It seems that the filter of sniff function does not work properly.
I'm executing the sniff with the following filter
a=sniff(co
I had the same problem with CentOS on VM. I used ip host for filter instead of host. That seems to have fixed the issue in my case.
Wrong Filter
>>> packets = sniff (filter = "host 176.96.135.80", count =2, iface = "eth0", timeout =10)
>>> packets.summary()
Ether / IP / UDP 172.7.198.136:netbios_ns > 172.7.199.255:netbios_ns / NBNSQueryRequest
Ether / IP / TCP 176.96.135.80:53527 > 172.7.19.58:ssh A / Padding
Fix
>>> packets = sniff (filter = "ip host 176.96.135.80", count =2, iface = "eth0", timeout =10)
Did not have any issues after this.
You can check the syntax of filters at the following site: http://biot.com/capstats/bpf.html. I was facing similar kinds of problems and it worked for me.
You might like to refer to this question: https://stackoverflow.com/questions/37453283/filter-options-for-sniff-function-in-scapy#=
You can also try to test your program by opening the required ports before running code.
The sniff function needs tcpdump to apply "filter". If there is no tcpdump, scapy reports a warning but doesn't throw. You can enable logging to check it.
import logging
import sys
logging.getLogger("scapy").setLevel(1)
logging.basicConfig(stream=sys.stdout, level=logging.INFO)
from scapy.all import *
I had the same or similar problem - the sniff filter did not work.
Installing tcpdump solved the problem for me.
There are known bugs with the filter function (especially when using the local loopback network!). It is advised to use lfilter (and depending on your needs also a stop_filter):
Example usage:
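sniff(
    # keep only packets that have a TCP layer with 14010 as source or destination port
    lfilter=lambda p: any(proto in p and 14010 in (p[proto].sport, p[proto].dport) for proto in [TCP]),
    stop_filter=lambda x: x.haslayer(TCP))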
For more details on the lfilter see also: https://home.regit.org/2012/06/using-scapy-lfilter/
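An added example, not part of any answer above: a Python-side equivalent of the "ip host" filter that can be passed as lfilter, so unrelated packets are still dropped when the BPF filter is silently not applied. It assumes an Ethernet link layer (optionally with one VLAN tag); ip_host_match, guarded_sniff and the sample frames are hypothetical names and constructed data.

```python
import socket
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100

def ip_host_match(frame: bytes, host: str) -> bool:
    """True if an Ethernet frame carries IPv4 with `host` as source or destination."""
    if len(frame) < 14:
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_P_8021Q:  # skip a single VLAN tag
        if len(frame) < 18:
            return False
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_P_IP or len(frame) < offset + 20:
        return False  # ARP, IPv6, truncated frames: never a match
    wanted = socket.inet_aton(host)
    src, dst = frame[offset + 12:offset + 16], frame[offset + 16:offset + 20]
    return wanted in (src, dst)

def guarded_sniff(host, **kwargs):
    """sniff() with the BPF filter plus the same check repeated in Python."""
    from scapy.all import sniff  # imported here so ip_host_match has no dependencies
    return sniff(filter=f"ip host {host}",
                 lfilter=lambda p: ip_host_match(bytes(p), host),
                 **kwargs)

def _frame(src, dst, proto, vlan=False):
    """Constructed test frame: zeroed MACs, minimal IPv4 header, no payload."""
    tag = struct.pack("!HH", ETH_P_8021Q, 1) if vlan else b""
    eth = bytes(12) + tag + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

# Constructed frames mirroring the two summary lines in the first answer.
NBNS = _frame("172.7.198.136", "172.7.199.255", 17)
SSH = _frame("176.96.135.80", "172.7.19.58", 6)
```

With count=2, guarded_sniff returns only packets that pass the Python check, so a stray NBNS broadcast like the one in the first answer no longer uses up the count.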