Flow based arpWatch
Introduction
This tutorial discusses the arpDecode plugin. It supplies vital information for troubleshooting and for security-related issues such as ARP spoofing.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow arpDecode macRecorder icmpDecode txtSink
...
BUILDING SUCCESSFUL
If you have not yet created separate data and results directories, do it now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: arp-poison.pcapng.
Please save it in your ~/data folder.
Now you are all set for analyzing ARP traffic!
arpDecode aka flow based arpWatch
I guess somebody reading this text has at some point tried to get access to a MAC-filtered wireless network by reusing the MAC address of somebody else who was already authenticated. No? Yeah, sure.
There are other tricks, e.g. ARP poisoning, which reroutes traffic within a broadcast domain (the L2 segment ARP is confined to) through an attacker's host. T2 provides a plugin which flags, or at least logs, these nasty tricks in the flow file, so the plugin is a kind of flow-based arpWatch.
The configuration of arpDecode lets you define the maximum number of MAC/IP pairs per flow to be logged (MAX_IP).
arpDecode
vi src/arpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define MAX_IP 10 // Max. number of MAC/IP pairs to list (max 255)
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
/* No env / runtime configuration flags available for arpDecode */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
You may reconfigure that with t2conf or just edit the file. We leave it at the default value for this tutorial.
We also load macRecorder and icmpDecode in order to compare flow information.
Now run t2 on the sample pcap.
================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 12725, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
[WRN] PCAP-NG, so *percentage completed* in end report might be less than 100%, will be fixed in a later version
Active plugins:
    01: basicFlow, 0.9.1
    02: macRecorder, 0.9.1
    03: icmpDecode, 0.9.1
    04: arpDecode, 0.9.1
    05: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
[INF] macRecorder: 84110 (84.11 K) short org name records loaded
Processing file: /home/user/data/arp-poison.pcapng
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1051612777.463919000 sec (Tue 29 Apr 2003 10:39:37 GMT)
Dump stop : 1051612786.610023000 sec (Tue 29 Apr 2003 10:39:46 GMT)
Total dump duration: 9.146104000 sec
Finished processing. Elapsed time: 0.000405175 sec
Finished unloading flow memory.
Time: 0.000525005 sec
Percentage completed: 3.47%
Number of processed packets: 20
Number of processed bytes: 1280 (1.28 K)
Number of raw bytes: 1280 (1.28 K)
Number of pcap bytes: 46772 (46.77 K)
Number of IPv4 packets: 6 [30.00%]
Number of A packets: 12 [60.00%]
Number of B packets: 8 [40.00%]
Number of A bytes: 768 [60.00%]
Number of B bytes: 512 [40.00%]
<A packet load> 64.00
<B packet load> 64.00
--------------------------------------------------------------------------------
macRecorder: MAC pairs per flow: min: 1, max: 2, average: 1.07
icmpDecode: Aggregated icmpStat=0x21
icmpDecode: Number of ICMP echo request packets: 3 [50.00%]
icmpDecode: Number of ICMP echo reply packets: 3 [50.00%]
icmpDecode: ICMP echo reply / request ratio: 1.00
arpDecode: Aggregated arpStat=0x81
--------------------------------------------------------------------------------
Headers count: min: 2, max: 3, average: 2.30
Number of ARP packets: 14 [70.00%]
Number of ICMP packets: 6 [30.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 8
Number of processed L2 flows: 4 [50.00%]
Number of processed IPv4 flows: 4 [50.00%]
Number of processed A flows: 4 [50.00%]
Number of processed B flows: 4 [50.00%]
Number of request flows: 4 [50.00%]
Number of reply flows: 4 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed packets/flows: 2.50
Number of processed A packets/flows: 3.00
Number of processed B packets/flows: 2.00
Number of processed total packets/s: 2.19
Number of processed A+B packets/s: 2.19
Number of processed A packets/s: 1.31
Number of processed B packets/s: 0.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.87
<Bandwidth>: 220 b/s
<Raw bandwidth>: 1120 b/s (1.12 Kb/s)
Max number of flows in memory: 8 [0.00%]
Memory usage: 0.04 GB [0.06%]
Aggregated flowStat=0x0400100000004044
[WRN] Consecutive duplicate IP ID
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] ARP
macRecorder reports a maximum of 2 MAC pairs per flow, which means that the L2 path changed during the communication. That can be legitimate where multi-path routing or a redundant gateway is present.
icmpDecode reports that the ICMP traffic (30% of the packets) consists purely of echo requests and replies with a reply/request ratio of 1.00, so somebody pings. That is odd, but this is test traffic; in a production network a comparable share of pings would deserve a look (host discovery), but it is not the problem at hand here.
arpDecode, on the other hand, reports ARP spoofing, which is definitely not normal. The aggregated arpStat value 0x81 is to be interpreted as follows:

bit | arpStat | Description
=============================================================================
0   | 0x01    | ARP detected
7   | 0x80    | ARP spoofing (same MAC assigned to multiple IPs)
Now have a look into your results window.
Flow 2 is an ICMP ping whose B direction has two MAC pairs: in the second pair the former destination MAC 00:d0:59:aa:af:80 has become the source, and the destination is a MAC not seen before, 00:d0:59:12:9b:01. WTF?
macRecorder reports the same in srcMac_dstMac_numP: 1 packet with the first MAC pair, 2 packets with the new one. Odd.
Now look at the next two flows, 3 and 4. Both are ARP flows, and the last one reports a spoofing alarm (arpStat 0x81). Spot it? Look at the MAC/IP pairs in the arpMac_Ip_Cnt column: each entry is MAC_IP_count. Note the two entries with count 0 in flow 4: those bindings are never carried by a packet of that flow, but apparently get listed because they clash with the bindings that are.
tcol ~/results/arp-poison_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto macStat macPairs srcMac_dstMac_numP srcMacLbl_dstMacLbl icmpStat icmpTCcnt icmpBFTypH_TypL_Code icmpTmGtw icmpEchoSuccRatio icmpPFindex arpStat arpHwType arpOpcode arpIpMacCnt arpMac_Ip_Cnt
A 1 0x0400000000004000 1051612777.463919000 1051612777.463919000 0.000000000 1 3 eth:ipv4:icmp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0800 192.168.1.102 07 "Private network" 0 192.168.1.1 07 "Private network" 0 1 0x00 1 00:d0:59:aa:af:80_00:20:78:d9:0d:db_1 AmbitMicr,TW_RuntopInc,TW 0x01 1 0x00000000_0x00000100_0x0001 0x00000000 1 0 0x00 0 0x0000 0
B 1 0x0400000000004001 1051612777.464716000 1051612777.464716000 0.000000000 1 3 eth:ipv4:icmp 00:20:78:d9:0d:db 00:d0:59:aa:af:80 0x0800 192.168.1.1 07 "Private network" 0 192.168.1.102 07 "Private network" 0 1 0x00 1 00:20:78:d9:0d:db_00:d0:59:aa:af:80_1 RuntopInc,TW_AmbitMicr,TW 0x01 1 0x00000000_0x00000001_0x0001 0x00000000 0 0 0x00 0 0x0000 0
A 2 0x0400000000004000 1051612778.594407000 1051612778.594407000 0.000000000 1 3 eth:ipv4:icmp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0800 192.168.1.103 07 "Private network" 0 192.168.1.1 07 "Private network" 0 1 0x00 1 00:d0:59:aa:af:80_00:20:78:d9:0d:db_1 AmbitMicr,TW_RuntopInc,TW 0x01 1 0x00000000_0x00000100_0x0001 0x00000000 2 0 0x00 0 0x0000 0
B 2 0x0400100000004001 1051612778.595301000 1051612778.699841000 0.104540000 1 3 eth:ipv4:icmp 00:20:78:d9:0d:db;00:d0:59:aa:af:80 00:d0:59:aa:af:80;00:d0:59:12:9b:01 0x0800 192.168.1.1 07 "Private network" 0 192.168.1.103 07 "Private network" 0 1 0x00 2 00:20:78:d9:0d:db_00:d0:59:aa:af:80_1;00:d0:59:aa:af:80_00:d0:59:12:9b:01_2 RuntopInc,TW_AmbitMicr,TW;AmbitMicr,TW_AmbitMicr,TW 0x21 3 0x00000000_0x00000101_0x0001 0x00000000 0 0 0x00 0 0x0000 0
A 3 0x0000000000000044 1051612778.598469000 1051612786.608058000 8.009589000 1 2 eth:arp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0806 - - "-" 0 - - "-" 0 0 0x00 1 00:d0:59:aa:af:80_00:20:78:d9:0d:db_5 AmbitMicr,TW_RuntopInc,TW 0x00 0 0x00000000_0x00000000_0x0000 0x00000000 0 0 0x01 1 0x0006 2 00:d0:59:aa:af:80_192.168.1.103_5;00:20:78:d9:0d:db_192.168.1.1_3
B 3 0x0000000000000045 1051612780.601770000 1051612784.606380000 4.004610000 1 2 eth:arp 00:20:78:d9:0d:db 00:d0:59:aa:af:80 0x0806 - - "-" 0 - - "-" 0 0 0x00 1 00:20:78:d9:0d:db_00:d0:59:aa:af:80_2 RuntopInc,TW_AmbitMicr,TW 0x00 0 0x00000000_0x00000000_0x0000 0x00000000 0 0 0x01 1 0x0004 2 00:20:78:d9:0d:db_192.168.1.1_2;00:d0:59:aa:af:80_192.168.1.103_2
A 4 0x0000000000000044 1051612778.600469000 1051612786.610023000 8.009554000 1 2 eth:arp 00:d0:59:aa:af:80 00:d0:59:12:9b:01 0x0806 - - "-" 0 - - "-" 0 0 0x00 1 00:d0:59:aa:af:80_00:d0:59:12:9b:01_5 AmbitMicr,TW_AmbitMicr,TW 0x00 0 0x00000000_0x00000000_0x0000 0x00000000 0 0 0x81 1 0x0006 4 00:d0:59:aa:af:80_192.168.1.1_5;00:20:78:d9:0d:db_192.168.1.1_0;00:d0:59:12:9b:01_192.168.1.103_3;00:d0:59:aa:af:80_192.168.1.103_0
B 4 0x0000000000000045 1051612780.603266000 1051612784.607832000 4.004566000 1 2 eth:arp 00:d0:59:12:9b:01 00:d0:59:aa:af:80 0x0806 - - "-" 0 - - "-" 0 0 0x00 1 00:d0:59:12:9b:01_00:d0:59:aa:af:80_2 AmbitMicr,TW_AmbitMicr,TW 0x00 0 0x00000000_0x00000000_0x0000 0x00000000 0 0 0x81 1 0x0004 4 00:d0:59:12:9b:01_192.168.1.103_2;00:d0:59:aa:af:80_192.168.1.103_0;00:d0:59:aa:af:80_192.168.1.1_2;00:20:78:d9:0d:db_192.168.1.1_0
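The flow file is the place to triage from, so here is a small post-processing script for it. This is an added example, not part of Tranalyzer: it assumes the file is tab-separated (txtSink's default) and relies only on the column names visible in the header above (dir, flowInd, arpStat, arpMac_Ip_Cnt). The embedded excerpt is a reduced copy of the tutorial's flow lines that keeps just those columns; point the script at the real ~/results/arp-poison_flows.txt and it reads the full file the same way.

```python
"""List the flows whose arpStat carries the ARP-spoofing bit (0x80) and
explain the conflict from the arpMac_Ip_Cnt column of a Tranalyzer flow file.
Added example, not Tranalyzer code."""
import sys
from collections import defaultdict

ARP_SPOOF = 0x80  # arpStat bit 7

# Constructed, reduced excerpt of the tutorial's arp-poison_flows.txt: the
# real file has many more columns; the values below are copied from it.
SAMPLE = "\n".join([
    "%dir\tflowInd\tsrcMac\tdstMac\tarpStat\tarpIpMacCnt\tarpMac_Ip_Cnt",
    "A\t1\t00:d0:59:aa:af:80\t00:20:78:d9:0d:db\t0x00\t0\t",
    "A\t3\t00:d0:59:aa:af:80\t00:20:78:d9:0d:db\t0x01\t2\t"
    "00:d0:59:aa:af:80_192.168.1.103_5;00:20:78:d9:0d:db_192.168.1.1_3",
    "B\t3\t00:20:78:d9:0d:db\t00:d0:59:aa:af:80\t0x01\t2\t"
    "00:20:78:d9:0d:db_192.168.1.1_2;00:d0:59:aa:af:80_192.168.1.103_2",
    "A\t4\t00:d0:59:aa:af:80\t00:d0:59:12:9b:01\t0x81\t4\t"
    "00:d0:59:aa:af:80_192.168.1.1_5;00:20:78:d9:0d:db_192.168.1.1_0;"
    "00:d0:59:12:9b:01_192.168.1.103_3;00:d0:59:aa:af:80_192.168.1.103_0",
    "B\t4\t00:d0:59:12:9b:01\t00:d0:59:aa:af:80\t0x81\t4\t"
    "00:d0:59:12:9b:01_192.168.1.103_2;00:d0:59:aa:af:80_192.168.1.103_0;"
    "00:d0:59:aa:af:80_192.168.1.1_2;00:20:78:d9:0d:db_192.168.1.1_0",
]) + "\n"


def parse_flows(text):
    """Yield one dict per flow line, keyed by the header names ('%' stripped)."""
    lines = iter(text.splitlines())
    header = next(lines).lstrip("%").split("\t")
    for line in lines:
        if line and not line.startswith("%"):
            yield dict(zip(header, line.split("\t")))


def parse_pairs(column):
    """'mac_ip_cnt;mac_ip_cnt;...' -> [(mac, ip, cnt), ...]; empty column -> []."""
    out = []
    for item in filter(None, column.split(";")):
        mac, ip, cnt = item.rsplit("_", 2)  # MACs contain no '_', so rsplit is safe
        out.append((mac, ip, int(cnt)))
    return out


def spoofed_flows(text):
    """Return {(dir, flowInd): info} for every flow with arpStat bit 7 set.

    info["ip_conflicts"]  : IP -> set of MACs that claimed it
    info["mac_conflicts"] : MAC -> set of IPs it claimed
    info["suspects"]      : MACs involved in every IP conflict of the flow
    """
    result = {}
    for f in parse_flows(text):
        if not int(f["arpStat"], 16) & ARP_SPOOF:
            continue
        ip_macs, mac_ips = defaultdict(set), defaultdict(set)
        for mac, ip, _cnt in parse_pairs(f["arpMac_Ip_Cnt"]):
            ip_macs[ip].add(mac)
            mac_ips[mac].add(ip)
        ip_conflicts = {ip: m for ip, m in ip_macs.items() if len(m) > 1}
        result[(f["dir"], int(f["flowInd"]))] = {
            "ip_conflicts": ip_conflicts,
            "mac_conflicts": {mac: i for mac, i in mac_ips.items() if len(i) > 1},
            "suspects": set.intersection(*ip_conflicts.values()) if ip_conflicts else set(),
        }
    return result


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for (d, ind), info in spoofed_flows(text).items():
        print(f"flow {ind}{d}: IPs claimed by several MACs: {info['ip_conflicts']}")
        print(f"          suspect MAC(s): {sorted(info['suspects'])}")
```

The "suspect" is simply the MAC common to all IP conflicts of the flow; for flow 4 that is 00:d0:59:aa:af:80, which claims both 192.168.1.1 and 192.168.1.103. Treat it as a lead, not a verdict: the column tells you which bindings clash, not which one is legitimate, so confirm with the vendor labels from macRecorder and with the packet file.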
Have a look in the packet file. The first packet of flow 4, packet 7, already carries arpStat 0x81 (ARP spoofing), and the flag stays set for packet 11 and every further packet of that flow, while flow 3 never leaves 0x01. See why, and what happens?
tcol ~/results/arp-poison_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto srcMacLbl dstMacLbl icmpStat icmpType icmpCode icmpID icmpSeq icmpPFindex arpStat arpHwType arpProtoType arpHwSize arpProtoSize arpOpcode arpSenderMAC arpSenderIP arpTargetMAC arpTargetIP l7Content
1 1 0x0400000000004000 1051612777.463919 0.000000 0.000000 0.000000 3 eth:ipv4:icmp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0800 192.168.1.102 07 Private network 192.168.1.1 07 Private network 1 AmbitMicr,TW RuntopInc,TW 0x01 8 0 0xe77e 0x0100
2 1 0x0400000000004001 1051612777.464716 0.000000 0.000797 0.000000 3 eth:ipv4:icmp 00:20:78:d9:0d:db 00:d0:59:aa:af:80 0x0800 192.168.1.1 07 Private network 192.168.1.102 07 Private network 1 RuntopInc,TW AmbitMicr,TW 0x01 0 0 0xe77e 0x0100
3 2 0x0400000000004000 1051612778.594407 0.000000 0.000000 0.000000 3 eth:ipv4:icmp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0800 192.168.1.103 07 Private network 192.168.1.1 07 Private network 1 AmbitMicr,TW RuntopInc,TW 0x01 8 0 0xe77e 0x0100
4 2 0x0400000000004001 1051612778.595301 0.000000 0.000894 0.000000 3 eth:ipv4:icmp 00:20:78:d9:0d:db 00:d0:59:aa:af:80 0x0800 192.168.1.1 07 Private network 192.168.1.103 07 Private network 1 RuntopInc,TW AmbitMicr,TW 0x01 0 0 0xe77e 0x0100
5 2 0x0400000000004001 1051612778.597199 0.001898 0.002792 0.001898 3 eth:ipv4:icmp 00:d0:59:aa:af:80 00:d0:59:12:9b:01 0x0800 192.168.1.1 07 Private network 192.168.1.103 07 Private network 1 AmbitMicr,TW AmbitMicr,TW 0x21 8 0 0xe77e 0x0100
6 3 0x0000000000000044 1051612778.598469 0.000000 0.000000 0.000000 2 eth:arp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0806 AmbitMicr,TW RuntopInc,TW 0x01 1 0x0800 6 4 2 00:d0:59:aa:af:80 192.168.1.103 00:20:78:d9:0d:db 192.168.1.1 ..........Y......g. x.\r...........................
7 4 0x0000000000000044 1051612778.600469 0.000000 0.000000 0.000000 2 eth:arp 00:d0:59:aa:af:80 00:d0:59:12:9b:01 0x0806 AmbitMicr,TW AmbitMicr,TW 0x81 1 0x0800 6 4 2 00:d0:59:aa:af:80 192.168.1.1 00:d0:59:12:9b:01 192.168.1.103 ..........Y.........Y......g......................
8 2 0x0400100000004001 1051612778.699841 0.102642 0.105434 0.104540 3 eth:ipv4:icmp 00:d0:59:aa:af:80 00:d0:59:12:9b:01 0x0800 192.168.1.1 07 Private network 192.168.1.103 07 Private network 1 AmbitMicr,TW AmbitMicr,TW 0x21 0 0 0xe77e 0x0100
9 3 0x0000000000000044 1051612780.601041 2.002572 0.000000 2.002572 2 eth:arp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0806 AmbitMicr,TW RuntopInc,TW 0x01 1 0x0800 6 4 1 00:d0:59:aa:af:80 192.168.1.103 00:20:78:d9:0d:db 192.168.1.1 ..........Y......g. x.\r...........................
10 3 0x0000000000000045 1051612780.601770 0.000000 0.000729 0.000000 2 eth:arp 00:20:78:d9:0d:db 00:d0:59:aa:af:80 0x0806 RuntopInc,TW AmbitMicr,TW 0x01 1 0x0800 6 4 2 00:20:78:d9:0d:db 192.168.1.1 00:d0:59:aa:af:80 192.168.1.103 ......... x.\r.......Y......g......................
11 4 0x0000000000000044 1051612780.602852 2.002383 0.000000 2.002383 2 eth:arp 00:d0:59:aa:af:80 00:d0:59:12:9b:01 0x0806 AmbitMicr,TW AmbitMicr,TW 0x81 1 0x0800 6 4 1 00:d0:59:aa:af:80 192.168.1.1 00:d0:59:12:9b:01 192.168.1.103 ..........Y.........Y......g......................
12 4 0x0000000000000045 1051612780.603266 0.000000 0.000414 0.000000 2 eth:arp 00:d0:59:12:9b:01 00:d0:59:aa:af:80 0x0806 AmbitMicr,TW AmbitMicr,TW 0x81 1 0x0800 6 4 2 00:d0:59:12:9b:01 192.168.1.103 00:d0:59:aa:af:80 192.168.1.1 ..........Y......g..Y.............................
13 3 0x0000000000000044 1051612782.603278 2.002237 2.001508 4.004809 2 eth:arp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0806 AmbitMicr,TW RuntopInc,TW 0x01 1 0x0800 6 4 2 00:d0:59:aa:af:80 192.168.1.103 00:20:78:d9:0d:db 192.168.1.1 ..........Y......g. x.\r...........................
14 4 0x0000000000000044 1051612782.605243 2.002391 2.001977 4.004774 2 eth:arp 00:d0:59:aa:af:80 00:d0:59:12:9b:01 0x0806 AmbitMicr,TW AmbitMicr,TW 0x81 1 0x0800 6 4 2 00:d0:59:aa:af:80 192.168.1.1 00:d0:59:12:9b:01 192.168.1.103 ..........Y.........Y......g......................
15 3 0x0000000000000044 1051612784.605667 2.002389 4.003897 6.007198 2 eth:arp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0806 AmbitMicr,TW RuntopInc,TW 0x01 1 0x0800 6 4 1 00:d0:59:aa:af:80 192.168.1.103 00:20:78:d9:0d:db 192.168.1.1 ..........Y......g. x.\r...........................
16 3 0x0000000000000045 1051612784.606380 4.004610 0.000713 4.004610 2 eth:arp 00:20:78:d9:0d:db 00:d0:59:aa:af:80 0x0806 RuntopInc,TW AmbitMicr,TW 0x01 1 0x0800 6 4 2 00:20:78:d9:0d:db 192.168.1.1 00:d0:59:aa:af:80 192.168.1.103 ......... x.\r.......Y......g......................
17 4 0x0000000000000044 1051612784.607630 2.002387 4.004364 6.007161 2 eth:arp 00:d0:59:aa:af:80 00:d0:59:12:9b:01 0x0806 AmbitMicr,TW AmbitMicr,TW 0x81 1 0x0800 6 4 1 00:d0:59:aa:af:80 192.168.1.1 00:d0:59:12:9b:01 192.168.1.103 ..........Y.........Y......g......................
18 4 0x0000000000000045 1051612784.607832 4.004566 0.000202 4.004566 2 eth:arp 00:d0:59:12:9b:01 00:d0:59:aa:af:80 0x0806 AmbitMicr,TW AmbitMicr,TW 0x81 1 0x0800 6 4 2 00:d0:59:12:9b:01 192.168.1.103 00:d0:59:aa:af:80 192.168.1.1 ..........Y......g..Y.............................
19 3 0x0000000000000044 1051612786.608058 2.002391 2.001678 8.009589 2 eth:arp 00:d0:59:aa:af:80 00:20:78:d9:0d:db 0x0806 AmbitMicr,TW RuntopInc,TW 0x01 1 0x0800 6 4 2 00:d0:59:aa:af:80 192.168.1.103 00:20:78:d9:0d:db 192.168.1.1 ..........Y......g. x.\r...........................
20 4 0x0000000000000044 1051612786.610023 2.002393 2.002191 8.009554 2 eth:arp 00:d0:59:aa:af:80 00:d0:59:12:9b:01 0x0806 AmbitMicr,TW AmbitMicr,TW 0x81 1 0x0800 6 4 2 00:d0:59:aa:af:80 192.168.1.1 00:d0:59:12:9b:01 192.168.1.103 ..........Y.........Y......g......................
Is there more? What happens in packet 7? It is an unsolicited ARP reply (arpOpcode 2) in which 00:d0:59:aa:af:80 announces 192.168.1.1 at its own MAC to 00:d0:59:12:9b:01 (192.168.1.103), sent 2 ms after packet 6, in which the same MAC told 00:20:78:d9:0d:db (192.168.1.1) that it is 192.168.1.103. False positive?
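To make the arpStat behaviour above tangible, here is a minimal flow-based ARP watch written for this tutorial. It is an added example and not Tranalyzer source: the rule it implements (remember the first MAC/IP binding seen on the wire as the baseline; when a flow learns a new pair, set the spoofing bit if the IP is already bound to another MAC or the MAC already claims another IP, and record the clashing baseline pair with count 0) is my reconstruction from the flow and packet files above, not the plugin's code. The 14 ARP packets are transcribed from the packet file; the role names ATTACKER, GATEWAY and VICTIM are my reading of the capture.

```python
"""Flow-based ARP watch reproducing the tutorial's arpStat / arpMac_Ip_Cnt.
Added example, NOT Tranalyzer source; the detection rule is a reconstruction
from the tutorial's output, not taken from arpDecode."""
from dataclasses import dataclass, field

ARP_DETECTED = 0x01  # arpStat bit 0
ARP_SPOOF = 0x80     # arpStat bit 7
OP_REQUEST, OP_REPLY = 1, 2


@dataclass
class Flow:
    """One direction of an eth:arp flow, keyed by (srcMac, dstMac)."""
    arp_stat: int = 0
    # (mac, ip) -> packets of this flow carrying that binding; 0 marks a
    # clashing baseline binding known from elsewhere (cf. arpMac_Ip_Cnt)
    pairs: dict = field(default_factory=dict)


class ArpWatch:
    def __init__(self):
        self.flows = {}
        self.ip_to_mac = {}  # baseline: first MAC seen claiming an IP
        self.mac_to_ip = {}  # baseline: first IP seen claimed by a MAC

    def _learn(self, flow, mac, ip):
        if (mac, ip) not in flow.pairs:
            flow.pairs[(mac, ip)] = 0
            # First time this flow sees the pair: compare it with the baseline.
            base_mac = self.ip_to_mac.setdefault(ip, mac)
            if base_mac != mac:                  # IP now claimed by a second MAC
                flow.pairs.setdefault((base_mac, ip), 0)
                flow.arp_stat |= ARP_SPOOF
            base_ip = self.mac_to_ip.setdefault(mac, ip)
            if base_ip != ip:                    # MAC now claiming a second IP
                flow.pairs.setdefault((mac, base_ip), 0)
                flow.arp_stat |= ARP_SPOOF
        flow.pairs[(mac, ip)] += 1

    def process(self, src_mac, dst_mac, opcode, smac, sip, tmac, tip):
        """Feed one ARP packet; return the flow's arpStat after it (sticky)."""
        flow = self.flows.setdefault((src_mac, dst_mac), Flow())
        flow.arp_stat |= ARP_DETECTED
        self._learn(flow, smac, sip)
        if opcode == OP_REPLY:  # target fields only carry a binding in replies
            self._learn(flow, tmac, tip)
        return flow.arp_stat


ATTACKER, GATEWAY, VICTIM = "00:d0:59:aa:af:80", "00:20:78:d9:0d:db", "00:d0:59:12:9b:01"
GW_IP, VICTIM_IP = "192.168.1.1", "192.168.1.103"

# The 14 ARP packets of the tutorial's packet file, transcribed as (pktNo,
# srcMac, dstMac, arpOpcode, arpSenderMAC, arpSenderIP, arpTargetMAC,
# arpTargetIP); packet 8 is ICMP and therefore absent.
PACKETS = [
    (6,  ATTACKER, GATEWAY,  2, ATTACKER, VICTIM_IP, GATEWAY,  GW_IP),
    (7,  ATTACKER, VICTIM,   2, ATTACKER, GW_IP,     VICTIM,   VICTIM_IP),
    (9,  ATTACKER, GATEWAY,  1, ATTACKER, VICTIM_IP, GATEWAY,  GW_IP),
    (10, GATEWAY,  ATTACKER, 2, GATEWAY,  GW_IP,     ATTACKER, VICTIM_IP),
    (11, ATTACKER, VICTIM,   1, ATTACKER, GW_IP,     VICTIM,   VICTIM_IP),
    (12, VICTIM,   ATTACKER, 2, VICTIM,   VICTIM_IP, ATTACKER, GW_IP),
    (13, ATTACKER, GATEWAY,  2, ATTACKER, VICTIM_IP, GATEWAY,  GW_IP),
    (14, ATTACKER, VICTIM,   2, ATTACKER, GW_IP,     VICTIM,   VICTIM_IP),
    (15, ATTACKER, GATEWAY,  1, ATTACKER, VICTIM_IP, GATEWAY,  GW_IP),
    (16, GATEWAY,  ATTACKER, 2, GATEWAY,  GW_IP,     ATTACKER, VICTIM_IP),
    (17, ATTACKER, VICTIM,   1, ATTACKER, GW_IP,     VICTIM,   VICTIM_IP),
    (18, VICTIM,   ATTACKER, 2, VICTIM,   VICTIM_IP, ATTACKER, GW_IP),
    (19, ATTACKER, GATEWAY,  2, ATTACKER, VICTIM_IP, GATEWAY,  GW_IP),
    (20, ATTACKER, VICTIM,   2, ATTACKER, GW_IP,     VICTIM,   VICTIM_IP),
]


def run(packets=PACKETS):
    """Return ({pktNo: arpStat after that packet}, {(srcMac, dstMac): Flow})."""
    watch = ArpWatch()
    stats = {no: watch.process(*fields) for no, *fields in packets}
    return stats, watch.flows


if __name__ == "__main__":
    stats, flows = run()
    print(" ".join(f"{no}:0x{st:02x}" for no, st in stats.items()))
    for (src, dst), f in flows.items():
        pairs = ";".join(f"{m}_{ip}_{n}" for (m, ip), n in f.pairs.items())
        print(f"{src} -> {dst}  arpStat=0x{f.arp_stat:02x}  arpMac_Ip_Cnt={pairs}")
```

Two design points matter here. The flag is per flow and sticky, and the baseline is consulted only when a flow sees a pair for the first time: that is why flow 3 (00:d0:59:aa:af:80 and 00:20:78:d9:0d:db) stays at 0x01 even though, from packet 7 on, the same MAC is ambiguous globally, while both directions of flow 4 are flagged the moment they start. And "first binding wins" is a choice with a failure mode: if the capture begins after the poisoning, the attacker's binding becomes the baseline and the legitimate host is the one flagged, so the bit says "conflict", not "culprit"; use the unsolicited replies and the macRecorder vendor labels to decide who is lying.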
Have fun analyzing ARP traffic!