Use scapy with npcap on Windows


I am using scapy 2.4.5 with Python 3.9.5 on Windows 11. I have npcap version 1.55 installed.

I have some Wireshark packet captures, and I am trying to use scapy's sniff function on the file to filter out various packets.

However, when I use filter="udp" with sniff, I get an exception about tcpdump not being available.

Below is the script I am currently trying to use.

from scapy.all import *


conf.use_pcap = True

pcap_file_path = r"C:\8OCT21_DDL_00001_20211008214804"

packets = sniff(offline=pcap_file_path, 
                count=10,
                filter="udp")
packets.summary()

However, I get this exception:

File "C:\Python39\lib\site-packages\scapy\sendrecv.py", line 1263, in sniff
    sniffer._run(*args, **kwargs)
  File "C:\Python39\lib\site-packages\scapy\sendrecv.py", line 1072, in _run
    sniff_sockets.update((PcapReader(
  File "C:\Python39\lib\site-packages\scapy\sendrecv.py", line 1074, in <genexpr>
    tcpdump(fname,
  File "C:\Python39\lib\site-packages\scapy\utils.py", line 2095, in tcpdump
    raise Scapy_Exception(
scapy.error.Scapy_Exception: tcpdump is not available

Any idea on how to use scapy sniff on Windows with npcap instead of tcpdump?

There is 1 answer

green_ducky

The problem is not your filter; rather, it's the "offline" option in the sniff function. You can perform a live sniff of packets, or use the rdpcap() function to first load the pcap into RAM, and then do what you want to do.

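from scapy.all import rdpcap
from scapy.layers.inet import UDP

# Load the whole capture into memory as a list of packets
scapy_cap = rdpcap("responses.pcap")
for pck in scapy_cap:
    # Membership test: pck[UDP] raises IndexError on packets without a UDP layer
    if UDP in pck:
        print(pck.summary())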

This is not a solution to why it throws the tcpdump exception, but more of a workaround to get something out of your pcap. Keep in mind that large pcap files will eat RAM like nothing else if you try to load them with rdpcap().