21 January 2009

ARP Ping Using Scapy

Here's a quick script I whipped up a while ago.
It uses scapy to perform an ARP ping of a network, and provides a CSV report of any MAC addresses it finds, along with the associated IPs.

It requires tcpdump to be installed and in the $PATH, as well as root privs to run.

#!/usr/bin/env python3
# note that this script requires tcpdump to be installed
# additionally, it requires root privs to run.
# ----
# Portions of this code can be attributed to the book
# Python for Unix and Linux System Administration
# by Noah Gift and Jeremy M. Jones.
# Copyright 2008 Noah Gift and Jeremy M. Jones
# ISBN-13: 978-0-596-51582-9
# ----

import sys
if len(sys.argv) != 2:
    print("Usage: pingarp \n  eg: pingarp 192.168.1.0/24")
    sys.exit(1)

from scapy.all import srp, Ether, ARP, conf  # current scapy exports these from scapy.all
conf.verb = 0  # silence scapy's own progress output
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]),
                 timeout=2)  # broadcast a who-has per address, wait 2s for replies

print("MAC,IP")  # CSV header
for snd, rcv in ans:  # each answered pair is (request sent, reply received)
    print(rcv.sprintf(r"%Ether.src%,%ARP.psrc%"))


Here's sample output:
$ sudo ./pingarp 192.168.11.0/24
MAC,IP
00:16:01:8b:54:4a,192.168.11.1
00:13:ce:e9:6e:95,192.168.11.3
00:40:ca:8a:72:48,192.168.11.6
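
One way to put the CSV report to work for monitoring, as an added example that is not part of the original post: compare a saved baseline report with a fresh one and flag IPs answered by more than one MAC, MACs answering for more than one IP, new MACs, and hosts that went quiet. The function names and both sample reports are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample reports in the script's MAC,IP format (not real scan data).
BASELINE = """MAC,IP
00:16:01:8b:54:4a,192.168.11.1
00:13:ce:e9:6e:95,192.168.11.3
00:40:ca:8a:72:48,192.168.11.6
"""
CURRENT = """MAC,IP
00:16:01:8B:54:4A,192.168.11.1
00:13:ce:e9:6e:95,192.168.11.3
00:13:ce:e9:6e:95,192.168.11.1
02:00:00:aa:bb:cc,192.168.11.9
"""

def load_report(text):
    """Parse a MAC,IP report into a set of (mac, ip) pairs, MACs lowercased."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["MAC"].strip().lower(), r["IP"].strip()) for r in rows}

def audit(baseline_text, current_text):
    """Compare two reports and return findings worth a closer look."""
    base, cur = load_report(baseline_text), load_report(current_text)
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for mac, ip in cur:
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)
    known_macs = {mac for mac, _ in base}
    return {
        # One IP answered by several MACs: address conflict or ARP spoofing.
        "ip_conflicts": {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1},
        # One MAC answering for several IPs: proxy ARP, aliases, or a spoofer.
        "multi_ip_macs": {mac: sorted(i) for mac, i in ips_by_mac.items() if len(i) > 1},
        # MACs never seen in the baseline scan.
        "new_macs": sorted(set(ips_by_mac) - known_macs),
        # Baseline (mac, ip) pairs that did not answer this time.
        "missing": sorted(base - cur),
    }

if __name__ == "__main__":
    for finding, detail in audit(BASELINE, CURRENT).items():
        print(finding, detail)
```

A host listed under "missing" may simply have been powered off or dropped a reply, so confirm with a second scan before treating it as a change.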

4 comments:

  1. Added interval "inter=0.1" to srp() since scapy couldn't send fast enough and skipped packets (didn't scan whole range if range given)


    ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]),
    timeout=2,iface='eth0',inter=0.1)

  2. This script was used in Python for Linux and System Administrators in section 5.5. They might owe you royalties if this is your script.

    Pub. Date: August 22, 2008
    Print ISBN-13: 978-0-596-51582-9

    Replies
    1. Hi Jeffrey,
      Thanks for pointing this out! I can't find a book called "Python for Linux and System Administrators", the closest thing to it I can find is "Python for Unix and Linux System Administration". The ISBN-13 on that book matches what you posted, so I presume that's what you meant.

      The publish date of that book precedes this blog post by about 1 year, so they definitely had arp ping in scapy before I did. Looking at the code though (found it on pages 175 & 176 using the Amazon "search inside this book" feature), it looks like their code is different than mine in several ways:

      * They create python functions where I don't
      * They don't take the ip range to be scanned as a parameter, it's hardcoded into the script
      * They push the scapy results into an array, where I don't

      The basic scapy functions in my code (lines 11-13, and 16-17) pretty much match what they have exactly though.

      Since my coding style is often more or less "Google for stuff I need to do, then cobble the bits together to make a whole thing that does what I want it to and nothing more" I'd guess that wherever I learned from probably used the examples in that book.

      FWIW, looking at the introduction in Google books, the authors have a pretty permissive policy on code use (see: http://is.gd/nDD1vB). Looks like they also have the code hosted on Google Code with an MIT license (https://code.google.com/p/py4sa/) so I think it's OK that my script has parts of theirs in it. Now that I know about it though, I'm updating the script to provide attribution.

      Thanks again for pointing this out so that I can provide credit where it's due.
