
IPv6 filter in Scapy

I am using scapy to sniff an IPv6 packet with a specific source IP / destination IP.

Example:

filter1 ="tcp port "+`port`+ " and ip6 host 2001::4 and tcp[tcpflags] & tcp-syn !=0 and !icmp and !arp and not host "+host_ip

            a= sniff(count =1,filter=filter1,iface=eth)

This throws an exception as shown below: scapy.error.Scapy_Exception: Filter parse error

I've never used scapy, but I noticed in your filter1 expression that you have:

+`port`+

... yet you have:

+host_ip

Maybe you need the backticks around the host_ip?

If that's not the problem, you can also try to validate capture filters using tools such as tcpdump, e.g., tcpdump -d ${filter1}, or dumpcap, e.g., dumpcap -d ${filter1}, before attempting to use them in scapy.

For complex filters, scapy allows you to use a Python function as a filter:

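from scapy.all import sniff, IPv6, TCP

# host_ip and eth are the variables from the question
desiredip = "2001::4"
undesiredip = host_ip

def isMyPacket(pkt):
    # Return True only for IPv6 TCP packets with SYN set that involve
    # desiredip and do not involve undesiredip
    if IPv6 in pkt:
        pktip6 = pkt[IPv6]
        if pktip6.src == desiredip or pktip6.dst == desiredip:
            if pktip6.src != undesiredip and pktip6.dst != undesiredip:
                if TCP in pktip6:
                    if pktip6[TCP].flags & 0x02:  # Check if it is a SYN
                        return True  # If all conditions are met
    return False

a = sniff(count=1, lfilter=isMyPacket, iface=eth)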

Anyway, you don't need to check whether it is ARP or ICMP: if it is TCP, you know for sure that it is neither ARP nor ICMP.

More about TCP flags in scapy: Get TCP Flags with Scapy
