Scapy
Interactive packet manipulation library — creates, sends, captures, and dissects network packets. Scapy features: packet layer construction (IP()/TCP()/UDP()/ICMP()/DNS()), send() and sendp() for packet injection, sniff() for packet capture with filters, rdpcap()/wrpcap() for PCAP file I/O, traceroute() and arping() built-in, packet dissection (ls(IP()), show()), fuzzing with fuzz(), sr() for send-receive with matching, AsyncSniffer for non-blocking capture, and support for 300+ protocols (Ethernet, WiFi, TLS, DHCP, BGP). Primary Python library for network security testing, protocol analysis, and custom packet generation for agent network intelligence tools.
Score Breakdown
🔒 Security
Dual-use security tool — requires explicit authorization for use on networks you don't own. Raw socket access and packet injection can cause network disruption. Agent Scapy tools must validate target scope before packet injection. GPL license requires source disclosure for distributed tools. Store PCAP captures securely as they may contain sensitive data.
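The scope check called for above, as an added example (not part of Scapy and not from the original page): an allowlist guard an agent tool can run before passing a target to send() or sr(). The names ScopeError, parse_scope, check_target and is_authorized, the max_hosts limit and the documentation ranges used as scope are assumptions; only the standard library is used.

```python
import ipaddress


class ScopeError(ValueError):
    """Raised when a requested target is outside the authorized scope."""


def parse_scope(cidrs):
    """Parse authorized ranges; strict=True rejects typos such as 10.0.0.5/24."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check_target(target, scope, max_hosts=256):
    """Return the target as a network if every address in it is in scope.

    A CIDR target stands for many hosts, so the whole range is compared
    against the allowlist instead of matching on a string prefix.
    """
    try:
        # strict=False normalises host bits so the enclosing range is checked
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Hostnames are refused: name resolution could land outside the scope
        raise ScopeError(f"not an IP or CIDR literal: {target!r}") from None
    if net.num_addresses > max_hosts:
        raise ScopeError(f"{net} covers {net.num_addresses} addresses, limit {max_hosts}")
    for allowed in scope:
        # subnet_of() raises TypeError across IP versions, so compare versions first
        if net.version == allowed.version and net.subnet_of(allowed):
            return net
    raise ScopeError(f"{net} is not inside any authorized range")


def is_authorized(target, scope, max_hosts=256):
    """Boolean wrapper for callers that log and skip instead of raising."""
    try:
        check_target(target, scope, max_hosts)
        return True
    except ScopeError:
        return False


# Constructed scope using RFC 5737 documentation ranges (assumption, not real targets)
SCOPE = parse_scope(["192.0.2.0/24", "198.51.100.0/25"])

if __name__ == "__main__":
    for t in ["192.0.2.10", "192.0.2.0/23", "198.51.100.200", "example.com"]:
        print(t, "->", "allowed" if is_authorized(t, SCOPE, max_hosts=1024) else "refused")
```

Call check_target() on the exact string that will be handed to Scapy, and pass the returned network (not the original string) onward so the checked value and the sent value cannot diverge.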
Best When
Security testing, protocol research, or network troubleshooting requiring custom packet creation and analysis — Scapy's Python API enables agent network intelligence tools to craft, send, receive, and dissect packets with full protocol awareness.
Avoid When
You need high-throughput packet processing (>10K pps), production-scale monitoring, or don't have root privileges.
Use Cases
- Agent network scanning — answered, unanswered = sr(IP(dst='10.0.0.0/24')/ICMP(), timeout=2, verbose=0) — ICMP ping sweep of /24 subnet; agent discovers live hosts; sr() returns matched request-response pairs; ARP scan: Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst='10.0.0.0/24')
- Agent PCAP analysis — pkts = rdpcap('capture.pcap'); dns_queries = [p for p in pkts if p.haslayer(DNS) and p[DNS].qr == 0] — parse network capture file; agent analyzes DNS queries from traffic; Scapy dissects all protocol layers including nested protocols
- Agent traceroute — ans, unans = traceroute(['8.8.8.8'], maxttl=30) — identify network path; agent maps route to target; ans.show() displays hop-by-hop RTT; traceroute returns both answered and unanswered probes
- Agent protocol fuzzing — fuzz(IP()/TCP(dport=80)/HTTP()) — generate random valid packet fields; agent tests service robustness with malformed packets; fuzz() replaces fields with random valid values while maintaining protocol structure
- Agent packet sniffing — def process_packet(pkt): if pkt.haslayer(HTTP): print(pkt[HTTP].Host); sniff(iface='eth0', prn=process_packet, filter='tcp port 80', store=False) — live packet capture with callback; agent monitors HTTP traffic; filter uses BPF syntax; store=False prevents memory accumulation
Not For
- High-speed packet capture — Scapy's Python overhead limits throughput to ~10K pps; for high-speed capture use libpcap directly or DPDK
- Production network monitoring — use tshark, Zeek, or Suricata for production-scale packet analysis; use Scapy for targeted analysis and testing
- Passive monitoring without root — Scapy requires root/admin privileges for raw socket access; agent code without elevated privileges cannot send or capture packets
Interface
Authentication
No auth — local packet manipulation. Requires root/admin OS privileges for raw socket access.
Pricing
Scapy is GPL-2.0 licensed. Free for all use. GPL may affect distribution of closed-source tools that import Scapy.
Agent Metadata
Known Gotchas
- ⚠ Scapy requires root privileges — from scapy.all import * works without root but send(), sniff(), sr() raise PermissionError; agent security tools must run as root or with CAP_NET_RAW capability; Docker containers running agent Scapy tools need --cap-add=NET_RAW --cap-add=NET_ADMIN
- ⚠ p.haslayer() vs p[Layer] differ — p.haslayer(DNS) safely checks if layer present; p[DNS] raises IndexError if DNS not in packet; agent code must use p.haslayer(DNS) before p[DNS] access; alternatively use p.getlayer(DNS) which returns None if absent
- ⚠ sniff() blocks by default — sniff(count=10) returns after 10 packets; sniff() without count/timeout runs forever; agent code must set count=N or timeout=T; for non-blocking use AsyncSniffer: sniffer = AsyncSniffer(iface='eth0', prn=callback); sniffer.start(); ...; sniffer.stop()
- ⚠ Interface names are OS-specific — sniff(iface='eth0') on Linux; sniff(iface='en0') on macOS; sniff(iface='Ethernet') on Windows; agent cross-platform code must detect interface name dynamically with conf.iface for default or get_if_list() for available interfaces
- ⚠ Scapy import loads all protocols — from scapy.all import * imports hundreds of protocol modules and takes 2-5 seconds; agent code starting frequently must use selective imports: from scapy.layers.inet import IP, TCP, ICMP; selective import starts in <100ms
- ⚠ GPL-2.0 license requires source disclosure — Scapy is GPL-2.0; agent tools that import Scapy and are distributed to users must release source code under GPL; closed-source agent security tools must use alternative (libpcap via ctypes, dpkt for PCAP parsing) or obtain commercial permission
Scores are editorial opinions as of 2026-03-06.