Reputation: 13
I am having trouble applying a filter to the sniff command in Scapy. In the simplest case, I can sniff 10 packets in the Scapy CLI, like this:
Welcome to Scapy (2.3.3)
>>> pkts = sniff(count=10)
>>> for p in pkts: p.summary()
...
'IP / TCP xx.xx.xx.xx:ssh > xx.xx.xx.xx:53128 PA / Raw'
'IP / TCP xx.xx.xx.xx:60661 > xx.xx.xx.xx:http_alt PA / Raw'
'IP / TCP xx.xx.xx.xx:http_alt > xx.xx.xx.xx:60661 A'
'IP / TCP xx.xx.xx.xx:32874 > xx.xx.xx.xx:http S'
'IP / TCP xx.xx.xx.xx:https > xx.xx.xx.xx:58026 PA / Raw'
'IP / TCP xx.xx.xx.xx:58026 > xx.xx.xx.xx:https A'
'IP / TCP xx.xx.xx.xx:60804 > xx.xx.xx.xx:http_alt A'
'IP / TCP xx.xx.xx.xx:63244 > xx.xx.xx.xx:http_alt PA / Raw'
'IP / TCP xx.xx.xx.xx:http_alt > xx.xx.xx.xx:63244 A'
'IP / TCP xx.xx.xx.xx:43843 > xx.xx.xx.xx:http_alt A'
but when I try:
pkts = sniff(count=10, filter='tcp')
It never finishes, just waits for packets.
I'm on a rented VPS running Ubuntu 16.04 server and I know there are some limited capabilities around networking. For instance, I'm not able to use Linux traffic control (tc).
Any ideas on how this could be the case?
edit: BPF filters do function correctly for tcpdump.
Upvotes: 1
Views: 1786
Reputation: 6237
This might be because the BPF filter is not compiled for the correct interface. You should get the current development version of Scapy (from https://github.com/secdev/scapy) and specify the interface in your sniff() call:
pkts = sniff(count=10, filter='tcp', iface='eth0') # replace eth0 with your interface name
Upvotes: 1
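An added example, not part of the original answer or Scapy's own code: it picks the interface explicitly from the Linux routing table, then runs the same capture once with the BPF filter and once with a Python-side lfilter, each with a timeout, so a filter that never matches shows up as a zero count instead of a hang. The function names and the sample routing table are constructed for illustration; it assumes Linux, root privileges and an installed Scapy.

```python
"""Pick the capture interface explicitly, then compare BPF and Python-side filtering."""

# Constructed sample in /proc/net/route format (not taken from the asker's VPS).
SAMPLE_ROUTES = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth2\t00000000\t0100000A\t0000\t0\t0\t0\t00000000\t0\t0\t0\n"    # default route, but down
    "eth1\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"  # default route, metric 100
    "eth0\t00000000\t010011AC\t0003\t0\t0\t50\t00000000\t0\t0\t0\n"   # default route, metric 50
    "eth0\t000011AC\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"    # on-link subnet route
)

RTF_UP = 0x0001  # route is usable


def default_route_iface(route_table):
    """Return the interface of the lowest-metric default route that is up, or None."""
    best = None
    for line in route_table.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        iface, dest, flags, metric, mask = f[0], f[1], int(f[3], 16), int(f[6]), f[7]
        if dest != "00000000" or mask != "00000000" or not flags & RTF_UP:
            continue
        if best is None or metric < best[0]:
            best = (metric, iface)
    return best[1] if best else None


def compare_filters(iface, count=10, timeout=15):
    """Sniff one interface twice: kernel BPF filter first, then Python-side lfilter."""
    from scapy.all import TCP, sniff  # imported lazily; sniffing needs root
    bpf = sniff(count=count, filter="tcp", iface=iface, timeout=timeout)
    py = sniff(count=count, lfilter=lambda p: p.haslayer(TCP), iface=iface, timeout=timeout)
    return len(bpf), len(py)


if __name__ == "__main__":
    with open("/proc/net/route") as fh:
        iface = default_route_iface(fh.read())
    print("sniffing on", iface)
    bpf_n, py_n = compare_filters(iface)
    # A BPF count of 0 next to a non-zero lfilter count means TCP traffic is
    # present on the interface but the compiled filter is not matching it.
    print("BPF filter:", bpf_n, "packets; lfilter:", py_n, "packets")
```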