I'm currently trying to scan over all available channels while in monitor mode to find IP traffic on open networks around me. I noticed that IP in sniffed_packet was never true, and after some debugging, found that frames aren't being parsed properly.
I'm sniffing using this:
ps = sniff(iface="<MyInterfaceName>", timeout=5)
After poking through it, I found a packet I was looking for:
<RadioTap version=0 pad=0 len=21 present=Flags+Channel+dBm_AntSignal+Antenna+RXFlags+MCS Flags=FCS ChannelFrequency=2422 ChannelFlags=2GHz+Dynamic_CCK_OFDM dBm_AntSignal=-17 dBm Antenna=0 RXFlags= knownMCS=guard_interval+HT_format Ness_LSB=1 STBC_streams=0 FEC_type=BCC HT_format=greenfield guard_interval=Long_GI MCS_bandwidth=20MHz MCS_index=9 notdecoded='' |<Dot11FCS subtype=Reassociation Response type=Management proto=0 <redacted> |<Dot11ReassoResp cap=res9+res11+DSSS-OFDM+res15+IBSS+CFP-req+short-preamble+agility status=3 AID=0 |<Dot11Elt ID=8 len=0 info='' |<Dot11Elt ID=69 len=0 info='' |<Dot11Elt ID=SSID len=75 info='E\x88@\x00@\x11\xadc\xc0\xa8cd\xc0\xa8c\x01\x95\xd4\x005\x007S\xa2\xa7\xce\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x11connectivitycheck\x07gstatic\x03com\x00\x00\x01\x00\x01' |>>>>>>
Note the connectivitycheck\x07gstatic\x03com near the end. This corresponds to (roughly) this traffic that I found using Wireshark:
Which means that the DNS datagram was mis-parsed as a tagged parameter of a reassociation frame. Just as a double-check, I filtered for reassociation frames in Wireshark, and none were captured during that time.
Since I know what traffic I'm looking for, I might be able to extract the raw bytes out of sniffed packets, then force scapy to reinterpret them as the traffic I'm looking for, but I'd prefer to avoid that.
Is there any way to have scapy parse this traffic properly?
This was a bug in Scapy. I reported it, and it was just fixed.
If you're having this issue, make sure to run the following to get the most recent version of Scapy:
pip install --upgrade git+git://github.com/secdev/scapy
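If upgrading is not an option, the fallback the question mentions (pull the raw bytes out of the mis-dissected element and reinterpret them) can be done without Scapy at all. The following is an added example, not code from the original post or from Scapy: a pure-Python decoder that treats the bytes Scapy placed in Dot11Elt.info as IPv4/UDP/DNS and refuses anything whose lengths do not line up. The sample bytes are constructed from the values I read off the dump above (192.168.99.100 -> 192.168.99.1, UDP 38356 -> 53, transaction id 0xa7ce, 75 bytes total); the checksums are zeroed, not taken from the capture.

```python
from __future__ import annotations
import struct
from ipaddress import IPv4Address

def parse_dns_qname(data: bytes, off: int) -> tuple[str, int]:
    """Decode an uncompressed DNS QNAME starting at `off`; return (name, offset after it)."""
    labels = []
    while True:
        n, off = data[off], off + 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers do not occur in a plain query name
            raise ValueError("compression pointer in QNAME")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def reinterpret_as_dns(raw: bytes) -> dict | None:
    """Treat `raw` (e.g. the bytes Scapy put in Dot11Elt.info) as IPv4/UDP/DNS; None if it is not."""
    if len(raw) < 40 or raw[0] >> 4 != 4:          # need IP(20)+UDP(8)+DNS header(12), version 4
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    if proto != 17 or total_len != len(raw):        # UDP only; IP length must match what we hold
        return None
    src, dst = IPv4Address(raw[12:16]), IPv4Address(raw[16:20])
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    if 53 not in (sport, dport) or ulen != len(raw) - ihl:
        return None
    dns = raw[ihl + 8:]
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if qdcount != 1:
        return None
    qname, off = parse_dns_qname(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport,
            "id": txid, "flags": flags, "qname": qname, "qtype": qtype, "qclass": qclass}

def build_sample_dns_query() -> bytes:
    """CONSTRUCTED bytes modelled on the values readable in the question's dump (checksums zeroed)."""
    labels = [b"connectivitycheck", b"gstatic", b"com"]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", 1, 1)
    dns = struct.pack("!HHHHHH", 0xA7CE, 0x0100, 1, 0, 0, 0) + question   # id, RD set, 1 question
    udp = struct.pack("!HHHH", 38356, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     IPv4Address("192.168.99.100").packed, IPv4Address("192.168.99.1").packed)
    return ip + udp   # 75 bytes, the same length as the misparsed SSID element in the dump
```

On a live capture you would feed `bytes(pkt[Dot11Elt].info)` from the suspicious frame into reinterpret_as_dns() and only trust the result when it is not None.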