0

我想检测是否有人在网络上执行 ARP 扫描并显示源 IP。意外的 ARP 请求数量足以检测 ARP 扫描。这是我的代码-

import pyshark

cap = pyshark.FileCapture('arpscan.pcap',display_filter='arp.opcode==1 && arp.dst.hw_mac==00:00:00:00:00:00',only_summaries=True)
count=0
for pkt in cap:
    count=count+1

if count>10:
    print (" ")
    print ("Someone is scanning your network!\n\n")
    print ("For Attacker's Ip, visit 'Tell' section in summary below\n\n ")
    print("----Further details----")
    print "No of ARP Request Packet Received: ", count
    print("----Summary of ARP packet Received---")
    for pkt in cap:
        print (pkt)
else: 
    print ("No ARP scan identified!")

我想在数据包的tell部分提取源IP,即IP。我没有这样做。有人可以告诉我如何在我的情况下显示源 IP 吗?

4

1 回答 1

0

我找到了解决方案。这可以使用 scapy 而不是 pyshark 来完成!

from scapy.all import *


packets = sniff(offline=filename,filter='arp')
source='' 
source_mac=''
count=0

for pkt in packets:
    if pkt[ARP].op==1:
        count=count+1
        if count==5:
            source = pkt.sprintf("%ARP.psrc%")
            source_mac = pkt.sprintf("%ARP.hwsrc%")


if count>10:
    print "\nSomeone is scanning your network!"
    print "Source (IP): ",source
    print "Mac Address of Attacker: ",source_mac

else:
    print ("No Scan Identified!")

此外,我们可以使用 scapy as 访问is_atTell字段:

operation = packet.sprintf("%ARP.op%")
if operation=="is_at":
   #do stuff
于 2018-03-28T05:48:30.487 回答