2
votes

I have tcpdump and scapy running sniff() on the same interface. There is a scp file transfer happening.

tcpdump: I see the tcp packets with the seq and acks going over.

scapy sniff() returned list: All I see in each packet summary() is (MAC addr1) > (MAC addr2) (0x800) / Raw. Even in the packet .show(), all I see is link layer stuff with "## [ Ethernet ] ##", src and dst.

I ran this with a timeout of 30 so I know I would capture the scp transfer of an empty text file so I know I timed it right.

There are definitely TCP packets going over, but none of them are being detected. Is there an issue with Scapy?

Thank you

1
TCP is encapsulated in IP, which is encapsulated in ethernet. The IP packets are the payload of the ethernet frames, and the TCP segments are the payload of the IP packets. You simply are not decoding deep enough. - Ron Maupin

Please report the output of sniff() and of a pkt.show(). - Pierre

1 Answer

1
votes

There is probably a bug that prevents Scapy from processing the ethernet payload.

You can try to set conf.debug_dissector = True to debug the issue.

You can also get the current development version of Scapy (from the repository), since this may be an already fixed bug (we had a bug similar to what you are seeing with Python 3 until very recently).

If the bug still exists after updating to the current development version, please report it!
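
To check independently of Scapy's dissector whether a frame shown as Ether / Raw with type 0x800 really carries TCP, the Ethernet, IPv4 and TCP headers can be decoded by hand. The following is an added example, not code from the answer or from Scapy; the function name and the sample frame are constructed for illustration, and it assumes the frame bytes come from something like bytes(pkt) on a captured packet.

```python
import socket
import struct

def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP; stop at the first layer that fails to parse."""
    if len(frame) < 14:
        return {"error": "truncated Ethernet header"}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_src": ":".join(f"{b:02x}" for b in src),
           "eth_dst": ":".join(f"{b:02x}" for b in dst),
           "ethertype": ethertype}
    if ethertype != 0x0800:            # 0x0800 is the EtherType seen in the question
        out["error"] = "payload is not IPv4"
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0   # header length in bytes, may include options
    if len(ip) < 20 or ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        out["error"] = "bad or truncated IPv4 header"
        return out
    total_len = struct.unpack("!H", ip[2:4])[0]
    out.update(ip_src=socket.inet_ntoa(ip[12:16]),
               ip_dst=socket.inet_ntoa(ip[16:20]), ip_proto=ip[9])
    if ip[9] != 6:                     # IP protocol 6 is TCP
        out["error"] = "payload is not TCP"
        return out
    tcp = ip[ihl:total_len]            # drops any Ethernet padding after the IP packet
    if len(tcp) < 20:
        out["error"] = "truncated TCP header"
        return out
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    out.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x1FF)
    return out

# Constructed sample: one ACK segment to port 22 (checksums left at 0, not verified here).
SAMPLE_FRAME = (
    bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                  socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    + struct.pack("!HHIIHHHH", 50000, 22, 1000, 2000, 0x5010, 65535, 0, 0)
)

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
```

If this decodes the seq and ack values that tcpdump shows while Scapy still stops at Raw, the capture is fine and the problem is in dissection.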