4

I'm currently trying to send an IP packet to an interface using the send(pkt, iface="eth0") function and I'm getting the error:

WARNING: Mac address to reach destination not found. Using broadcast

The interface I am trying to send out on doesn't have an IP address, and thats the way I would prefer it. And if it makes a difference, the interface is a bridge (created with brctl)

There is an ARP entry for the host that is in the IP packet however it seems scapy isn't doing the lookup required to get the MAC from the ARP table...

Thoughts?!

geekscrap
  • 965
  • 2
  • 12
  • 26

2 Answers2

2

I would say this is normal, since making a valid ARP request requires an IP address (and Scapy maintains its own ARP table, independent from the OS one).

You can set the destination address yourself: srp(Ether(dst="[MAC address]")/[...]). If you need to get the MAC address first, create and send an ARP request the same way.

To query Scapy's ARP table, access the element conf.netcache.arp_cache, which is a Scapy-specific dict subclass (called CacheInstance).

For example, to add an entry for your host (and then use sr([...]) instead of srp(Ether(dst="[MAC address])/[...])), use:

conf.netcache.arp_cache['[IP address]'] = '[MAC address]'
Pierre
  • 6,047
  • 1
  • 30
  • 49
  • Ok, makes sense if it maintains its own table... However it should still work because I capture a packet from the host I'm sending to prior to try to do what I say above.... Is there a way to view and modify the scapy arp table? – geekscrap May 13 '15 at 12:04
  • Brilliant, thanks. What was the reason for not using the hosts table? Was it faster to keep scapys own? – geekscrap May 13 '15 at 21:51
  • I think the idea was that Scapy has/is its own IP stack, independent from the OS, so it maintains its own ARP table (and routing table, for that matter). The routing table is initialized with the system's one, the ARP table not, I honestly don't know why. – Pierre May 13 '15 at 22:17
  • I smell a feature request... :) are you guys taking any atm? And if so, where should I lodge it? – geekscrap May 14 '15 at 11:51
  • Main reason I ask this is because my app is using multiprocessing.processes (separate send and receive threads) and so the arp table is not shared (just testing that theory now though) – geekscrap May 14 '15 at 11:57
  • Please feel free to open an issue (even just to start the conversation) or submit a pull request here: https://bitbucket.org/secdev/scapy – Pierre May 14 '15 at 13:55
1

The default dst address (MAC address) of an Ethernet frame in scapy is broadcast. This warning is generated whenever you send an Ethernet frame to the broadcast address (ff:ff:ff:ff:ff:ff), as far as I'm concerned. You can see this by creating the packet like this:

Ether()/IP() or Ether()/ARP()

instead of just IP() or ARP().

FitzChivalry
  • 339
  • 2
  • 19