Detecting network scans via ARP requests
April 21, 2012 1 Comment
# Small proof of concept: watches ARP requests on one interface and flags a sender that bursts many of them (a host/ARP sweep).
# Requires tshark (the Wireshark CLI) and Python; tshark must be allowed to capture on the interface (root or capture capabilities).
import os
import subprocess
import sys
from datetime import datetime
# record layout, as built in sink(): [src_ip, opcode, dst_ip, eth_src, eth_dst, last_seen (datetime), request_count]
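def validate_networkscan(item, arr, window_seconds=3):
    """Update the per-sender ARP request counter for one captured packet.

    ``item`` is one parsed tshark record, a mutable list laid out as
    ``[src_ip, opcode, dst_ip, eth_src, eth_dst, seen_at, count]`` where
    ``seen_at`` is a ``datetime`` and ``count`` starts at 0.  ``arr`` is the
    caller-owned state: one such record per (sender IP, opcode), updated in
    place.

    Only ARP requests are tracked.  A request from a sender that already has
    a record extends the current burst when it arrives within
    ``window_seconds`` of the *previous* request from that sender; otherwise
    the burst counter is reset.  The record is refreshed to the latest packet
    either way, timestamp included.

    Returns the number of requests seen in the current burst after the one
    that opened it, or -1 when the packet did not extend a burst (first
    sighting of this sender, a reset, or a non-request packet).

    Limitations worth knowing before relying on the alert:
      * the key is the ARP *sender protocol address* (arp.src.proto_ipv4),
        which an attacker can spoof or rotate per probe; eth.src is captured
        but not used for matching;
      * records are never pruned, so every distinct sender IP (spoofed or
        real) stays in ``arr`` for the lifetime of the process.
    """
    # tshark prints the opcode as text; older releases used hex ("0x0001"),
    # newer ones appear to print decimal ("1") -- accept both.
    request_opcodes = ("0x0001", "1")
    if item[1] not in request_opcodes:
        # Replies and other opcodes are neither counted nor stored; storing
        # them would only grow the list with entries that can never match.
        return -1

    for entry in arr:
        if entry[0] != item[0] or entry[1] != item[1]:
            continue
        # total_seconds() rather than .seconds: .seconds is only the sub-day
        # component of a timedelta and would wrap for gaps of a day or more.
        elapsed = (item[5] - entry[5]).total_seconds()
        if elapsed <= window_seconds:
            entry[6] += 1
            result = entry[6]
        else:
            entry[6] = 0  # gap too large: start a new burst, same as a first sighting
            result = -1
        # Refresh every observed field *including* the timestamp (index 5) so
        # the next gap is measured from this packet, not from the first one;
        # returning here also avoids re-appending the sender as a duplicate.
        entry[0:6] = item[0:6]
        return result

    arr.append(item)
    return -1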
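def sink(interface, threshold=25):
    """Capture ARP traffic on ``interface`` with tshark and report scanners.

    Spawns ``tshark`` (which needs capture rights on the interface: root or
    the appropriate capabilities), reads one record per ARP frame as
    ``src_ip#opcode#dst_ip#eth_src#eth_dst``, feeds it through
    ``validate_networkscan`` and prints ``"<src_ip> is scanning "`` the moment
    a sender's burst counter reaches ``threshold``.  Blocks until tshark
    exits (EOF on its stdout) and returns nothing.

    ``interface`` is handed to tshark as a single argv element, never through
    a shell, so a value taken from user input cannot inject commands.
    """
    # -l: flush after every packet.  Without it tshark block-buffers stdout
    # when it is a pipe, and alerts would only appear after a few KB of
    # output -- far too late for a live detector.
    args = [
        "tshark", "-l", "-i", interface, "-f", "arp",
        "-T", "fields",
        "-e", "arp.src.proto_ipv4", "-e", "arp.opcode", "-e", "arp.dst.proto_ipv4",
        "-e", "eth.src", "-e", "eth.dst",
        "-E", "separator=#",
    ]
    proc = subprocess.Popen(args, stdout=subprocess.PIPE, universal_newlines=True)
    hits_scanner = []  # per-sender state, owned and updated by validate_networkscan
    try:
        while True:
            line = proc.stdout.readline()
            if not line:
                break  # tshark exited or closed its end of the pipe
            fields = line.rstrip("\n").split("#")
            if len(fields) != 5:
                continue  # malformed or partial record; skip rather than misparse
            arp_info = fields + [datetime.now(), 0]
            attack_count = validate_networkscan(arp_info, hits_scanner)
            # Equality, not >=, so a sustained scan is reported once per burst.
            if attack_count == threshold:
                print(arp_info[0] + " is scanning ")
    finally:
        proc.stdout.close()
        proc.wait()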
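if __name__ == "__main__":
    # Interface defaults to wlan0; an optional first argument overrides it.
    # The guard keeps the capture from starting on a plain import.
    sink(sys.argv[1] if len(sys.argv) > 1 else "wlan0")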
For a more rigorous treatment of the topic, see:
http://scholar.google.be/scholar?hl=nl&lr=&q=arp%20detect%20network%20scans