secdev
scapy ARP issues
Brief description
when i execute an arp scan (code below) some machines answers are not collected
def arp_scan(
network: str
) -> list[IPmanager]:
arp = ARP(pdst=network)
ether = Ether(dst='ff:ff:ff:ff:ff:ff')
packet: Packet = ether/arp
ans, unans = srp(packet, timeout=3)
return [(packet[1].psrc, packet[1].hwsrc) for packet in ans]
but when i do the exact same request, one ip at a time, suddenly those machines appear:
def arp_scan_single_ip(
network: IPv4Network
) -> list[IPmanager]:
result = []
ether = Ether(dst='ff:ff:ff:ff:ff:ff')
for ip in network:
arp = ARP(pdst=str(ip))
packet: Packet = ether/arp
answered = srp1(
packet,
timeout=0.1,
verbose=verb_level
)
if answered:
result.append((answered.psrc, answered.hwsrc))
return result
as in all the documentation the netwrok address is passed along with the cidr notation, aka "192.168.97.0/24".
i did a fair check on my testing network but couldn't find anything that could cause this problem, i believe this to be a scapy bug.
Scapy version
2.5.0
Python version
3.10.12
Operating system
Ubuntu 22.04.2 LTS
Additional environment information
No response
How to reproduce
execute the two functions in the description and compare the results
Actual result
No response
Expected result
No response
Related resources
No response
Could you share a network trace (pcap file) of the two cases? You can filter it to ARP only if required.
in file1 u find the execution of the first fuc, file2 of the second.
i also tryed to raise the timeout without any success.
You should try and see if there are answers seen by wireshark but not by scapy. This doesn't appear to be the case in the pcaps you provided, so it seems like a congestion issue, or some sort of rate limiter.
i tought of something similar too but i don't seem to find anything of sort