
I am using scapy to sniff an IPv6 packet with a specific source IP / destination IP.

Example:

from scapy.all import sniff

# port (an int), host_ip (a string) and eth (the interface name) are assumed
# to be defined earlier; they are not shown in the post
filter1 = ("tcp port " + str(port) + " and ip6 host 2001::4"
           " and tcp[tcpflags] & tcp-syn != 0"
           " and !icmp and !arp and not host " + host_ip)

a = sniff(count=1, filter=filter1, iface=eth)

This throws the exception shown below:

scapy.error.Scapy_Exception: Filter parse error

2 Answers


I've never used scapy, but I noticed in your filter1 expression that you have:

+`port`+

... yet you have:

+host_ip

Maybe you need the backticks around the host_ip?

If that's not the problem, you can also try to validate capture filters using tools such as tcpdump, e.g., tcpdump -d ${filter1} or dumpcap, e.g., dumpcap -d ${filter1} before attempting to use them in scapy.

Christopher Maynard
  • backticks were used for port as python does not allow to concatenate an integer (port being an integer) with a string, whereas host ip is a string – Smrithi Komalan Jul 11 '17 at 08:23

For complex filters, scapy allows you the use of a python function as a filter:

from scapy.all import sniff, IPv6, TCP

desiredip = "2001::4"
undesiredip = host_ip   # host_ip and eth are the variables from the question


def isMyPacket(pkt):
    # Accept only IPv6/TCP packets that involve desiredip, do not involve
    # undesiredip, and have the SYN flag set
    if IPv6 in pkt:
        pktip6 = pkt[IPv6]
        if pktip6.src == desiredip or pktip6.dst == desiredip:
            if pktip6.src != undesiredip and pktip6.dst != undesiredip:
                if TCP in pktip6:
                    if pktip6[TCP].flags & 0x02:  # check whether it is a SYN
                        return True  # all conditions are met
    return False


a = sniff(count=1, lfilter=isMyPacket, iface=eth)

Anyway, you don't need to check whether it is arp or icmp: if it is TCP you know for sure that it is neither arp nor icmp.

More about TCP flags in scapy: Get TCP Flags with Scapy

Martín Gómez
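As an added example (not code from the question or from either answer), the same IPv6 TCP-SYN host predicate written so that it runs offline without scapy: a minimal decoder pulls the few Ethernet/IPv6/TCP header fields the filter needs from raw bytes, and the predicate mirrors the answer's isMyPacket. It goes one step beyond the answer by comparing addresses in canonical form, so a filter written as "2001:0:0::4" still matches a packet from "2001::4" (scapy's string comparison only works because scapy itself prints addresses canonically). The constructed frames, the placeholder undesired address 2001:db8::dead standing in for host_ip, and the function names are all assumptions made for this example.

```python
import socket
import struct

# Constructed sample values, not from the original post: the host the
# question filters on, and a placeholder standing in for its host_ip.
DESIRED_IP = "2001::4"
UNDESIRED_IP = "2001:db8::dead"

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_TCP = 6
TCP_SYN = 0x02


def canon(addr):
    """Return an IPv6 address in canonical text form, so that
    '2001:0:0::4' and '2001::4' compare equal."""
    return socket.inet_ntop(socket.AF_INET6, socket.inet_pton(socket.AF_INET6, addr))


def parse_ipv6_tcp(frame):
    """Decode Ethernet/IPv6/TCP from raw bytes into a small dict.

    Returns None for non-IPv6 or truncated frames. Only the fields the
    filter needs are decoded; extension headers are not followed, so a
    packet carrying them reports tcp=None, like 'TCP in pkt' being False.
    """
    if len(frame) < 14 + 40:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    next_header = ip6[6]
    src = socket.inet_ntop(socket.AF_INET6, ip6[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, ip6[24:40])
    pkt = {"src": src, "dst": dst, "tcp": None}
    if next_header != NEXT_HEADER_TCP:
        return pkt
    tcp = frame[54:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[0:4])
    pkt["tcp"] = {"sport": sport, "dport": dport, "flags": tcp[13]}
    return pkt


def is_my_packet(pkt, desired=DESIRED_IP, undesired=UNDESIRED_IP):
    """The same predicate as the answer's isMyPacket, over the parsed dict.

    Note that 'flags & SYN' also accepts SYN-ACK, exactly as the BPF
    expression 'tcp[tcpflags] & tcp-syn != 0' in the question would.
    """
    if pkt is None or pkt["tcp"] is None:
        return False
    ends = (canon(pkt["src"]), canon(pkt["dst"]))
    if canon(desired) not in ends:
        return False
    if canon(undesired) in ends:
        return False
    return bool(pkt["tcp"]["flags"] & TCP_SYN)


def matches(frame):
    """Raw-bytes entry point: what lfilter would be handed, minus scapy."""
    return is_my_packet(parse_ipv6_tcp(frame))


def build_frame(src, dst, flags, next_header=NEXT_HEADER_TCP, dport=80):
    """Construct a minimal Ethernet/IPv6/TCP frame for offline testing."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6)
    # version 6, payload length 20 (bare TCP header), hop limit 64
    ip6 = struct.pack("!IHBB", 0x60000000, 20, next_header, 64)
    ip6 += socket.inet_pton(socket.AF_INET6, src)
    ip6 += socket.inet_pton(socket.AF_INET6, dst)
    # sport 40000, seq 1, ack 0, data offset 5 words, window 65535, csum/urg 0
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip6 + tcp


if __name__ == "__main__":
    syn = build_frame("2001:0:0::4", "2001:db8::1", TCP_SYN)
    print("SYN from 2001::4 matches:", matches(syn))
```

With scapy available, the equivalent is to hand is_my_packet's logic to sniff(lfilter=...) as the answer shows; the decoder here only exists so the predicate can be exercised against constructed frames without a live interface or root privileges.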