I am using scapy to sniff an IPv6 packet with a specific source IP / dest IP.

Example:

    filter1 ="tcp port "+`port`+ " and ip6 host 2001::4 and tcp[tcpflags] & tcp-syn !=0 and !icmp and !arp and not host "+host_ip
    a= sniff(count =1,filter=filter1,iface=eth)

This throws an exception as shown below:

    scapy.error.Scapy_Exception: Filter parse error

I've never used scapy, but I noticed in your filter1 expression that you have: +`port`+ ... yet you have: +host_ip. Maybe you need the back-ticks around the host_ip?

If that's not the problem, you can also try to validate capture filters using tools such as tcpdump, e.g., tcpdump -d ${filter1}, or dumpcap, e.g., dumpcap -d ${filter1}, before attempting to use them in scapy.

For complex filters, scapy allows you to use a Python function as a filter:

    from scapy.all import sniff, IPv6, TCP

    # host_ip and eth are the variables from the question.
    desiredip = "2001::4"
    undesiredip = host_ip

    def isMyPacket(pkt):
        if IPv6 in pkt:
            pktip6 = pkt[IPv6]
            if pktip6.src == desiredip or pktip6.dst == desiredip:
                if pktip6.src != undesiredip and pktip6.dst != undesiredip:
                    if TCP in pktip6:
                        if pktip6[TCP].flags & 0x02:  # Check if it is a SYN
                            return True  # If all conditions are met
        return False

    a = sniff(count=1, lfilter=isMyPacket, iface=eth)

Anyway, you don't need to check whether it is ARP or ICMP: if it is TCP, you know for sure that it is neither ARP nor ICMP.
More about TCP flags in scapy: Get TCP Flags with Scapy
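
Added example (not from the original posts; Python 3, standard library only): one way to assemble the capture filter from validated values rather than by string concatenation, so the result can be checked with tcpdump -d, as the first answer suggests, before it reaches sniff(). The function names are hypothetical; the IPv6 branch assumes packets without extension headers and follows the pcap-filter(7) note that index expressions such as tcp[tcpflags] apply only to IPv4.

```python
import ipaddress


def host_primitive(addr):
    """Validate addr as a single IP literal; return 'ip6 host X' or 'ip host X'."""
    ip = ipaddress.ip_address(addr)  # ValueError for anything but one address
    if ip.version == 6 and getattr(ip, "scope_id", None):
        raise ValueError("zone identifiers are rejected here: %r" % addr)
    keyword = "ip6 host" if ip.version == 6 else "ip host"
    # .compressed gives the canonical short form (2001:0:0:0:0:0:0:4 -> 2001::4)
    return "%s %s" % (keyword, ip.compressed)


def syn_test(addr):
    """Return the SYN-bit test for the address family of the wanted host."""
    if ipaddress.ip_address(addr).version == 6:
        # Assumption: no IPv6 extension headers, so the next-header field is
        # byte 6 and the TCP flags byte sits at 40 + 13 = 53.
        return "ip6[6] == 6 and ip6[53] & 0x02 != 0"
    return "tcp[tcpflags] & tcp-syn != 0"


def build_syn_filter(port, wanted, unwanted):
    """Build a BPF string for TCP SYNs to/from `wanted`, excluding `unwanted`."""
    port = int(port)  # ValueError for non-numeric input
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "tcp port %d and %s and not %s and %s" % (
        port, host_primitive(wanted), host_primitive(unwanted), syn_test(wanted))


if __name__ == "__main__":
    # Constructed sample values; 10.0.0.5 stands in for host_ip.
    print(build_syn_filter(80, "2001::4", "10.0.0.5"))
```

Because every variable part is parsed as an integer or an IP literal first, a stray keyword or quote in the input raises ValueError in Python rather than producing a filter the BPF compiler rejects.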