2
votes

I am trying to sniff UDP packets using the scapy sniff function. I send the packets on the loopback interface; the sending code is as simple as the following:

from socket import *

IPv4 = "127.0.0.1"   # loopback address
Port = 45943

ClientSock = socket(AF_INET, SOCK_DGRAM)   # UDP socket

while True:
    MESSAGE = raw_input()                  # Python 2: read one line from stdin
    ClientSock.sendto(MESSAGE, (IPv4, Port))

However, when I run (in another terminal tab, after importing scapy):

a = sniff(iface="lo0", count = 5)

I get the following result:

>>> a.nsummary()
0000 Raw
0001 Raw
0002 Raw
0003 Raw
0004 Raw

whereas I am supposed to get UDP packets! Can anyone point out anything that I am missing here? Thanks.

2
Is anything listening on port 45943? Otherwise, the raw packets you're seeing might be PORT UNREACHABLE ICMP messages. – robertklep

I did not set up a server socket on the other side, but I can see the message (the text sent) appear at the end of the packet, such as this: ###[ Raw ]### load= '\x02\x00\x00\x00E\x00\x00,\x00\xff\x00\x00@\x11\x00\x00\x7f\x00\x00\x01\x7f\x00\x00\x01\x825\x9cE\x00\x18\x83\xe1helllllllllllllo' – OiaSam

@robertklep I ran a server listening on that port, but the result is the same. Forgot to mention that this message also appears: WARNING: Unable to guess datalink type (interface=lo0 linktype=0). Using Raw – OiaSam

Ah heh, that might be the problem ;) Not sure what's causing it (not familiar with scapy), but perhaps you can force the linktype somehow? – robertklep

2 Answers

3
votes

Unable to guess datalink type (interface=lo0 linktype=0)

That message translates as "Scapy doesn't understand the DLT_NULL link-layer header type, as used on the loopback device in *BSD and OS X, so it doesn't support the loopback device on *BSD and OS X".

So you're out of luck if you want to use Scapy on OS X to capture on the loopback device, unless and until Scapy is enhanced to handle DLT_NULL. (DLT_NULL is not that hard to handle, so presumably the only reason it's not handled is that most of the people using it on a loopback device are doing so on Linux, where the link-layer header type value on the loopback device is DLT_EN10MB, i.e. Ethernet, so nobody's bothered to fix it. I'll see if I can get it working and, if so, send them a patch.)

0
votes

Some suggestions.

1) Instead of a.nsummary(), you can print out more information on individual packets using something like

a[1].show()
a[1].show2()
hexdump(a[1])

to examine the first packet.

2) You can force the protocol decoding to a particular type of packet format. For instance, a RAW_IP packet capture (link-layer header type = 101) can be forced to be IPv6 using

conf.l2types.register(101, IPv6)

If you want to add a new layer on top of UDP, you can add a new dissector based on the port used.
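To make concrete what the first answer says Scapy is missing (the DLT_NULL framing on the BSD/OS X loopback device) and what a layer registered via conf.l2types.register() would have to do, here is an added, dependency-free Python 3 decoder; it is example code written for this thread, not Scapy's own dissector. It assumes the libpcap LINKTYPE_NULL layout (4-byte address family in the capturing host's byte order, then the IP packet) and uses a constructed frame modelled on the capture quoted in the comments (AF_INET header, 127.0.0.1 to 127.0.0.1, UDP to port 45943).

```python
import struct
from ipaddress import IPv4Address

# DLT_NULL (LINKTYPE_NULL): a 4-byte address family in the *capturing host's*
# byte order, followed by the raw network-layer packet. This is exactly why
# the question's Raw load starts with \x02\x00\x00\x00 before the IPv4 header.
AF_INET = 2
AF_INET6_VALUES = {24, 28, 30}   # OpenBSD, FreeBSD/NetBSD, macOS/Darwin


def parse_dlt_null(frame):
    """Return (family, udp_fields) for a DLT_NULL loopback frame (IPv4/UDP only)."""
    if len(frame) < 4:
        raise ValueError("frame too short for a DLT_NULL header")
    family = struct.unpack("<I", frame[:4])[0]
    if family > 0xFFFF:                       # captured on a big-endian host
        family = struct.unpack(">I", frame[:4])[0]
    if family in AF_INET6_VALUES:
        raise NotImplementedError("IPv6 loopback frame not decoded here")
    if family != AF_INET:
        raise ValueError("unexpected address family %d" % family)
    return family, parse_ipv4_udp(frame[4:])


def parse_ipv4_udp(pkt):
    """Decode an IPv4 header carrying UDP and return the interesting fields."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        raise ValueError("IP protocol %d is not UDP" % pkt[9])
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    if ulen != total_len - ihl:               # reject truncated/inconsistent frames
        raise ValueError("UDP length does not match IP total length")
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "sport": sport, "dport": dport, "payload": pkt[ihl + 8:ihl + ulen]}


def build_sample():
    """Constructed frame mirroring the question's capture (little-endian host)."""
    payload = b"he" + b"l" * 13 + b"o"
    udp = struct.pack("!HHHH", 33333, 45943, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xFF, 0, 64, 17, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    return struct.pack("<I", AF_INET) + ip + udp


if __name__ == "__main__":
    print(parse_dlt_null(build_sample()))
```

In Scapy terms, the address-family dispatch above is what a loopback layer bound with conf.l2types.register(0, ...) needs to perform before handing the rest of the frame to IP or IPv6.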