scapy ARP issues #4219

Open
giovanni-bellini-argo opened this issue Jan 17, 2024 · 4 comments
@giovanni-bellini-argo

Brief description

When I execute an ARP scan (code below), some machines' answers are not collected:

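from scapy.all import ARP, Ether, Packet, srp

def arp_scan(
        network: str
) -> list[IPmanager]:  # IPmanager is the reporter's own type, not shown in the issue
    # One broadcast ARP request per address in the CIDR range
    arp = ARP(pdst=network)
    ether = Ether(dst='ff:ff:ff:ff:ff:ff')
    packet: Packet = ether/arp

    # srp() sends at layer 2 and returns (answered, unanswered)
    ans, unans = srp(packet, timeout=3)

    # Each entry in ans is a (sent, received) pair; [1] is the reply
    return [(packet[1].psrc, packet[1].hwsrc) for packet in ans]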

But when I do the exact same request, one IP at a time, suddenly those machines appear:

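from ipaddress import IPv4Network
from scapy.all import ARP, Ether, Packet, srp1

def arp_scan_single_ip(
    network: IPv4Network
) -> list[IPmanager]:  # IPmanager is the reporter's own type, not shown in the issue
    result = []
    ether = Ether(dst='ff:ff:ff:ff:ff:ff')

    # One request at a time, each waiting up to 0.1 s for its reply
    for ip in network:
        arp = ARP(pdst=str(ip))
        packet: Packet = ether/arp

        # srp1() returns only the first reply, or None on timeout
        answered = srp1(
            packet,
            timeout=0.1,
            verbose=verb_level  # defined elsewhere in the reporter's code
        )

        if answered:
            result.append((answered.psrc, answered.hwsrc))
    return result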

As in all the documentation, the network address is passed along with the CIDR notation, aka "192.168.97.0/24".

I did a fair check on my testing network but couldn't find anything that could cause this problem; I believe this to be a Scapy bug.

Scapy version

2.5.0

Python version

3.10.12

Operating system

Ubuntu 22.04.2 LTS

Additional environment information

No response

How to reproduce

Execute the two functions in the description and compare the results.

Actual result

No response

Expected result

No response

Related resources

No response

@gpotter2
Member

Could you share a network trace (pcap file) of the two cases? You can filter it to ARP only if required.

@giovanni-bellini-argo
Author

pcapfilezip.zip

In file1 you find the execution of the first function, in file2 that of the second.

I also tried to raise the timeout, without any success.

@gpotter2
Member

You should try and see if there are answers seen by Wireshark but not by Scapy. This doesn't appear to be the case in the pcaps you provided, so it seems like a congestion issue, or some sort of rate limiter.
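One way to run the check suggested above without opening Wireshark, as an added example that is not part of the thread or of Scapy itself: it lists the ARP replies present in a capture and subtracts the `(ip, mac)` pairs the scan function returned. It assumes a classic pcap file (not pcapng) with untagged Ethernet frames; the function names and the sample capture are constructed for illustration.

```python
import struct

def arp_replies_in_pcap(pcap: bytes) -> dict[str, str]:
    """Map sender IP -> sender MAC for every ARP reply in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    replies, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14-byte Ethernet header + 28-byte ARP body; untagged frames only
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            continue
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 2):
            continue  # keep only Ethernet/IPv4 "is-at" replies
        replies[".".join(map(str, frame[28:32]))] = frame[22:28].hex(":")
    return replies

def missed_by_scapy(pcap, scapy_results):
    """Replies present in the capture but absent from Scapy's (ip, mac) list."""
    seen = {ip for ip, _mac in scapy_results}
    return {ip: mac for ip, mac in arp_replies_in_pcap(pcap).items() if ip not in seen}

def _record(op, mac_hex, ip_last_octet):
    """Build one constructed ARP frame wrapped in a pcap record header."""
    mac = bytes.fromhex(mac_hex)
    frame = (b"\xff" * 6 + mac + b"\x08\x06"
             + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
             + mac + bytes([192, 168, 97, ip_last_octet])
             + bytes(6) + bytes([192, 168, 97, 1]))
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample capture: one who-has from the scanner, two is-at replies.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(1, "020000000001", 1)
               + _record(2, "02000000000a", 10)
               + _record(2, "020000000014", 20))

if __name__ == "__main__":
    # Pretend Scapy's srp() only reported .10; .20 answered on the wire.
    print(missed_by_scapy(SAMPLE_PCAP, [("192.168.97.10", "02:00:00:00:00:0a")]))
```

An empty result means every reply in the capture was also collected by Scapy, so the missing hosts never answered on the wire and the cause lies on the network side rather than in the receive path.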

@giovanni-bellini-argo
Author

I thought of something similar too, but I don't seem to find anything of the sort.
