I've recently discovered Scapy & it looks wonderful.
I'm trying to look at simple traffic over a physical loopback module / stub on my NIC.
But Scapy sniff doesn't give anything.
What I'm doing to send a packet is:
from scapy.all import *

payload = 'data'*10
snf = sniff(filter="icmp", iface="eth0")
for x in xrange(1, 10):
    sendp(Ether(dst=src_mac, src=spoof_src_mac)/IP(dst=dst_ip, src=spoof_src_ip)/ICMP()/payload, iface=ifname)
f = open('scapylog.log', 'w')
f.write(str(snf))
With src_mac = my MAC address & dst_ip my IP address. The "spoof" fields are just random (valid) MAC & IP values.
The resulting sniff / logfile is empty. Nothing to report.
I can see that traffic is going in the network through the ifconfig stats of the interfaces that increment each time I call this script - so traffic is flowing...
If someone has an idea why I'm not seeing my traffic I'd be happy to hear :)
Thanks!
Just stumbled across your question while looking for a similar solution myself. I found this on the Scapy Troubleshooting page:
The loopback interface is a very special interface. Packets going through it are not really assembled and disassembled. The kernel routes the packet to its destination while it is still stored in an internal structure. What you see with tcpdump -i lo is only a fake to make you think everything is normal. The kernel is not aware of what Scapy is doing behind his back, so what you see on the loopback interface is also a fake. Except this one did not come from a local structure. Thus the kernel will never receive it.
In order to speak to local applications, you need to build your packets one layer upper, using a PF_INET/SOCK_RAW socket instead of a PF_PACKET/SOCK_RAW (or its equivalent on other systems than Linux):
>>> conf.L3socket
<class __main__.L3PacketSocket at 0xb7bdf5fc>
>>> conf.L3socket=L3RawSocket
>>> sr1(IP(dst="127.0.0.1")/ICMP())
<IP version=4L ihl=5L tos=0x0 len=28 id=40953 flags= frag=0L ttl=64 proto=ICMP chksum=0xdce5 src=127.0.0.1 dst=127.0.0.1 options='' |<ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>
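The layer-3 approach the quoted documentation describes, shown with Python's standard socket module instead of Scapy: an ICMP echo sent through a PF_INET/SOCK_RAW socket, so the kernel adds the IP header and routes the packet itself. This is an added example, not part of the original answer or of Scapy; the function names are illustrative, and ping_local is assumed to run with root or CAP_NET_RAW.

```python
import os
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                   # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_icmp(ip_packet: bytes):
    """Split a received IPv4 packet into (type, code, ident, seq, payload)."""
    ihl = (ip_packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    icmp = ip_packet[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type, code, ident, seq, icmp[8:]

def ping_local(dst="127.0.0.1", payload=b"data" * 10, timeout=2.0):
    """Send one echo request at layer 3 and return the parsed echo reply.

    No Ethernet or IP header is built here: the kernel supplies the IP
    header and does the routing, which is what makes local delivery work.
    """
    ident = os.getpid() & 0xFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_RAW,
                       socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident, 1, payload), (dst, 0))
        while True:                      # skip our own request and other ICMP
            reply = parse_icmp(s.recv(65535))
            if reply[0] == 0 and reply[2] == ident:
                return reply

if __name__ == "__main__":
    print(ping_local())
```

On loopback the raw socket also receives the outgoing echo request, which is why the receive loop filters on type 0 and the sender's identifier.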