
It seems that the filter of the sniff function does not work properly.

I'm executing sniff with the following filter:

a=sniff(count=1,filter="tcp and host 192.168.10.55 and port 14010")

But sometimes the sniff catches a UDP packet like this:

>>> a=sniff(count=1,filter="tcp and host 192.168.10.55 and port 14010")
>>> a
<Sniffed: TCP:0 UDP:1 ICMP:0 Other:0>

And sometimes the sniff catches a TCP packet with the wrong ports:

>>> a=sniff(count=1,filter="tcp and host 192.168.10.55 and port 14010")
>>> a
<Sniffed: TCP:1 UDP:0 ICMP:0 Other:0>
>>> a[0]
<Ether  dst=00:26:55:cb:3b:10 src=00:22:64:55:c8:89 type=0x800 |<IP  version=4L ihl=5L tos=0x10 len=92 id=8683 flags=DF frag=0L ttl=64 proto=tcp chksum=0x9484 src=192.168.1.71 dst=192.168.1.133 options=[] |<TCP  sport=ssh dport=1874 seq=350107599 ack=2484345720 dataofs=5L reserved=0L flags=PA window=254 chksum=0x846b urgptr=0 options=[] |<Raw  load="yn\x01\x9d\xfca\xc9V-8\x18|\xc4\t\xf1\xc4\xd8\xd3\xc6\x95E\x19'h\xc0\x89\xf1\x08g\xa3\x9a\xa9\xf51RF\xc2\x1f\xe5a\xac\x83M\xc9\x0b\x80\x85\x1b\xcf\xb6f\xcc" |>>>>

And sometimes the sniff catches an ARP packet like this:

>>> a=sniff(count=1,filter="tcp and host 192.168.10.55 and port 14010")
>>> a
<Sniffed: TCP:0 UDP:0 ICMP:0 Other:1>
>>> a[0]
<Ether  dst=ff:ff:ff:ff:ff:ff src=00:22:07:2c:53:97 type=0x806 |<ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=who-has hwsrc=00:22:07:2c:53:97 psrc=192.168.1.178 hwdst=ff:ff:ff:ff:ff:ff pdst=192.168.1.179 |<Padding  load='\x00\x07\x00\x00\x00\x00\x00\x00p\x00\x00\x00\x00\x00\x01\x14\x00\x00' |>>>

Am I missing something in my filter? How can I avoid this problem?

MOHAMED
  • Wild guess: Do you have any unusual network interfaces on the machine where you run scapy? I'm thinking along the lines of virtual machine (such as Virtualbox or VMWare) interfaces, tun/tap or so. Does it work if you add `iface=eth0` (or whatever your primary ethernet interface is called) to the `sniff` parameter list? Note that some TCP packets can be categorized under `Other`, so use `a.summary()` instead of `a` to inspect the result. – Wintermute May 07 '15 at 09:08
  • @Wintermute I used `iface="eth0"`, but I always got the same problems – MOHAMED May 07 '15 at 09:24
  • Do you have `tcpdump` installed? Also, does `scapy -d` give any warnings? – Wintermute May 07 '15 at 09:31
  • @Wintermute I have the tcpdump installed and I have the wireshark running in parallel – MOHAMED May 07 '15 at 09:44
  • @Wintermute `scapy -d` return only 1 warning: `WARNING: No route found for IPv6 destination :: (no default route?)` – MOHAMED May 07 '15 at 09:44
  • Hm. I don't think running `wireshark` and `tcpdump` (which `scapy` uses for this) in parallel should be a problem since they use different sockets, but I suppose it's worth a try to stop `wireshark` while doing this. I'm afraid that's all the ideas I have; I'd tell you to open a ticket on the `scapy` bugtracker, but it appears to be defunct. Good luck. – Wintermute May 07 '15 at 09:54
  • @Wintermute I'm running only Wireshark and not tcpdump – MOHAMED May 07 '15 at 10:11
  • `scapy` uses `tcpdump` for packet filtering. – Wintermute May 07 '15 at 10:14
  • Instead of 'filter=tcp and host x.x.x.x and port 14010' try 'filter=host x.x.x.x and tcp port 14010'. This worked for me. – Thomas Wagenaar May 15 '15 at 21:48
  • Installing tcpdump fixed it for me, thanks @Wintermute – anderspitman Feb 16 '18 at 20:03

5 Answers


I had the same or similar problem - the sniff filter did not work.

Installing tcpdump solved the problem for me.

elotic
  • Even if downvoted, this answer is also correct. There are actually several causes for this bug: tcpdump is not installed, the filter isn’t a correct BPF format or your socket implementation doesn’t support it (e.g. an outdated libpcap version if you have `conf.use_pcap=True`) – Cukic0d Sep 28 '18 at 15:45

You can check the syntax of filters on the following site: http://biot.com/capstats/bpf.html. I was facing similar kinds of problems and it worked for me.

You might like to refer to this question: https://stackoverflow.com/questions/37453283/filter-options-for-sniff-function-in-scapy#=

You can also try to test your program by opening the required ports before running the code.

Venkat Ramana

The sniff function needs tcpdump to apply the "filter". If there is no tcpdump, scapy reports a warning but doesn't throw. You can enable logging to check it:

import logging
import sys
# Level 1 lets every scapy message through, including the tcpdump warning
logging.getLogger("scapy").setLevel(1)
# Send the log to stdout; the root level must be at or below the message level
logging.basicConfig(stream=sys.stdout, level=logging.INFO)

# Import scapy only after logging is configured, so its startup warnings are shown
from scapy.all import *
zsq

I had the same problem with CentOS on a VM. I used ip host for the filter instead of host. That seems to have fixed the issue in my case.

Wrong Filter

>>> packets = sniff (filter = "host 176.96.135.80", count =2, iface = "eth0", timeout =10)
>>> packets.summary()
Ether / IP / UDP 172.7.198.136:netbios_ns > 172.7.199.255:netbios_ns / NBNSQueryRequest
Ether / IP / TCP 176.96.135.80:53527 > 172.7.19.58:ssh A / Padding

Fix

>>> packets = sniff (filter = "ip host 176.96.135.80", count =2, iface = "eth0", timeout =10)

Did not have any issues after this.

KKS

There are known bugs with the filter function (especially when using the local loopback network!). It is advised to use lfilter (and depending on your needs also a stop_filter):

Example usage: lfilter=lambda p: any(proto in p and 14010 in (p[proto].sport, p[proto].dport) for proto in [TCP]), stop_filter=lambda x: x.haslayer(TCP)

For more details on the lfilter see also: https://home.regit.org/2012/06/using-scapy-lfilter/

Tobias O
  • Those issues were mostly fixed in recent Scapy versions. `lfilter` works great when you don't want to waste time figuring the BPF filter, but is eventually less memory efficient. – Cukic0d Oct 16 '19 at 13:40
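As an added example (not code from the question or any answer, and independent of scapy), here is a pure-Python predicate implementing the same condition as the question's BPF filter, `tcp and host 192.168.10.55 and port 14010`, applied to raw Ethernet frames; the `frame` builder, `ARP_FRAME` and the captured list are constructed test data. It lets you audit what `sniff` returned for the kind of leaks shown in the question (UDP, wrong-port TCP, ARP), which is what you want when the BPF filter may have been silently skipped.

```python
import struct
from ipaddress import IPv4Address

HOST, PORT = "192.168.10.55", 14010   # values from the question's filter

def matches(frame: bytes, host: str = HOST, port: int = PORT) -> bool:
    """True iff frame is IPv4/TCP, involves `host`, and uses `port` on either side."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return False                          # not IPv4 (ARP is ethertype 0x0806)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = ip[9]                             # 6 = TCP, 17 = UDP
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    if proto != 6 or len(ip) < ihl + 4:
        return False                          # UDP or truncated: rejected
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return IPv4Address(host) in (src, dst) and port in (sport, dport)

def frame(proto: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Build a minimal Ethernet/IPv4/L4 frame (constructed sample data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4   # ports then padding
    return eth + ip + l4

# Constructed ARP request frame: broadcast dst, ethertype 0x0806, zeroed body
ARP_FRAME = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28

def audit(frames) -> int:
    """Count captured frames that violate the intended filter."""
    return sum(1 for f in frames if not matches(f))

if __name__ == "__main__":
    captured = [
        frame(6, "192.168.10.55", "192.168.1.133", 14010, 51000),   # wanted
        frame(17, "192.168.10.55", "192.168.1.133", 14010, 51000),  # UDP leak
        frame(6, "192.168.1.71", "192.168.1.133", 22, 1874),         # wrong ports
        ARP_FRAME,                                                   # ARP leak
    ]
    print("frames not matching the filter:", audit(captured))
```

With scapy present, the same predicate can be used as `lfilter=lambda p: matches(bytes(p))`, since `bytes(p)` yields the raw frame.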