I want to listen to packets on an interface of systemA. Since it looks like it does not see the vast majority of incoming packets, I used scapy in its simplest form:
```python
import scapy.all as scapy

def filtre(p):
    # print the source address of every IPv4 packet seen
    if p.haslayer(scapy.IP):
        print(p[scapy.IP].src)

# disable scapy verbosity
scapy.conf.verb = 0
scapy.sniff(iface="eth0", prn=filtre, store=0)
```

This ran on systemA with the output sent to a file.
At the same time, I run `tcpdump` on systemA and systemB, and `nmap systemA -P0` on systemB.

The idea is to see how many packets, during the nmap session, leave systemB and reach systemA. The results are:
- according to the 2 tcpdump sessions, 1000 packets left systemB and reached systemA
- but there are only 150 to 200 packets with the source IP of systemB registered by scapy on systemA
I did several tests, with tcpdump sessions and without (they did not change the result AFAICT), with a varying number of packets seen via scapy, in the 150-200 range.

This is on a LAN; systemB is Debian, systemA is an RPi3. I would expect some packets not to be registered, but not 80 to 90%. At the same time tcpdump systematically registers the expected 1000 packets on both systems.

Is there something I am missing?

EDIT: the same test with 50 packets (`nmap systemA -p1-50 -P0`) is fine, scapy registers 50 packets.
You might want to try not to use output (as it can be a bottleneck). Also, you can use a BPF filter in case you have unwanted packets on the wire. Moreover, since you don't need to dissect IP payloads, you can prevent Scapy from parsing the whole packet layers.
```python
from collections import Counter
import scapy.all as scapy

sources = Counter()

def count_pkts(p):
    # count packets per source address instead of printing each one
    global sources
    if scapy.IP in p:
        sources[p[scapy.IP].src] += 1

# disable scapy verbosity
scapy.conf.verb = 0
# prevent scapy from dissecting IP payloads
scapy.IP.payload_guess = []
# optionally, use filter="ip and src x.y.z.t"
scapy.sniff(iface="eth0", prn=count_pkts, store=0, filter="ip")
print(sources)
```
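The answer's last point (no dissection is needed when only the source address matters), taken one step further as an added example that is not part of the original answer: it reads just the four source-address bytes from raw Ethernet frames with the standard library, and skips truncated frames and a single 802.1Q VLAN tag. The function names and the frames in `SAMPLE` are constructed for illustration.

```python
import socket
import struct
from collections import Counter

ETH_P_IP = 0x0800      # EtherType: IPv4
ETH_P_8021Q = 0x8100   # EtherType: 802.1Q VLAN tag

def ipv4_src(frame):
    """Return the IPv4 source address of a raw Ethernet frame, or None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_P_8021Q:            # skip one VLAN tag (4 bytes)
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETH_P_IP or len(frame) < offset + 20:
        return None                          # not IPv4, or header truncated
    if frame[offset] >> 4 != 4:              # IP version nibble
        return None
    return socket.inet_ntoa(frame[offset + 12:offset + 16])

def count_sources(frames):
    """Count frames per IPv4 source address; no per-packet output."""
    sources = Counter()
    for frame in frames:
        src = ipv4_src(frame)
        if src is not None:
            sources[src] += 1
    return sources

def make_frame(src, dst="192.0.2.1", vlan=False):
    """Build a constructed Ethernet+IPv4 frame (sample data, checksum left 0)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    eth += struct.pack("!HH", ETH_P_8021Q, 10) if vlan else b""
    eth += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

# Constructed sample: 3 plain frames, 1 VLAN-tagged frame, 2 truncated frames
SAMPLE = ([make_frame("192.0.2.10")] * 3 + [make_frame("192.0.2.20", vlan=True)]
          + [b"\x00" * 10, make_frame("192.0.2.10")[:20]])

if __name__ == "__main__":
    print(count_sources(SAMPLE))
```

On Linux the same `count_sources` loop can be fed frames read from a `socket.AF_PACKET` raw socket instead of the constructed list.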