Detect ARP scan using python
I want to detect whether someone is performing an ARP scan on the network and display the source IP. Unexpectedly, there are not enough ARP requests to detect an ARP scan. Here is my code --
import pyshark

# Keep only ARP requests (opcode 1) whose target MAC is still unknown (all zeros).
cap = pyshark.FileCapture('arpscan.pcap', display_filter='arp.opcode==1 && arp.dst.hw_mac==00:00:00:00:00:00', only_summaries=True)
count = 0
for pkt in cap:
    count = count + 1
if count > 10:
    print(" ")
    print("Someone is scanning your network!\n\n")
    print("For Attacker's Ip, visit 'Tell' section in summary below\n\n ")
    print("----Further details----")
    print("No of ARP Request Packet Received: ", count)
    print("----Summary of ARP packet Received---")
    for pkt in cap:
        print(pkt)
else:
    print("No ARP scan identified!")
I want to extract the source IP, i.e. the IP in the "Tell" part of the packet. I was not able to do it. Can someone tell me how to display the source IP in my case?
I found a solution. This can be done using scapy instead of pyshark!
from scapy.all import *

filename = 'arpscan.pcap'   # the capture file from the question; was undefined in the original snippet
# Read only ARP frames from the capture file.
packets = sniff(offline=filename, filter='arp')
source = ''
source_mac = ''
count = 0
for pkt in packets:
    if ARP in pkt and pkt[ARP].op == 1:      # opcode 1 = who-has (ARP request)
        count = count + 1
        if count == 5:
            # "Tell" side of the request: sender IP and sender MAC
            source = pkt.sprintf("%ARP.psrc%")
            source_mac = pkt.sprintf("%ARP.hwsrc%")
if count > 10:
    print("\nSomeone is scanning your network!")
    print("Source (IP): ", source)
    print("Mac Address of Attacker: ", source_mac)
else:
    print("No Scan Identified!")
Additionally, we can use scapy to access the is_at and Tell fields:
for pkt in packets:
    operation = pkt.sprintf("%ARP.op%")   # scapy renders opcode 1 as "who-has" and opcode 2 as "is-at"
    if operation == "is-at":
        # do stuff
        pass
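A raw request count also fires on a busy but honest host; what marks a scan is one sender asking for many distinct target IPs in a short window. The detector below groups ARP requests per sender MAC and counts distinct targets in a sliding time window. This is an added example, not the poster's code; the ArpRequest record, the optional requests_from_pcap helper and the SAMPLE records are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class ArpRequest(NamedTuple):
    ts: float     # capture timestamp in seconds
    hwsrc: str    # sender MAC (the "Tell" side)
    psrc: str     # sender IP
    pdst: str     # target IP (the "Who has" side)

def detect_arp_scans(requests, window=10.0, min_targets=10):
    """Return {sender_mac: (sender_ip, distinct_targets)} for every sender that
    requested at least `min_targets` distinct IPs within some `window`-second span."""
    by_src = defaultdict(list)
    for r in requests:
        by_src[r.hwsrc].append(r)
    alerts = {}
    for mac, reqs in by_src.items():
        reqs.sort(key=lambda r: r.ts)
        best, lo = 0, 0
        for hi in range(len(reqs)):
            while reqs[hi].ts - reqs[lo].ts > window:   # slide the window start forward
                lo += 1
            best = max(best, len({r.pdst for r in reqs[lo:hi + 1]}))
        if best >= min_targets:
            alerts[mac] = (reqs[0].psrc, best)
    return alerts

def requests_from_pcap(path):
    """Optional scapy reader (assumed helper): keeps only ARP requests, opcode 1."""
    from scapy.all import rdpcap, ARP
    return [ArpRequest(float(p.time), p[ARP].hwsrc, p[ARP].psrc, p[ARP].pdst)
            for p in rdpcap(path) if ARP in p and p[ARP].op == 1]

# Constructed sample: host .50 sweeps 192.168.1.1-20 within one second (a scan),
# host .60 makes four ordinary lookups spread over a minute (benign).
SAMPLE = [ArpRequest(i * 0.05, "aa:bb:cc:dd:ee:01", "192.168.1.50", f"192.168.1.{i}")
          for i in range(1, 21)]
SAMPLE += [ArpRequest(t, "aa:bb:cc:dd:ee:02", "192.168.1.60", d)
           for t, d in ((0.0, "192.168.1.1"), (15.0, "192.168.1.1"),
                        (30.0, "192.168.1.2"), (55.0, "192.168.1.3"))]

if __name__ == "__main__":
    for mac, (ip, n) in detect_arp_scans(SAMPLE).items():
        print(f"Someone is scanning your network! Source IP {ip}, MAC {mac}, {n} distinct targets")
```

Tune window and min_targets to the segment: a /24 sweep by a scanner finishes in seconds, while DHCP churn or a monitoring host spreads far fewer distinct lookups over minutes.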