Scapy sniff function filter not working properly

The filter of the sniff function seems to be working incorrectly.

I am running sniff with the following filter

    a=sniff(count=1,filter="tcp and host 192.168.10.55 and port 14010")

But for a while, sniff will catch the UDP packet as follows:

    >>> a=sniff(count=1,filter="tcp and host 192.168.10.55 and port 14010")
    >>> a
    <Sniffed: TCP:0 UDP:1 ICMP:0 Other:0>

And for a while sniff will catch a TCP packet with the wrong ports:

    >>> a=sniff(count=1,filter="tcp and host 192.168.10.55 and port 14010")
    >>> a
    <Sniffed: TCP:1 UDP:0 ICMP:0 Other:0>
    >>> a[0]
    <Ether dst=00:26:55:cb:3b:10 src=00:22:64:55:c8:89 type=0x800 |<IP version=4L ihl=5L tos=0x10 len=92 id=8683 flags=DF frag=0L ttl=64 proto=tcp chksum=0x9484 src=192.168.1.71 dst=192.168.1.133 options=[] |<TCP sport=ssh dport=1874 seq=350107599 ack=2484345720 dataofs=5L reserved=0L flags=PA window=254 chksum=0x846b urgptr=0 options=[] |<Raw load="yn\x01\x9d\xfca\xc9V-8\x18|\xc4\t\xf1\xc4\xd8\xd3\xc6\x95E\x19'h\xc0\x89\xf1\x08g\xa3\x9a\xa9\xf51RF\xc2\x1f\xe5a\xac\x83M\xc9\x0b\x80\x85\x1b\xcf\xb6f\xcc" |>>>>

And for a while sniff will catch the ARP packet as follows:

    >>> a=sniff(count=1,filter="tcp and host 192.168.10.55 and port 14010")
    >>> a
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:1>
    >>> a[0]
    <Ether dst=ff:ff:ff:ff:ff:ff src=00:22:07:2c:53:97 type=0x806 |<ARP hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=who-has hwsrc=00:22:07:2c:53:97 psrc=192.168.1.178 hwdst=ff:ff:ff:ff:ff:ff pdst=192.168.1.179 |<Padding load='\x00\x07\x00\x00\x00\x00\x00\x00p\x00\x00\x00\x00\x00\x01\x14\x00\x00' |>>>

Am I missing something in my filter? How can I avoid this problem?

+10
python linux networking tcp scapy
5 answers

I had the same or similar problem - the sniff filter did not work.

Installing tcpdump solved the problem for me.

+1

You can check the syntax of the filters at the following website: http://biot.com/capstats/bpf.html. I ran into similar issues and it worked for me.

You could turn to this question: https://stackoverflow.com/a/312960/

You can also try testing your program by opening the necessary ports before running the code.

+1

I had the same issue with CentOS on a VM. I used "ip host" for the filter instead of "host". This seems to fix the problem in my case.

Invalid filter

    >>> packets = sniff(filter="host 176.96.135.80", count=2, iface="eth0", timeout=10)
    >>> packets.summary()
    Ether / IP / UDP 172.7.198.136:netbios_ns > 172.7.199.255:netbios_ns / NBNSQueryRequest
    Ether / IP / TCP 176.96.135.80:53527 > 172.7.19.58:ssh A / Padding

Fix

    >>> packets = sniff(filter="ip host 176.96.135.80", count=2, iface="eth0", timeout=10)

After that there were no problems.

0

The sniff function needs tcpdump to apply a filter. If tcpdump is not present, scapy issues a warning, but does not. You can enable logging to check this.

    import logging
    import sys
    logging.getLogger("scapy").setLevel(1)
    logging.basicConfig(stream=sys.stdout, level=logging.INFO)
    from scapy.all import *
0

There are known errors with the filter function (especially when using a loopback network interface!). It is recommended to use lfilter (and also stop_filter depending on your needs):

Example usage (keeps only TCP packets that use port 14010 as source or destination, and stops after the first TCP packet):

    lfilter=lambda p: any(p.haslayer(proto) and 14010 in (p[proto].sport, p[proto].dport) for proto in [TCP]),
    stop_filter=lambda x: x.haslayer(TCP)

See lfilter for more details: https://home.regit.org/2012/06/using-scapy-lfilter/

0
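The thread above shows that a BPF filter string can silently go unapplied (UDP, ARP and wrong-port TCP frames all came back from a "tcp and host ... and port ..." capture) and that a Python-side lfilter is the robust fallback. The following is an added example, not code from the question or any of the answers: it implements the same predicate as the BPF expression "tcp and host H and port P" by parsing the Ethernet, IPv4 and TCP headers of a raw frame in pure Python, so it runs without scapy installed and can be handed to sniff() as lfilter via make_lfilter() (scapy packets convert to their raw frame with bytes(pkt)). The four frames at the bottom are constructed test data that mirror the cases in the question (a matching TCP frame, the SSH frame with the wrong ports, a UDP frame and an ARP frame); the host and port values are the ones from the question, everything else (MACs, sequence numbers, payloads) is made up.

```python
"""Pure-Python equivalent of the BPF predicate "tcp and host H and port P".

Added example, not from the question or any answer. Headers are parsed
by hand so no scapy install is needed; all frames below are constructed.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:        # ARP, IPv6 etc. never match "tcp"
        return None
    ip = frame[14:]
    version_ihl = ip[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4        # header length in bytes (honours IP options)
    if ihl < 20 or len(ip) < ihl + 4:     # need at least the TCP port fields
        return None
    if ip[9] != IPPROTO_TCP:               # UDP, ICMP etc. never match "tcp"
        return None
    src_ip = str(ipaddress.IPv4Address(ip[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src_ip, dst_ip, sport, dport


def matches_tcp_host_port(frame, host, port):
    """True iff the frame satisfies 'tcp and host <host> and port <port>'."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    src_ip, dst_ip, sport, dport = parsed
    return host in (src_ip, dst_ip) and port in (sport, dport)


def make_lfilter(host, port):
    """Build a callable usable as sniff(lfilter=...); bytes(pkt) is the raw frame."""
    return lambda pkt: matches_tcp_host_port(bytes(pkt), host, port)


# --- constructed test frames (dummy MACs, zero checksums) -------------------
def build_frame(ethertype, payload):
    return bytes(12) + struct.pack("!H", ethertype) + payload


def build_ipv4(proto, src, dst, l4):
    """Minimal 20-byte IPv4 header (no options) followed by the L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def build_tcp(sport, dport):
    """Minimal 20-byte TCP header (data offset 5, flags PSH+ACK)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)


WANTED = build_frame(ETHERTYPE_IPV4, build_ipv4(
    IPPROTO_TCP, "192.168.10.55", "192.168.1.71", build_tcp(14010, 40000)))
WRONG_PORTS = build_frame(ETHERTYPE_IPV4, build_ipv4(      # the ssh/1874 case
    IPPROTO_TCP, "192.168.1.71", "192.168.1.133", build_tcp(22, 1874)))
UDP_FRAME = build_frame(ETHERTYPE_IPV4, build_ipv4(        # right host/port, wrong proto
    IPPROTO_UDP, "192.168.10.55", "192.168.1.71", struct.pack("!HHHH", 14010, 14010, 8, 0)))
ARP_FRAME = build_frame(ETHERTYPE_ARP, bytes(28))          # the who-has case


def classify_all():
    """Apply the predicate to each constructed frame; returns name -> kept?"""
    keep = make_lfilter("192.168.10.55", 14010)
    return {
        "tcp_match": keep(WANTED),
        "tcp_wrong_ports": keep(WRONG_PORTS),
        "udp": keep(UDP_FRAME),
        "arp": keep(ARP_FRAME),
    }


if __name__ == "__main__":
    for name, kept in classify_all().items():
        print(f"{name}: {'kept' if kept else 'dropped'}")
```

Because the predicate is evaluated in Python after capture, it holds regardless of whether tcpdump is present or whether the kernel applied the BPF string, which is exactly the failure the question and the fourth answer describe; the cost is that every frame is still delivered to userspace, so for busy interfaces keep the BPF string as well and use this as the authoritative check.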
