Detecting network scans via ARP requests

# Small proof of concept that watches ARP requests in order to detect network scans.
# Requires tshark and, of course, Python.

 

import os
import subprocess
from datetime import datetime

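def validate_networkscan(item, arr, window_seconds=3):
    """Count consecutive ARP requests per source and keep the state in *arr*.

    Every record (``item`` and each element of ``arr``) is a list laid out as
    ``[src_ip, opcode, dst_ip, eth_src, eth_dst, seen_at, burst_count]``:
    the five tshark fields, the sighting time (a ``datetime``) and a counter.

    Args:
        item: the record just captured; ``item[5]`` must be a ``datetime`` and
            ``item[6]`` is overwritten when the record is stored.
        arr: one stored record per source IP already seen; updated in place.
        window_seconds: largest gap (seconds) between two requests for them to
            belong to the same burst. Defaults to 3, the value of the PoC.

    Returns:
        -1 for an ARP reply (replies are not tracked) or for the first request
        seen from a source; otherwise the number of requests in the current
        burst, which drops back to 1 once the gap exceeded *window_seconds*.
    """
    # Opcode string as tshark -T fields printed it for the author's setup.
    # TODO confirm: recent tshark releases print this field in decimal ("1"),
    # in which case nothing would ever be matched here.
    arp_request = '0x0001'
    if item[1] != arp_request:
        # A reply never matched the loop below, yet the old code appended it
        # every time; keep replies out so the state list cannot grow unbounded.
        return -1
    for entry in arr:
        if entry[0] == item[0] and entry[1] == item[1]:
            # total_seconds() rather than .seconds: the latter ignores the
            # days component of a gap.
            gap = (item[5] - entry[5]).total_seconds()
            if gap <= window_seconds:
                entry[6] += 1
            else:
                entry[6] = 1  # burst interrupted; start counting afresh
            # Refresh the stored fields *including* the timestamp so the next
            # gap is measured from this sighting ("time since last seen").
            entry[0:6] = item[0:6]
            return entry[6]
    # First request from this source: store it as a burst of length one.
    item[6] = 1
    arr.append(item)
    return -1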

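def sink(interface, threshold=25):
    """Capture ARP on *interface* with tshark and report bursty requesters.

    tshark prints one line per ARP frame holding five '#'-separated fields
    (arp.src.proto_ipv4, arp.opcode, arp.dst.proto_ipv4, eth.src, eth.dst).
    Each line becomes the 7-element record validate_networkscan expects and
    a source is printed once, when its burst counter equals *threshold*.
    Legitimate bursts (a host re-resolving many neighbours after a link
    flap, for instance) trip the same counter, so treat a hit as a lead
    rather than a verdict. Blocks until tshark exits or the loop is
    interrupted; tshark is terminated on the way out either way.

    Args:
        interface: capture interface handed to ``tshark -i`` as one argv
            element, so no shell is involved and the name is never parsed.
        threshold: burst count at which a source is reported (default 25,
            the PoC's value). The report fires only on the exact count, so
            it is printed once per burst rather than once per frame.
    """
    cmd = [
        "tshark", "-i", interface, "-f", "arp", "-T", "fields",
        "-e", "arp.src.proto_ipv4", "-e", "arp.opcode", "-e", "arp.dst.proto_ipv4",
        "-e", "eth.src", "-e", "eth.dst", "-E", "separator=#",
    ]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, bufsize=1, universal_newlines=True)
    hits_scanner = []
    try:
        # readline-based iteration delivers lines as they arrive on both
        # Python 2 and 3; EOF (tshark gone) ends the loop.
        for line in iter(proc.stdout.readline, ""):
            arp_info = line.rstrip("\r\n").split("#")
            if len(arp_info) != 5:
                # Blank or malformed line: skip it instead of ending the
                # capture, which is what the old "if not stdout: break" did.
                continue
            arp_info.append(datetime.now())
            arp_info.append(0)
            attack_count = validate_networkscan(arp_info, hits_scanner)
            if attack_count == threshold:
                print(arp_info[0] + "   is scanning ")
    finally:
        proc.stdout.close()
        if proc.poll() is None:
            proc.terminate()
        proc.wait()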
            
                
    

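if __name__ == "__main__":
    # Guarded so importing this module (e.g. from a test) does not start a capture.
    sink("wlan0")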
