07-monitoring-arp.html

<!doctype html>
<html>
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="chrome=1">
    <title>Monitoring ARP</title>

    <link rel="stylesheet" href="stylesheets/styles.css">
    <link rel="stylesheet" href="stylesheets/pygment_trac.css">
    <link href="stylesheets/font-awesome.min.css" rel="stylesheet">
    <script src="javascripts/scale.fix.js"></script>
    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">

    <!--[if lt IE 9]>
    <script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->
  </head>
  <body>
    <div class="wrapper">
      <header>
        <h1 class="header"><a href="index.html">Scapy for Network Tools</a></h1>
        <p class="header">Using the power of Python + Scapy to build network tools</p>

        <ul>
          <li class="download"><a class="buttons" href="https://github.com/thepacketgeek/building-network-tools-with-scapy/zipball/master">Download ZIP</a></li>
          <li class="download"><a class="buttons" href="https://github.com/thepacketgeek/building-network-tools-with-scapy/tarball/master">Download TAR</a></li>
          <li><a class="buttons github" href="https://github.com/thepacketgeek/building-network-tools-with-scapy">View On GitHub</a></li>
        </ul>

        <p class="header">This project is maintained by <a class="header name" href="https://github.com/thepacketgeek">thepacketgeek</a></p>


      </header>
      <section>
        <h3 id="01">
          07 - Monitoring ARP
        </h3>
        <h4>Using Scapy in a Python Script</h4>
        <p>So far we've been working with Scapy in interactive mode. It's very powerful but there are times when it would be easier to work with a Python script instead. In order to use Scapy, we have to import the Scapy module like this:</p>
        <pre><code>from scapy.all import *</code></pre>
        <p>This will import all Scapy functions, but if you know that you will only need a few of the functions, you can import them individually as well like this:</p>
        <pre><code>from scapy.all import sr1,IP,ICMP</code></pre>
        <p>The biggest different with running Scapy in a script is that the output may not be as verbose as interactive mode. If you're not getting all the output you need, make sure to try using the <code>print</code> command.  Here's an example with our previous ping example:</p>
        <script type="text/javascript" src="https://gist.github.com/thepacketgeek/6920022.js"></script>
        <pre><code>============================Console Output:===========================
Begin emission:
..Finished to send 1 packets.
.*
Received 4 packets, got 1 answers, remaining 0 packets
IP / ICMP 4.2.2.1 > 172.16.20.40 echo-reply 0 / Padding</code></pre>
        
        <h4>Using Scapy to monitor ARP traffic</h4>
        <p>Let's pretend that there is concern about someone potentially trying to use an ARP poisoning attack on our network. Using Scapy, we want to write a script that will listen to packets and print out all ARP requests and responses.  We can do that very simply using the Scapy <code>sniff()</code> function and the <code>filter</code> argument like this:</p>
        <script type="text/javascript" src="https://gist.github.com/thepacketgeek/6919986.js"></script>
        <pre><code>============================Console Output:===========================
Ether / ARP who has 172.16.20.10 says 172.16.20.40 / Padding
Ether / ARP who has 172.16.20.92 says 172.16.20.2 / Padding
Ether / ARP who has 172.16.20.2 says 172.16.20.92 / Padding
Ether / ARP who has 172.16.20.203 says 172.16.20.200 / Padding
Ether / ARP is at 00:11:22:29:a6:85 says 172.16.20.203
Ether / ARP who has 172.16.20.2 says 172.16.20.103 / Padding
Ether / ARP who has 172.16.20.103 says 172.16.20.2 / Padding
Ether / ARP who has 172.16.20.150 says 172.16.20.15 / Padding
Ether / ARP who has 172.16.20.2 says 172.16.20.19 / Padding
Ether / ARP who has 172.16.20.19 says 172.16.20.2 / Padding</code></pre>
        <p>This is a very simple "1-liner" that gives us some good visibility to what's happening with ARP on our network. But what if we wanted to customize the output a little bit? Maybe we can get it in a format that would be easy to write to a file or send to some type of external monitoring server. </p>
        
        <h4>Using the prn Argument to Customize sniff() Output</h4>
        <p>I'm going to introduce the <code>prn</code> argument and show you how to do change what Scapy prints out for each packet:</p> 
        <script type="text/javascript" src="https://gist.github.com/thepacketgeek/6919284.js"></script>
        <pre><code>============================Console Output:===========================
Request: 172.16.20.168 is asking about 172.16.20.85
Request: 172.16.20.168 is asking about 172.16.20.229
Request: 172.16.20.2 is asking about 172.16.20.203
*Response: aa:bb:cc:29:a6:85 has address 172.16.20.203
Request: 172.16.20.200 is asking about 172.16.20.82
Request: 172.16.20.51 is asking about 172.16.20.254
Request: 172.16.20.15 is asking about 172.16.20.58
Request: 172.16.20.15 is asking about 172.16.20.58
Request: 172.16.20.200 is asking about 172.16.20.44
*Response: dd:ee:ff:a2:02:bf has address 172.16.20.44</code></pre>
        <p>Basically, what the <code>prn</code> argument lets us do is replace the default Scapy printout of the packet summary and run our own function to determine how Scapy prints out. That's really cool! It works by passing the packet object to the defined function, in this case <code>arp_display()</code>, each time a packet is sniffed that matches the specified filter.</p>

        <p>We can do a lot more with that <code>prn</code> argument and passing more than just the packet object to the custom defined function using nested functions. That's outside the scope of this guide but feel free to read about it here: <a target="_blank" href="http://thepacketgeek.com/series/scapy-sniffing-with-custom-actions/" title="Scapy Sniffing with Custom Actions">Scapy Sniffing with Custom Actions</a></p>


        
        
        <nav>
          <p class="previous"><a href="06-sending-and-receiving.html"><i class="icon-arrow-left"></i> Previous</a></p>
          <p class="next"><a href="08-making-xmas-tree-packet.html">Next <i class="icon-arrow-right"></i></a></p>
        </nav>
      </section>
    </div>
    <footer>
      <p>Hosted on GitHub Pages &mdash; Theme by <a href="https://github.com/orderedlist">orderedlist</a></p>
    </footer>
    <!--[if !IE]><script>fixScale(document);</script><![endif]-->
              <script type="text/javascript">
            var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
            document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
          </script>
          <script type="text/javascript">
            try {
              var pageTracker = _gat._getTracker("UA-44238008-3");
            pageTracker._trackPageview();
            } catch(err) {}
          </script>

  </body>
</html>