This article is mainly about ARP traffic monitoring, it is when an attacker use the LAN ARP poisoning, if the IP address and MAC address does not correspond to print out characters that do not correspond, or that there is no LAN IP address will Print is not the host. Monitoring can also be changed to TCP, UDP and other protocols, but relatively easy to elaborate ARP, ARP protocol because almost all the time sent. The article on the anti-hacker is a great effect when hackers send some weird datagram, we can use Python to the alarm, notify the administrator strange datagrams sent, and make the appropriate countermeasures. Although we have wireshark capture tool, but people always can not always staring at so many datagrams, always need computers against computers. Then Python would be the best choice, a very small amount of code, not only capture display, but also an alarm.
We need to use scapy module, if in the Windows system does not install this module can refer to ( https://blog.csdn.net/q759451733/article/details/84038114 ), if the Linux system is first installed Python, it You can enter pip install directly in the terminal ... then the installation was successful.
note! note! note! Try to use Linux systems run because Windows system may appear inexplicable error, such as: I do not know what happened actually can not use scapy module (it is wonderful, starting with the day before yesterday also comfortably the next day on the problem a). I am using kali Linux system, which comes with nmap. Try to run Python code with kali Linux systems, because whether or hackers hacking contest, which comes with the system is very much hacking software, it is very convenient to use.
Code area:
from scapy.all import *
= {arp_table "192.168.1.102": "00: 0c: 29: 63 is: 08: 6C", "192.168.1.1": "0c: D8: 6C: 65: C2: 52 is"} # define a dictionary, the dictionary IP address and MAC address stored
def telnet_monitor (points):
arp_table .get IF (PKT [the ARP] .psrc): # if the received datagram has an IP address corresponding arp_table performed
arp_table IF [PKT [the ARP] .psrc] == PKT [the ARP] .hwsrc: # if the received datagram with a MAC address corresponding arp_table MAC address, executed
Print (PKT [the ARP] .psrc + ':' + PKT [the ARP] + .hwsrc 'matching') # printing and IP address and MAC address matches the arp_table
the else: # if the received datagram is not the MAC address arp_table corresponding MAC address, executed
Print (PKT [the ARP] .psrc + ':' + PKT [the ARP] + .hwsrc 'Mismatching') # printing and IP address and MAC address does not match the arp_table
the else: # if the received datagram IP address corresponding arp_table not performed
Print (PKT [the ARP] .psrc + ':' + PKT [the ARP] + .hwsrc 'Host CAN Not Find') # print modified datagram IP address and MAC address of the host and shows no
if __name__ == '__main__':
= Sniff PTKS (PRN = telnet_monitor, filter = "ARP", store = 1, timeout = 15) # telnet_monitor functions performed after sniffing ARP packets, store = 1 is stored in the sniffed packets, timeout is 15
wrpcap ( "ARP.cap", PTKS) # In this Python code directory to store data reported as ARP.cap, mainly to run wireshark. In Windows, the file is stored want to the corresponding absolute path, for example: C: /Users/Administrator/Desktop/telnet.cap, Note: Yes / instead of \ in the file path a little way out.
Below is the result of execution of the code:
FIG follows that the gripping datagram, simple and clear, easy analysis.
Summary: This article using the sniff function in scapy, is extremely useful for company managers, not only can grab data storage report, but also for its alarm, such as setting a function to send email, etc., to inform the administrator there are special circumstances, so that it can respond the fastest. In fact, the ARP is used to sniff familiar with the power of real practical place to sniff or other protocols, such as telnet protocol, when someone wants to Telnet host, you can select an alarm or other print data input.
If there is any place to explain poorly, or ask questions you can comment in the comment section below yo!
