ARP spoof detector in Python

technicalhayden
Aug 4, 2022

HOW DOES AN ARP SPOOF DETECTOR WORK?

In our ARP spoofer program, we created a function that sent ARP responses in order to poison the ARP table of the victim machine. Here we change that function so that, if a packet carries a spoofed ARP layer, the program can detect it. We start by sniffing ARP responses with the following code:

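import scapy.all as scapy

def sniff(interface):
    # store=False: do not keep packets in memory; prn is called once per packet
    scapy.sniff(iface=interface, store=False, prn=process_sniffed_packet)

def process_sniffed_packet(packet):
    # op == 2 means "is-at", i.e. an ARP response
    if packet.haslayer(scapy.ARP) and packet[scapy.ARP].op == 2:
        packet.show()  # show() prints the packet itself and returns None


sniff("eth0")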

Function for getting the MAC address of an IP address:

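def mac(ipadd):
    # Broadcast an ARP request asking who has ipadd
    arp_request = scapy.ARP(pdst=ipadd)
    br = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_req_br = br / arp_request
    list_1 = scapy.srp(arp_req_br, timeout=5, verbose=False)[0]
    # No answer within the timeout: nothing to compare against
    if not list_1:
        return None
    # list_1[0] is a (sent, received) pair; hwsrc is the MAC of the responder
    return list_1[0][1].hwsrc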

Function to process the sniffed packet: it stores the original MAC address of the sender IP in the “originalmac” variable and the MAC address given in the response in the “responsemac” variable.

def process_sniffed_packet(packet):
    if packet.haslayer(scapy.ARP) and packet[scapy.ARP].op == 2:
        originalmac = mac(packet[scapy.ARP].psrc)
        responsemac = packet[scapy.ARP].hwsrc

Now we compare the two values to check whether they are the same. If they are not, the values have been spoofed.

        # Skip the comparison when mac() got no answer for this IP
        if originalmac is not None and originalmac != responsemac:
            print("[*] ALERT!! You are under attack, the ARP table is being poisoned.!")

After performing the above steps, our code will look like this:

import scapy.all as scapy

def mac(ipadd):
    # Broadcast an ARP request asking who has ipadd
    arp_request = scapy.ARP(pdst=ipadd)
    br = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_req_br = br / arp_request
    list_1 = scapy.srp(arp_req_br, timeout=5, verbose=False)[0]
    # No answer within the timeout: nothing to compare against
    if not list_1:
        return None
    return list_1[0][1].hwsrc

def sniff(interface):
    scapy.sniff(iface=interface, store=False, prn=process_sniffed_packet)

def process_sniffed_packet(packet):
    # op == 2 means "is-at", i.e. an ARP response
    if packet.haslayer(scapy.ARP) and packet[scapy.ARP].op == 2:
        originalmac = mac(packet[scapy.ARP].psrc)
        responsemac = packet[scapy.ARP].hwsrc
        if originalmac is not None and originalmac != responsemac:
            print("[*] ALERT!! You are under attack, the ARP table is being poisoned.!")

sniff("eth0")
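A passive variant of the same comparison, as an added example that is not part of the original post: it parses raw Ethernet/ARP frames with the standard library only (no Scapy, so it runs offline) and flags a response whose sender MAC differs from the one first recorded for that IP. The names parse_arp, ArpWatch and build_reply and all addresses are assumptions made for illustration.

```python
import struct

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, eth_src) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:                  # not ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(str(x) for x in frame[28:32])
    return op, mac_str(frame[22:28]), sender_ip, mac_str(frame[6:12])

class ArpWatch:
    """Remembers the first MAC seen per IP (assumed to be seen on a clean network)."""
    def __init__(self):
        self.table = {}                      # ip -> MAC first seen in a response

    def check(self, frame):
        """Return a list of alert strings for one captured frame."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2: # only ARP responses (op == 2)
            return []
        _, hwsrc, psrc, eth_src = parsed
        alerts = []
        if eth_src != hwsrc:                 # link-layer source disagrees with ARP payload
            alerts.append(f"{psrc}: Ethernet source {eth_src} != ARP sender {hwsrc}")
        known = self.table.setdefault(psrc, hwsrc)
        if known != hwsrc:                   # same test as originalmac != responsemac
            alerts.append(f"{psrc}: was {known}, now claimed by {hwsrc}")
        return alerts

def build_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Constructed sample input: the bytes of one ARP response frame."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    eth = m(dst_mac) + m(src_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return eth + arp + m(src_mac) + i(src_ip) + m(dst_mac) + i(dst_ip)
```

Because the first binding seen is trusted, seed the table from known-good entries or start the watcher before any untrusted host joins the segment.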
