Filtering with Scapy's sniff() function
I'm using the scapy function sniff() for packet capturing. I want to capture only EAP packets. I can filter EAP packets with tcpdump using the following filter:
# tcpdump -i mon0 -p ether proto 0x888e
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
13:04:41.949446 80847234901us tsft 48.0 Mb/s 2437 MHz 11g -16dB signal antenna 1 [bit 14] EAP packet (0) v1, len 5
13:04:46.545776 80851831746us tsft 54.0 Mb/s 2437 MHz 11g -13dB signal antenna 1 [bit 14] EAP packet (0) v1, len 5
At the same time I have the sniff() function running with the same filter, but it doesn't capture any EAP packets:
sniff(filter="ether proto 0x888e",iface="mon0", count = 1)
Why doesn't sniff() capture any EAP packets?
EDIT:
Sorry for my late reaction; I tried what you proposed:
> conf.iface = 'mon0'
> pkts = sniff(filter="wlan proto 0x888e", count = 1)
tcpdump: WARNING: mon0: no IPv4 address assigned
> pkts
Sniffed: TCP:0 UDP:0 ICMP:0 Other:1
> EAP in pkts[0]
False
But this still does not capture an EAP packet :(
Comments (4)
I know this is over a year later, but for the benefit of anyone else looking at this question: the answer is that he captured EAPOL packets, not EAP packets. By using the command
0x888e refers to EAPOL in the Ethernet protocol, which requires the use of ether proto, not wlan proto. I'm not sure if 0x888e can refer to anything in wlan proto, but after doing almost the identical thing as the OP (except replacing 'wlan' with 'ether') I got
However when I enter
I believe the OP captured what his code was looking for (2 EAPOL packets), but he didn't capture what he thought he was looking for: 2 EAP packets.
Edit: Even when I replace ether with wlan, I still come up with EAP as false and EAPOL as true.
I think these are all partial answers; together it worked for me. I did:
Then I generated an EAPOL exchange by manually disconnecting a device from the WPA network. When it tried to re-associate, I captured the 4-way EAPOL exchange. Use a count > 4 because there will likely be frame retransmissions. AFAIK, scapy does not decode the KEY data, so it is dumped as a hex string.
You could have several issues here, so let me address the one that I just came across today.
First, as seen in the following bug report: http://trac.secdev.org/scapy/ticket/537 -- Scapy doesn't honor the iface parameter in the sniff function. So to set the iface correctly, you'll have to use:
Hopefully this will allow you to add the filter and actually get packets across the wire.
If you're sniffing on mon0, and it's a wireless interface, you might want to try wlan proto instead of ether proto, but I don't have a network to test EAP packets on to help further.
Are you running tcpdump at the same time as the scapy sniff?
Scapy can emulate tcpdump just fine. Just run them one at a time.