Using Scapy lfilter

Scapy BPF filtering is not working when some exotic interface are used. This includes Virtualbox interface such as vboxnet.

For example, the following code will not work if the interface is a virtualbox interface:

build_filter = "src host %s and src port 21"
sniff(iface=iface, prn=callback, filter=build_filter)

To fix this, you can use the lfilter option. The filtering is now done inside Scapy. This is powerful but less efficient.

The code can be modified like this:

build_lfilter = lambda (r): TCP in r and r[TCP].sport == 21 and r[IP].src == ip
sniff(iface=iface, prn=callback, lfilter=build_lfilter)

Tanks a lot to Guillaume Valadon for the tips!

One thought on “Using Scapy lfilter”

  1. Hi
    Does scapy filter work on interface of virtual machines? For example I have an Ubuntu vm on my physical server using VMWare ESXi. It has an Ethernet interface named “eth0”. Does scapy filter work on “eth0”?

Leave a Reply

Your email address will not be published. Required fields are marked *