secdev/scapy

tcpdump: expression rejects all packets

Closed this issue · 9 comments

Hi there,

any ideas on the following error?
It is a simple arp sniff that fails in a docker image:
sniff (prn=arp_handler, filter="arp", store=0)

tcpdump: expression rejects all packets
Traceback (most recent call last):
  File "amazon_dash.py", line 72, in <module>
    main()
  File "amazon_dash.py", line 68, in main
    sniff(prn=arp_handler, filter="arp", store=0)
  File "/usr/lib/python3.5/site-packages/scapy/sendrecv.py", line 574, in sniff
    s = L2socket(type=ETH_P_ALL, *arg, **karg)
  File "/usr/lib/python3.5/site-packages/scapy/arch/linux.py", line 479, in __init__
    attach_filter(self.ins, filter)
  File "/usr/lib/python3.5/site-packages/scapy/arch/linux.py", line 131, in attach_filter
    raise Scapy_Exception("Filter parse error")

Many thanks,

Tobias

It's not my project (https://github.com/masterandrey/docker-amazon-dash-button-hack) but as the dockerfile explicitly states "scapy-python3", I guess it already uses the dev version?
Is that supposed to normally work then?

Tobias

Actually this is scapy-python3
The docker container works fine on my Synology..

Dev version does not support python 3 yet :/
We're working on it...

Scapy-python3 is an unofficial fork of scapy.

Update: Even with Python2 (ported the docker image) it all ends up in a similar error:

amazon_dash started, loaded 1 buttons
tcpdump: expression rejects all packets
Traceback (most recent call last):
  File "amazon_dash.py", line 72, in <module>
    main()
  File "amazon_dash.py", line 68, in main
    sniff(prn=arp_handler, filter="arp", store=0)
  File "/usr/lib/python2.7/site-packages/scapy/sendrecv.py", line 593, in sniff
    **karg)]
  File "/usr/lib/python2.7/site-packages/scapy/arch/linux.py", line 496, in __init__
    attach_filter(self.ins, filter, iface)
  File "/usr/lib/python2.7/site-packages/scapy/arch/linux.py", line 145, in attach_filter
    raise Scapy_Exception("Filter parse error")
scapy.error.Scapy_Exception: Filter parse error

As mentioned, it runs inside a docker image on alpine linux.
Any ideas?

Tobias

To help I need to reproduce the bug - I do not know scapy and tcpdump filters well enough to understand what's going on theoretically :(

On my ubuntu machine

docker run --net host -it --name amazon_dash -v $PWD/amazon-dash-private:/amazon-dash-private:ro masterandrey/docker-amazon-dash-button-hack
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
amazon_dash started, loaded 1 buttons
ARP request from unknown MAC c8:60:00:ef:0f:b5

And as I said it works on my Synology (very old model from about 2007).
It does not work on my MacBook, but for a different reason: it just does not see the host network and catches no packets, because Docker on OS X runs in a virtual machine.

p-l- commented

Please reopen if you can reproduce this as a pure Scapy bug (outside the docker image, etc.).

Hey @p-l- & @masterandrey,

I found out what it is: My server actually has a tun interface (tun0).
The tcpdump command executed by sniff if you don't pass an interface to it is

tcpdump -i tun0 -ddd -s 1600 'arp'

Which on the cmdline produces

tcpdump: expression rejects all packets

From my perspective it is a bug: I want it to listen to all interfaces, not only tun0.

What do you think?

Tobias

Hi!

I believe there is an issue in the linux attach_filter function as it is not possible to use a filter on all interfaces:

        f = os.popen("%s -i %s -ddd -s 1600 '%s'" % (
            conf.prog.tcpdump,
            conf.iface if iface is None else iface,
            bpf_filter,
        ))

conf.iface is set to the first UP interface found; in your case that must be tun0.
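To make the failure mode concrete, here is an added example (not code from this thread, from Scapy, or from the amazon_dash project) of what attach_filter does with tcpdump's output and why the interface matters. tcpdump -ddd prints the compiled classic-BPF program as an instruction count followed by one "code jt jf k" line per instruction; Scapy parses those lines and attaches them to the socket. A tun interface carries raw IP with no link-layer header, so 'arp' can never match there, tcpdump prints "expression rejects all packets" on stderr and emits no program, and Scapy's parser sees nothing to parse. The sample -ddd output and the two frames below are constructed, the compile_filter helper assumes tcpdump is on PATH (it is not exercised by the offline demo), and the interpreter only covers the small BPF subset tcpdump emits for simple link-layer filters.

```python
import struct
import subprocess

# Constructed sample (not captured from the reporter's host): what
# `tcpdump -i eth0 -ddd -s 1600 'arp'` prints for an Ethernet interface.
# Format: instruction count, then one "code jt jf k" line per instruction.
#   40 0 0 12      -> ldh [12]        load the EtherType
#   21 0 1 2054    -> jeq #0x806      ARP? fall through : skip 1
#   6  0 0 262144  -> ret #262144     accept (snaplen)
#   6  0 0 0       -> ret #0          drop
TCPDUMP_DDD_ARP_ETH = """4
40 0 0 12
21 0 1 2054
6 0 0 262144
6 0 0 0
"""

# Classic BPF opcodes used by the subset interpreted below.
BPF_LD_W_ABS, BPF_LD_H_ABS, BPF_LD_B_ABS = 0x20, 0x28, 0x30
BPF_JEQ_K, BPF_JGT_K, BPF_JGE_K, BPF_JSET_K = 0x15, 0x25, 0x35, 0x45
BPF_RET_K, BPF_RET_A = 0x06, 0x16


def parse_ddd(text):
    """Turn tcpdump -ddd output into (code, jt, jf, k) tuples, as Scapy's
    attach_filter does. Empty output (tcpdump refused the expression, e.g.
    'expression rejects all packets') is an error, not an empty program."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("tcpdump produced no filter program")
    count = int(lines[0])
    insns = [tuple(int(f) for f in ln.split()) for ln in lines[1:]]
    if len(insns) != count or any(len(i) != 4 for i in insns):
        raise ValueError("malformed -ddd output")
    return insns


def compile_filter(bpf_filter, iface):
    """Run tcpdump the way Scapy does, but report tcpdump's own diagnostic and
    the interface the filter was compiled for instead of a bare parse error.
    Assumes tcpdump is on PATH; not used by the offline demo below."""
    proc = subprocess.run(
        ["tcpdump", "-i", iface, "-ddd", "-s", "1600", bpf_filter],
        capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        raise RuntimeError("cannot compile %r for %s: %s"
                           % (bpf_filter, iface, proc.stderr.strip()))
    return parse_ddd(proc.stdout)


def run_bpf(insns, pkt):
    """Interpret the classic-BPF subset above over a raw frame.
    Returns the number of bytes to accept (non-zero) or 0 to drop."""
    acc, pc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        if code in (BPF_LD_W_ABS, BPF_LD_H_ABS, BPF_LD_B_ABS):
            size = {BPF_LD_W_ABS: 4, BPF_LD_H_ABS: 2, BPF_LD_B_ABS: 1}[code]
            if k + size > len(pkt):
                return 0  # out-of-bounds load rejects the packet
            acc = int.from_bytes(pkt[k:k + size], "big")
        elif code == BPF_JEQ_K:
            pc += jt if acc == k else jf
        elif code == BPF_JGT_K:
            pc += jt if acc > k else jf
        elif code == BPF_JGE_K:
            pc += jt if acc >= k else jf
        elif code == BPF_JSET_K:
            pc += jt if acc & k else jf
        elif code == BPF_RET_K:
            return k
        elif code == BPF_RET_A:
            return acc
        else:
            raise ValueError("unsupported BPF opcode 0x%02x" % code)
    raise ValueError("BPF program fell off the end")


def ethernet_frame(ethertype, payload):
    """Constructed Ethernet II frame: broadcast dst, fixed src, given type."""
    return (b"\xff" * 6 + bytes.fromhex("001122334455")
            + struct.pack("!H", ethertype) + payload)


# Constructed frames: an ARP request and a minimal IPv4/UDP packet.
ARP_FRAME = ethernet_frame(0x0806, bytes.fromhex(
    "0001080006040001" "001122334455" "c0a80101" "000000000000" "c0a80102"))
IPV4_FRAME = ethernet_frame(0x0800, bytes.fromhex(
    "4500001c000040004011" "0000" "c0a80101c0a80102") + b"\x00" * 8)


def demo():
    """Accept value for the ARP frame and for the IPv4 frame."""
    prog = parse_ddd(TCPDUMP_DDD_ARP_ETH)
    return run_bpf(prog, ARP_FRAME), run_bpf(prog, IPV4_FRAME)


if __name__ == "__main__":
    print(demo())
```

The practical workaround the thread arrives at follows from the attach_filter snippet above: pass the interface explicitly, e.g. sniff(iface="eth0", filter="arp", prn=arp_handler, store=0), so the filter is compiled for an Ethernet link rather than for whatever conf.iface happens to be (tun0 here). The raw Scapy socket filtered through compile_filter gives the same program as the constructed sample when iface is an Ethernet device, and a RuntimeError naming the interface and tcpdump's message when it is a tun device.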