How it works...

ARP layer 2 discovery is possible in Scapy using the sr1() (send/receive one) function. This function injects a packet, as defined by the supplied argument, and then waits to receive a single response. In this case, a single ARP request is broadcast, and the function returns the response. The Scapy library makes it easy to integrate this technique into a script and enables the testing of multiple systems.

ICMP layer 3 discovery was performed here with Scapy by crafting a request that includes both an IP layer and an appended ICMP request. The IP layer allowed the packet to be routed outside the local network, and the ICMP request was used to solicit a response from the remote system. When this technique is used in a Python script, the task can be performed in sequence to scan multiple systems or entire network ranges.

For TCP and UDP layer 4 discovery, Scapy was used to craft custom requests that identify live hosts using each of these protocols. In the case of TCP, custom ACK packets were constructed and sent to an arbitrary port on each target system. If an RST reply was received, the system was identified as alive. Alternatively, empty UDP requests were sent to arbitrary ports to attempt to solicit an ICMP port unreachable response. Responses were used as an indication of a live system. Each of these techniques can be used in a Python script to perform discovery against multiple hosts or against a range of addresses.
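The probe and reply pairs described above also leave a recognizable pattern on the wire. The following is an added example (not from the book) that flags a source using one technique against several hosts and records which hosts answered; the record format, addresses, and threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed packet summaries in time order: (src, dst, proto, info).
# All addresses and field values are made up for this example.
PACKETS = [
    ("10.0.0.5", "10.0.0.1", "arp", "who-has"),
    ("10.0.0.5", "10.0.0.2", "arp", "who-has"),
    ("10.0.0.5", "10.0.0.3", "arp", "who-has"),
    ("10.0.0.2", "10.0.0.5", "arp", "is-at"),
    ("10.0.0.5", "172.16.1.10", "tcp", "flags=A"),
    ("172.16.1.10", "10.0.0.5", "tcp", "flags=R"),
    ("10.0.0.5", "172.16.1.11", "tcp", "flags=A"),
    ("10.0.0.5", "172.16.1.12", "tcp", "flags=A"),
    ("10.0.0.5", "172.16.1.20", "udp", "len=0"),
    ("172.16.1.20", "10.0.0.5", "icmp", "port-unreachable"),
    ("10.0.0.9", "172.16.1.10", "tcp", "flags=S"),   # normal client handshake
    ("172.16.1.10", "10.0.0.9", "tcp", "flags=SA"),
    ("10.0.0.9", "172.16.1.10", "tcp", "flags=A"),
    ("10.0.0.9", "172.16.1.30", "icmp", "echo-request"),  # single ping
]

# Probe and answer signatures for the four techniques in the text.
PROBES = {("arp", "who-has"): "arp", ("icmp", "echo-request"): "icmp",
          ("tcp", "flags=A"): "tcp-ack", ("udp", "len=0"): "udp-empty"}
ANSWERS = {("arp", "is-at"): "arp", ("icmp", "echo-reply"): "icmp",
           ("tcp", "flags=R"): "tcp-ack", ("icmp", "port-unreachable"): "udp-empty"}

def find_sweeps(packets, threshold=3):
    """Return {(src, technique): {"probed": set, "answered": set}} for sources
    that probed at least `threshold` distinct hosts with one technique."""
    syn_seen = set()                      # (src, dst) pairs that opened with a SYN
    seen = defaultdict(lambda: {"probed": set(), "answered": set()})
    for src, dst, proto, info in packets:
        if (proto, info) == ("tcp", "flags=S"):
            syn_seen.add((src, dst))
        tech = PROBES.get((proto, info))
        if tech == "tcp-ack" and (src, dst) in syn_seen:
            tech = None                   # ACK belongs to a real handshake
        if tech:
            seen[(src, tech)]["probed"].add(dst)
        reply = ANSWERS.get((proto, info))
        if reply and src in seen[(dst, reply)]["probed"]:
            seen[(dst, reply)]["answered"].add(src)   # host revealed as alive
    return {k: v for k, v in seen.items() if len(v["probed"]) >= threshold}
```

The "answered" set lists the hosts whose replies disclosed that they are alive, which is the same signal the discovery scripts rely on.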
