secdev / scapy

Scapy: the Python-based interactive packet manipulation program & library.
https://scapy.net
GNU General Public License v2.0

scapy ARP issues #4219

Open giovanni-bellini-argo opened 8 months ago

giovanni-bellini-argo commented 8 months ago

Brief description

When I execute an ARP scan (code below), some machines' answers are not collected:

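from scapy.all import ARP, Ether, Packet, srp

def arp_scan(
        network: str
) -> list[tuple[str, str]]:
    # pdst in CIDR notation expands to one ARP request per address in the range
    arp = ARP(pdst=network)
    ether = Ether(dst='ff:ff:ff:ff:ff:ff')
    packet: Packet = ether/arp

    ans, unans = srp(packet, timeout=3)

    # Each entry in ans is a (sent, received) pair; index 1 is the reply
    return [(pair[1].psrc, pair[1].hwsrc) for pair in ans]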

But when I do the exact same request, one IP at a time, suddenly those machines appear:

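from ipaddress import IPv4Network

from scapy.all import ARP, Ether, Packet, srp1

verb_level = 0  # assumed value; verb_level is not defined in the posted snippet

def arp_scan_single_ip(
    network: IPv4Network
) -> list[tuple[str, str]]:
    result = []
    ether = Ether(dst='ff:ff:ff:ff:ff:ff')

    # Send one request per address and wait for its reply before moving on
    for ip in network:
        arp = ARP(pdst=str(ip))
        packet: Packet = ether/arp

        answered = srp1(
            packet,
            timeout=0.1,
            verbose=verb_level
        )

        # srp1() returns None when nothing answered within the timeout
        if answered:
            result.append((answered.psrc, answered.hwsrc))
    return result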

As in all the documentation, the network address is passed along with the CIDR notation, aka "192.168.97.0/24".

I did a fair check on my testing network but couldn't find anything that could cause this problem; I believe this to be a Scapy bug.

Scapy version

2.5.0

Python version

3.10.12

Operating system

Ubuntu 22.04.2 LTS

Additional environment information

No response

How to reproduce

Execute the two functions in the description and compare the results.

Actual result

No response

Expected result

No response

Related resources

No response

gpotter2 commented 8 months ago

Could you share a network trace (pcap file) of the two cases? You can filter it to ARP only if required.

giovanni-bellini-argo commented 8 months ago

pcapfilezip.zip

In file1 you find the execution of the first func, in file2 that of the second.

I also tried to raise the timeout without any success.

gpotter2 commented 8 months ago

You should try and see if there are answers seen by wireshark but not by scapy. This doesn't appear to be the case in the pcaps you provided, so it seems like a congestion issue, or some sort of rate limiter.
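The check suggested above, as an added example that is not part of the original thread or of Scapy: it lists the ARP replies present in a capture but missing from the `(psrc, hwsrc)` list that the scan functions return. It assumes a classic-format Ethernet pcap (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import ipaddress
import struct

def arp_replies_in_pcap(data: bytes) -> dict[str, str]:
    """Map sender IP -> sender MAC for each ARP reply in a classic pcap (not pcapng)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    replies, offset = {}, 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # 14-byte Ethernet header + 28-byte ARP body; EtherType 0x0806 is ARP
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            continue
        if struct.unpack("!H", frame[20:22])[0] != 2:  # opcode 2 = reply
            continue
        replies[".".join(map(str, frame[28:32]))] = frame[22:28].hex(":")
    return replies

def missed_by_scapy(pcap_bytes: bytes, scapy_result: list[tuple[str, str]]) -> list[str]:
    """IPs whose ARP reply is in the capture but absent from the scan's result list."""
    seen = {ip for ip, _mac in scapy_result}
    on_wire = arp_replies_in_pcap(pcap_bytes)
    return sorted((ip for ip in on_wire if ip not in seen), key=ipaddress.ip_address)

# --- constructed sample capture (not taken from the pcaps attached to the issue) ---
def _arp_frame(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    dst = b"\xff" * 6 if op == 1 else tha  # requests are broadcast, replies unicast
    return dst + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def sample_pcap() -> bytes:
    scanner_mac, scanner_ip = bytes.fromhex("020000000001"), bytes([192, 168, 97, 1])
    frames = []
    for host in (10, 20):
        host_mac, host_ip = bytes.fromhex("0200000000%02x" % host), bytes([192, 168, 97, host])
        frames.append(_arp_frame(1, scanner_mac, scanner_ip, b"\x00" * 6, host_ip))
        frames.append(_arp_frame(2, host_mac, host_ip, scanner_mac, scanner_ip))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f  # per-packet record header
    return out
```

An empty list from `missed_by_scapy` means every reply on the wire was also collected, which points away from Scapy and toward the network dropping or rate-limiting the burst.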

giovanni-bellini-argo commented 8 months ago

I thought of something similar too, but I don't seem to find anything of the sort.