nyu-mlab / pcap-parser

MIT License

handle pcap from ARP spoofing #1

Open crazyideas21 opened 7 months ago

crazyideas21 commented 7 months ago

If you have captured packets with tcpdump while IoT Inspector is running, you'll see duplicate packets to and from the Inspector-running host. Here's an example of what you would expect:

Let's say you're running IoT Inspector on a host with the MAC address H. You're capturing packets between a device with MAC address D and the Internet. The gateway has a MAC address of G. On H, you're running tcpdump. You will NOT see packets between D and G. If there's a packet from D to G, you'll see two packets in the capture:

Currently, this parser cannot handle the situation above. Users of this parser would have to manually identify and de-duplicate these packets.

I think @Rameen-Mahmood is one of the primary users of this script. Just make sure to handle this issue.

crazyideas21 commented 3 months ago

ARP spoofing will result in duplicate packets. There is no workaround for IoT Inspector. The only fix is for pcap-parser to deduplicate these packets.
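One way a parser could de-duplicate the relayed copies that both comments describe, as an added example that is not part of pcap-parser or IoT Inspector. It assumes packets have already been decoded into (timestamp, src MAC, dst MAC, key) tuples, where `key` is whatever bytes the parser uses to recognise the same packet twice (the bytes above the IP header are a reasonable choice, since a forwarding host rewrites TTL and IP checksum); the MAC addresses and capture are constructed sample data.

```python
from collections import deque
from typing import Deque, Iterable, List, Tuple

# Constructed packet model: (timestamp, src_mac, dst_mac, key).
Packet = Tuple[float, str, str, bytes]

def dedup_relayed(packets: Iterable[Packet], inspector_mac: str,
                  window: float = 0.5) -> List[Packet]:
    """Drop the copy of each packet that the Inspector host H re-sent.

    In an ARP-spoofed capture taken on H, a packet D -> G shows up twice:
    first D -> H (D believes H is the gateway), then H -> G (H forwards it).
    The reverse direction G -> D behaves the same way. Keep the first copy,
    whose src MAC is the real originator, and drop the relayed copy, which
    is recognised by src MAC == H plus an identical key seen within `window`.
    Limitation: a packet H itself retransmits inside the window is also
    dropped, because it is indistinguishable from a relayed copy here.
    """
    kept: List[Packet] = []
    recent: Deque[Tuple[float, bytes]] = deque()  # (ts, key) of kept packets
    for ts, src, dst, key in packets:
        while recent and ts - recent[0][0] > window:
            recent.popleft()                       # forget old packets
        if src == inspector_mac and any(k == key for _, k in recent):
            continue                               # relayed duplicate: skip
        kept.append((ts, src, dst, key))
        recent.append((ts, key))
    return kept

# Constructed MAC addresses and capture; not real traffic.
H, D, G = "aa:aa:aa:aa:aa:aa", "dd:dd:dd:dd:dd:dd", "11:11:11:11:11:11"
SAMPLE: List[Packet] = [
    (0.000, D, H, b"dns-query-1"),  # D -> "gateway" (really H)
    (0.001, H, G, b"dns-query-1"),  # H forwards it to the real gateway
    (0.020, G, H, b"dns-reply-1"),  # reply from G arrives at H
    (0.021, H, D, b"dns-reply-1"),  # H forwards it on to D
    (0.900, H, G, b"dns-query-1"),  # H's own query, same bytes, outside window
]

def demo() -> List[Packet]:
    """Return the de-duplicated sample: 3 of the 5 packets survive."""
    return dedup_relayed(SAMPLE, H)

if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```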