I have captured some traffic and stored on a .pcap file. In there, an ARP poisoning attack occured.
Is there a way of detecting the attacker's IP and MAC adress and victim's IP and MAC adress using scapy in a python script?
I believe a script like this one would do the job
#! /usr/bin/python
from scapy.all import *
pkts = rdpcap('capture2.pcap')
#these are from wireshark
for p in pkts:
if p.haslayer(ARP):
#find a packet where p.dst and p.pdst isn't a valid pair
if p.dst != 'ff:ff:ff:ff:ff:ff':
if not(( ipadr[0]==p.pdst and macadr[0]==p.dst ) or ( ipadr[1]==p.pdst and macadr[1]==p.dst) or ( ipadr[2]==p.pdst and macadr[2]==p.dst ) or ( ipadr[3]==p.pdst and macadr[3]==p.dst )) :
print 'packet data ' +p.psrc +" "+p.src+" " + p.pdst + " " + p.dst +" "+str(c)
print 'packet number = ' + str(c)
print 'MAC of attacker = ' + p.dst
print 'IP of attacker = ' + ipadr[macadr.index(p.dst)]
print 'MAC of target = ' + p.src
print 'IP of target = ' + p.psrc