4.3 ARP-Watcher

Next we write a tiny tool that reports every newly connected device on our network; to do so it has to remember all IP-to-MAC resolutions it has seen. As a side effect it can also detect when a device suddenly changes its MAC address.

```python
#!/usr/bin/python

from scapy.all import sniff, ARP
from signal import signal, SIGINT
import sys

arp_watcher_db_file = "/var/cache/arp-watcher.db"
ip_mac = {}


# Save ARP table on shutdown
def sig_int_handler(signum, frame):
    print("Got SIGINT. Saving ARP database...")
    try:
        f = open(arp_watcher_db_file, "w")

        for (ip, mac) in ip_mac.items():
            f.write(ip + " " + mac + "\n")   # one "ip mac" pair per line

        f.close()
        print("Done.")
    except IOError:
        print("Cannot write file " + arp_watcher_db_file)
        sys.exit(1)
    sys.exit(0)   # stop sniffing once the table has been saved


def watch_arp(pkt):
    # got is-at pkt (ARP response)
    if pkt[ARP].op == 2:
        print(pkt[ARP].hwsrc + " " + pkt[ARP].psrc)

        # Device is new. Remember it.
        if ip_mac.get(pkt[ARP].psrc) is None:
            print("Found new device " +
                  pkt[ARP].hwsrc + " " +
                  pkt[ARP].psrc)
            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc

        # IP is known but now answers with a different MAC
        elif ip_mac.get(pkt[ARP].psrc) and \
                ip_mac[pkt[ARP].psrc] != pkt[ARP].hwsrc:
            print(pkt[ARP].hwsrc +
                  " has got new ip " +
                  pkt[ARP].psrc +
                  " (old " + ip_mac[pkt[ARP].psrc] + ")")
            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc


signal(SIGINT, sig_int_handler)

if len(sys.argv) < 2:
    print(sys.argv[0] + " <iface>")
    sys.exit(0)

try:
    fh = open(arp_watcher_db_file, "r")
except IOError:
    print("Cannot read file " + arp_watcher_db_file)
    sys.exit(1)

for line in fh:
    line = line.strip()   # drop the trailing newline (chomp() does not exist in Python)
    if not line:
        continue
    (ip, mac) = line.split(" ")
    ip_mac[ip] = mac
fh.close()

sniff(prn=watch_arp,
      filter="arp",
      iface=sys.argv[1],
      store=0)
```

At the start we define a signal handler, sig_int_handler(), that gets called when the user interrupts the program. This function saves all known IP-to-MAC resolutions held in the ip_mac dictionary to a file. Afterwards we read that ARP db file to initialize the program with all currently known resolutions, or exit if the file cannot be read. Then we loop line by line through the file's content and split each line into IP and MAC to store them in the ip_mac dictionary. Finally we call the already known function sniff(), which invokes the callback function watch_arp for every received ARP packet.

The function watch_arp implements the real logic of the program. When the sniffed packet is an is-at packet, and therefore an ARP response, we first check whether the IP exists in the ip_mac dictionary. If we don't find an entry, the device is new and we print a message to the screen; otherwise we compare the MAC address with the MAC in our dictionary. If it differs, the response is probably forged and we print a message to the screen. In both cases the dictionary gets updated with the new information.
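The same new-device and changed-MAC logic, as an added example that is not part of the book's listing: the packet source is replaced by constructed (op, hwsrc, psrc) tuples so it runs offline without scapy or root, the db loader skips malformed lines instead of crashing, and each detection is returned as an Event rather than only printed. The table format, the db text and the capture are all constructed for this example.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "kind ip mac old_mac")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def load_db(text):
    """Parse 'ip mac' lines into a dict; blank or malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not MAC_RE.match(parts[1].lower()):
            continue
        table[parts[0]] = parts[1].lower()
    return table


def dump_db(table):
    """Serialise the table in the same 'ip mac' one-per-line format."""
    return "".join("%s %s\n" % (ip, mac) for ip, mac in sorted(table.items()))


def observe(table, op, hwsrc, psrc):
    """Apply one ARP packet; return an Event for a new or changed binding, else None."""
    if op != 2:                 # only is-at replies are recorded, as in the watcher
        return None
    mac = hwsrc.lower()
    old = table.get(psrc)
    table[psrc] = mac           # both branches update the table
    if old is None:
        return Event("new", psrc, mac, None)
    if old != mac:              # a known IP answering from another MAC: likely forged
        return Event("changed", psrc, mac, old)
    return None


def run(table, packets):
    return [e for e in (observe(table, *p) for p in packets) if e]


# Constructed sample data: a saved db with one broken line, then a capture
SAVED_DB = "10.0.0.1 aa:bb:cc:00:00:01\n10.0.0.5 aa:bb:cc:00:00:05\nbroken line\n"
CAPTURE = [
    (1, "aa:bb:cc:00:00:05", "10.0.0.5"),   # who-has request: ignored
    (2, "aa:bb:cc:00:00:07", "10.0.0.7"),   # never seen before
    (2, "aa:bb:cc:00:00:01", "10.0.0.1"),   # gateway, as recorded
    (2, "de:ad:be:ef:00:01", "10.0.0.1"),   # gateway IP now claimed by another MAC
]

if __name__ == "__main__":
    table = load_db(SAVED_DB)
    for ev in run(table, CAPTURE):
        print(ev)
    print(dump_db(table), end="")
```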
