I would like to implement a new secure ARP protocol that is immune to ARP poisoning. The new "SecureArp" will hold a signature field that can be checked against an agreed-upon HMAC function. The Scapy definition is as follows:

    from scapy.all import (Packet, IPField, MACField, IntEnumField,
                           StrFixedLenField)

    class SecureArp(Packet):
        name = "SecureARP"
        fields_desc = [IPField("srcip", None),
                       MACField("srcmac", None),
                       IPField("dstip", None),
                       MACField("dstmac", "00:00:00:00:00:00"),
                       IntEnumField("opcode", 1, {1: "request", 2: "response"}),
                       # 24-byte challenge followed by a 20-byte signature
                       StrFixedLenField("challenge", "", length=24),
                       StrFixedLenField("signature", "", length=20)]

The problem I encounter is that when receiving such a SecureArp message, Scapy doesn't parse it at all and leaves the data as "Raw". I read the SecDev documentation about extending to a new protocol and it's very unclear. What steps should I take so that a received SecureArp packet is automatically parsed? Thanks

vito

1 Answer

You'll have to bind your layer to another one in order for Scapy to auto-dissect it.

Also see Scapy's ARP implementation.

    bind_layers(Ether, ARP, type=2054)

tintin
  • Thanks for the reply. The thing is I used bind_layers for a new type (let's say 1337). When creating the packet I use Ethernet with type=1337 and underneath it the new layer, and when sniffing at the other end the Layer 2 is displayed as Dot3 instead of Ether, so no auto dissection is done. I've tried sending it both with send() and sendp() but it is always interpreted as Dot3 for some reason. Any thoughts? – vito Feb 21 '16 at 11:14
  • Well, that's the answer alright. You need to bind the layers... The problem I encountered was that I defined the type value to be lower than 1500 and that resulted in Scapy casting it to a Dot3. After increasing the value to 1800 the problem was solved. Thanks! – vito Feb 21 '16 at 13:51
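
The two points in this thread, shown together as an added example (standard library only; not code from the question, the answer, or Scapy): why a type field of 1337 is read as an 802.3 length while 1800 is read as an EtherType, and how a receiver checks the 20-byte signature before trusting a SecureArp message. The key, the choice of HMAC-SHA1, the EtherType 0x88B5 and all helper names are assumptions made for the illustration; the field layout follows the question's `fields_desc`.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"        # assumption: pre-shared HMAC key
ETH_P_SECURE_ARP = 0x88B5            # assumption: IEEE local-experimental EtherType
BODY = struct.Struct("!4s6s4s6sI24s")  # srcip srcmac dstip dstmac opcode challenge
SIG_LEN = 20                         # HMAC-SHA1 output, matches signature length

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def sign(body, key=KEY):
    return hmac.new(key, body, hashlib.sha1).digest()

def build(srcip, srcmac, dstip, dstmac, opcode, challenge, key=KEY):
    """Serialize the SecureArp fields and append the HMAC over them."""
    body = BODY.pack(socket.inet_aton(srcip), mac(srcmac),
                     socket.inet_aton(dstip), mac(dstmac), opcode, challenge)
    return body + sign(body, key)

def frame(dst, src, type_field, payload):
    return mac(dst) + mac(src) + struct.pack("!H", type_field) + payload

def classify(raw):
    """Bytes 12-13 <= 1500 are an 802.3 length (Dot3); larger is an EtherType."""
    return "Dot3" if struct.unpack("!H", raw[12:14])[0] <= 1500 else "Ether"

def dissect(raw, key=KEY):
    """Return the parsed fields, or None if the frame is not authentic SecureArp."""
    payload = raw[14:]
    if (len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != ETH_P_SECURE_ARP
            or len(payload) < BODY.size + SIG_LEN):
        return None
    body, sig = payload[:BODY.size], payload[BODY.size:BODY.size + SIG_LEN]
    if not hmac.compare_digest(sig, sign(body, key)):
        return None                  # forged or modified announcement: drop it
    srcip, srcmac, dstip, dstmac, opcode, challenge = BODY.unpack(body)
    return {"srcip": socket.inet_ntoa(srcip), "srcmac": srcmac.hex(),
            "dstip": socket.inet_ntoa(dstip), "dstmac": dstmac.hex(),
            "opcode": opcode, "challenge": challenge}

if __name__ == "__main__":
    pdu = build("192.0.2.10", "02:00:00:00:00:0a", "192.0.2.20",
                "02:00:00:00:00:14", 2, b"C" * 24)   # constructed sample reply
    for t in (1337, 1800, ETH_P_SECURE_ARP):
        f = frame("02:00:00:00:00:14", "02:00:00:00:00:0a", t, pdu)
        print(hex(t), classify(f), dissect(f) is not None)
```

The signature here only proves the sender holds the key; rejecting a replayed response additionally requires the receiver to compare `challenge` with the value it issued.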