I need to generate and STP traffic using scapy and when I visualize it via wireshark
I get an output similar to the caption shown below:
when I run this code:
from scapy.all import STP
import scapy
from scapy.all import *
data='STP'
sendp(Ether(dst="01:80:c2:00:00:00")/LLC(dsap=0xaa, ssap=0xaa)/STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)/data, iface="eth1", count=200)
this is my wireshark output
I don't know how to change the organization code to 00:00:0c, because I believe it's the one who is making this problem
you forgot the layer SNAP
here are 2 exemples taht helped me debug:
for both exemples:
from scapy.layers.inet import SNAP
from scapy.layers.l2 import Ether, LLC, STP
data = "STP"
exemple number1:
packet = (
Ether(dst="01:80:c2:00:00:00")
/ LLC(dsap=0xAA, ssap=0xAA)
/ STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)
/ data
)
packet.show2()
output:
###[ Ethernet ]###
dst = 01:80:c2:00:00:00
src = 4c:d9:8f:77:3b:33
type = 0x8870
###[ LLC ]###
dsap = 0xaa
ssap = 0xaa
ctrl = 3
###[ SNAP ]###
OUI = 0x0
code = 0x1
###[ 802.3 ]###
dst = 00:00:00:00:00:00
src = 00:00:00:00:00:00
len = 0
###[ Padding ]###
load = '\x00\x00\x00\x00\x00\x00\x80\x02\x01\x00\x14\x00\x02\x00\x0f\x00STP'
Do you see how scapy decode a layer named SNAP right after the LLC layer? that makes the decoding all wrong after
so let's add it, so all the decoding will true:
exemple 2: add the SNAP layer
packet = (
Ether(dst="01:80:c2:00:00:00")
/ LLC(dsap=0xAA, ssap=0xAA)
/ SNAP()
/ STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)
/ data
)
packet.show2()
output:
###[ Ethernet ]###
dst = 01:80:c2:00:00:00
src = 4c:d9:8f:77:3b:33
type = 0x8870
###[ LLC ]###
dsap = 0xaa
ssap = 0xaa
ctrl = 3
###[ SNAP ]###
OUI = 0x0
code = 0x10b
###[ Spanning Tree Protocol ]###
proto = 0
version = 0
bpdutype = 0
bpduflags = 1
rootid = 0
rootmac = 00:00:00:00:00:00
pathcost = 0
bridgeid = 0
bridgemac = 00:00:00:00:00:00
portid = 32770
age = 1.0
maxage = 20.0
hellotime = 2.0
fwddelay = 15.0
###[ Raw ]###
load = 'STP'
it seems to look a lot better. I didn't try with wireshark, but at the least scapy seems happy with it.