Scapy ignoring filter argument to sniff() function #393

Closed
nyov opened this issue Dec 15, 2016 · 8 comments · Fixed by #394
@nyov

nyov commented Dec 15, 2016

Reopening bitbucket issue nr. 747, https://bitbucket.org/secdev/scapy/issues/747/scapy-ignoring-filter-argument-to-sniff

Scapy seems to ignore the filter argument to sniff() in my installation, scapy 2.3.2 on debian.

I believe I can exclude tcpdump from being the issue as I moved it out of the way for this test, using an offline pcap file:

In [1]: from scapy.all import *
WARNING: Failed to execute tcpdump. Check it is installed and in the PATH

In [2]: pkts = sniff(offline="/tmp/some.pcap", filter="udp and host 7.7.7.7", prn=lambda x: x.summary())
Ether / IP / TCP 192.5.XXX.XXX:33658 > 85.XX.XX.XX:8020 S
Ether / IP / TCP 85.XX.XX.XX:8020 > 192.5.XXX.XXX:33658 SA
...

As can be seen, the udp filter is ignored while listing all kinds of other packets (tcp, icmp etc., any source or destination).

@p-l-
Member

p-l- commented Dec 15, 2016

First of all, please update to Scapy's latest version when reporting issues.

Tcpdump is actually used to install the PCAP filter, that's why Scapy needs it.

Can you try again with Tcpdump installed and using the latest version? Thanks

@nyov
Author

nyov commented Dec 15, 2016

Well certainly I have tried this the usual way first (with tcpdump).

And I don't necessarily see the point of running the latest version (which is 2.3.3, one point release later?) but here is the same running git master:

$ ./run_scapy 
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
WARNING: Combined crypto modes not available for IPsec (pycrypto 2.7a1 required).
Welcome to Scapy (2.3.3.dev61)
>>> pkts = sniff(offline="/tmp/some.pcap", filter="udp and host 7.7.7.7", prn=lambda x: x.summary())
Ether / IP / TCP 192.5.XXX.XXX:33658 > 85.XX.XX.XX:8020 S
Ether / IP / TCP 85.XX.XX.XX:8020 > 192.5.XXX.XXX:33658 SA
Ether / IP / TCP 192.5.XXX.XXX:33658 > 85.XX.XX.XX:8020 A
...

@p-l-
Member

p-l- commented Dec 15, 2016

The point is to avoid trying to fix an issue if it has already been fixed, so that's perfect if you've been able to reproduce the issue with current Git master. For tcpdump, that was not clear in your initial message, so I had to ask, sorry about that (since testing without tcpdump does not make any sense, really).

@p-l-
Member

p-l- commented Dec 16, 2016

Could you check the patch from #394 and let us know if it works for you?

@nyov
Author

nyov commented Dec 16, 2016

Sorry, that was rude of me.
I assumed changes between point releases would be slight and fixes memorable.

Thank you for the work, I'll check out the patch (looks good).

p-l- added a commit to p-l-/scapy that referenced this issue Dec 19, 2016
guedou pushed a commit that referenced this issue Dec 20, 2016
* Support (BPF) filter in sniff() with offline parameter set

Fixes #393
Also, fixes #355

* Add tests for wrpcap() and sniff(offline=)

as suggested by Guillaume.

Also, cleanup regression.uts since it was a pain to find a place
to add those tests.

* Fix PATH for tcpdump with non-root user

* Do not run tcpdump tests when tcpdump is not available

* Appveyor tests: install WinDump.exe

Thanks @gpotter2

@scherma

scherma commented Mar 16, 2018

Looking forward to seeing this in stable release! Just downloaded 2.4.0rc5 and glad to see it's working there :)

@inBleakmidwinter

I want to filter broadcast file in destination from the offline pcap file? Is there any command?

@inBleakmidwinter

Or a specific file in destination?
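A defender-side check for the symptom in this thread, added here as an example and not Scapy's own code: it writes a small constructed pcap in pure Python and then applies the equivalent of the BPF expressions "udp and host 7.7.7.7" (the filter from the original report) and "ether broadcast" (the later question about broadcast destinations) by hand, so the resulting counts can be compared against what sniff(offline=..., filter=...) returns. The frame layout, MAC addresses and IP addresses are constructed assumptions.

```python
import struct

# Constructed sample frames (not from the issue's capture): Ethernet/IPv4 with
# only the header fields the predicates below inspect filled in.
def make_frame(dst_mac, proto, src_ip, dst_ip):
    eth = bytes.fromhex(dst_mac) + bytes(6) + b"\x08\x00"   # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip

def write_pcap(frames):
    """Serialise frames into a classic pcap byte string (little-endian, linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, caplen, len
    return out

def read_pcap(data):
    """Return the raw frames of a classic pcap, honouring the magic's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off, frames = 24, []
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames

def udp_and_host(frame, host):
    """Pure-Python equivalent of the BPF expression 'udp and host <host>'."""
    if frame[12:14] != b"\x08\x00":          # not IPv4, cannot match
        return False
    src = ".".join(map(str, frame[26:30]))   # IP src at Ethernet(14) + 12
    dst = ".".join(map(str, frame[30:34]))   # IP dst at Ethernet(14) + 16
    return frame[23] == 17 and host in (src, dst)   # protocol byte 17 = UDP

def ether_broadcast(frame):
    """Equivalent of 'ether broadcast': destination MAC is ff:ff:ff:ff:ff:ff."""
    return frame[:6] == b"\xff" * 6

def count_matching(pcap_bytes, predicate):
    return sum(1 for f in read_pcap(pcap_bytes) if predicate(f))

SAMPLE = write_pcap([
    make_frame("000000000001", 6, "192.5.1.1", "85.1.1.1"),          # TCP: must be dropped
    make_frame("000000000001", 17, "10.0.0.2", "7.7.7.7"),           # UDP to 7.7.7.7: match
    make_frame("ffffffffffff", 17, "10.0.0.2", "255.255.255.255"),   # UDP broadcast, no 7.7.7.7
    make_frame("000000000001", 17, "7.7.7.7", "10.0.0.3"),           # UDP from 7.7.7.7: match
])
```

Write SAMPLE to a file and pass it to sniff(offline=..., filter="udp and host 7.7.7.7"); if Scapy returns more than count_matching(SAMPLE, lambda f: udp_and_host(f, "7.7.7.7")) packets, the filter was not applied.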
