IP packets stripped to 1600 when using `sniff()` + filter on Linux

Question

IP packets stripped to 1600 when using `sniff()` + filter on Linux

gelim opened this issue 7 years ago · comments

Hi,
I stumbled on something strange when using sniff() and receiving IP packets with len>1600: sniff() was returning packets trimmed to 1600. By digging a bit I see that when using sniff() with custom filter that line forces the tcpdump snaplen to 1600.

How to reproduce

Sniffing part

#!/usr/bin/env python

from scapy.all import sniff
from scapy.layers.inet import IP

p = sniff(count=1, filter="host 127.0.0.1 and port 1337")[0]
print "IP.len: %d, packet len: %d" % (p[IP].len, len(p))

Sending part

>>> send(IP(dst="127.0.0.1")/TCP(dport=1337)/Raw(load=5000*'A'))
.
Sent 1 packets.

First script will give:
IP.len: 5040, packet len: 1600

Fixing

My quick patch is using already existing variable MTU:

diff --git a/scapy/arch/linux.py b/scapy/arch/linux.py
index cb95e7a..8a85ad5 100644
--- a/scapy/arch/linux.py
+++ b/scapy/arch/linux.py
@@ -136,9 +136,10 @@ def attach_filter(s, bpf_filter, iface):
     if not TCPDUMP:
         return
     try:
-        f = os.popen("%s -i %s -ddd -s 1600 '%s'" % (
+        f = os.popen("%s -i %s -ddd -s %d '%s'" % (
             conf.prog.tcpdump,
             conf.iface if iface is None else iface,
+            MTU,
             bpf_filter,
         ))
     except OSError:

Cheers dans la casa,

--
Mathieu

Pierre · Answer 1 · Sat Oct 21 2017 03:14:32 GMT+0800 (China Standard Time)

Seems all right to me, Mathieu! Care to submit a PR?

Mathieu Geli · Answer 2 · Sat Oct 21 2017 19:03:33 GMT+0800 (China Standard Time)

sure, #903 is on its way

Mathieu Geli · Answer 3 · Tue Nov 07 2017 15:48:28 GMT+0800 (China Standard Time)

Thanks, I was not super reactive the last days but as PR #903 seems to be merged ok, I'm closing this issue.