secdev / scapy

Scapy: the Python-based interactive packet manipulation program & library.
https://scapy.net
GNU General Public License v2.0

Difficulty to have live capture using sniff function to capture vlan tagged packets. #4029

Open Krisscut opened 1 year ago

Krisscut commented 1 year ago

Brief description

Using the sniff function in scapy, I'm not able to live capture packets that are vlan tagged using a filter.

Scapy version

2.5.0

Python version

3.9.14

Operating system

Rocky Linux 9.1

Additional environment information

NAME="Rocky Linux"
VERSION="9.1 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.1"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.1 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.1"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.1"

Regarding the network setup, I'm running in a docker environment, and I have multiple interfaces set up, but for this example only eth0 and eth0.295 (vlan tagged 295) are used. I try to capture the vlan tagged packets that are sent from another docker container.

How to reproduce

Have another application to send Vlan tagged packets with ID 295.

Using scapy, try to capture them with result = sniff(iface="eth0", count=1, timeout=60, filter="vlan 295")

Actual result

I will reach the timeout because no packets are captured, unfortunately.

Expected result

I should be able to retrieve packets when I use a filter which includes a vlan, for instance by using this command:

result = sniff(iface="eth0", count=1, timeout=60, filter="vlan 295")

Related resources

I made a pcap capture on the eth0 that I included in this ticket, see capture.zip.

capture.zip

It is worth noting that I'm able to load the capture in "offline" mode and detect the messages there with the filter.

Same if I use the rdpcap function.

Also, I can capture packets by using the following filter without issue:

result = sniff(iface="eth0", count=1, timeout=60, filter="udp and src host 10.1.0.10 and not arp")
result.nsummary()
0000 Ether / Dot1Q / IP / UDP 10.1.0.10:13100 > 10.1.0.1:13001 / Raw
result[0].show()

[ Ethernet ]
dst = 02:42:ac:14:cf:03
src = 02:42:ac:14:cf:02
type = n_802_1Q

[ 802.1Q ]
prio = 2
id = 0
vlan = 295
type = IPv4

[ IP ]
version = 4
ihl = 5
tos = 0x48
len = 350
id = 58582
flags = DF
frag = 0
ttl = 64
proto = udp
chksum = 0x4064
src = 10.1.0.10
dst = 10.1.0.1
\options \

[ UDP ]
sport = 13100
dport = 13001
len = 330
chksum = 0x1568

[ Raw ]
load = '\x05\x97h\x84T\x00\x01\x00\x00E\x0162.0OBSAI_CM68vdubroker_1/RMOD_L_2/RU_L_1</SOAP-ENV:Header></SOAP-ENV:Body></SOAP-ENV:Envelope>'

It is also worth noting that a command like "src host and vlan 295 and udp and not arp" was working with a previous version of scapy (2.4.3) and Ubuntu.

gpotter2 commented 1 year ago

> It is also worth noting that a command like "src host and vlan 295 and udp and not arp" was working with a previous version of scapy (2.4.3) and Ubuntu.

Are you sure of that?

Do you have the same issue with conf.use_pcap = True ?

Krisscut commented 11 months ago

> Are you sure of that?

Yes, it was used in a continuous integration environment, and following the upgrade it was 100% failing.

> Do you have the same issue with conf.use_pcap = True ?

It doesn't seem to help to use conf.use_pcap = True, no packets were captured. (But since it seems to be a variable, I'm not sure if it is working with my kind of usage of scapy. I'm not using the syntax from scapy.all import *)

Sniffing is done through this:

result = scapy.sniff(iface=eth, filter=filter, count=1, timeout=60)
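An added example, not part of the original thread and not Scapy's own code: the show() output in the report carries an 802.1Q layer with vlan = 295, so the VLAN check can also be made in Python on the raw frame bytes rather than in the capture filter. The helper names are hypothetical and the sample frames are constructed from the values in that output.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q customer tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (QinQ outer tag)


def vlan_tags(frame: bytes):
    """Return [(prio, dei, vlan_id), ...] for every VLAN tag, outermost first."""
    tags = []
    offset = 12  # skip destination and source MAC addresses
    # Each tag is 4 bytes: a 16-bit TPID followed by a 16-bit TCI.
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break  # reached the real EtherType (e.g. 0x0800 for IPv4)
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return tags


def has_vlan(frame: bytes, vlan_id: int) -> bool:
    """True if any tag on the frame carries vlan_id."""
    return any(vid == vlan_id for _, _, vid in vlan_tags(frame))


# Constructed sample frames: MACs, prio=2 and vlan=295 come from the show()
# output in the report; the payload is zero padding and the QinQ outer
# VLAN 100 is made up for the stacked-tag case.
MACS = bytes.fromhex("0242ac14cf03" "0242ac14cf02")
TAGGED = MACS + bytes.fromhex("8100" "4127" "0800") + bytes(20)
UNTAGGED = MACS + bytes.fromhex("0800") + bytes(20)
QINQ = MACS + bytes.fromhex("88a8" "0064" "8100" "4127" "0800") + bytes(20)

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED), ("untagged", UNTAGGED), ("qinq", QINQ)):
        print(name, vlan_tags(frame), has_vlan(frame, 295))
    # Assumed use with Scapy (lfilter is sniff()'s Python-side packet filter):
    #   sniff(iface="eth0", count=1, timeout=60,
    #         lfilter=lambda p: has_vlan(bytes(p), 295))
```

Because lfilter runs in Python after capture, every frame seen on the interface is handed to the process before the VLAN check is applied.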