4
votes

I'm using the scapy function sniff() for packet capturing. I want to capture only EAP packets. I can filter EAP packets with tcpdump using the following filter:

# tcpdump -i mon0 -p ether proto 0x888e
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
13:04:41.949446 80847234901us tsft 48.0 Mb/s 2437 MHz 11g -16dB signal antenna 1 [bit 14] EAP packet (0) v1, len 5
13:04:46.545776 80851831746us tsft 54.0 Mb/s 2437 MHz 11g -13dB signal antenna 1 [bit 14] EAP packet (0) v1, len 5

At the same time I have the sniff() function running with the same filter, but the function doesn't capture any EAP packets:

from scapy.all import sniff

sniff(filter="ether proto 0x888e", iface="mon0", count=1)

Why doesn't the sniff() function capture any EAP packets?

EDIT:

Sorry for my late reaction, I tried what you proposed:

> conf.iface = 'mon0'
> pkts = sniff(filter="wlan proto 0x888e", count = 1)
tcpdump: WARNING: mon0: no IPv4 address assigned
> pkts
Sniffed: TCP:0 UDP:0 ICMP:0 Other:1
> EAP in pkts[0]
False 

But this still does not capture an EAP packet :(

4
As this is an old question I'll leave it as a comment: Probably you DID capture the packet. However, your test is wrong. EAP is a class in Python, not by far a packet, so it will never be in pkts (which is a list of objects, probably of class Ether). The statement should have been something like pkts[0].haslayer(EAP), or more likely pkts[0].haslayer(EAPOL). - KillianDS

4 Answers

5
votes

I know this is over a year later, but for the benefit of anyone else looking at this question, the answer is that he captured EAPOL packets, not EAP packets. By using the command

from scapy.all import sniff

b = sniff(filter="ether proto 0x888e", count=4)

0x888e refers to EAPOL in the Ethernet protocol, which requires the use of ether proto, not wlan proto. I'm not sure if 0x888e can be referred to anything in wlan proto, but after doing almost the identical thing as the OP (except replacing 'wlan' with 'ether') I got

>>> EAP in b[0]
False

However when I enter

>>> EAPOL in b[0]
True

I believe the OP captured what his code was looking for (2 EAPOL packets), but he didn't capture what he thought he was looking for: 2 EAP packets.

Edit - Even when I replace ether with wlan I still come up with EAP as false and EAPOL as true.
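An added example, not from the question or any of the answers: a stdlib-only decoder for raw frames matching "ether proto 0x888e" that shows why such a frame is EAPOL and carries an EAP layer only when its EAPOL type is 0 (EAP-Packet), while the EAPOL-Key frames of the 4-way handshake do not. The MAC addresses and frame bytes are constructed, and has_layer() mirrors the pkt.haslayer() check from the comment above rather than the `EAP in pkts` membership test.

```python
import struct

ETHERTYPE_EAPOL = 0x888E  # what "ether proto 0x888e" matches: EAPOL, not EAP itself
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def decode(frame: bytes) -> dict:
    """Decode one raw Ethernet frame far enough to name its layers.

    An "EAP" layer is reported only when the EAPOL type is 0 (EAP-Packet);
    the EAPOL-Key frames of the WPA 4-way handshake carry no EAP at all.
    """
    info = {"layers": ["Ether"]}
    if len(frame) < 18 or int.from_bytes(frame[12:14], "big") != ETHERTYPE_EAPOL:
        return info  # not EAPOL, or too short for the 4-byte EAPOL header
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    info["layers"].append("EAPOL")
    info["eapol"] = {"version": version, "type": EAPOL_TYPES.get(eapol_type, eapol_type), "len": length}
    body = frame[18:18 + length]
    if eapol_type == 0 and len(body) >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["layers"].append("EAP")
        info["eap"] = {"code": EAP_CODES.get(code, code), "id": ident, "len": eap_len}
        if code in (1, 2) and len(body) >= 5:
            info["eap"]["type"] = body[4]  # EAP type byte, 1 = Identity
    return info


def has_layer(frame: bytes, name: str) -> bool:
    """Per-packet layer check, like pkt.haslayer(EAPOL). `EAP in pkts` instead asks
    whether a class object is an element of a list, which is always False."""
    return name in decode(frame)["layers"]


def eapol_filter(frames):
    """Stand-in for the BPF filter 'ether proto 0x888e' over raw frames."""
    return [f for f in frames if len(f) >= 14 and int.from_bytes(f[12:14], "big") == ETHERTYPE_EAPOL]


# Constructed sample frames (MAC addresses and payloads made up, not captured).
ETH_EAPOL = bytes.fromhex("0013cedefa01") + bytes.fromhex("00a0c9a1b2c3") + b"\x88\x8e"
# EAPOL v1, type 0, len 5 wrapping EAP Request/Identity (code 1, id 1, len 5, type 1):
# the 'EAP packet (0) v1, len 5' shape tcpdump printed in the question.
EAP_REQ_IDENTITY = ETH_EAPOL + bytes([1, 0, 0, 5]) + bytes([1, 1, 0, 5, 1])
# EAPOL v2, type 3 (EAPOL-Key), RSN descriptor type 2 plus a zeroed 94-byte key body:
# what the 4-way handshake produces. It matches the filter but has no EAP layer.
EAPOL_KEY = ETH_EAPOL + bytes([2, 3, 0, 95]) + bytes([2]) + bytes(94)
# A plain IPv4 frame (ethertype 0x0800) that the filter must drop.
IPV4_FRAME = ETH_EAPOL[:12] + b"\x08\x00" + bytes(46)
```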

2
votes

I think these are all partial answers; together it worked for me. I did:

from scapy.all import conf, sniff

conf.iface = 'wlan0.mon'
a = sniff(filter='ether proto 0x888e', prn=lambda x: x.summary(),
          count=100, store=1)

Then I generated an EAPOL exchange by manually disconnecting a device from the WPA network. When it tried to re-associate, I captured the 4-way EAPOL exchange. Do a count > 4 because there will likely be frame retransmissions. AFAIK, scapy does not decode the KEY data, so it is dumped as a hex string.

1
votes

You could have several issues here, so let me address the one that I just came across today.

First, as seen in the following bug report: http://trac.secdev.org/scapy/ticket/537 -- Scapy doesn't honor the iface parameter in the sniff function. So to set the iface correctly, you'll have to use:

conf.iface = 'mon0'

Hopefully this will allow you to add the filter and actually get packets across the wire.

If you're sniffing on mon0, and it's a wireless interface, you might want to try wlan proto instead of ether proto, but I don't have a network to test EAP packets on to help further.

1
votes

Are you running tcpdump at the same time as the scapy sniff?

Scapy can emulate tcpdump just fine. Just run them one at a time.