
OS X Scapy Promiscuous Mode


I am using Scapy to try to list all of the HTTP Host headers sent on my network. The code I currently have is this:

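#!/usr/bin/env python
# Python 2 script: prints the Host header of each plaintext HTTP request seen.
import sys
sys.path.append("/usr/local/lib/python2.7/site-packages")
import re
from scapy.all import *
import os
import urllib


# Ask Scapy to open the interface in promiscuous mode when sniffing.
conf.sniff_promisc=True

# Matches the value of a "Host: " header (letters and dots only, 4-40 characters).
HOST_REGEX = r"(?<=\r\nHost\: )([A-Za-z\.]){4,40}(?=\r\n)"

def print_host_header(pckt):
  # Called by sniff() for every captured packet.
  if pckt:
    raw = pckt.getlayer(Raw)
    if raw:
      raw_pckt_data = raw.load
      host_results = re.search(HOST_REGEX, raw_pckt_data)
      if host_results:
        print "[*] Request to: "+str(host_results.group(0))

if __name__ == "__main__":
  # Opening a capture device requires root privileges.
  if os.getuid()!=0:
    print "[!] Not running as root."
    exit(1)
  # store=0: hand each packet to the callback without keeping it in memory.
  sniff(filter='tcp', prn=print_host_header, store=0)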

This works very well (obviously it can't read traffic that's been encrypted with SSL/TLS), but I do not seem to be capturing any packets not from my laptop (which is the computer running the script). I set conf.promisc to true and according to ifconfig I am in promiscuous mode:

735Tesla # ifconfig en1
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 60:c5[...]
    inet6 fe80::62c5:47ff:fe8b:3768%en1 prefixlen 64 scopeid 0x5 
    inet 192.168.1.8 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=1<PERFORMNUD>
    media: autoselect
    status: active
735Tesla # 

Is there another reason I would not be able to capture packets destined for other computers?

I am running OS X 10.9.1 (I really should update or patch goto fail I suppose :P)


Solution

  • If en1 is an Ethernet adapter, what are the other machines on the network into which it's plugged? Is en1 plugged into a switch? If it is, see the Wireshark Wiki page about capturing on Ethernet networks.

    If en1 is a Wi-Fi adapter, you will need to capture in monitor mode; I don't know what Scapy supports for turning monitor mode on, but you may have to set the link-layer header type to "802.11 with radiotap headers" to go into monitor mode. In monitor mode, if the network is a "protected" network (using WEP or WPA/WPA2 encryption), you will also have to decrypt the packets at the link layer - Scapy might not have any support for that.
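
Added example (not part of the original answer, and not Scapy code): a standard-library check to run over a saved capture to see which of the answer's cases applies. It reads the pcap link-layer header type and counts unicast frames exchanged between other hosts; the MAC addresses and in-memory captures are constructed sample data, and `summarize_pcap`, `build_pcap` and `eth` are hypothetical helper names.

```python
import struct

# pcap LINKTYPE_ values: wired Ethernet (also what a Wi-Fi adapter reports
# outside monitor mode), raw 802.11, and 802.11 with radiotap headers.
LINKTYPES = {1: "Ethernet", 105: "802.11", 127: "802.11 with radiotap headers"}

def summarize_pcap(data, my_mac):
    """Return (link-layer type, number of unicast frames between other hosts)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    name = LINKTYPES.get(linktype, "other (%d)" % linktype)
    foreign, offset = 0, 24                      # 24-byte global header
    while offset + 16 <= len(data):              # 16-byte per-record header
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if linktype != 1 or len(frame) < 14:
            continue                             # only Ethernet headers parsed here
        dst, src = frame[0:6], frame[6:12]
        is_group = dst[0] & 1                    # broadcast/multicast bit
        if not is_group and my_mac not in (dst, src):
            foreign += 1
    return name, foreign

def build_pcap(linktype, frames):
    """Build a constructed little-endian pcap in memory (sample data only)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed, locally administered MAC addresses; not taken from the question.
ME, GATEWAY, OTHER = (bytes.fromhex(h) for h in
                      ("02aabbccdd01", "02aabbccdd02", "02aabbccdd03"))
BROADCAST = b"\xff" * 6

def eth(dst, src):
    return dst + src + b"\x08\x00" + b"\x00" * 46   # IPv4 ethertype, padding

SWITCHED = build_pcap(1, [eth(GATEWAY, ME), eth(ME, GATEWAY), eth(BROADCAST, OTHER)])
MIRRORED = build_pcap(1, [eth(GATEWAY, ME), eth(GATEWAY, OTHER), eth(OTHER, GATEWAY)])

if __name__ == "__main__":
    for label, cap in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        print(label, summarize_pcap(cap, ME))
```

A count of 0 on an Ethernet-type capture means the switch or the Wi-Fi adapter never delivered other hosts' unicast frames, whatever the PROMISC flag says.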