2
votes

I am trying to sniff some packets in Python 3.4 in Scapy.

I am using Windows 8.1, and I know that the socket module does not have PF_PACKET or something like it on Windows to sniff packets, so I used the scapy.sniff function. I have already installed WinPcap 4.1.3.

I tried to sniff and was surprised that it only sniffs packets from the wireless network that I am connected to right now, so if I am not connected to any network it will not sniff anything (I have been waiting for 10 mins, and it didn't print anything). The code:

from scapy.all import sniff, tshark
pkts = sniff(count=30) # iface does not work

tshark is the same as sniff, gives the same results.

I have an ALFA wireless Realtek interface card; it supports monitor mode.

Is there a solution here? Does wspy (wireshark in python) work in Windows? Does it support WiFi monitor mode?

1
"only sniffs packets from the network that I am connected to right now, so if I am not connected to any network it will not sniff anything" -- how is that unexpected? Naturally, you can only get packets that your network card physically receives. – ivan_pozdeev
So, how am I going to see all the packets that are in the air near my PC? I want to sniff all the packets that are in the air. – Hasan Shadi

1 Answer

1
votes

Scapy has support for monitor mode, but it requires several things:

  • Use the latest development Scapy version. To download it, get https://github.com/secdev/scapy/archive/master.zip and install it via python setup.py install
  • Use Npcap instead of WinPcap. You will need to uninstall WinPcap first (WinPcap has been abandoned, and Nmap took the project back). Download it at https://nmap.org/npcap/
  • Call sniff([...], monitor=True). It will be safer to specify the interface. You can print the list with IFACES.show() in Scapy’s console. (Note: the iface= argument accepts the full interface name, for instance “RaLink Adapter (R) Wi-Fi”, as shown by the previous command.)

The monitor argument is important, as it triggers new sniffing mechanics.

Wireshark will also require Npcap (WinPcap has no support for monitor mode) to sniff in monitor mode.
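
An added example (not part of the original answer) of checking that monitor=True actually took effect: monitor-mode captures arrive as radiotap-framed 802.11 frames, so a tally of frame types shows whether the adapter is delivering management, control and data frames or only Ethernet-style traffic. The function names and the sample frames are constructed for illustration, and the byte-level classifier is used so the logic can be checked without a capture device.

```python
import struct
import sys
from collections import Counter

# 802.11 frame type is bits 2-3 of the first Frame Control byte.
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def classify_radiotap(raw):
    """Return the 802.11 frame type of a radiotap-framed capture, else None."""
    if len(raw) < 8:
        return None
    # Radiotap header: version (0), pad, total header length (little-endian).
    version, _pad, rt_len = struct.unpack_from("<BBH", raw, 0)
    if version != 0 or rt_len < 8 or len(raw) < rt_len + 2:
        return None
    return FRAME_TYPES[(raw[rt_len] >> 2) & 0x3]


def summarize(raw_frames):
    """Count frames per 802.11 type; anything unparsable is 'no-radiotap'."""
    counts = Counter()
    for raw in raw_frames:
        counts[classify_radiotap(raw) or "no-radiotap"] += 1
    return counts


def capture_summary(iface, count=200, timeout=30):
    """Sniff in monitor mode as the answer describes and tally frame types."""
    from scapy.all import sniff, RadioTap  # requires Scapy and Npcap
    pkts = sniff(iface=iface, monitor=True, count=count, timeout=timeout)
    return summarize(bytes(p) if RadioTap in p else b"" for p in pkts)


# Constructed sample frames (not captured traffic): minimal 8-byte radiotap
# header followed by the first bytes of a beacon, an ACK and a data frame.
RT = bytes.fromhex("0000080000000000")
SAMPLES = [
    RT + bytes.fromhex("8000") + b"\x00" * 22,  # beacon (management)
    RT + bytes.fromhex("d400") + b"\x00" * 8,   # ACK (control)
    RT + bytes.fromhex("0800") + b"\x00" * 22,  # data
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00",    # Ethernet header, no radiotap
]

if __name__ == "__main__":
    # Pass the full interface name shown by IFACES.show(); without one,
    # the constructed samples are summarized instead.
    print(capture_summary(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLES))
```

A result containing only "no-radiotap" means the frames did not carry a radiotap header, which indicates the capture did not run in monitor mode.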