scapy icon indicating copy to clipboard operation
scapy copied to clipboard

Published 20 hours ago verified publisher icon secdev

Intermittant "WARNING: Mac address to reach destination not found. Using broadcast." on windows 10.

Open 0xKate opened this issue 2 years ago • 3 comments

Brief description

When using Automaton.send() or even getmacbyip(), it intermittently fails to acquire the mac address for the default gateway despite it being visible in the windows ARP table using arp -a.

Scapy version

2.4.5rc1.dev162

Python version

3.9.0 (tags/v3.9.0:9cf6752, Oct 5 2020, 15:34:40) [MSC v.1927 64 bit (AMD64)]

Operating system

Windows 10

Additional environment information

10.0.0.10 -> SW -> 10.0.0.250 -> PublicIP -> 1.1.1.1

See a Gist here of what I am running and a good vs bad output. https://gist.github.com/0xKate/c5757a92f8a937142b78630621c8be7d

How to reproduce

On average 1/10 times getmacbyip() will return None. On average 1/10 times Automaton.send() will "WARNING: Mac address to reach destination not found"

route = conf.route.route("0.0.0.0")
gw_hwaddr = getmacbyip(route[2])
print(gw_hwaddr)

Actual result

Scapy Version: 2.4.5rc1.dev162 Python Version: 3.9.0 (tags/v3.9.0:9cf6752, Oct  5 2020, 15:34:40) [MSC v.1927 64 bit (AMD64)]
[18:40:33:951611] Local
 Iface: \Device\NPF_{_-5E428F13573A} 
 IP: 10.0.0.10 
 MAC: 4c:_:_:_:_:78

---------- Scapy conf.route ----------
Network          Netmask          Gateway     Iface                                     Output IP     Metric
0.0.0.0          0.0.0.0          10.0.0.250  Killer E2500 Gigabit Ethernet Controller  10.0.0.10     25    
10.0.0.0         255.255.255.0    0.0.0.0     Killer E2500 Gigabit Ethernet Controller  10.0.0.10     281   
10.0.0.10        255.255.255.255  0.0.0.0     Killer E2500 Gigabit Ethernet Controller  10.0.0.10     281   
10.0.0.255       255.255.255.255  0.0.0.0     Killer E2500 Gigabit Ethernet Controller  10.0.0.10     281   
224.0.0.0        240.0.0.0        0.0.0.0     Killer E2500 Gigabit Ethernet Controller  10.0.0.10     281   
255.255.255.255  255.255.255.255  0.0.0.0     Killer E2500 Gigabit Ethernet Controller  10.0.0.10     281   

---------- Windows arp -a   ----------
['10.0.0.250', '00:_:_:_:_:19', 'dynamic']
['10.0.0.255', 'ff:ff:ff:ff:ff:ff', 'static']


[18:44:20:458746] Getting Mac by ip...
[18:44:22:460377] Scapy getmacbyip: None 

[18:44:22:460377] Scapy's getmacbyip() Failed to get arp entry for 10.0.0.250.
10.0.0.250 exists inside windows arp table, hwaddr of: 00:_:_:_:_:19

[18:44:22:524113] BEGIN
WARNING: Mac address to reach destination not found. Using broadcast.
[18:44:24:533194] 10.0.0.10 > 1.1.1.1 icmp
[18:44:27:533442] TIMEOUT
[18:44:27:533442] RETRYING 10.0.0.10 > 1.1.1.1 icmp
[18:44:27:559796] ICMP 1.1.1.1 > 10.0.0.10 echo-reply 0
[18:44:28:561234] 10.0.0.10 > 1.1.1.1 icmp
[18:44:28:583723] ICMP 1.1.1.1 > 10.0.0.10 echo-reply 0
[18:44:29:586249] 10.0.0.10 > 1.1.1.1 icmp
[18:44:29:611411] ICMP 1.1.1.1 > 10.0.0.10 echo-reply 0
[18:44:30:613542] 10.0.0.10 > 1.1.1.1 icmp
[18:44:30:636495] ICMP 1.1.1.1 > 10.0.0.10 echo-reply 0
[18:44:30:636495] END

Process finished with exit code 0

Expected result

[18:46:04:866248] Getting Mac by ip...
[18:46:04:870180] Scapy getmacbyip: 00:_:_:_:_:19 

[18:46:04:870180] BEGIN
[18:46:04:873591] 10.0.0.10 > 1.1.1.1 icmp
[18:46:04:897557] ICMP 1.1.1.1 > 10.0.0.10 echo-reply 0
[18:46:05:899327] 10.0.0.10 > 1.1.1.1 icmp
[18:46:05:923340] ICMP 1.1.1.1 > 10.0.0.10 echo-reply 0
[18:46:06:925417] 10.0.0.10 > 1.1.1.1 icmp
[18:46:06:959108] ICMP 1.1.1.1 > 10.0.0.10 echo-reply 0
[18:46:07:961328] 10.0.0.10 > 1.1.1.1 icmp
[18:46:07:983304] ICMP 1.1.1.1 > 10.0.0.10 echo-reply 0
[18:46:07:983304] END

Process finished with exit code 0

Related resources

Screenshot 2021-12-03 185646

0xKate avatar Dec 04 '21 02:12 0xKate

It may be worth noting that Scapy is generating an unnecessary ARP request since the entry is already accessible in the windows ARP table.

The other thing I notice is getmacbyip() tends to timeout after 2 seconds despite the ARP request it generated being answered within 0.000177 seconds.

0xKate avatar Dec 04 '21 03:12 0xKate

For main issue: I had the same issue, when I'm connected over cable to my router using switch in the meantime, even as sudo on linux to my own router :) For additional thing about unnecessary ARP request - Scapy have it's own route tables etc, so that's the reason for that :) About timeout after 2s, even if answer is there - It's evidently a bug.

KhazAkar avatar Feb 19 '22 16:02 KhazAkar

Okay that makes sense. Thanks. I'm deploying to raspbery pi linux for now and its working great.

0xKate avatar Feb 23 '22 03:02 0xKate

i got no freaking idea what the heck you guys said the only thing i know is that i have the problem: "Mac address to reach destination not found. Using broadcast." and i have no freaking idea how to fix it

rickpotatoe avatar Sep 05 '22 13:09 rickpotatoe

Scapy mainly is developed targeting Linux it's awesome that it works on windows at all.

Even python asyicio runs different on windows then on Linux. It's just not the main platform scapy is developed for.

If I had to guess: It's probably some kind of race condition with one of the libraries exclusively on Windows because it only happens to me when arp requests are answered incredibly fast.

I closed the issue because most of the scapy docs suggested to use Linux if it's not working right on windows. I did that and have not had an issue and since.

0xKate avatar Sep 05 '22 19:09 0xKate