
I have a problem with capturing traffic.

My system is configured with two interfaces - ethX and tunelX. tunelX is a tunneling interface.

Scapy and tcpdump capture different numbers of packets. The problem is that tcpdump runs in cooked mode if the "any" interface was set, but scapy doesn't. Cooked mode means that a SOCK_DGRAM socket is created instead of a SOCK_RAW one. It is necessary because some link-layer data in "tunneling packets" might be missing or not contain enough data to determine the type of the packet.

When I ran strace with my scapy script I saw this.

    927698 socket(PF_PACKET, SOCK_RAW, 768) = 4
    927689 recvfrom(3, "..some-data..."..., 65535, 0, {sa_family=AF_INET6, sin6_port=htons(53), inet_pton(AF_INET6, "...some address...", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 105
    927689 recvfrom(3, "..some-data..."..., 32767, 0, {sa_family=AF_PACKET, proto=0x86dd, if4, pkttype=PACKET_HOST, addr(6)={1, 30d17e75727f}, [18]) = 246
    927689 recvfrom(3, "..some-data..."..., 32767, 0, {sa_family=AF_PACKET, proto=0x86dd, if4, pkttype=PACKET_HOST, addr(6)={1, 30d17e75727f}, [18]) = 86
    927689 recvfrom(3, "..some-data..."..., 32767, 0, {sa_family=AF_PACKET, proto=0x86dd, if4, pkttype=PACKET_HOST, addr(6)={1, 30d17e75727f}, [18]) = 86
    927689 recvfrom(3, "..some-data..."..., 32767, 0, {sa_family=AF_PACKET, proto=0x86dd, if4, pkttype=PACKET_OUTGOING, addr(6)={1, 90e2ba55f6e8}, [18]) = 271

Only the last packet was added to the dump.

The question is: is my assumption right? :) How can I launch scapy in cooked mode? I couldn't find this in the manual.

Thank you.

Maxim
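To make the SOCK_RAW/SOCK_DGRAM distinction concrete, here is an added example (not from the question and not scapy's own code): it opens the same AF_PACKET/SOCK_DGRAM socket that tcpdump uses for the "any" interface, and parses the 16-byte Linux "cooked" (SLL) pseudo-header that libpcap writes in front of every packet of such a capture. The sample frame is constructed from the hatype, address and proto values visible in the strace lines above; the socket function needs CAP_NET_RAW and is not exercised offline.

```python
import socket
import struct

# Linux cooked-capture (DLT_LINUX_SLL) pseudo-header, 16 bytes, big-endian:
# packet type (2) | ARPHRD type (2) | address length (2) | address (8) | protocol (2)
SLL_HDR_LEN = 16
PKTTYPE_NAMES = {0: "PACKET_HOST", 1: "PACKET_BROADCAST", 2: "PACKET_MULTICAST",
                 3: "PACKET_OTHERHOST", 4: "PACKET_OUTGOING"}
ETH_P_ALL, ETH_P_IPV6 = 0x0003, 0x86DD


def parse_sll(frame):
    """Split a cooked-mode frame into its SLL header fields and the payload."""
    if len(frame) < SLL_HDR_LEN:
        raise ValueError("frame shorter than SLL header")
    pkttype, hatype, halen, addr, proto = struct.unpack("!HHH8sH", frame[:SLL_HDR_LEN])
    return {
        "pkttype": PKTTYPE_NAMES.get(pkttype, pkttype),
        "hatype": hatype,                 # ARPHRD_* of the ingress interface (1 = Ethernet)
        "addr": addr[:halen].hex(),       # link-layer address, empty for header-less tunnels
        "proto": proto,                   # ETH_P_* of the payload: this is what lets the
        "payload": frame[SLL_HDR_LEN:],   # capture classify packets from a tunnel interface
    }


def open_cooked_socket(proto=ETH_P_ALL):
    """Cooked mode at the socket level: AF_PACKET with SOCK_DGRAM instead of SOCK_RAW.
    The kernel strips the link-layer header and returns only the network-layer bytes;
    the metadata (ifindex, proto, pkttype, hatype, addr) comes back in the sockaddr_ll,
    which is what the strace output above shows. Unbound, so it sees every interface."""
    return socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM, socket.htons(proto))


def recv_cooked(sock, bufsize=65535):
    """Receive one packet; returns (sockaddr_ll tuple, network-layer payload)."""
    data, sa_ll = sock.recvfrom(bufsize)   # sa_ll = (ifname, proto, pkttype, hatype, addr)
    return sa_ll, data


# Constructed sample: inbound IPv6 frame from an Ethernet interface (values taken from
# the strace lines), followed by a constructed, truncated IPv6 header (next header 58).
SAMPLE = (struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("30d17e75727f") + b"\x00\x00", ETH_P_IPV6)
          + bytes.fromhex("6000000000083a40"))

if __name__ == "__main__":
    print(parse_sll(SAMPLE))
```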