Filter Options for Sniff Function in Scapy

sniff() uses Berkeley Packet Filter (BPF) syntax (the same as tcpdump). Here are some examples:

Packets from or to host:

host x.x.x.x

Only TCP SYN segments:

tcp[tcpflags] & tcp-syn != 0

Everything ICMP but echo requests/replies:

icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

Advantages of Scapy sniff's filter versus filtering in the packet handling method?

If you're using the filter= keyword argument from sniff, you're passing a BPF filter. This string filter is compiled into a C object by libpcap, then passed to the socket. It is then used by the kernel directly, i.e. it is much, much more performant than filtering in the callback.

This actually matters a lot when you're under heavy loads: if you receive, for instance, 1 GB/s of packets, Scapy can't dissect that fast enough, so the socket it is using to receive those packets will have its buffer filled, and tons of packets will be dropped. On the other hand, if you're using a BPF "kernel-level" filter, only the filtered packets reach Scapy: that is a much more manageable packet stream.

If you are not experiencing issues with packet drops, though (low rates, etc.), it comes down to preference.

Scapy multiple sniff filters not working?

The filter you are using is simply not a valid PCAP filter (hence the syntax error message). On a Unix system, you can have a look at the pcap-filter(7) and the tcpdump(1) manpages for more information about the syntax you can use.

Something like this should work:

from scapy.all import sniff
# "myinter" is the interface name and mitm the packet-handler callback from the question
myfilter = "tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-push) == tcp-syn"
sniff(iface="myinter", filter=myfilter, prn=mitm, count=1)
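The BPF expressions in the answers above index raw header bytes: tcp[tcpflags] is byte 13 of the TCP header and icmp[icmptype] is byte 0 of the ICMP header, with the names tcp-syn, tcp-ack, tcp-push, icmp-echo and icmp-echoreply defined in pcap-filter(7). The following Python is an added example, not code from any of the answers, that reproduces those three filters (plus the "pure SYN" variant from the last answer) in userland over constructed IPv4 packets, so the difference between `& tcp-syn != 0` and `& (tcp-syn|tcp-ack|tcp-push) == tcp-syn` can be seen without a live interface. It uses only the standard library; the packet builders, addresses and the filter_packets helper are assumptions made for the example, and the builders skip checksums. A predicate like is_pure_syn is what you would hand to sniff(lfilter=...) for Python-side filtering, whereas filter= runs the equivalent BPF program in the kernel, as the second answer explains.

```python
import socket
import struct

# Bits of the TCP flags byte, under the names pcap-filter(7) gives them
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8


def ipv4_header(proto, payload_len, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed 20-byte IPv4 header, no options, checksum left at 0 (sample data only)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_packet(flags, sport=40000, dport=80, **ip):
    """Constructed IPv4 packet carrying a minimal 20-byte TCP header with the given flags."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ipv4_header(IPPROTO_TCP, len(tcp), **ip) + tcp


def icmp_packet(icmp_type_value, code=0, **ip):
    """Constructed IPv4 packet carrying a minimal 8-byte ICMP header."""
    icmp = struct.pack("!BBHHH", icmp_type_value, code, 0, 0, 0)
    return ipv4_header(IPPROTO_ICMP, len(icmp), **ip) + icmp


def l4_offset(pkt):
    """Start of the transport header: IHL (low nibble of byte 0) times 4, which is what tcp[...] and icmp[...] index from."""
    return (pkt[0] & 0x0F) * 4


def tcp_flags(pkt):
    """BPF tcp[tcpflags]: byte 13 of the TCP header, or None when the packet is not TCP."""
    if pkt[9] != IPPROTO_TCP:  # byte 9 of the IPv4 header is the protocol number
        return None
    return pkt[l4_offset(pkt) + 13]


def icmp_type(pkt):
    """BPF icmp[icmptype]: first byte of the ICMP header, or None when the packet is not ICMP."""
    if pkt[9] != IPPROTO_ICMP:
        return None
    return pkt[l4_offset(pkt)]


def is_syn_segment(pkt):
    """tcp[tcpflags] & tcp-syn != 0 : any segment with SYN set, SYN/ACK replies included."""
    f = tcp_flags(pkt)
    return f is not None and (f & TCP_SYN) != 0


def is_pure_syn(pkt):
    """tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-push) == tcp-syn : SYN set, ACK and PSH clear,
    i.e. only the first packet of a handshake (a SYN/ACK fails the == because ACK is in the mask)."""
    f = tcp_flags(pkt)
    return f is not None and (f & (TCP_SYN | TCP_ACK | TCP_PUSH)) == TCP_SYN


def is_icmp_not_echo(pkt):
    """icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply"""
    t = icmp_type(pkt)
    return t is not None and t != ICMP_ECHO and t != ICMP_ECHOREPLY


def filter_packets(pkts, predicate):
    """Userland filtering, like sniff(lfilter=...): every packet is inspected in Python,
    which is the cost a kernel-side filter= avoids."""
    return [p for p in pkts if predicate(p)]


SAMPLE = [  # constructed traffic: a handshake, a data segment, a ping and a port-unreachable
    tcp_packet(TCP_SYN),
    tcp_packet(TCP_SYN | TCP_ACK),
    tcp_packet(TCP_ACK | TCP_PUSH),
    icmp_packet(ICMP_ECHO),
    icmp_packet(3, code=3),  # type 3 / code 3: destination unreachable, port unreachable
]

if __name__ == "__main__":
    print(len(filter_packets(SAMPLE, is_syn_segment)), "segments with SYN set")   # 2
    print(len(filter_packets(SAMPLE, is_pure_syn)), "pure SYN")                    # 1
    print(len(filter_packets(SAMPLE, is_icmp_not_echo)), "non-echo ICMP packets")  # 1
```

The mask in is_pure_syn is the point of the last answer: testing only `& tcp-syn` also matches the server's SYN/ACK, so a handler that expects to see each new connection once would run twice per handshake.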
