Reputation: 13
I would like to capture only ICMPv6 Echo Request packets. I use the scapy sniff() function, which uses BPF filters, the same as tcpdump. The filter I use works with tcpdump and only captures ICMPv6 echo requests, but when I use it in my Python script it does not work at all and scapy captures all packets. Why is the filter not working in my script?
#!/usr/bin/env python
from scapy.all import *
a = sniff(filter="icmp6 && ip6[40] == 128", count=10)
a.summary()
The output:
Ether / IP / ICMP 192.168.1.74 > 192.168.1.84 echo-request 0 / Raw
Ether / IP / ICMP 192.168.1.84 > 192.168.1.74 echo-reply 0 / Raw
Ether / IPv6 / ICMPv6 Echo Request (id: 0x306 seq: 0x3bb)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x306 seq: 0x3bb)
Ether / IPv6 / ICMPv6 Echo Reply (id: 0x306 seq: 0x3bb)
Ether / IPv6 / ICMPv6 Echo Reply (id: 0x306 seq: 0x3bb)
Ether / IP / TCP 192.168.1.84:ssh > 192.168.1.74:61336 PA / Raw
Ether / IP / TCP 192.168.1.74:61336 > 192.168.1.84:ssh A
Ether / IP / ICMP 192.168.1.74 > 192.168.1.84 echo-request 0 / Raw
Ether / IP / ICMP 192.168.1.84 > 192.168.1.74 echo-reply 0 / Raw
Upvotes: 1
Views: 2658
Reputation: 61
I had some issues getting this to run on my system, but that turned out to be a faulty v6 setup on one of my interfaces. scapy-python3 did seem to handle this issue better; it just ignored my config error and carried on execution instead of erroring out.
After I resolved that, your code example works on both Python 2.7 and 3.x without any issues for me, both when I'm specifying the interface manually and when I don't.
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x190)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x191)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x192)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x193)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x194)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x195)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x196)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x197)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x198)
Ether / IPv6 / ICMPv6 Echo Request (id: 0x5d24 seq: 0x199)
If you have the possibility of testing this in Python 3.x it might work better for you, but it feels like something in your setup is off. I've never used scapy before, so I don't know if e.g. a 6to4 tunnel would confuse it.
I'm running:
Debian testing with kernel 4.11.0-1-amd64
scapy 2.3.3 on Python 2.7.13
scapy-python3 0.21 on Python 3.5.4
Upvotes: 1
Reputation: 6237
You should probably specify the interface. Scapy sometimes fails to apply BPF filters in some situations (including on PPP interfaces or when multiple interfaces are sniffed at the same time).
Another option could be to use a Python filter rather than a BPF filter. The main drawback is that it impacts performance, since Scapy will receive (and parse) all the packets seen on the interface:
from scapy.all import *
a = sniff(lfilter=lambda pkt: ICMPv6EchoRequest in pkt, count=10)
a.summary()
Upvotes: 1
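Added example (not part of any post in this thread): a stdlib-only check that can be run over raw captured frame bytes to count how many frames a working `icmp6 && ip6[40] == 128` filter would have dropped, which is the symptom in the question. It also walks the IPv6 extension header chain, because the fixed offset 40 only points at the ICMPv6 type when no extension header precedes it. The function names, the simplified filter model, the untagged-Ethernet assumption and the sample frames are all constructed for illustration.

```python
import struct

ETH_IPV6, ICMPV6, ECHO_REQUEST, FRAGMENT = 0x86DD, 58, 128, 44
EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options

def _ip6_payload(frame):  # IPv6 packet of an untagged Ethernet frame, or None
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None
    return frame[14:]

def bpf_match(frame):
    """Simplified model of 'icmp6 && ip6[40] == 128' (fixed offsets only)."""
    ip6 = _ip6_payload(frame)
    return bool(ip6) and len(ip6) > 40 and ip6[6] == ICMPV6 and ip6[40] == ECHO_REQUEST

def is_echo_request(frame):
    """Walk the extension header chain instead of trusting offset 40."""
    ip6 = _ip6_payload(frame)
    if ip6 is None:
        return False
    nxt, off = ip6[6], 40
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if off + 8 > len(ip6):
            return False  # truncated extension header
        hdr_len = 8 if nxt == FRAGMENT else (ip6[off + 1] + 1) * 8
        if nxt == FRAGMENT and struct.unpack("!H", ip6[off + 2:off + 4])[0] & 0xFFF8:
            return False  # non-first fragment carries no ICMPv6 header
        nxt, off = ip6[off], off + hdr_len
    return nxt == ICMPV6 and off < len(ip6) and ip6[off] == ECHO_REQUEST

def audit(frames):
    """leaked: frames a working BPF filter would drop; missed_by_bpf: echo requests it cannot see."""
    return {"total": len(frames),
            "leaked": sum(not bpf_match(f) for f in frames),
            "missed_by_bpf": sum(is_echo_request(f) and not bpf_match(f) for f in frames)}

def _ip6_frame(next_header, payload):  # builder for the constructed samples below
    addr = bytes.fromhex("20010db8") + bytes(11)
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return bytes(12) + struct.pack("!H", ETH_IPV6) + hdr + addr + b"\x01" + addr + b"\x02" + payload

ECHO = struct.pack("!BBHHH", 128, 0, 0, 0x306, 0x3BB)  # checksum left at 0 (constructed)
SAMPLES = {  # constructed frames, not captured traffic
    "echo_request": _ip6_frame(ICMPV6, ECHO),
    "echo_reply": _ip6_frame(ICMPV6, b"\x81" + ECHO[1:]),
    "echo_request_after_dest_opts": _ip6_frame(60, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + ECHO),
    "ipv4_frame": bytes(12) + b"\x08\x00" + bytes(28),
}
```

Calling `audit(list(SAMPLES.values()))` returns `{'total': 4, 'leaked': 3, 'missed_by_bpf': 1}`: a non-zero `leaked` count on a real capture means the BPF filter was not applied, and `missed_by_bpf` counts echo requests that only a header-walking check finds.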