2019-11-27 19:24:12 +00:00
|
|
|
package arp
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2019-11-29 13:32:07 +00:00
|
|
|
"git.darknebu.la/maride/pancap/common"
|
2019-12-03 22:51:03 +00:00
|
|
|
"git.darknebu.la/maride/pancap/output"
|
2019-11-27 19:24:12 +00:00
|
|
|
"github.com/google/gopacket"
|
|
|
|
|
"github.com/google/gopacket/layers"
|
|
|
|
|
"log"
|
|
|
|
|
"net"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
arpStatsList []arpStats
|
|
|
|
|
devices []arpDevice
|
2019-12-14 10:31:52 +00:00
|
|
|
linkLocalBlock = net.IPNet{
|
|
|
|
|
IP: net.IPv4(169, 254, 0, 0),
|
|
|
|
|
Mask: net.IPv4Mask(255, 255, 0, 0),
|
|
|
|
|
}
|
2019-11-27 19:24:12 +00:00
|
|
|
)
|
|
|
|
|
|
2019-12-09 11:14:01 +00:00
|
|
|
type Protocol struct {}
|
|
|
|
|
|
|
|
|
|
// Checks if the given packet is an ARP packet we can process
|
|
|
|
|
func (p *Protocol) CanAnalyze(packet gopacket.Packet) bool {
|
|
|
|
|
return packet.Layer(layers.LayerTypeARP) != nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Analyzes the given ARP packet
|
|
|
|
|
func (p *Protocol) Analyze(packet gopacket.Packet) error {
|
2019-11-27 19:24:12 +00:00
|
|
|
var arppacket layers.ARP
|
|
|
|
|
|
|
|
|
|
// Decode raw packet into ARP
|
|
|
|
|
decodeErr := arppacket.DecodeFromBytes(packet.Layer(layers.LayerTypeARP).LayerContents(), gopacket.NilDecodeFeedback)
|
|
|
|
|
if decodeErr != nil {
|
|
|
|
|
// Encountered an error during decoding, most likely a broken packet
|
|
|
|
|
return decodeErr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Convert MAC address byte array to string
|
|
|
|
|
sourceAddr := net.HardwareAddr(arppacket.SourceHwAddress).String()
|
2019-12-09 11:14:01 +00:00
|
|
|
participant := p.getStatOrCreate(sourceAddr)
|
2019-11-27 19:24:12 +00:00
|
|
|
|
|
|
|
|
// Raise stats
|
|
|
|
|
if arppacket.Operation == layers.ARPRequest {
|
|
|
|
|
// Request packet
|
|
|
|
|
participant.asked++
|
2019-11-29 13:32:07 +00:00
|
|
|
participant.askedList = common.AppendIfUnique(net.IP(arppacket.DstProtAddress).String(), participant.askedList)
|
2019-11-28 12:51:00 +00:00
|
|
|
|
|
|
|
|
// Add device entry
|
2019-12-09 11:14:01 +00:00
|
|
|
p.addDeviceEntry(sourceAddr, net.IP(arppacket.SourceProtAddress).String())
|
2019-11-27 19:24:12 +00:00
|
|
|
} else {
|
|
|
|
|
// Response packet
|
|
|
|
|
participant.answered++
|
2019-11-29 13:32:07 +00:00
|
|
|
participant.answeredList = common.AppendIfUnique(net.IP(arppacket.SourceProtAddress).String(), participant.answeredList)
|
2019-11-27 19:24:12 +00:00
|
|
|
|
|
|
|
|
// Add device entry
|
2019-12-09 11:14:01 +00:00
|
|
|
p.addDeviceEntry(sourceAddr, net.IP(arppacket.SourceProtAddress).String())
|
2019-11-27 19:24:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Print a summary after all packets are processed
|
2019-12-09 11:14:01 +00:00
|
|
|
func (p *Protocol) PrintSummary() {
|
|
|
|
|
output.PrintBlock("ARP traffic summary", p.generateTrafficStats())
|
|
|
|
|
output.PrintBlock("ARP LAN overview", p.generateLANOverview())
|
2019-11-27 19:24:12 +00:00
|
|
|
}
|
|
|
|
|
|
2019-12-03 22:51:03 +00:00
|
|
|
// Generates an answer regarding the ARP traffic
|
2019-12-09 11:14:01 +00:00
|
|
|
func (p *Protocol) generateTrafficStats() string {
|
2019-11-27 19:24:12 +00:00
|
|
|
var tmparr []string
|
|
|
|
|
|
|
|
|
|
// Iterate over all participants
|
|
|
|
|
for _, p := range arpStatsList {
|
2019-12-03 15:44:17 +00:00
|
|
|
// produce a meaningful output
|
|
|
|
|
if p.asked > 0 {
|
|
|
|
|
// device asked at least for one IP
|
|
|
|
|
if p.answered > 0 {
|
|
|
|
|
// and also answered requests
|
|
|
|
|
tmparr = append(tmparr, fmt.Sprintf("%s asked for %d addresses and answered %d requests", p.macaddr, p.asked, p.answered))
|
|
|
|
|
} else {
|
|
|
|
|
// only asked, never answered
|
|
|
|
|
tmparr = append(tmparr, fmt.Sprintf("%s asked for %d addresses", p.macaddr, p.asked))
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// Answered, but never asked for any addresses
|
|
|
|
|
tmparr = append(tmparr, fmt.Sprintf("%s answered %d requests", p.macaddr, p.answered))
|
|
|
|
|
}
|
2019-11-27 19:24:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// And print it as a tree
|
2019-12-03 22:51:03 +00:00
|
|
|
return common.GenerateTree(tmparr)
|
2019-11-27 19:24:12 +00:00
|
|
|
}
|
|
|
|
|
|
2019-12-03 22:51:03 +00:00
|
|
|
// Generates an overview over all connected devices in the LAN
|
2019-12-09 11:14:01 +00:00
|
|
|
func (p *Protocol) generateLANOverview() string {
|
2019-11-27 19:24:12 +00:00
|
|
|
var tmparr []string
|
|
|
|
|
|
|
|
|
|
// iterate over all devices
|
|
|
|
|
for _, d := range devices {
|
|
|
|
|
tmparr = append(tmparr, fmt.Sprintf("%s got address %s", d.macaddr, d.ipaddr))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// And print it as a tree
|
2019-12-03 22:51:03 +00:00
|
|
|
return common.GenerateTree(tmparr)
|
2019-11-27 19:24:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Returns the arpStats object for the given MAC address, or creates a new one
|
2019-12-09 11:14:01 +00:00
|
|
|
func (p *Protocol) getStatOrCreate(macaddr string) *arpStats {
|
2019-11-27 19:24:12 +00:00
|
|
|
// Try to find the given macaddr
|
|
|
|
|
for i := 0; i < len(arpStatsList); i++ {
|
|
|
|
|
if arpStatsList[i].macaddr == macaddr {
|
|
|
|
|
// Found, return it
|
|
|
|
|
return &arpStatsList[i]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// None found yet, we need to create a new one
|
|
|
|
|
arpStatsList = append(arpStatsList, arpStats{
|
|
|
|
|
macaddr: macaddr,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// And return it
|
|
|
|
|
return &arpStatsList[len(arpStatsList)-1]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Adds a new entry to the devices array, checking if there may be a collision (=ARP Spoofing)
|
2019-12-09 11:14:01 +00:00
|
|
|
func (p *Protocol) addDeviceEntry(macaddr string, ipaddr string) {
|
2019-11-28 17:22:19 +00:00
|
|
|
if ipaddr == "0.0.0.0" {
|
|
|
|
|
// Possible ARP request if sender doesn't have an IP address yet. Ignore.
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-27 19:24:12 +00:00
|
|
|
for i := 0; i < len(devices); i++ {
|
|
|
|
|
// check if we found a collision (possible ARP spoofing)
|
|
|
|
|
if (devices[i].macaddr == macaddr) != (devices[i].ipaddr == ipaddr) {
|
|
|
|
|
// this operation is practically XOR (which golang doesn't provide e.g. with ^)
|
2019-12-14 10:31:52 +00:00
|
|
|
|
|
|
|
|
// Check if one address is in the link-local block (169.254.0.0/16), ignore "ARP spoofing" then
|
|
|
|
|
if !linkLocalBlock.Contains(net.ParseIP(devices[i].ipaddr)) && !linkLocalBlock.Contains(net.ParseIP(ipaddr)) {
|
|
|
|
|
// The old and the new IP are both outside of the link-local range - we can warn about ARP spoofing
|
|
|
|
|
log.Printf("Found possible ARP spoofing! Old: (MAC=%s, IP=%s), New: (MAC=%s, IP=%s). Overriding...", devices[i].macaddr, devices[i].ipaddr, macaddr, ipaddr)
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-27 19:24:12 +00:00
|
|
|
devices[i].macaddr = macaddr
|
|
|
|
|
devices[i].ipaddr = ipaddr
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if devices[i].macaddr == macaddr && devices[i].ipaddr == ipaddr {
|
|
|
|
|
// Found collision, but no ARP spoofing (both values are identical)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// No device found, add a new entry
|
|
|
|
|
devices = append(devices, arpDevice{
|
|
|
|
|
macaddr: macaddr,
|
|
|
|
|
ipaddr: ipaddr,
|
|
|
|
|
})
|
|
|
|
|
}
|
