Add support for ARP packets

This commit is contained in:
maride 2019-11-27 20:24:12 +01:00
parent 6c03ab714b
commit 469a05aa61
5 changed files with 181 additions and 8 deletions

126
src/ethernet/arp/arp.go Normal file
View File

@ -0,0 +1,126 @@
package arp
import (
"fmt"
"github.com/fatih/color"
"github.com/google/gopacket"
"github.com/google/gopacket/layers"
"log"
"net"
)
var (
arpStatsList []arpStats
devices []arpDevice
)
// Called on every ARP packet
func ProcessARPPacket(packet gopacket.Packet) error {
var arppacket layers.ARP
// Decode raw packet into ARP
decodeErr := arppacket.DecodeFromBytes(packet.Layer(layers.LayerTypeARP).LayerContents(), gopacket.NilDecodeFeedback)
if decodeErr != nil {
// Encountered an error during decoding, most likely a broken packet
return decodeErr
}
// Convert MAC address byte array to string
sourceAddr := net.HardwareAddr(arppacket.SourceHwAddress).String()
participant := getStatOrCreate(sourceAddr)
// Raise stats
if arppacket.Operation == layers.ARPRequest {
// Request packet
participant.asked++
appendIfUnique(net.IP(arppacket.DstProtAddress).String(), participant.askedList)
} else {
// Response packet
participant.answered++
appendIfUnique(net.IP(arppacket.SourceProtAddress).String(), participant.answeredList)
// Add device entry
addDeviceEntry(sourceAddr, net.IP(arppacket.SourceProtAddress).String())
}
return nil
}
// Print a summary after all packets are processed
func PrintARPSummary() {
headline := color.New(color.FgRed, color.Bold)
headline.Println("ARP traffic summary")
printTrafficStats()
headline.Println("ARP LAN overview")
printLANOverview()
}
// Constructs an answer regarding the ARP traffic
func printTrafficStats() {
var tmparr []string
// Iterate over all participants
for _, p := range arpStatsList {
tmparr = append(tmparr, fmt.Sprintf("%s asked for %d addresses and answered %d requests", p.macaddr, p.asked, p.answered))
}
// And print it as a tree
printTree(tmparr)
}
// Prints an overview over all connected devices in the LAN
func printLANOverview() {
var tmparr []string
// iterate over all devices
for _, d := range devices {
tmparr = append(tmparr, fmt.Sprintf("%s got address %s", d.macaddr, d.ipaddr))
}
// And print it as a tree
printTree(tmparr)
}
// Returns the arpStats object for the given MAC address, or creates a new one
func getStatOrCreate(macaddr string) *arpStats {
// Try to find the given macaddr
for i := 0; i < len(arpStatsList); i++ {
if arpStatsList[i].macaddr == macaddr {
// Found, return it
return &arpStatsList[i]
}
}
// None found yet, we need to create a new one
arpStatsList = append(arpStatsList, arpStats{
macaddr: macaddr,
})
// And return it
return &arpStatsList[len(arpStatsList)-1]
}
// Adds a new entry to the devices array, checking if there may be a collision (=ARP Spoofing)
func addDeviceEntry(macaddr string, ipaddr string) {
for i := 0; i < len(devices); i++ {
// check if we found a collision (possible ARP spoofing)
if (devices[i].macaddr == macaddr) != (devices[i].ipaddr == ipaddr) {
// this operation is practically XOR (which golang doesn't provide e.g. with ^)
log.Printf("Found possible ARP spoofing! Old: (MAC=%s, IP=%s), New: (MAC=%s, IP=%s). Overriding...", devices[i].macaddr, devices[i].ipaddr, macaddr, ipaddr)
devices[i].macaddr = macaddr
devices[i].ipaddr = ipaddr
return
}
if devices[i].macaddr == macaddr && devices[i].ipaddr == ipaddr {
// Found collision, but no ARP spoofing (both values are identical)
return
}
}
// No device found, add a new entry
devices = append(devices, arpDevice{
macaddr: macaddr,
ipaddr: ipaddr,
})
}

View File

@ -0,0 +1,6 @@
package arp
type arpDevice struct {
macaddr string
ipaddr string
}

View File

@ -0,0 +1,9 @@
package arp
type arpStats struct {
macaddr string
asked int
answered int
askedList []string
answeredList []string
}

View File

@ -0,0 +1,30 @@
package arp
import "fmt"
// Appends the appendee to the array if it does not contain appendee yet
func appendIfUnique(appendee string, array []string) []string {
// Iterate over all elements and check values
for _, elem := range array {
if elem == appendee {
// ... found. Stop here
return array
}
}
// None found, append
return append(array, appendee)
}
// Prints each element, along with a small ASCII tree
func printTree(strarr []string) {
// iterate over each element
for iter, elem := range strarr {
// check if we got the last element
if iter < len(strarr) - 1 {
fmt.Printf("|- %s\n", elem)
} else {
fmt.Printf("'- %s\n\n", elem)
}
}
}

View File

@ -4,6 +4,7 @@ import (
"github.com/google/gopacket" "github.com/google/gopacket"
"github.com/google/gopacket/layers" "github.com/google/gopacket/layers"
"log" "log"
"./arp"
"./dns" "./dns"
) )
@ -20,14 +21,14 @@ func Analyze(source *gopacket.PacketSource) error {
continue continue
} }
// Check if we can do some Application Layer statistics with this packet if packet.Layer(layers.LayerTypeDNS) != nil {
if packet.ApplicationLayer() != nil {
// We can, switch over the type
switch packet.ApplicationLayer().LayerType() {
case layers.LayerTypeDNS:
// Handle DNS packet // Handle DNS packet
dns.ProcessDNSPacket(packet) dns.ProcessDNSPacket(packet)
} }
if packet.Layer(layers.LayerTypeARP) != nil {
// Handle ARP packet
arp.ProcessARPPacket(packet)
} }
} }
@ -39,5 +40,6 @@ func Analyze(source *gopacket.PacketSource) error {
// Prints all the summaries. // Prints all the summaries.
func printSummary() { func printSummary() {
arp.PrintARPSummary()
dns.PrintDNSSummary() dns.PrintDNSSummary()
} }