SARPDET: a simple tool for detecting intruders in your network (ARP spoofing)

Roberto Dillon
3 min read · Aug 8, 2023
image from clker.com by Ocal

Once an intruder gets access to our local area network (LAN), a common next step is to become a “Man in the Middle” (MITM) and intercept the traffic of other hosts. A typical way to achieve this is ARP spoofing.

ARP (Address Resolution Protocol) is how devices on a LAN learn each other's physical MAC addresses from their IP addresses so they can communicate directly; each host keeps the answers it receives in its ARP cache. In a spoofing attack, the attacker sends forged ARP replies claiming that its own MAC address corresponds to the IP address of another machine (typically the gateway), so that from then on the other hosts send all traffic for that IP to the attacker instead.

A straightforward way of detecting ARP spoofing in a network is to keep track of which MAC and IP addresses are seen together and look for inconsistencies, and this is exactly what the following simple Python tool, sarpdet (“Simple ARP DEtection Tool”; I love acronyms :P), does.

import csv
import argparse
from scapy.all import ARP, Ether, sniff


def print_intro():
    print("========================================")
    print("=                                      =")
    print("=           sarpdet v.0.1.0            =")
    print("=      Simple ARP Detection Tool       =")
    print("=          by Roberto Dillon           =")
    print("=     https://github.com/rdillon73     =")
    print("=                                      =")
    print("========================================")


def detect_arp_spoofing(log_filename, sniff_duration=60):
    # MAC address -> first IP address seen claimed by that MAC
    detected_devices = {}

    def arp_monitor_callback(pkt):
        if ARP in pkt and Ether in pkt:
            source_mac = pkt[Ether].src   # sender MAC from the Ethernet header
            source_ip = pkt[ARP].psrc     # sender IP from the ARP payload

            if source_mac not in detected_devices:
                # first time this MAC is seen: remember which IP it claims
                detected_devices[source_mac] = source_ip
            elif detected_devices[source_mac] != source_ip:
                # a known MAC is now claiming a different IP
                print(f"Warning: ARP spoofing detected for MAC {source_mac} (IP {source_ip})")

    print("ARP Spoofing Detection Started...")

    # Start sniffing ARP packets in the network with a timeout
    sniff(prn=arp_monitor_callback, filter="arp", store=0, timeout=sniff_duration)

    # Write the results to a CSV log file
    with open(log_filename, mode='w', newline='') as log_file:
        fieldnames = ['MAC Address', 'IP Address']
        writer = csv.DictWriter(log_file, fieldnames=fieldnames)
        writer.writeheader()
        for mac, ip in detected_devices.items():
            writer.writerow({'MAC Address': mac, 'IP Address': ip})

    print(f"Detection completed. Results saved to '{log_filename}'.")


if __name__ == "__main__":
    print_intro()

    parser = argparse.ArgumentParser()
    parser.add_argument("log_filename", help="Name of the CSV log file to save results")
    parser.add_argument("--time", type=int, default=60,
                        help="Duration (in seconds) for ARP packet sniffing (default: 60 seconds)")
    args = parser.parse_args()

    detect_arp_spoofing(args.log_filename, args.time)

The tool uses the scapy library to sniff packets and extract the MAC and IP addresses. Install it if needed with:

pip install scapy

Then, for every ARP packet captured, it reads the source MAC from the Ethernet header and the sender IP from the ARP payload. A MAC not yet in the detected_devices dictionary is simply recorded together with its IP. If the MAC is already listed but now claims a different IP, something suspicious may be going on (for example, a device first seen with its own IP that is now answering for the gateway's IP), and a warning is printed. Note that the table is keyed by MAC, so a host whose IP legitimately changes (a new DHCP lease, or an interface with several addresses) will also trigger the warning, while a forged reply from a MAC that is only ever seen claiming the gateway's IP will not be flagged; the classic check in the other direction, the same IP being claimed by two different MACs, is worth adding if you build on this.
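As an added example, not part of the original post or of the SARPDET repository, the following stand-alone script shows the IP-keyed check alongside two further ones that a practitioner usually wants: the Ethernet source MAC must match the ARP sender hardware address, and an ARP reply should answer a request that was actually seen. It parses raw Ethernet/ARP frames with struct instead of scapy, so it runs offline and without root; the frames, MAC and IP addresses below are constructed for the demonstration and the function and class names (build_arp_frame, parse_arp_frame, ArpMonitor, run_demo) are this example's own.

```python
import struct

# Wire formats (big-endian): Ethernet II header and the IPv4-over-Ethernet ARP body.
ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, oper, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Build a raw Ethernet II + ARP frame (no FCS), as it would appear on the wire."""
    eth = ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, oper,
                   mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the fields a detector needs, or None if this is not an IPv4 ARP frame."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "oper": oper, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Stateful ARP spoofing detector keyed by IP address (the inverse of sarpdet's table)."""

    def __init__(self):
        self.ip_to_mac = {}    # IP -> MAC learned from the ARP sender fields
        self.pending = set()   # target IPs of requests that have not been answered yet

    def feed(self, frame):
        """Process one frame; return a list of alert strings (empty when nothing is wrong)."""
        p = parse_arp_frame(frame)
        if p is None:
            return []
        alerts = []
        # 1. The Ethernet source and the ARP sender hardware address should agree.
        if p["eth_src"] != p["sha"]:
            alerts.append(f"header mismatch: frame from {p['eth_src']} carries ARP sender {p['sha']}")
        # 2. A reply nobody asked for is the usual shape of a cache-poisoning attempt.
        if p["oper"] == ARP_REQUEST:
            self.pending.add(p["tpa"])
        elif p["oper"] == ARP_REPLY:
            if p["spa"] in self.pending:
                self.pending.discard(p["spa"])
            else:
                alerts.append(f"unsolicited reply: {p['spa']} is-at {p['sha']}")
        # 3. One IP claimed by two different MACs is the classic spoofing signature.
        #    ARP probes use 0.0.0.0 as sender IP and must not be learned as a binding.
        if p["spa"] != "0.0.0.0":
            known = self.ip_to_mac.setdefault(p["spa"], p["sha"])
            if known != p["sha"]:
                alerts.append(f"binding conflict: {p['spa']} was {known}, now claimed by {p['sha']}")
        return alerts


# Constructed traffic: a host resolves the gateway, the gateway answers, then an attacker
# tries to take over the gateway's IP. All addresses are invented for this example.
HOST, GATEWAY, ATTACKER = "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:66"
FRAMES = [
    build_arp_frame(HOST, ARP_REQUEST, HOST, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame(GATEWAY, ARP_REPLY, GATEWAY, "192.168.1.1", HOST, "192.168.1.10", eth_dst=HOST),
    # gratuitous reply from the attacker's own MAC claiming the gateway's IP
    build_arp_frame(ATTACKER, ARP_REPLY, ATTACKER, "192.168.1.1", BROADCAST, "192.168.1.1"),
    # same attacker, but the ARP body now forges the gateway's MAC while the frame leaves the attacker's NIC
    build_arp_frame(ATTACKER, ARP_REPLY, GATEWAY, "192.168.1.1", HOST, "192.168.1.10", eth_dst=HOST),
]


def run_demo(frames=FRAMES):
    """Feed the frames through one monitor and return the alerts raised for each frame."""
    mon = ArpMonitor()
    return [mon.feed(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        status = "ok" if not alerts else f"{len(alerts)} alert(s)"
        print(f"frame {i}: {status}")
        for a in alerts:
            print("  WARNING", a)
```

The first two frames produce no alerts, the third raises both an unsolicited-reply and a binding-conflict alert, and the fourth shows why both the Ethernet header and the ARP body are worth reading: the forged body keeps the IP-to-MAC binding consistent, so only the header mismatch and the unsolicited reply give it away. To run the same logic on live traffic, feed the monitor the raw bytes of each sniffed frame (for example bytes(pkt) from scapy's sniff callback).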

The tool logs all found devices, along with their MAC and corresponding IP addresses, in a CSV file for later reference. The name of the file is an input parameter, along with the time, in seconds, we want our tool to run (default value is 60). Input parameters are handled via the argparse library.

The tool can be launched with the following command:

python sarpdet.py log_filename.csv --time 120

Do note that sniffing raw packets requires root/administrator rights on the local machine, and that the network adapter needs to be in promiscuous mode to see frames not addressed to your host. Even then, on a switched network you will normally only see broadcast ARP requests plus the replies sent to your own machine, unless the switch mirrors traffic to your port.

The project can be found at https://github.com/rdillon73/SARPDET


Roberto Dillon

Author, (ISC)2 Member, IEEE Senior Member, TEDx Speaker, and award winning Professor focusing on cybersecurity and game design. I follow back #F4F:)