How to get source ip of a captured packet faster?

[n00b110]

require 'packetgen'

iface = 'wlp2s0'
pkt = PacketGen.gen("Eth").add("ARP")
pkt.to_w('wlp2s0')

puts 'I sent the packet'

pcap = PacketGen.capture(iface: iface, filter: 'arp', max: 1) do |packet|
    dst = packet.eth.dst 
    puts dst
    end

@sdaubert I'm trying to work on a program that gets the source mac address of a captured packet, this isn't the program; its just a test script. It sends an arp request and gets the source address of the arp reply. The problem is it takes a LONG time for the program to get the source address. Why does the program take such a long time, and is there a better way to do this? Regardless, this is an amazing library! Thanks!

[sdaubert]

@n00b110 There are several issues with your code:

• Eth nor ARP headers are set. So no one responds to your packet. The one you received a long time after you sent your request is a response to a legitimate request on your network.
• response can arrive before capture is ready: libpcap is not so quick, and ruby layers also add latency.

ARP request is broadcasted, so you have to set your Eth destination address to ff:ff:ff:ff:ff:ff. Furthermore, your ARP request should be set accordingly to ensure receiving a response:

require 'packetgen'
require 'packetgen/utils'
require 'packetgen/config'

iface = 'eth0'
config = PacketGen::Config.instance
my_mac = config.hwaddr(iface)
# Filter to only ARP response, as capture is started before sending request
filter = "ether dst #{my_mac} and ether proto 0x806"

cap_thread = Thread.new do
  PacketGen.capture(iface: iface, filter: filter, max: 1) do |packet|
    puts packet.eth.src
  end
end

pkt = PacketGen.gen('Eth', dst: 'ff:ff:ff:ff:ff:ff', src: my_mac).
                add('ARP', sha: my_mac, spa: config.ipaddr(iface), tpa: '192.168.0.254')
pkt.to_w(iface)

cap_thread.join

[n00b110]

@sdaubert Thanks a lot, this solved my problem!