Discussion:
Offline sniffing and BPF
Thomas Chopitea
2014-01-09 17:04:28 UTC
Hello all,

I'm trying to get scapy to sniff a pcap file (with the 'offline' option),
and filter out unwanted packets using BPF syntax. Passing both options as
in

sniff(offline='dump.pcap', filter='tcp port 80', prn=lambda x: x.summary())

runs the prn for every packet in dump.pcap

I don't want to use an lfilter unless, of course, I can derive or build it
from the BPF specified by the user.

Any ideas?

Cheers,
--
Thomas Chopitea
Serdar Metin
2014-01-09 17:22:24 UTC
You can also sniff AND filter for packets that have some layer inside them.

With the following commands, if a DHCPv6 Advertise message is sniffed in a packet, it will go to the function.

from scapy.all import sniff, DHCP6_Advertise

def GoToXfuntion(pkt):
    ...  # body elided in the original post

sniff(iface='eth0', prn=GoToXfuntion, lfilter=lambda x: x.haslayer(DHCP6_Advertise))


Hope this helps

Cheers
Thomas Chopitea
2014-01-09 17:32:53 UTC
Hey Serdar, thanks for the tip.

I'm trying to do something similar, only that I'd like to have more
complexity than just filtering over a layer. Since the filter is bound to
change, I'd like it to be represented in BPF syntax ('tcp port 80') rather
than as x.haslayer(TCP) and x['TCP'].dport == 80.
--
Thomas Chopitea
Pentester
2014-01-11 15:01:26 UTC
If you want to save traffic in a pcap file, then what's wrong with using
tcpdump? Like:
tcpdump -w dump.cap 'tcp port 80'

/Zirro
Thomas Chopitea
2014-01-11 16:41:21 UTC
I actually want to *load* a pcap file from scapy, and apply a prn to each
packet. This works fine with scapy's *sniff* function using the *offline*
argument. But it doesn't seem to take into account the BPF passed in the
*filter* argument.
--
Thomas Chopitea
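The approach the thread circles around, as an added example (not code from any of the posters): let tcpdump compile and evaluate the BPF expression and write the matching records back out as pcap, then hand that stream to scapy's PcapReader, so scapy only ever parses packets that already passed the filter. The three-packet capture is constructed inline for the demonstration; tcpdump on PATH is assumed, and sniff_offline_bpf() assumes a scapy release whose PcapReader accepts an open file object. Later scapy releases took the same route internally when both offline and filter are given.

```python
"""Apply a BPF filter to a pcap before scapy parses it (added example).

The BPF expression is compiled and evaluated by tcpdump (libpcap); the
matching records are written back out as pcap on stdout, and scapy only
parses those.  Assumes tcpdump on PATH; sniff_offline_bpf() additionally
assumes a scapy version whose PcapReader accepts an open file object.
"""
import shutil
import struct
import subprocess

# pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def tcpdump_available():
    return shutil.which("tcpdump") is not None


def _tcp_syn_frame(sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame, no payload, zeroed checksums
    (BPF never checks checksums, so tcpdump still matches it)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed three-record capture: client->80, client->443, 80->client."""
    frames = [_tcp_syn_frame(40000, 80), _tcp_syn_frame(40001, 443), _tcp_syn_frame(80, 40000)]
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def count_records(pcap_bytes):
    """Walk the record headers of a classic pcap (either byte order)."""
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", pcap_bytes[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D):
            break
    else:
        raise ValueError("not a pcap file")
    off, count = 24, 0
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        off += 16 + incl_len
        count += 1
    return count


def filter_with_tcpdump(pcap_bytes, bpf):
    """Return only the records matching `bpf`, as pcap bytes.

    Invalid syntax makes tcpdump exit non-zero and is raised here instead
    of silently matching nothing.  The expression travels as one argv
    element after '--' (no shell), so a user-supplied filter cannot smuggle
    in extra options or commands.
    """
    proc = subprocess.run(["tcpdump", "-r", "-", "-w", "-", "--", bpf],
                          input=pcap_bytes, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        raise ValueError("tcpdump rejected %r: %s" % (bpf, proc.stderr.decode(errors="replace").strip()))
    return proc.stdout


def sniff_offline_bpf(pcap_path, bpf, prn):
    """sniff(offline=pcap_path, filter=bpf, prn=prn) with the BPF honoured.

    Streams the file through tcpdump and parses the survivors with scapy;
    returns the list of prn() results.  Requires scapy (imported here so
    the rest of the module runs without it).
    """
    from scapy.all import PcapReader  # assumption: accepts a file object (scapy >= 2.3)

    proc = subprocess.Popen(["tcpdump", "-r", pcap_path, "-w", "-", "--", bpf],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    results = []
    try:
        for pkt in PcapReader(proc.stdout):
            results.append(prn(pkt))
    finally:
        proc.stdout.close()
        err = proc.stderr.read().decode(errors="replace").strip()
        if proc.wait() != 0:
            raise ValueError("tcpdump rejected %r: %s" % (bpf, err))
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as fh:
        fh.write(build_sample_pcap())
    print(count_records(filter_with_tcpdump(build_sample_pcap(), "tcp port 80")), "records match 'tcp port 80'")
    for line in sniff_offline_bpf(fh.name, "tcp port 80", lambda p: p.summary()):
        print(line)
```

Because the expression is passed as a single argv element after `--`, a filter string taken from a user (the situation in the original question) cannot turn into extra tcpdump options, and a syntax error in it fails loudly rather than quietly passing every packet, which is exactly the symptom the thread started with.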