I am having trouble applying a filter to the sniff command in Scapy. In the simplest case, I can sniff 10 packets in the Scapy CLI, like this:

Welcome to Scapy (2.3.3)
>>> pkts = sniff(count=10)
>>> for p in pkts: p.summary()
... 
'IP / TCP xx.xx.xx.xx:ssh > xx.xx.xx.xx:53128 PA / Raw'
'IP / TCP xx.xx.xx.xx:60661 > xx.xx.xx.xx:http_alt PA / Raw'
'IP / TCP xx.xx.xx.xx:http_alt > xx.xx.xx.xx:60661 A'
'IP / TCP xx.xx.xx.xx:32874 > xx.xx.xx.xx:http S'
'IP / TCP xx.xx.xx.xx:https > xx.xx.xx.xx:58026 PA / Raw'
'IP / TCP xx.xx.xx.xx:58026 > xx.xx.xx.xx:https A'
'IP / TCP xx.xx.xx.xx:60804 > xx.xx.xx.xx:http_alt A'
'IP / TCP xx.xx.xx.xx:63244 > xx.xx.xx.xx:http_alt PA / Raw'
'IP / TCP xx.xx.xx.xx:http_alt > xx.xx.xx.xx:63244 A'
'IP / TCP xx.xx.xx.xx:43843 > xx.xx.xx.xx:http_alt A'

but when I try:

pkts = sniff(count=10, filter='tcp')

It never finishes, just waits for packets.

I'm on a rented VPS running Ubuntu 16.04 server and I know there are some limited capabilities around networking. For instance, I'm not able to use Linux traffic control (tc).

Any ideas on how this could be the case?

edit: BPF filters do function correctly for tcpdump.

doctorsherlock

1 Answer

This might be because the BPF filter is not compiled for the correct interface. You should get the current development version of Scapy (from https://github.com/secdev/scapy) and specify the interface in your sniff() call:

pkts = sniff(count=10, filter='tcp', iface='eth0')  # replace eth0 with your interface name
Pierre
  • Thanks Pierre. If I'm reading GitHub correctly, 2.3.3 is the current release. But adding the iface doesn't resolve the issue. I get the same behavior. – Sergio Alonso Dec 26 '17 at 15:01
  • 2.3.3 is the current release, but the current development version includes a lot of fixes that might help you. That's why I said "you should get the current development version of Scapy". – Pierre Dec 27 '17 at 14:27
  • You're right. Switching to dev branch fixes all sorts of things. – Sergio Alonso Dec 30 '17 at 21:05
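
One way to confirm whether the BPF filter is the failing piece, as the answer suggests, is to run the same capture twice on one interface: once with `filter=` and once with a Python-side `lfilter=`, both bounded by `timeout=` so the call cannot wait forever. This is an added example, not code from the question or answer; the function name `diagnose_bpf`, its verdict strings and the `eth0` default are assumptions.

```python
import sys

def diagnose_bpf(sniff_fn, iface, bpf="tcp", layer="TCP", count=10, timeout=5):
    """Capture twice on one interface: kernel BPF filter, then Python-side filter.

    sniff_fn is scapy's sniff (passed in so the check can be exercised with a stub).
    The two captures see different traffic, so only zero vs. non-zero is compared.
    """
    # timeout bounds each call, so a filter that matches nothing cannot block forever
    bpf_pkts = sniff_fn(count=count, filter=bpf, iface=iface, timeout=timeout)
    # lfilter runs in Python after capture and does not depend on BPF compilation
    py_pkts = sniff_fn(count=count, iface=iface, timeout=timeout,
                       lfilter=lambda p: p.haslayer(layer))
    if len(bpf_pkts) > 0:
        verdict = "bpf-ok"        # the BPF filter matched packets on this interface
    elif len(py_pkts) > 0:
        verdict = "bpf-broken"    # matching traffic exists, but the BPF filter saw none
    else:
        verdict = "no-traffic"    # nothing matched either way within the timeout
    return {"iface": iface, "bpf_count": len(bpf_pkts),
            "python_count": len(py_pkts), "verdict": verdict}

if __name__ == "__main__":
    from scapy.all import sniff  # live capture needs root or CAP_NET_RAW
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    print(diagnose_bpf(sniff, iface))
```

A `bpf-broken` verdict matches the symptom in the question: TCP traffic is present, yet `sniff(filter='tcp')` never returns any of it.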