Add Scapy packet/field design skill with UTScapy, session, payload binding, and implementation-pattern guidance

[Copilot]

This PR adds a focused skill document that distills how Scapy Packet/Field abstractions are used across layers, and extends it with UTScapy usage so protocol work and regression coverage are documented in one place.

• What was added

  • New skill file: .github/skills/scapy-packet-fields/SKILL.md
  • Frontmatter metadata (name, description) so the skill is discoverable and purpose-scoped.

• Packet/Field implementation patterns captured

  • Layer authoring model (Packet subclasses + fields_desc).
  • Field conversion lifecycle (h2i, i2h, i2m, m2i, any2i).
  • Core extension points for protocol correctness:
    • post_build for deferred values (len/checksum/data offset),
    • extract_padding for explicit-length payload separation,
    • payload dispatch and binding guidance across guess_payload_class, bind_layers, bind_bottom_up, and bind_top_down.
  • Expanded specialized field coverage, including a complete scapy.fields catalog grouped by intended usage:
    • base/wrapper and control fields,
    • address/network identity fields,
    • integer and floating/scaled numeric fields,
    • string/bytes, packet/container, and length-coupling fields,
    • bit/flags/enum/time field families,
    • RawVal usage for intentional conversion bypass.

• Request/response and session behavior guidance added

  • hashret() usage for stable request/response correlation keys.
  • answers(other) usage for protocol-level reply matching.
  • Session reassembly guidance with IPSession, TCPSession, and tcp_reassemble(data, metadata, session) patterns.

• Payload dispatch patterns expanded

  • Clarifies default payload_guess-based dispatch and fallback behavior.
  • Documents the base-class dispatch pattern using dispatch_hook where a base layer decodes into a concrete sibling/subclass (e.g. Ether/Dot3).

• Additional implementation guidance integrated from protocol slides

  • Layer navigation patterns during packet inspection (pkt[Layer], .underlayer, .payload).
  • Field-family naming conventions (X*, LE*, Signed*, *Enum*).
  • Practical decoding patterns for PacketField and PacketListField.
  • Advanced hooks and behaviors:
    • post_dissect for post-parse mutation workflows,
    • extract_padding for explicit trailing-byte handling in variable-length decoding,
    • custom field implementation guidance across internal/machine/human states and addfield/getfield overrides.

• Layer usage references included

  • Concrete patterns drawn from:
    • scapy/packet.py
    • scapy/fields.py
    • scapy/layers/inet.py
    • scapy/layers/l2.py
    • scapy/sessions.py
    • doc/scapy/build_dissect.rst
    • scapy/contrib/mpls.py
    • scapy/layers/inet6.py
    • scapy/contrib/automotive/doip.py
    • scapy/layers/dot11.py
    • scapy/layers/tftp.py

• UTScapy section added

  • Campaign syntax model (%, +, =, ~, *) and result semantics (last expression truthiness).
  • High-signal CLI options (-t, -k, -K, -n, -c, -f, -R, -N) and intended usage.
  • Workflow guidance for coupling protocol changes with UTScapy regression cases.

class UDP(Packet):
    fields_desc = [
        ShortEnumField("sport", 53, UDP_SERVICES),
        ShortEnumField("dport", 53, UDP_SERVICES),
        ShortField("len", None),
        XShortField("chksum", None),
    ]

    def post_build(self, p, pay):
        p += pay
        if self.len is None:
            p = p[:4] + struct.pack("!H", len(p)) + p[6:]
        return p

[polybassa]

Add more information about specialised fields

[Copilot]

Added a dedicated expansion of specialized fields (length-coupled, bit-packed, conditional/variant typing, container/composition, enum/display helpers, and RawVal) with concrete layer examples in commit 14995ed.

[polybassa]

Add information about hashret and answers and session reassemble

[Copilot]

Added a new section covering hashret, answers, and session reassembly hooks (IPSession, TCPSession, and tcp_reassemble(data, metadata, session)) in commit 14995ed.

[polybassa]

Describe guess_payload and the pattern where a layer base class encodes the actual packets.

Add a list of all existing field types and their purpose and intended use.

Describe bind_layers and bind up and buttom

[Copilot]

Describe guess_payload and the pattern where a layer base class encodes the actual packets.

Add a list of all existing field types and their purpose and intended use. ...

Added guess_payload_class behavior, base-class dispatch_hook concrete-packet pattern, explicit bind_layers/bind_bottom_up/bind_top_down guidance, and a complete scapy.fields field-type catalog with intended usage in commit 161b061. Screenshot: not applicable (documentation-only change, no UI).

[polybassa]

https://github.com/guedou/guedou.github.io/blob/master/talks/2025_Scapy_Implementing_Protocols/slides.md

Study the slides and add further informations to the skill file

@copilot

[Copilot]

https://github.com/guedou/guedou.github.io/blob/master/talks/2025_Scapy_Implementing_Protocols/slides.md

Study the slides and add further informations to the skill file
...

Implemented in commits 0817223 and 4f01639: I studied the referenced slides and extended the skill with additional protocol implementation guidance (layer navigation, field variant families, dynamic PacketField/PacketListField decoding, post_dissect, extract_padding, and custom field state/conversion workflow), with repo references added. Screenshot: not applicable (documentation-only change, no UI).