Discussion:
interruptable sniff() function
chris
2010-02-16 13:58:05 UTC
Hi list,
scapy-developers,

I found old posts from October 2008 ("sniffing, thread and signal ?")
where somebody extended the sniff() function to be interruptable. The
code was put on the Wiki:

http://trac.secdev.org/scapy/wiki/PatchSelectStopperTimeout

Since I ran into the same problems as franck34 in his post, I
followed a similar (light-weight) approach. I deliver an abortion
function as parameter to the sniff() method that is checked as break
condition in the outer while loop (instead of 'while true'). If this
function returns false, sniff() will return.

Actually this code is just a small change to the scapy code and yet very
useful, in particular if you aim at proper exit handling. I'd be glad if
you could re-consider including the following snippet in one of the next
scapy versions:


522c522,523
<
---
return True
525c526
< def sniff(count=0, store=1, offline=None, prn = None, lfilter=None,
L2socket=None, timeout=None, opened_socket=None, *arg, **karg):
---
def sniff(count=0, store=1, offline=None, prn = None, lfilter=None,
L2socket=None, timeout=None, opened_socket=None, keepRunning=yes, *arg,
**karg):
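Review bot: keepRunning=yes is inserted ahead of *arg in the new sniff() signature, so a caller that passes extra positional arguments after opened_socket would now have the first of them bound to keepRunning instead of being forwarded. Reading the callback from **karg, or documenting it as keyword-only, avoids that. The camelCase name also departs from the neighbouring parameters (opened_socket, lfilter), and a default of None treated as "no abort check" would make the always-True yes() helper unnecessary. The hunk shows no docstring entry for the new parameter.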
558c559
< while 1:
---
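Review bot: the line that replaces `while 1:` is where the abort callback gets evaluated, and a loop condition is re-checked only once per pass, so a stop request takes effect only after the current pass of the loop body has finished. The docstring should say how that interacts with timeout, whether the callback is called with any arguments, and what sniff() returns when the callback ends the loop.
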
I don't think that this causes too much performance overhead to the
sniff() function (and maybe there is even a better solution than the
work-around with the yes() function that returns always True).

Thanks in advance!

Best regards,
Chris


---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-***@secdev.org
Dirk Loss
2010-02-16 19:06:25 UTC
Post by chris
> Since I ran into the same problems as franck34 in his post, I
> followed a similar (light-weight) approach. I deliver an abortion
> function as parameter to the sniff() method that is checked as break
> condition in the outer while loop (instead of 'while true'). If this
> function returns false, sniff() will return.
In newer versions of Scapy, sniff() has a "stop_filter" argument that
seems to do what you want:

    stop_filter: python function applied to each packet to determine
                 if we have to stop the capture after this packet
                 ex: stop_filter = lambda x: x.haslayer(TCP)

http://hg.secdev.org/scapy/rev/253e15b8a97c

Regards
Dirk
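
The two stop mechanisms in this thread are checked at different points: the callback from the first post replaces the loop condition, while stop_filter is applied to each packet. The sketch below is an added example, not Scapy's code and not the patch from the post; `sniff_model`, `keep_running`, `poll` and the queue standing in for the socket are assumptions made for illustration. It shows that on a link with no traffic only the loop-condition check or `timeout` ends the capture.

```python
import queue
import threading
import time

def sniff_model(source, timeout=None, stop_filter=None, keep_running=None, poll=0.05):
    """Simplified stand-in for a sniff() receive loop (assumption, not Scapy's code)."""
    captured = []
    deadline = None if timeout is None else time.monotonic() + timeout
    # Variant from the first post: the callback replaces 'while 1' as loop condition.
    while keep_running is None or keep_running():
        wait = poll
        if deadline is not None:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            wait = min(poll, remaining)
        try:
            pkt = source.get(timeout=wait)  # stands in for waiting on the socket
        except queue.Empty:
            continue  # no traffic: stop_filter is not consulted on this pass
        captured.append(pkt)
        # stop_filter variant: evaluated only once a packet has arrived.
        if stop_filter is not None and stop_filter(pkt):
            break
    return captured

def idle_link_elapsed(use_keep_running):
    """Seconds until the model returns on an idle link when a stop is requested at 0.1 s."""
    stop = threading.Event()
    threading.Timer(0.1, stop.set).start()
    idle = queue.Queue()  # constructed input: a link that delivers no packets
    start = time.monotonic()
    if use_keep_running:
        sniff_model(idle, timeout=0.6, keep_running=lambda: not stop.is_set())
    else:
        sniff_model(idle, timeout=0.6, stop_filter=lambda pkt: stop.is_set())
    return time.monotonic() - start

def stops_on_match():
    """With traffic present, stop_filter ends the capture at the first match."""
    src = queue.Queue()
    for pkt in ("udp", "udp", "tcp", "udp"):  # constructed packets (plain strings)
        src.put(pkt)
    return sniff_model(src, timeout=0.6, stop_filter=lambda p: p == "tcp")

if __name__ == "__main__":
    print("keep_running, idle link: %.2f s" % idle_link_elapsed(True))
    print("stop_filter, idle link:  %.2f s" % idle_link_elapsed(False))
    print("with traffic:", stops_on_match())
```

For a capture that must shut down cleanly, this is why a per-packet stop condition is usually paired with a timeout.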

chris
2010-02-17 06:49:28 UTC
Dirk,
Post by Dirk Loss
> In newer versions of Scapy, sniff() has a "stop_filter" argument that
> stop_filter: python function applied to each packet to determine
> if we have to stop the capture after this packet
> ex: stop_filter = lambda x: x.haslayer(TCP)
Thanks a lot for this hint, *exactly* what I was looking for.

Do you know already when there will be an updated Scapy version that
includes this patch already? Unfortunately, the current stable version
2.1.0 was released just a couple of weeks before this patch.

Regards,
Chris


Dirk Loss
2010-02-17 07:20:55 UTC
Post by chris
> Dirk,
> Post by Dirk Loss
>> In newer versions of Scapy, sniff() has a "stop_filter" argument that
>> stop_filter: python function applied to each packet to determine
>> if we have to stop the capture after this packet
>> ex: stop_filter = lambda x: x.haslayer(TCP)
> Thanks a lot for this hint, *exactly* what I was looking for.
> Do you know already when there will be an updated Scapy version that
> includes this patch already? Unfortunately, the current stable version
> 2.1.0 was released just a couple of weeks before this patch.
Just use the development version:
http://hg.secdev.org/scapy/archive/tip.zip

Regards
Dirk

chris
2010-03-01 11:32:17 UTC
Hi Dirk,
Post by Dirk Loss
> http://hg.secdev.org/scapy/archive/tip.zip
I tried to, but bumped into the following error:

WARNING: Failed to execute tcpdump. Check it is installed and in the PATH
Traceback (most recent call last):
  File "FlowExtractor.py", line 6, in <module>
    from scapy.all import *
  File "/opt/python2.6/lib/python2.6/site-packages/scapy/all.py", line 37, in <module>
    from layers.all import *
  File "/opt/python2.6/lib/python2.6/site-packages/scapy/layers/all.py", line 16, in <module>
    _import_star(_l)
  File "/opt/python2.6/lib/python2.6/site-packages/scapy/layers/all.py", line 10, in _import_star
    mod = __import__(m, globals(), locals())
  File "/opt/python2.6/lib/python2.6/site-packages/scapy/layers/sctp.py", line 13, in <module>
    from scapy.layers.inet6 import IP6Field
  File "/opt/python2.6/lib/python2.6/site-packages/scapy/layers/inet6.py", line 25, in <module>
    raise socket.error("can't use AF_INET6, IPv6 is disabled")
socket.error: can't use AF_INET6, IPv6 is disabled


The error occurred with the following statement (first line of code):

from scapy.all import *

Obviously, IPv6 is disabled on my system. In config.py also ipv6_enabled
is set to False (socket.has_ipv6 is also False).


I copied the sendrecv.py however into my scapy-2.1 folder, reinstalled
and am happy with the new sniff() method!

Regards,
Chris


Dirk Loss
2010-03-01 19:11:18 UTC
On 01.03.10 12:32, chris wrote:
[...]
Post by chris
>   File "/opt/python2.6/lib/python2.6/site-packages/scapy/layers/sctp.py", line 13, in <module>
>     from scapy.layers.inet6 import IP6Field
>   File "/opt/python2.6/lib/python2.6/site-packages/scapy/layers/inet6.py", line 25, in <module>
>     raise socket.error("can't use AF_INET6, IPv6 is disabled")
> socket.error: can't use AF_INET6, IPv6 is disabled
> from scapy.all import *
> Obviously, IPv6 is disabled on my system. In config.py also ipv6_enabled
> is set to False (socket.has_ipv6 is also False).
I can reproduce this when I manually set socket.has_ipv6=False before
importing from scapy.all

I have just created a ticket:
http://trac.secdev.org/scapy/ticket/338

My spontaneous suggestion would be to remove lines 24 and 25 from
inet6.py, but maybe there's a better solution.

Regards
Dirk
