Detecting ARP Poisoning
1 min readJul 6, 2023
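If you are seeing timeouts and sluggish DNS, and suspect that someone on the network is poisoning ARP to sniff your data, this script checks a packet capture for signs of ARP poisoning. It flags every IP address that is announced with more than one MAC address. A changed MAC can also have benign causes (a DHCP lease handed to a different device, a replaced network card, failover between redundant gateways), so treat each hit as a lead to verify rather than as proof.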
python arpattacker.py
Potential ARP poisoning detected:
IP: 192.168.56.1 Original MAC: 0a:00:27:00:00:00 New MAC: 08:00:27:3d:27:5d
IP: 192.168.56.103 Original MAC: 08:00:27:10:b8:d0 New MAC: 08:00:27:3d:27:5d
Attacker IP: 192.168.56.103 Attacker MAC: 08:00:27:3d:27:5d
from scapy.all import *
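def analyze_pcap(pcap_file):
    """Report IP addresses that a capture shows announced by more than one MAC.

    Every ARP packet in ``pcap_file`` is read and its sender IP (``psrc``) is
    paired with its sender hardware address (``hwsrc``). The first MAC seen
    for an IP is kept as the baseline; a later ARP packet announcing the same
    IP from a different MAC is reported as a potential poisoning event.

    Findings are printed to stdout; nothing is returned.

    How to read the output:
      * "Original MAC" only means "first seen in this capture". If the
        capture started after the poisoning began, the baseline itself may be
        the forged entry and the roles are reversed.
      * The "Attacker IP" line repeats the IP and MAC of the last conflicting
        packet. That IP is the address being claimed by the second MAC, which
        is not necessarily the address the offending host normally uses.
      * A MAC change can be benign (DHCP lease reuse, replaced NIC, gateway
        failover), so confirm against switch tables or DHCP logs.

    Args:
        pcap_file: Path to a capture file that scapy's ``rdpcap`` can read.
    """
    packets = rdpcap(pcap_file)

    ip_mac_mapping = {}       # sender IP -> first MAC seen announcing it
    duplicate_mappings = []   # (ip, first_mac, conflicting_mac), in order seen
    reported = set()          # conflicts already listed, to avoid repeats
    attacker_mac = None
    attacker_ip = None

    for pkt in packets:
        if ARP not in pkt:
            continue

        ip = pkt[ARP].psrc
        mac = pkt[ARP].hwsrc

        # ARP probes (RFC 5227) use sender IP 0.0.0.0: any host checking
        # whether an address is free sends one, so many MACs legitimately
        # share that "IP". Counting them would produce false positives.
        if ip == "0.0.0.0":
            continue

        baseline_mac = ip_mac_mapping.setdefault(ip, mac)
        if baseline_mac == mac:
            continue

        # Track the most recent conflicting announcement for the summary line.
        attacker_ip = ip
        attacker_mac = mac

        # Poisoning tools re-send the forged reply continuously; list each
        # distinct (ip, baseline, new) conflict once instead of once per packet.
        conflict = (ip, baseline_mac, mac)
        if conflict not in reported:
            reported.add(conflict)
            duplicate_mappings.append(conflict)

    if not duplicate_mappings:
        print("No evidence of ARP poisoning in the pcap file.")
        return

    print("Potential ARP poisoning detected:")
    for ip, orig_mac, new_mac in duplicate_mappings:
        print("IP: {} Original MAC: {} New MAC: {}".format(ip, orig_mac, new_mac))
    print("Attacker IP: {} Attacker MAC: {}".format(attacker_ip, attacker_mac))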
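# Default capture to analyze. Pass a different path as the first command-line
# argument to analyze another file without editing the script.
pcap_file = "SBT-PCAP3.pcapng"

# Run the analysis only when executed as a script, so importing this module
# (for example to reuse analyze_pcap) does not read a capture as a side effect.
if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        pcap_file = sys.argv[1]
    analyze_pcap(pcap_file)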