Reputation: 560
I am trying to sniff UDP packets using the scapy sniff function. I send the packets on the loopback interface; the sending code is simple, as follows:
from socket import *
IPv4 = "127.0.0.1"
Port = 45943
ClientSock = socket(AF_INET, SOCK_DGRAM)
while True:
    MESSAGE = raw_input()
    ClientSock.sendto(MESSAGE, (IPv4, Port))
However, when I run (in another terminal tab after importing scapy):
a = sniff(iface="lo0", count = 5)
I get the following result:
>>> a.nsummary()
0000 Raw
0001 Raw
0002 Raw
0003 Raw
0004 Raw
whereas I am supposed to get UDP packets! Can anyone point out anything that I am missing here? Thanks.
Upvotes: 2
Views: 3971
Reputation: 948
Some suggestions.
1) Instead of a.nsummary(), you can print out more information on individual packets using something like
a[1].show()
a[1].show2()
hexdump(a[1])
to examine the first packet.
2) You can force the protocol decoding to a particular type of packet format. For instance, a RAW_IP packet capture (link layer header type = 101) can be forced to be IPv6 using
conf.l2types.register(101, IPv6)
If you want to add a new layer on top of UDP, you can add a new dissector based on the port used.
Upvotes: 0
Reputation:
Unable to guess datalink type (interface=lo0 linktype=0)
That message translates as "Scapy doesn't understand the DLT_NULL link-layer header type, as used on the loopback device in *BSD and OS X, so it doesn't support the loopback device on *BSD and OS X".
So you're out of luck if you want to use Scapy on OS X to capture on the loopback device, unless and until Scapy is enhanced to handle DLT_NULL. (DLT_NULL is not that hard to handle, so presumably the only reason it's not handled is that most of the people using it on a loopback device are doing so on Linux, where the link-layer header type value on the loopback device is DLT_EN10MB, i.e. Ethernet, so nobody's bothered to fix it. I'll see if I can get it working and, if so, send them a patch.)
Upvotes: 4
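As an added example (not from any of the posts, and not Scapy's own code), this standard-library decoder strips the 4-byte DLT_NULL header the last answer refers to and reads the IPv4 and UDP headers behind it. The header layout follows the tcpdump.org LINKTYPE_NULL description; the function names, source port 50000 and the sample frame are constructed for illustration.

```python
# Python 3, standard library only.
import socket
import struct

AF_IPV4 = 2              # AF_INET value carried in the DLT_NULL header
AF_IPV6 = {24, 28, 30}   # AF_INET6 on NetBSD/OpenBSD, FreeBSD, macOS

def parse_dlt_null(frame):
    """Decode DLT_NULL + IPv4 + UDP; return the datagram's fields."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the DLT_NULL header")
    # The family is written in the capturing host's byte order:
    # read it little-endian and swap if the value is implausibly large.
    family = struct.unpack("<I", frame[:4])[0]
    if family > 0xFFFF:
        family = struct.unpack(">I", frame[:4])[0]
    if family in AF_IPV6:
        raise ValueError("IPv6 payload is not handled in this example")
    if family != AF_IPV4:
        raise ValueError("unknown address family %d" % family)
    ip = frame[4:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("truncated IPv4 or UDP header")
    if ip[9] != socket.IPPROTO_UDP:
        raise ValueError("IP protocol %d is not UDP" % ip[9])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport,
            "payload": ip[ihl + 8:ihl + ulen]}

def build_sample_frame(payload=b"hello", dport=45943):
    """Constructed frame as a little-endian host would capture it on lo0."""
    lo = socket.inet_aton("127.0.0.1")
    udp = struct.pack("!HHHH", 50000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0, lo, lo)  # checksums left at 0
    return struct.pack("<I", AF_IPV4) + ip + udp

if __name__ == "__main__":
    print(parse_dlt_null(build_sample_frame()))
```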