Detect ARP scan using python

Question

I want to detect whether someone is performing ARP scan on network and display source IP. Unexpected no of ARP requests is sufficient to detect ARP scan. Here is my code--

import pyshark

cap = pyshark.FileCapture('arpscan.pcap',display_filter='arp.opcode==1 && arp.dst.hw_mac==00:00:00:00:00:00',only_summaries=True)
count=0
for pkt in cap:
    count=count+1

if count>10:
    print (" ")
    print ("Someone is scanning your network!\n\n")
    print ("For Attacker's Ip, visit 'Tell' section in summary below\n\n ")
    print("----Further details----")
    print "No of ARP Request Packet Received: ", count
    print("----Summary of ARP packet Received---")
    for pkt in cap:
        print (pkt)
else: 
    print ("No ARP scan identified!")

I want to extract source IP i.e IP in the tell section of packet. I failed to do that. Can somebody tell me how to display source IP in my case?

pkt.ip.src gives attribute error since these are arp packets, they don't have IP layer. Can you suggest any other solution? — goldy mata, Mar 27 '18 at 04:23
@pchaigno your solution works absolutely fine with scapy! Thanks for help. — goldy mata, Mar 28 '18 at 06:02

score 0 · Accepted Answer · edited Mar 30 '18 at 17:43

I found a solution. This can be done using scapy instead of pyshark!

from scapy.all import *


packets = sniff(offline=filename,filter='arp')
source='' 
source_mac=''
count=0

for pkt in packets:
    if pkt[ARP].op==1:
        count=count+1
        if count==5:
            source = pkt.sprintf("%ARP.psrc%")
            source_mac = pkt.sprintf("%ARP.hwsrc%")


if count>10:
    print "\nSomeone is scanning your network!"
    print "Source (IP): ",source
    print "Mac Address of Attacker: ",source_mac

else:
    print ("No Scan Identified!")

Also, we can access is_at and Tell field using scapy as :

operation = packet.sprintf("%ARP.op%")
if operation=="is_at":
   #do stuff

Detect ARP scan using python

1 Answers1