Jun 07 2012
Scapy BPF filtering does not work when some exotic interfaces are used. This includes VirtualBox interfaces such as vboxnet. For example, the following code will not work if the interface is a VirtualBox interface:
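from scapy.all import sniff
# ip holds the source address to match; it is substituted into the BPF expression
build_filter = "src host %s and src port 21" % ip
sniff(iface=iface, prn=callback, filter=build_filter)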
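To work around this, you can use the lfilter option, which takes a Python function that Scapy calls on each captured packet. The filtering is then done inside Scapy instead of by BPF. This is powerful but less efficient, because every packet on the interface reaches Scapy before it can be discarded. The code can be modified like this: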
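from scapy.all import sniff, IP, TCP
# Python-side predicate: check that both layers are present before reading their fields
build_lfilter = lambda r: IP in r and TCP in r and r[TCP].sport == 21 and r[IP].src == ip
sniff(iface=iface, prn=callback, lfilter=build_lfilter)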
Thanks a lot to Guillaume Valadon for the tips!

  One Response to “Using Scapy lfilter”

  1. Hi
    Does scapy filter work on interface of virtual machines? For example I have an Ubuntu vm on my physical server using VMWare ESXi. It has an Ethernet interface named “eth0”. Does scapy filter work on “eth0”?
