Reputation: 301
I am trying to use scapy to parse a Geneve packet from my pcap file, but I am getting it as Raw only.
I git cloned scapy with geneve from here: https://github.com/p4lang/scapy-vxlan
and followed the installation steps from the README:
-bash-4.2$ scapy
Welcome to Scapy (2.2.0-dev)
>>> load_contrib('geneve')
>>> a=rdpcap("geneve.pcap")
>>> len(a)
15
>>> pkt=a[3]
>>> pkt.show()
###[ Ethernet ]###
dst= 00:00:00:11:01:01
src= 00:00:00:00:00:00
type= n_802_1Q
###[ 802.1Q ]###
prio= 0
id= 0
vlan= 1000
type= IPv4
###[ IP ]###
version= 4
ihl= 5
tos= 0x0
len= 197
id= 0
flags= DF
frag= 0
ttl= 64
proto= udp
chksum= 0xe3fb
src= 22.22.22.1
dst= 21.21.21.1
\options\
###[ UDP ]###
sport= flirtmitmir
dport= 6081
len= 177
chksum= 0x0
###[ Raw ]###
load= '\t\x00eX\xe3\x03\xe8\x00\x01\x03\x02\x08\x00d\x00\x00\x06\x83\xc1\x9a\xb6;\x04\x00\x00\x00\x80\x00\x00\x00\x00\x02\x90\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x02\x81\x00\x03\xe8\x08\x00E\x00\x00k\x00\x00\x00\x00@=zW\x00\x00\x00\x00\x00\x00\x00\x00\xa9-!\xd0`\x00\x00\x00\x08\t\n\x0b\x05\xa1H\x8e\x00C\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRST\xd8\xe9'
###[ Padding ]###
load= '`Jy\xa6'
Upvotes: 1
Views: 1674
Reputation: 6237
You have hidden the interesting layers that could explain why your packet is not decoded as a GENEVE() layer.
Since this fork is based on a very old Scapy version, I would recommend that you get Scapy from the official repository and simply add the contrib file from the repository you are using. If you need this protocol, you could also create a pull request in Scapy, so that this protocol would be integrated (and supported) with Scapy.
Upvotes: 1
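Added example, not part of either post and not Scapy's or the fork's code: a standalone parser for the Geneve header layout defined in RFC 8926, useful for checking by hand whether a UDP/6081 payload left as Raw is well-formed Geneve. The first 12 bytes of the sample are copied from the Raw load in the question; the rest is constructed filler, and the function name is hypothetical.

```python
import struct

# First 12 bytes of the Raw load shown in the question: the 8-byte Geneve
# base header followed by the 4-byte header of the first option.
PAGE_PREFIX = b"\t\x00eX\xe3\x03\xe8\x00\x01\x03\x02\x08"
# Constructed filler (not from the capture): 32 bytes of option data so the
# declared lengths add up, then a 14-byte dummy inner Ethernet header.
SAMPLE = PAGE_PREFIX + bytes(32) + bytes(12) + b"\x08\x00"


def parse_geneve(payload: bytes) -> dict:
    """Parse a Geneve header (RFC 8926) and walk its options, checking every length."""
    if len(payload) < 8:
        raise ValueError("truncated Geneve base header")
    b0, flags, proto, vni_rsvd = struct.unpack("!BBHI", payload[:8])
    version, opt_len = b0 >> 6, (b0 & 0x3F) * 4   # Opt Len counts 4-byte words
    if version != 0:
        raise ValueError(f"unsupported Geneve version {version}")
    end = 8 + opt_len
    if len(payload) < end:
        raise ValueError("options run past the end of the UDP payload")
    options, off = [], 8
    while off < end:
        opt_class, opt_type, rlen = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (rlen & 0x1F) * 4              # low 5 bits, in 4-byte words
        if off + 4 + data_len > end:
            raise ValueError("option overruns the declared Opt Len")
        options.append({"class": opt_class, "type": opt_type,
                        "critical": bool(opt_type & 0x80),
                        "data": payload[off + 4:off + 4 + data_len]})
        off += 4 + data_len
    return {"version": version, "opt_len": opt_len,
            "oam": bool(flags & 0x80), "critical": bool(flags & 0x40),
            "proto": proto, "vni": vni_rsvd >> 8,
            "options": options, "inner_offset": end}


if __name__ == "__main__":
    hdr = parse_geneve(SAMPLE)
    print(f"proto=0x{hdr['proto']:04x} vni={hdr['vni']} opt_len={hdr['opt_len']}")
    for o in hdr["options"]:
        print(f"option class=0x{o['class']:04x} type=0x{o['type']:02x} len={len(o['data'])}")
```

To run it on a real capture, pass the Raw layer's `load` bytes to `parse_geneve` and dissect from `inner_offset` as Ethernet when `proto` is 0x6558.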