by Evangelos Atlasis
In this post I will show how easy it is to make a “ping-sweep” IPv4 scanner using
Python and the powerful Scapy.
A ping-sweep is an IP scanner that sends an ICMP Echo Request (aka “ping”) to a
range of IP addresses and checks for responses to identify hosts that are present
and respond to these pings. Effectively, this is the same as sending a ping
from the command line.
The Code
Figure: The Python code for the program
First, we need to import Scapy, as well as the Python library ipaddress. The latter
is used to automatically break down an IPv4 subnet (a set of IP addresses) into a
list of the IP addresses that comprise this subnet.
The user receives a prompt to input the IPv4 subnet to scan (via the input
function). Then, the try... except on lines 7 - 12 is used to ensure that the user
enters a valid IPv4 subnet, without the program crashing. The try attempts to
convert the input into a list of IPv4 addresses. If the process is successful,
the program continues. Otherwise, an exception is raised and a small explanatory
message is displayed before the program exits.
The for loop in line 15 iterates over the list of IPv4 addresses one by one. Firstly,
the packet which will be sent as a ping is constructed with an IP header and an ICMP
header of type 8 (Echo Request). Inside the IP header, the destination of the packet
is set to the current address. We do not need to add a layer-2 (MAC) header since
this will be taken care of automatically by Scapy.
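The steps described above can be written out as follows. This is an added example, not the author's original code (which was published as an image); the function names `expand_subnet` and `ping_sweep`, the use of `hosts()` with `strict=False`, and the check for a type 0 Echo Reply are assumptions of this sketch. Sending the packets with Scapy normally requires root/administrator privileges.

```python
import ipaddress


def expand_subnet(text):
    """Return the usable host addresses of an IPv4 subnet, or None if invalid."""
    try:
        # strict=False also accepts input with host bits set, e.g. 192.168.1.10/24
        network = ipaddress.IPv4Network(text.strip(), strict=False)
    except ValueError:  # AddressValueError and NetmaskValueError are subclasses
        return None
    # hosts() leaves out the network and broadcast addresses
    return [str(address) for address in network.hosts()]


def ping_sweep(hosts, timeout=1):
    """Send one ICMP Echo Request per address; return the addresses that replied."""
    # Imported here so the subnet parsing above also works without Scapy installed
    from scapy.all import IP, ICMP, sr1

    alive = []
    for address in hosts:
        # IP header with the current destination, ICMP type 8 = Echo Request.
        # No layer-2 header is needed: sr1() sends at layer 3.
        packet = IP(dst=address) / ICMP(type=8)
        reply = sr1(packet, timeout=timeout, verbose=0)
        # Count only an Echo Reply (type 0). An ICMP error from a router,
        # such as type 3 Destination Unreachable, does not mean the host is up.
        if reply is not None and reply.haslayer(ICMP) and reply[ICMP].type == 0:
            alive.append(address)
    return alive


if __name__ == "__main__":
    targets = expand_subnet(input("IPv4 subnet to scan (e.g. 192.168.1.0/24): "))
    if targets is None:
        raise SystemExit("That is not a valid IPv4 subnet.")
    for address in ping_sweep(targets):
        print(address, "is up")
```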
Capturing Traffic with Wireshark
The Wireshark screenshot below shows an outcome of the ping-sweep script in our home network.
Figure: Screenshot from Wireshark displaying the ping-sweep in our home network
Next Steps
In the future, I will construct a while loop to allow the user to enter an input
until it is a valid IPv4 network/address, instead of exiting the program. In
addition, I will try to use multithreading or multiprocessing to make the running
process shorter in length and hence less tedious.
Very impressive! Well done!