21 January 2009

ARP Ping Using Scapy

here's a quick script i whipped up a while ago.
it uses scapy to perform an ARP ping of a network, and provides a CSV report of any MAC addresses it finds, along with the associated IP's.

It requires tcpdump to be installed and in the $PATH, as well as root privs to run.

#!/usr/bin/env python
# note that this script requires tcpdump to be installed
# additionally, it requires root privs to run.
# ----
# Portions of this code can be attributed to the book
# Python for Unix and Linux System Administration
# by Noah Gift and Jeremy M. Jones. 
# Copyright 2008 Noah Gift and Jeremy M. Jones
# ISBN-13: 978-0-596-51582-9
# ----

import sys
if len(sys.argv) != 2:
    print "Usage: pingarp \n  eg: pingarp"

from scapy import srp,Ether,ARP,conf

print r"MAC,IP"
for snd,rcv in ans:
    print rcv.sprintf(r"%Ether.src%,%ARP.psrc%")

here's sample output:
$ sudo ./pingarp


  1. Added interval "inter=0.1" to srp() since scapy couldn't send fast enough and skipped packets (didn't scan whole range if range given)


  2. This script was used in Python for Linux and Sytem Administrators in section 5.5. They might owe you royalties if this is your script.

    Pub. Date: August 22, 2008
    Print ISBN-13: 978-0-596-51582-9

    1. Hi Jeffrey,
      Thanks for pointing this out! I can't find a book called "Python for Linux and System Administrators", the closest thing to it I can find is "Python for Unix and Linux System Administration". The ISBN-13 on that book matches what you posted, so I presume that's what you meant.

      The publish date of that book precedes this blog post by about 1 year, so they definitely had arp ping in scapy before I did. Looking at the code though (found it on pages 175 & 176 using the Amazon "search inside this book" feature), it looks like their code is different than mine in several ways:

      * They create python functions where I don't
      * They don't take the ip range to be scanned as a parameter, it's hardcoded into the script
      * They push the scapy results into an array, where I don't

      The basic scapy functions in my code (lines 11-13, and 16-17) pretty much match what they have exactly though.

      Since my coding style is often more or less "Google for stuff I need to do, then cobble the bits together to make a whole thing that does what i want it to and nothing more" I'd guess that wherever I learned from probably used the examples in that book.

      FWIW, looking at the introduction in Google books, the authors have a pretty permissive policy on code use (see: http://is.gd/nDD1vB). Looks like they also have the code hosted on Google Code with an MIT license (https://code.google.com/p/py4sa/) so I think it's OK that my script has parts of theirs in it. Now that I know about it though, I'm updating the script to provide attribution.

      Thanks again for pointing this out so that I can provide credit where it's due.