
How can I filter an already existing pcap file using scapy?

I'm trying to sniff an existing pcap file, filter it and save it to a new file, but I have these exceptions popping up when I'm running my code. How can I fix this?

Code:

from scapy.all import *

def write(pcap):
    # Append each packet of the filtered capture to the output file
    for pkt in pcap:
        wrpcap('filtered.pcap', pkt, append=True)

def load_pcap(path, filter_str):
    # Read the capture from disk and apply the BPF filter string
    pcap = sniff(offline=path, filter=filter_str)
    write(pcap)


def main():
    load_pcap("file.pcap", 'icmp')

main()

Exceptions:

Traceback (most recent call last):
  File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\utils.py", line 1663, in tcpdump
    stderr=stderr,
  File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\subprocess.py", line 756, in __init__
    restore_signals, start_new_session)
  File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\subprocess.py", line 1100, in _execute_child
    args = list2cmdline(args)
  File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\subprocess.py", line 511, in list2cmdline
    needquote = (" " in arg) or ("\t" in arg) or not arg
TypeError: argument of type 'NoneType' is not iterable

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "sharkscript.py", line 140, in <module>
    main()
  File "sharkscript.py", line 137, in main
    funcs()
  File "sharkscript.py", line 130, in funcs
    options()
  File "sharkscript.py", line 95, in options
    load_pcap(get_filter(), path)
  File "sharkscript.py", line 33, in load_pcap
    pcap = sniff(offline=path, filter=filter_str)
  File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\sendrecv.py", line 972, in sniff
    sniffer._run(*args, **kwargs)
  File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\sendrecv.py", line 824, in _run
    )] = offline
  File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\utils.py", line 1663, in tcpdump
    stderr=stderr,
  File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\utils.py", line 555, in __exit__
    raise OSError(msg)
OSError: Could not execute windump(), is it installed ?

I tried searching for windump and how to install it, but couldn't find anything. Is there another way to filter an 'offline' pcap?

I tried to run your code and got the same error. I think this is a bug in the sniff function, as removing the filter parameter made it work (and it seems to have worked for others in the past, for example here).

Anyway, if you know the filter in advance you can replace it with the haslayer function, something like this:

from scapy.all import PcapWriter, sniff, ICMP

def load_pcap(path):
    f = PcapWriter("out.pcap", append=True, sync=True)
    # Keep only packets that carry an ICMP layer; no BPF string, so no tcpdump/windump is needed
    sniff(offline=path, prn=lambda p: f.write(p) if ICMP in p else None)

If you don't know the exact filter but it will be a simple protocol name you can make a mapping between string and Scapy layer, and use it in the same way.

If the filter is more complicated (for example something like tcp.srcport==1234) I'm afraid you'll need to get the parameters from the user separately (for example load_pcap(path, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, protocol,...)) or find a way to parse the BPF string into parameters.

Hope this helps :)
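The traceback in the question shows why the BPF string fails on this machine: with offline= and filter= together, scapy's sniff pre-filters the file by shelling out to tcpdump (windump on Windows), which is absent. The answer's alternative is to do the match in Python instead. The following is an added example, not code from the question, the answer or scapy: it takes the "mapping between string and layer" idea one step further and filters an existing pcap with the standard library alone, so it works even where neither scapy nor windump is installed. The pcap container (24-byte global header, 16-byte record headers) is parsed directly; only Ethernet/IPv4 is decoded, enough to match icmp/tcp/udp plus an optional TCP/UDP port. The three packets it filters are constructed in build_sample_pcap(), not captured, and the names PROTO_NUMBERS, matches and filter_pcap are this example's own. With scapy available, matches() is the same test the answer expresses as `ICMP in p`.

```python
# Added example: filter an existing (classic libpcap-format) pcap by protocol
# name without tcpdump/windump, using only the standard library.
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETHERTYPE_IPV4 = 0x0800
# Name -> IPv4 protocol number; plays the role of the answer's string -> layer mapping
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def read_pcap(data):
    """Yield (record_header_bytes, packet_bytes) for each record in a pcap blob.
    Both byte orders are accepted; the magic number tells them apart."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    offset = 24                                   # global header is 24 bytes
    while offset + 16 <= len(data):
        hdr = data[offset:offset + 16]
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", hdr)
        pkt = data[offset + 16:offset + 16 + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        yield hdr, pkt
        offset += 16 + incl_len


def matches(pkt, proto, port=None):
    """True if an Ethernet/IPv4 frame carries `proto` (and `port`, if given)."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        return False                              # not IPv4 over Ethernet
    ihl = (pkt[14] & 0x0F) * 4                    # IPv4 header length in bytes
    if pkt[23] != PROTO_NUMBERS[proto]:           # IPv4 protocol field
        return False
    if port is None:
        return True
    if proto == "icmp":
        return False                              # ICMP has no ports
    l4 = pkt[14 + ihl:]
    if len(l4) < 4:
        return False                              # truncated transport header
    sport, dport = struct.unpack("!HH", l4[:4])
    return port in (sport, dport)


def filter_pcap(data, proto, port=None):
    """Return (new_pcap_blob, kept_count); the global header and each kept
    record's original timestamps are preserved."""
    out = bytearray(data[:24])
    kept = 0
    for hdr, pkt in read_pcap(data):
        if matches(pkt, proto, port):
            out += hdr + pkt
            kept += 1
    return bytes(out), kept


def build_frame(ip_proto, l4):
    """Constructed Ethernet + IPv4 frame (zero MACs/checksums; enough for parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def build_sample_pcap():
    """Constructed three-packet capture: ICMP echo, TCP 1234->80, UDP 5353->53."""
    frames = [
        build_frame(1, b"\x08\x00\x00\x00\x00\x01\x00\x01"),
        build_frame(6, struct.pack("!HH", 1234, 80) + b"\x00" * 16),
        build_frame(17, struct.pack("!HH", 5353, 53) + b"\x00" * 4),
    ]
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        data += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return data


if __name__ == "__main__":
    blob, n = filter_pcap(build_sample_pcap(), "icmp")
    with open("filtered.pcap", "wb") as fh:   # hypothetical output path
        fh.write(blob)
    print("kept %d packet(s)" % n)
```

To use it on a real file, read it into bytes and call filter_pcap(data, "tcp", 1234); the result opens in Wireshark or scapy's rdpcap like any other capture. Extending PROTO_NUMBERS (or adding an IPv6/ARP branch in matches) is the same exercise as extending the string-to-layer mapping the answer describes.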
