LMTV Sharkfest | Fundamentals of TCP/IP Networking (by DC Palter)
LMTV Interview | Drew Conry-Murray of Interop New York

Analyzing ARP Traffic with the Raspberry Pi (by Mike Pennachi)

Rasberry Pi meets T-Shark to view Address Resolution Protocol

In your network today!

Improperly configured devices can create all kinds of intermittent problems.  As part of maintaining a healthy network, it is important to identify these devices as quickly as possible and correct the configuration problems.  In this article, I will address how to identify some of these devices and the code that can be used to automate the process.

Before a device on the network can send an IP addressed packet to another device within the same broadcast domain, it must resolve the IP address to a MAC address.  This is accomplished using the Address Resolution Protocol (ARP).  The sender will transmit an ARP broadcast and the target will respond to that broadcast with its MAC address.

PI TShark ARP
If we see one device continually ARPing for another and never receiving a response, this would indicate the sending device is trying to reach a device that is no longer on the network.  With this information, we can review the configuration on the sending device and determine why it thinks it should be sending packets to the device that no longer exists.

In the past I have capture the ARP packets with Wireshark and exported them to Excel.  From there, I have run a variety of functions to summarize and count the number of ARP requests.  While this worked, it was not the best way to approach this task.

Recently, I decided it was time to move away from my tried and true Visual Basic programming to something that is portable across platforms and provides a way to automate some of these tasks related to packet capture and analysis.  My choice was Python.  Why? Because one of my trusted analysis buddies told me I should. Enjoy your ARP adventure -

This sent me on the path of finding those tools that work well with Python for packet analysis.  One of those tools is Scapy.  Scapy allows you to perform analysis on PCAP files and process the results.  As a simple starting program, I decided that I would attack this ARP monitoring problem and see if I could write some code that would capture, analyze, and report information I needed.

Let’s go through the steps required to get this up and running.  For this project, we are going to do everything through the command-line.

Step 1 – Install tshark

We are going to use tshark to do the packet capture port of this analysis.  Actually, we are going to use dumpcap that is installed as part of tshark to do the capture.  Why dumpcap?  It turns out that even if you specify the libpcap format when using tshark, it uses the pcapng format when saving the packets.  This resulted in me tearing out more of those few hairs on the top of my head.

Here is the command-line to install tshark:

sudo apt-get install tshark

Step 2 – Install Scapy

Scapy is going to allow us to read the trace file and extract packets from the file for anlaysis.  This module contains a number of functions for packet analysis.  We will only be using one for this project.

Here is the command-line to install Scapy

sudo apt-get install scapy

Step 3 – Write the code

Lucky for us, the Raspberry Pi comes with Python, so we are ready to go, once we write the code. 

Let’s create a directory to save the output files.  We are going to call it tracefiles.

cd /
sudo mkdir tracefiles

Next, we will change to the /usr/bin directory and create the python file

cd /usr/bin
sudo nano arpmonitor.sh

Now we will type or copy the following code into this file

#! /usr/bin/env python

from scapy.all import *

import csv

import subprocess

class Displayer:

     def readpcap(self, pcap):

        pktlist = rdpcap(pcap)

        #use dictionary to count the number of ARPs

        dic = {}

        for x in pktlist:

            #check for ARP

            if ARP in x and x[ARP].op in (1,2):

                    pkt = x[ARP]

                    pair = (pkt.psrc, pkt.pdst)

                    try:

                        dic[pair] += 1

                        #try if this pair has occured in dictionary

                    except KeyError:

                        #create new one

                        dic[pair] = 1

         #write csv:

        with open('arps.csv', 'wb') as csvfile:

            writer = csv.writer(csvfile, delimiter=',',quoting=csv.QUOTE_NONNUME                                                                                                                                                             RIC)

            writer.writerow(['source', 'target', 'value'])

            #output the dictionary

            for pair in dic:

                if dic[pair] > 1:

                        writer.writerow([pair[0], pair[1], dic[pair]])

 if __name__ == '__main__':

    dumpCall = ['/usr/bin/dumpcap', '-a', 'duration:30', '-i', 'eth0', '-w', '/tracefiles/arps.pcap']

    dumpProc = subprocess.call(dumpCall, stdout=subprocess.PIPE, stderr=None)

    Displayer().readpcap('/tracefiles/arps.pcap')

 Press ctrl-x to exit and save the file

 We need to change the attributes of the file so that we can run it

sudo chmod 777 arpmonitor.sh

 Step 4 – Run the program

 Now it is time to run the ARP monitor. 

 sudo arpmonitor.sh

This will capture packets for 30 seconds, as specified in the dumpCall line of the code.  This value can be increased, if desired.  30 seconds is a good start, so you can see the results quickly.  After capturing for 30 seconds, it will analyze the captured packets and produce a .csv file called arps.csv.  This will contain all of the ARP senders, ARP targets, and the number of ARPs sent.  Here is an example:

 "source","target","value"

"10.0.0.108","10.0.0.36",3

"10.0.0.134","10.0.0.200",20

"10.0.0.141","10.0.0.51",4

"10.0.0.72","10.0.0.200",2

"10.0.0.131","10.0.0.201",20

 We can then begin investigating those pairs that have the most ARPs.

 Conclusion:

It is not enough just to capture the packets, we must analyze this traffic to isolate the problem domains and troubleshoot the issues.  The use of programing languages, such as Python, will allow you to automate these tasks and more quickly locate the source of the problems.

Mike-Headshot-20percentMike Pennacchi is owner of Network Protocol Specialists, a network analysis and training company based in Seattle, Washington. His company specializes in analyzing network performance problems for companies throughout the United States. He has taught at Interop since 1997 and has received the event's Instructor Award as highest ranking instructor several of those years. Mike brings his experience as a network analyst into the classroom and assists students in understanding how to fix problems in their own networks.

Oldcommguy comment - Mike is a very long time friend and in my opinion one of the top 10 professional network Guru's and trainers.

Join him in some training at Interop New York, September 29 through October 3, 2014!

 

Comments