tcpdump() function will hang forever if dump=True is passed to it without the use_tempfile=True argument.

Open viz-prakash opened this issue 5 years ago • 3 comments

https://github.com/secdev/scapy/blob/ae6b93b9263cab4319be463527b92d1edf13ce43/scapy/utils.py#L1774

A call to the tcpdump() function will hang forever if dump=True is passed to it without the use_tempfile=True argument.

I have tested it with prog=conf.prog.tshark, but I think the problem will be reproduced with any other program, because the issue lies in the fact that wrpcap(file_descriptor, pkts) will try to close the file_descriptor passed to it, and it will result in an error at line 1774 because stdin can't be closed, I guess, as per the wrpcap() docstring:

wrpcap?
Signature: wrpcap(filename, pkt, *args, **kargs)
Docstring:
Write a list of packets to a pcap file

filename: the name of the file to write packets to, or an open,
          writable file-like object. The file descriptor will be
          closed at the end of the call, so do not use an object you
          do not want to close (e.g., running wrpcap(sys.stdout, [])
          in interactive mode will crash Scapy).

It's mentioned here that running wrpcap(sys.stdout, []) in interactive mode will crash Scapy.

  • Scapy version: 2.4.3
  • Python version: 3.6.9
  • Operating System: macOS Mojave

How to reproduce

from scapy.all import *
pkts = rdpcap("input.pcap")
res = tcpdump(pkts, dump=True, prog=conf.prog.tshark, args=["-T", "json"])

Expected result

Same output as the snippet below, except that instead of being displayed, the output should be returned as a string:

tcpdump(pkts, prog=conf.prog.tshark, args=["-T", "json"])

or exactly the same as:

res = tcpdump(pkts, dump=True, use_tempfile=True, prog=conf.prog.tshark, args=["-T", "json"])

viz-prakash Jan 23 '20 21:01
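The docstring quoted in the report says wrpcap() closes the descriptor it is given; on a pipe, that close is what delivers EOF to the program reading the capture. The following is an added example, not code from the issue or from Scapy, and not a diagnosis of the macOS hang: it pipes a constructed pcap to a stand-in reader (the names `pcap_bytes`, `run_reader` and `READER` are hypothetical) and bounds the wait with a timeout so a stuck reader cannot block the caller forever.

```python
import struct
import subprocess
import sys

# Constructed sample: classic pcap global header (magic 0xa1b2c3d4, v2.4,
# snaplen 65535, linktype 1 = Ethernet) followed by dummy 14-byte frames.
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
FRAME = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00"

def pcap_bytes(n):
    """Return a pcap stream holding n copies of the dummy frame."""
    rec = struct.pack("<IIII", 0, 0, len(FRAME), len(FRAME)) + FRAME
    return PCAP_HDR + rec * n

# Stand-in for the external program (assumption: it reads stdin until EOF).
READER = r"""
import struct, sys
data = sys.stdin.buffer.read()          # returns only once EOF arrives
off, count = 24, 0
while off + 16 <= len(data):
    incl = struct.unpack_from("<IIII", data, off)[2]
    off += 16 + incl
    count += 1
print(count)
"""

def run_reader(data, close_stdin, timeout=3.0):
    """Pipe data to the reader; return its output, or None on timeout."""
    proc = subprocess.Popen([sys.executable, "-c", READER],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    proc.stdin.write(data)
    proc.stdin.flush()
    if close_stdin:
        proc.stdin.close()              # delivers EOF to the child
    try:
        proc.wait(timeout=timeout)
        return proc.stdout.read().decode().strip()
    except subprocess.TimeoutExpired:
        proc.kill()                     # bound the hang instead of blocking
        proc.wait()
        return None
    finally:
        proc.stdout.close()
        if not proc.stdin.closed:
            proc.stdin.close()

if __name__ == "__main__":
    print(run_reader(pcap_bytes(3), close_stdin=True))
    print(run_reader(pcap_bytes(3), close_stdin=False, timeout=1.0))
```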

Works fine on my Ubuntu.

>>> a = tcpdump(Ether()/IP(), prog=conf.prog.tshark, dump=True, args=["-T", "json"])
>>> print(a)
[
  {
    "_index": "packets-2020-01-23",
    "_type": "pcap_file",
    "_score": null,
    "_source": {
      "layers": {
[...]

The real issue lies in the fact that macOS has glitchy support of the - output / input.

We probably just need to make this always on on DARWIN: https://github.com/secdev/scapy/blob/ae6b93b9263cab4319be463527b92d1edf13ce43/scapy/utils.py#L1714-L1717

gpotter2 Jan 23 '20 23:01

@gpotter2 You are not wrong, though I would like to mention another case where using - for reading from stdin for tshark does work all the time on macOS, even without use_tempfile=True.

tcpdump(pkts, dump=True, prog=conf.prog.tshark, args=["-w", "output.pcap"])

So I guess there is something else going on. I wasn't able to find out what's causing this issue, but simply - is not the only reason behind this problem.

viz-prakash Jan 24 '20 01:01

Fixed in #2426

guedou Sep 28 '22 05:09