaded a traffic capture file into Scapy and verified that it loaded successfully. Now, we can start using Scapy to analyze these packets.

The following code sample loads the packets into Scapy and attempts to view their contents by printing one of the packets in the list:

from scapy.all import *
packets = rdpcap('http.cap')
print(packets[0])

While the code works, it only attempts to interpret the packet’s contents as a printable string. In fact, the output includes a warning stating that this operation makes no sense.

Displaying packet contents with show()

Scapy can interpret the contents of a packet and print them in a human-readable format. To do so, we call the packet’s show() method, as shown in the code sample below:

from scapy.all import *
packets = rdpcap('http.cap')
packets[0].show()

Running this code provides a much more human-friendly representation of the packet’s contents. Scapy dissects the Ethernet, IP, and TCP headers and labels each field value. If we scroll down to the TCP header section, the value of the flags field indicates that this is a TCP SYN packet.

Inspecting a DNS packet

However, while this packet is much more comprehensible with show(), it isn’t very interesting. Try displaying the contents of the DNS packet located at index 12 of the packets variable.

from scapy.all import *
packets = rdpcap('http.cap')
## Please add the command as advised above

Printing the contents of this packet shows a full DNS request, including the type of request (an A record) and the target domain. From reading the contents of the packet, we can go on to modify them.