Detect ARP scan using python

Question

I want to detect whether someone is performing ARP scan on network and display source IP. Unexpected no of ARP requests is sufficient to detect ARP scan. Here is my code--

import pyshark

cap = pyshark.FileCapture('arpscan.pcap',display_filter='arp.opcode==1 && arp.dst.hw_mac==00:00:00:00:00:00',only_summaries=True)
count=0
for pkt in cap:
    count=count+1

if count>10:
    print (" ")
    print ("Someone is scanning your network!\n\n")
    print ("For Attacker's Ip, visit 'Tell' section in summary below\n\n ")
    print("----Further details----")
    print "No of ARP Request Packet Received: ", count
    print("----Summary of ARP packet Received---")
    for pkt in cap:
        print (pkt)
else: 
    print ("No ARP scan identified!")

I want to extract source IP ie IP in the tell section of packet. I failed to do that. Can somebody tell me how to display source IP in my case?

Answer 1

I found a solution. This can be done using scapy instead of pyshark!

from scapy.all import *


packets = sniff(offline=filename,filter='arp')
source='' 
source_mac=''
count=0

for pkt in packets:
    if pkt[ARP].op==1:
        count=count+1
        if count==5:
            source = pkt.sprintf("%ARP.psrc%")
            source_mac = pkt.sprintf("%ARP.hwsrc%")


if count>10:
    print "\nSomeone is scanning your network!"
    print "Source (IP): ",source
    print "Mac Address of Attacker: ",source_mac

else:
    print ("No Scan Identified!")

Also, we can access is_at and Tell field using scapy as :

operation = packet.sprintf("%ARP.op%")
if operation=="is_at":
   #do stuff