[python]Understanding the fields of Ether and ARP in Scapy

To find out the fields of Ether
There is a ls method which can be used to show the fields of Ether.
This ls method is used to find out the fields that i can put in values.
This shows there are three fields, to send a broadcast frame, I need to put in ff:ff:ff:ff:ff:ff to the dst field.
There are two ways to do it.
First way is to create an Ether object, then pass in the broadcast value into dst like this:
The show method will show the contents of the ethernet frame:
As noticed from the output the src field is automatically filled in with my current interface mac address.

Another way is to directly put in the broadcast while creating the ether object.
scapy.all has a constant known as ETHER_BROADCAST which is the “ff:ff:ff:ff:ff:ff”.
The result is the same:

To find out fields of ARP
The method is the same for finding out the available fields for ARP.
Which will give the below fields:
What we are interested to put value in is pdst which is the target ip address, if we are to query then pdst will need to put in

The method to fill in the pdst is the same as with Ether, so I can first create an ARP object, then put in the pdst later.
which yields this result:
As noticed, the hwsrc and the psrc are automatically filled with my interface’s ip address and mac address.

Another method is to directly create an ARP object with the pdst defined.
Which yields the same result.

Concatenate Ether and ARP
scapy.all uses “/” to concatenate Ether and ARP which is a division operator, it works though it is kind of weird in my opinion…
The concatenated packet is:


One thought on “[python]Understanding the fields of Ether and ARP in Scapy

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s