Scapy packet sniffer that triggers an action for each packet
I use scapy with python to sniff live traffic.
```python
capture = sniff(iface="<My Interface>", filter="tcp")
```

But this sniffs every packet and adds it to the capture list, which can be processed later.
I want to process the packet and display several fields of the packet as soon as it is sniffed. That is, after sniffing the packet, it should call a function where I can analyze this packet. And this should continue for several packets.
I have a function that I use with a captured list of packets. But I can't use it for every live packet.
How do I do that? Is this possible with scapy, or do I need to install some other package?
The parameters of the sniff function must match the code below:
```python
from scapy.all import *

def pkt_callback(pkt):
    pkt.show()  # debug statement

sniff(iface="<My Interface>", prn=pkt_callback, filter="tcp", store=0)
```

store=0 says not to store the received packet, and prn says to send pkt to pkt_callback.
As pointed out by Yoel, if only one action is required, a lambda can be used with prn instead of a new function, as in this case:

```python
sniff(iface="<My Interface>", prn=lambda x: x.show(), filter="tcp", store=0)
```

This can be done using the prn argument of the sniff function. The Scapy tutorial has a simple example here. The official Scapy API documentation states:

```
sniff(prn=None, lfilter=None, count=0, store=1, offline=None, L2socket=None, timeout=None)
...
prn: function to apply to each packet. If something is returned, it is displayed.
     For example: prn = lambda x: x.summary()
...
```
EDIT:
The accepted answer states that the store argument must be set to 0 for prn to be called. However, setting store=0 has no such effect. Scapy's own examples do not set store=0, and the official API documentation does not mention such a requirement. In fact, checking the scapy source code reveals no connection between the store and prn arguments. Here is a snippet of the relevant code:
```python
...
if store:
    lst.append(p)
c += 1
if prn:
    r = prn(p)
    if r is not None:
        print r
...
```

Running a few simple test cases also supports this conclusion.