Filter options for sniff function in scapy

python linux networking ethernet scapy
Venkat Ramana picture Venkat Ramana · May 26, 2016 · Viewed 27.5k times · Source

I'm working on a scapy based tool where at a point I need to sniff a packet based on protocol and the ip address of the destination

I'd like to know about the ways in which filter option in sniff() function can be used. I tried using format in documentation but most of the times it results in problems like this. the filter of sniff function in scapy does not work properly .

The one which I used was 

a=sniff(filter="host 172.16.18.69 and tcp port 80",prn = comp_pkt,count = 1)

Thanks in advance!

Answer

Jeff Bencteux picture Jeff Bencteux · May 26, 2016

sniff() uses Berkeley Packet Filter (BPF) syntax (the same one as tcpdump), here are some examples:

Packets from or to host:

host x.x.x.x

Only TCP SYN segments:

tcp[tcpflags] & tcp-syn != 0

Everything ICMP but echo requests/replies:

icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

Related questions

Getting MAC Address

I need a cross platform method of determining the MAC address of a computer at run time. For windows the 'wmi' module can be used and the only method under Linux I could find was to run ifconfig and run …

Read More
How to close a socket left open by a killed program?

I have a Python application which opens a simple TCP socket to communicate with another Python application on a separate host. Sometimes the program will either error or I will directly kill it, and in either case the socket may …

Read More
Get local network interface addresses using only proc?

How can I obtain the (IPv4) addresses for all network interfaces using only proc? After some extensive investigation I've discovered the following: ifconfig makes use of SIOCGIFADDR, which requires open sockets and advance knowledge of all the interface names. It …

Read More