Scapy packet sniffer triggering an action up on each sniffed packet
Solution 1
The parameters to the sniff function should be like the below code.:
from scapy.all import *
def pkt_callback(pkt):
pkt.show() # debug statement
sniff(iface="<My Interface>", prn=pkt_callback, filter="tcp", store=0)
store=0 says not to store any packet received and prn says send the pkt to pkt_callback.
As mentioned by Yoel, if only one action is required, lambda can be used with prn instead of a new function like in this case:
sniff(iface="<My Interface>", prn = lambda x: x.show(), filter="tcp", store=0)
Solution 2
This can be done with the prn argument of the sniff function. Scapy's tutorial has a simple example here. Scapy's official API documentation specifies:
sniff(prn=None, lfilter=None, count=0, store=1, offline=None, L2socket=None, timeout=None)...
prn: function to apply to each packet. If something is returned, it is displayed. For instance you can useprn = lambda x: x.summary().
...
EDIT:
The accepted answer claims that the store argument must be set to 0 for the prn callback to be invoked. However, setting store=0 doesn't have any such effect. Scapy's own examples don't set store=0 and the official API documentation doesn't mention any such requirement. In fact, inspecting Scapy's source code reveals no connection whatsoever between the store and prn arguments. Here is an excerpt of the relevant code block:
...
if store:
lst.append(p)
c += 1
if prn:
r = prn(p)
if r is not None:
print r
...
Executing a few simple test cases supports this finding as well.
Comments
-
RatDon almost 2 years
I'm using
scapywithpythonto sniff live traffic.capture=sniff(iface="<My Interface>", filter="tcp")But this sniffs each packet and adds it to the list
capturewhich can be processed later.I want to process a packet and display few fields of the packet, as soon as it's sniffed. i.e. upon sniffing a packet, it'll trigger a function where I can analyse that packet. And this would continue for few packets.
I've the function ready which I'm using with the captured packet list. But I'm unable to use it for each live packet.
How to achieve that? Is it possible with
scapyor do I need to install any other package? -
RatDon over 9 yearsThanks. I've already found it and I've to set the
storeparameter to0I guess to process a live traffic. But everywhere it is mentioned that it's time consuming and hence, I'll try with some other means. Anyway thanks. -
Yoel over 9 yearsOh, that's surprising. I would expect settingstore=0would be more efficient, if anything. Where have you read this? -
Yoel about 9 yearsPlease read this answer regarding your claim on setting
store=0. -
RatDon about 9 years@Yoel It'll not have any impact on the execution of the program. But don't you think, appending each packet to a list (
store=1) is an extra overhead while we are processing each packet withprn. Do we really need to store those packets? -
Yoel about 9 yearsThat is not what you answer originally stated. I agree that setting
store=0would slightly improve space and time efficiency and I even argued that in a comment to my answer when you have actually claimed the opposite. Now that you have edited your answer, it is correct, though I fail to see what it adds to the discussion since my answer and its comments, that were posted long ago, have already stated all of the above. -
RatDon about 9 yearsI guess the example shows the extended use of
prnby calling a function and few of the parameters removed which, if absent, takes the default. And I never said your answer is wrong. The above one is more suitable for my question. -
Cukic0d about 4 yearsFTR, not setting
store=1means that you store each packet in a giant list. Usually this is used to sniff a few packets, but in the case you never stop sniffing (here: there is no timeout nor packet count), you will end up having a giant list when you ctrl^c -
Yoel about 4 years@Cukic0d, thanks for your input. However I think you probably meant "setting
store=1" or "not settingstore=0" rather than "not settingstore=1", right?
