Filter options for sniff function in scapy

Venkat Ramana picture Venkat Ramana · May 26, 2016 · Viewed 27.5k times · Source

I'm working on a scapy based tool where at a point I need to sniff a packet based on protocol and the ip address of the destination

I'd like to know about the ways in which filter option in sniff() function can be used. I tried using format in documentation but most of the times it results in problems like this. the filter of sniff function in scapy does not work properly .

The one which I used was

a=sniff(filter="host 172.16.18.69 and tcp port 80",prn = comp_pkt,count = 1)

Thanks in advance!

Answer

Jeff Bencteux picture Jeff Bencteux · May 26, 2016

sniff() uses Berkeley Packet Filter (BPF) syntax (the same one as tcpdump), here are some examples:

Packets from or to host:

host x.x.x.x

Only TCP SYN segments:

tcp[tcpflags] & tcp-syn != 0

Everything ICMP but echo requests/replies:

icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply