2

I tried to sniff packets on Win10 using Python. However, I find a lot of packets are actually dropped by Scapy.

For example, when I download a 2 MB file over FTP, Wireshark captures nearly 2000 packets and Scapy only captures 500.

I have tried pypcap and the result is almost the same: more than half of the packets are dropped, especially when downloading.

Is there a solution to avoid such loss and make Scapy perform the same as Wireshark, or is there no Python library capable of buffering a lot of packets in a short time?

user6456568

1 Answer

1

You can have Scapy use tcpdump (or windump under Windows) to sniff the packets for you, using for example:

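```python
from scapy.all import sniff, L2ListenTcpdump

# Read packets through tcpdump/windump instead of Scapy's own capture socket
sniff(opened_socket=L2ListenTcpdump())
```
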
Pierre
  • 1
    Thank you for the help! I've downloaded windump but it seems like a console? I don't know how to use it. And an error occurs:`a=sniff(opened_socket=L2ListenTcpdump(),iface="Killer E2200 Gigabit Ethernet Controller") NameError: name 'L2ListenTcpdump' is not defined` – user6456568 Dec 04 '17 at 12:38
  • Once windump is installed, you can use the `sniff()` command from Scapy. You need scapy's latest version from https://github.com/secdev/scapy. – Pierre Dec 04 '17 at 14:17
  • I do use the latest one, and other functions are fine, just cannot `sniff(opened_socket=L2ListenTcpdump())`. – user6456568 Dec 04 '17 at 15:56
  • By "latest one", do you mean latest stable release (2.3.3)? If so, get the development version. If you already have the development version, `L2ListenTcpdump` should exist, that's weird. – Pierre Dec 04 '17 at 16:10
  • Now it finally found `L2ListenTcpdump`, but another error occurs: `File "D:\Python36\lib\subprocess.py", line 966, in _execute_child args = list2cmdline(args) File "D:\Python36\lib\subprocess.py", line 461, in list2cmdline needquote = (" " in arg) or ("\t" in arg) or not arg TypeError: argument of type 'NoneType' is not iterable` – user6456568 Dec 05 '17 at 01:15
  • 1
    You need to have windump installed in a folder in the PATH (e.g. copy it to Windows/system32). Note that there is a different version to use if you are using Npcap. Scapy will tell you if you do so. – Cukic0d Jan 08 '19 at 18:07
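
A pre-flight check for the PATH requirement raised in the comments, as an added example that is not part of the original answer or of Scapy itself: it resolves windump/tcpdump before handing the socket to `sniff()`, so a missing binary produces a clear error instead of a `NoneType` traceback from `subprocess`. The helper names `find_capture_tool` and `sniff_via_tcpdump` are hypothetical.

```python
import shutil
import sys

# Scapy's L2ListenTcpdump shells out to tcpdump (windump on Windows).
CANDIDATES = ("windump", "tcpdump") if sys.platform == "win32" else ("tcpdump",)


def find_capture_tool(names=CANDIDATES, path=None):
    """Return the full path of the first capture binary on PATH, or None."""
    for name in names:
        found = shutil.which(name, path=path)
        if found:
            return found
    return None


def sniff_via_tcpdump(iface=None, count=0, timeout=None):
    """Count packets read through tcpdump/windump; fail early if it is missing."""
    tool = find_capture_tool()
    if tool is None:
        raise RuntimeError(
            "none of %s found on PATH; install it in a PATH folder first"
            % ", ".join(CANDIDATES)
        )
    # Imported lazily so the PATH check works without Scapy installed.
    from scapy.all import L2ListenTcpdump, conf, sniff

    conf.prog.tcpdump = tool  # point Scapy at the binary that was found
    seen = [0]

    def on_packet(pkt):
        seen[0] += 1

    # store=False keeps Scapy from holding every packet in memory.
    sniff(opened_socket=L2ListenTcpdump(iface=iface), prn=on_packet,
          store=False, count=count, timeout=timeout)
    return seen[0]
```

Comparing the returned count with Wireshark's packet count for the same transfer shows whether packets are still being dropped.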