
I'm trying to create a Python script to detect ARP poisoning on WiFi networks. I'm using scapy and Wireshark to check scapy's output. I'm stuck trying to see all ARP traffic on the network; I can only see packets sent by me and broadcast ones. Is this correct or should I see all traffic? My intention is to see an ARP response saying IP 192.168.1.1 is at attackers_Mac and, based on this, alert about an attack.

Thank you.

ebdecastro

1 Answer


Yes, you are correct.

You will only be able to see ARP traffic sent to you or broadcast to FF:FF:FF:FF:FF:FF.

If you want to see ARP traffic over the whole network then this depends on the network architecture. Wireshark shows some ideas on how this could be achieved such as MiTM or using a hub.

If capturing WiFi traffic, your wireless adapter could be put into monitor mode where it would then capture all wireless traffic nearby.

Joe
  • Thank you for your answer. But when talking about a WiFi network, every packet is sent through the air, so anyone should be able to capture it. Am I wrong? – ebdecastro Jan 13 '18 at 12:12
  • Yep that's right. Use monitor mode and then you can capture all wireless traffic. – Joe Jan 13 '18 at 12:13
  • That's the point: if using monitor mode, I can only capture 802.11 packets. Is there any way to decrypt the traffic and analyze ARP packets, or just (using monitor mode on WiFi) capture ARP traffic? – ebdecastro Jan 13 '18 at 12:15
  • If you use monitor mode you will need to know the WiFi passphrase to decrypt the traffic. Wireshark has a feature built in to do this. – Joe Jan 13 '18 at 12:45
  • Do you know any python library or bash script to decrypt it? Thank you. – ebdecastro Jan 13 '18 at 13:09
  • I haven't used anything personally, but I've just had a look around and found this [Python wrapper for tshark](https://github.com/KimiNewt/pyshark) which could be of use to decrypt 802.11 traffic. – Joe Jan 13 '18 at 13:20
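As an added example (not code from the question or the answer above), here is the kind of detector the question describes: it keeps an IP-to-MAC table, compares every ARP sender binding it sees against that table, and flags a reply that claims a trusted IP such as 192.168.1.1 for a different MAC. The scapy hookup in `run_sniffer` assumes scapy is installed and that the script runs with capture privileges; the detector logic itself needs no scapy, so it can be exercised with constructed packets offline.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2                  # ARP opcodes: "who-has" and "is-at"
OPNAME = {ARP_REQUEST: "who-has", ARP_REPLY: "is-at"}


@dataclass
class ArpWatch:
    """Tracks IP -> MAC bindings announced on the segment and flags conflicts."""
    trusted: Dict[str, str]                                 # bindings you configured, e.g. the gateway
    seen: Dict[str, str] = field(default_factory=dict)      # bindings learned from traffic
    alerts: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.trusted = {ip: mac.lower() for ip, mac in self.trusted.items()}

    def observe(self, op: int, sender_ip: str, sender_mac: str) -> Optional[str]:
        """Feed the sender fields of one ARP packet; return an alert string or None.
        Requests and replies both carry a sender binding that hosts cache, so both are checked."""
        mac = sender_mac.lower()
        if sender_ip == "0.0.0.0" or op not in OPNAME:
            return None                                     # ARP probe (RFC 5227) or unknown opcode
        expected = self.trusted.get(sender_ip) or self.seen.get(sender_ip)
        if expected is None:
            self.seen[sender_ip] = mac                       # first binding seen for this IP
            return None
        if expected == mac:
            return None
        kind = "trusted binding violated" if sender_ip in self.trusted else "binding changed"
        alert = f"ARP {OPNAME[op]}: {kind} for {sender_ip}: expected {expected}, got {mac}"
        self.alerts.append(alert)
        return alert


def run_sniffer(watch: ArpWatch, iface: Optional[str] = None) -> None:
    """Wire the detector to scapy (assumes scapy is installed and capture rights are available)."""
    from scapy.all import ARP, sniff                        # lazy import: the detector itself is scapy-free

    def handle(pkt) -> None:
        if pkt.haslayer(ARP):
            alert = watch.observe(pkt[ARP].op, pkt[ARP].psrc, pkt[ARP].hwsrc)
            if alert:
                print(alert)

    sniff(iface=iface, filter="arp", prn=handle, store=False)


if __name__ == "__main__":
    # Constructed sample: a genuine gateway reply, then a second reply claiming the same IP.
    w = ArpWatch(trusted={"192.168.1.1": "aa:bb:cc:dd:ee:01"})
    print(w.observe(ARP_REPLY, "192.168.1.1", "aa:bb:cc:dd:ee:01"))   # -> None
    print(w.observe(ARP_REPLY, "192.168.1.1", "de:ad:be:ef:00:01"))   # -> alert string
```

As the answer notes, in managed mode the sniffer only receives ARP addressed to this host or broadcast, so a unicast reply sent to another victim will not be seen; gratuitous replies, which are usually broadcast, still are.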