I have my wireless interface in monitor mode, and I'm able to successfully sniff network packets and analyze them with Wireshark. I've been trying to implement something similar with pcapy and impacket. It looks as if pcapy is not capturing the same packets that Wireshark is. I'm currently running on Mac OS X 10.9 w/ a 2012 Macbook Pro, but noticed the same behavior on Ubuntu with the TP-LINK TL-WN722N wireless usb adapter.

Here's an example of a script I've written that is clearly not working. I'm picking up no Probe Requests with pcapy, even though I see them in Wireshark.

import pcapy
from impacket import dot11
from impacket.ImpactDecoder import RadioTapDecoder

# `import impacket` alone does not load the submodules, so name them explicitly.
DECODER = RadioTapDecoder()


def packet_handler(header, data):
    radio_packet = DECODER.decode(data)
    frame = radio_packet.child()
    # Subtype 4 is also "Null function" for data frames, so check the type too.
    if (frame.get_type() == dot11.Dot11Types.DOT11_TYPE_MANAGEMENT and
            frame.get_subtype() == dot11.Dot11Types.DOT11_SUBTYPE_MANAGEMENT_PROBE_REQUEST):
        management_base = frame.child()
        if isinstance(management_base, dot11.Dot11ManagementFrame):
            print("%s %s" % (management_base.get_source_address(),
                             management_base.get_destination_address()))


p = pcapy.open_live("your_interface_here", 2000, 0, 1000)
p.loop(-1, packet_handler)

In this example, en1 is in monitor mode. This works fine using a pcap file generated from Wireshark, simply changing open_live to open_offline:

p = pcapy.open_offline('path_to_file')

Am I not setting up pcapy correctly?

I would consider using scapy instead of pcapy if you're using Python 2.7. - thecreator232

I was considering scapy, and while it resolves the monitor mode issue, I'm not able to capture as many packets for some reason. Not sure if you have any thoughts on that? - Jordan Messina

Well, I have used scapy quite a bit, never on Mac OS. Can you write down the sniff command that you used to capture? And what do you mean by that it does not capture as many packets? - thecreator232

I wrote a Python/C library for libpcap, and I use it extensively for research on wifi. Perhaps it might be of use to you: pypcap - Kiran Bandla
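To check the decoding logic of the question's handler without pcapy or impacket installed, here is an added example (not from the question, the answer, or either library) that parses a constructed RadioTap + 802.11 frame with the Python 3 standard library only. The frames, the address constants and the helper names are all made up for the example; it also shows why the subtype must be checked together with the frame type.

```python
import struct

DOT11_TYPE_MANAGEMENT = 0
DOT11_SUBTYPE_PROBE_REQUEST = 4


def mac(raw):
    """Render a 6-byte address as colon-separated hex."""
    return ":".join("%02x" % b for b in raw)


def radiotap_length(frame):
    """Return the RadioTap header length; the 802.11 header starts right after it."""
    version, _pad, length = struct.unpack_from("<BBH", frame, 0)
    if version != 0 or length > len(frame):
        raise ValueError("not a RadioTap frame")
    return length


def parse_dot11(frame):
    """Strip RadioTap and decode the 802.11 frame-control field and addresses."""
    dot11 = frame[radiotap_length(frame):]
    if len(dot11) < 24:  # FC(2) + duration(2) + three addresses(18) + seq ctrl(2)
        raise ValueError("truncated 802.11 header")
    fc = dot11[0]
    return {
        "type": (fc >> 2) & 0x3,     # 0 = management, 1 = control, 2 = data
        "subtype": (fc >> 4) & 0xF,
        "addr1": mac(dot11[4:10]),   # destination / receiver
        "addr2": mac(dot11[10:16]),  # source / transmitter
        "addr3": mac(dot11[16:22]),  # BSSID for management frames
    }


def is_probe_request(info):
    """Subtype 4 also means 'Null function' for data frames, so the type matters."""
    return info["type"] == DOT11_TYPE_MANAGEMENT and info["subtype"] == DOT11_SUBTYPE_PROBE_REQUEST


def probe_request_sources(frames):
    """(source, destination) pairs for every probe request, like the handler prints."""
    return [(i["addr2"], i["addr1"]) for i in map(parse_dot11, frames) if is_probe_request(i)]


# Constructed sample frames (not captured traffic): an 8-byte RadioTap header with
# no fields present, followed by a bare 24-byte 802.11 header.
RADIOTAP = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])
SRC = bytes([0x02, 0x00, 0x00, 0x00, 0x00, 0x01])
BROADCAST = b"\xff" * 6
PROBE_REQUEST = RADIOTAP + bytes([0x40, 0, 0, 0]) + BROADCAST + SRC + BROADCAST + b"\x10\x00"
NULL_DATA = RADIOTAP + bytes([0x48, 0, 0, 0]) + BROADCAST + SRC + BROADCAST + b"\x10\x00"

if __name__ == "__main__":
    for src, dst in probe_request_sources([PROBE_REQUEST, NULL_DATA]):
        print(src, dst)
```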

1 Answer

If you capture some packets but not all of the packets you see in Wireshark, try to enable promiscuous mode (should capture everything, even packets with bad checksums):

1) Set up promiscuous mode for pcapy

promiscuous = True
p = pcapy.open_live("your_interface_here", 2000, promiscuous, 1000)

2) Set up promiscuous mode for your interface. Not sure how to do it on Mac, on Linux it's:

import os

os.system('sudo ifconfig eth0 promisc')

then shut down and shut up your interface.

Had the same problems with pcapy and copper Ethernet. The tricks above have solved the issue for me.