Tutorial: Flow based arpwatch

arpDecode

This tutorial discusses the plugin arpDecode. It supplies vital information for troubleshooting and security-related issues.

Preparation

Before we start, we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.

First, I recommend setting T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compiling the standard plugins, just as a precaution in case you have some old plugins or files there. If you would like to keep them, please copy them away first. We also load macRecorder and icmpDecode in order to compare flow information.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build tranalyzer2 basicFlow macRecorder icmpDecode arpDecode txtSink
...
BUILD SUCCESSFUL

$

If you did not create separate data and results directories yet, please do it now in another terminal window; it facilitates your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap if you did not do so already: arp-poison.pcapng. Now you're all set.

arpDecode aka flow based arpWatch

I guess somebody who is reading this text right now has tried to get access to an ARP-authenticated wireless network by reusing the ARP address of somebody else who was already authenticated. No? Yeah, sure.

There are other tricks, e.g. ARP poisoning to reroute traffic in a collision domain. T2 provides a plugin which flags, or at least logs, these nasty tricks in the flow file, so the plugin is similar to a flow-based arpwatch.

The configuration of arpDecode allows you to define the maximum number of MAC/IP pairs per flow to be logged.

$ arpDecode
$ vi src/arpDecode.h
...
// user defines

#define MAX_IP 10 // Max. number of MAC/IP pairs to list (max 255)
...

You may reconfigure that with t2config or just edit the file. We leave it at the default value for this tutorial. Now run t2 on the sample pcap.

$ t2 -r ~/data/arp-poison.pcapng -w ~/results/ -s
================================================================================
Tranalyzer 0.8.8 (Anteater), Tarantula. PID: 19330
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
[WRN] PCAP-NG, so *percentage completed* in end report might be less than 100%, will be fixed in a later version
Active plugins:
    01: basicFlow, 0.8.8
    02: macRecorder, 0.8.8
    03: icmpDecode, 0.8.8
    04: arpDecode, 0.8.8
    05: txtSink, 0.8.8
[INF] IPv4 Ver: 5, Rev: 01022020, Range Mode: 0, subnet ranges loaded: 389669 (389.67 K)
[INF] IPv6 Ver: 5, Rev: 01022020, Range Mode: 0, subnet ranges loaded: 104862 (104.86 K)
Processing file: /home/wurst/tranalyzer-website/tranalyzer/download/data/arp-poison.pcapng
Link layer type: Ethernet [EN10MB/1]
Dump start: 1051612777.463919 sec (Tue 29 Apr 2003 10:39:37 GMT)
Dump stop : 1051612786.610023 sec (Tue 29 Apr 2003 10:39:46 GMT)
Total dump duration: 9.146104 sec
Finished processing. Elapsed time: 0.000266 sec
Finished unloading flow memory. Time: 0.000393 sec
Percentage completed: 3.47%
Number of processed packets: 20
Number of processed bytes: 1280 (1.28 K)
Number of raw bytes: 1280 (1.28 K)
Number of pcap bytes: 46772 (46.77 K)
Number of IPv4 packets: 6 [30.00%]
Number of A packets: 12 [60.00%]
Number of B packets: 8 [40.00%]
Number of A bytes: 768 [60.00%]
Number of B bytes: 512 [40.00%]
Average A packet load: 64.00
Average B packet load: 64.00
--------------------------------------------------------------------------------
macRecorder: MAC pairs per flow: min: 1, max: 2, average: 1.07
icmpDecode: Number of ICMP echo request packets: 3 [50.00%]
icmpDecode: Number of ICMP echo reply packets: 3 [50.00%]
icmpDecode: ICMP echo reply / request ratio: 1.00
arpDecode: Aggregated status flags: 0x81
--------------------------------------------------------------------------------
Headers count: min: 2, max: 3, average: 2.30
Number of GRE packets: 14 [70.00%]
Number of ICMP packets: 6 [30.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 8
Number of processed A flows: 4 [50.00%]
Number of processed B flows: 4 [50.00%]
Number of request     flows: 4 [50.00%]
Number of reply       flows: 4 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 2.50
Number of processed A packets/flows: 3.00
Number of processed B packets/flows: 2.00
Number of processed total packets/s: 2.19
Number of processed A+B packets/s: 2.19
Number of processed A   packets/s: 1.31
Number of processed   B packets/s: 0.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.87
Average full raw bandwidth: 1120 b/s (1.12 Kb/s)
Average full bandwidth : 220 b/s
Max number of flows in memory: 8 [0.00%]
Memory usage: 0.18 GB [0.27%]
Aggregate flow status: 0x0400100000004044
[WRN] Consecutive duplicate IP ID
[INF] Ethernet flows
[INF] IPv4 flows
[INF] ARP
$

macRecorder reports a maximum of 2 MAC pairs per flow, which means that the L2 path changed during the communication. This can be normal when multi-path routing is present.

icmpDecode reports that the ICMP traffic consists of 50% echo requests and 50% echo replies, so somebody pings. That is odd, but this is test traffic. If you see it in your network, it is alarming, but it is not the problem at hand here.

arpDecode, on the other hand, reports ARP spoofing, which is definitely not normal. See the arpStat details below:

$ tawk -V arpStat=0x81

The arpStat column with value 0x81 is to be interpreted as follows:

   bit | arpStat | Description
   =============================================================================
     0 | 0x01    | ARP detected
     7 | 0x80    | ARP spoofing (same MAC assigned to multiple IPs)

Now have a look into your results window. B flow 2 is an ICMP ping that has two MAC pairs: source and destination MAC swapped, plus a new destination MAC. WTF? macRecorder reports the same, 2 packets being sent with the new MAC pair. Odd. Now look at the next two flows: these are ARP flows, and the last one reports a poison alarm. Spot it? Look at the MAC/IP pairs in the arpMac_Ip_Cnt column.

$ tcol arp-poison_flows.txt
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc        srcMac                               dstMac                               ethType  ethVlanID  srcIP          srcIPCC  srcIPCnty  srcIPCty  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPCnty  dstIPCty  dstIPOrg           dstPort  l4Proto  macStat  macPairs  srcMac_dstMac_numP                                                           srcManuf_dstManuf                  icmpStat  icmpTCcnt  icmpBFTypH_TypL_Code          icmpTmGtw   icmpEchoSuccRatio  icmpPFindex  arpStat  arpHwType  arpOpcode  arpIpMacCnt  arpMac_Ip_Cnt
A     1        0x0400000000004000  1051612777.463919  1051612777.463919  0.000000  1           3        eth:ipv4:icmp  00:d0:59:aa:af:80                    00:20:78:d9:0d:db                    0x0800              192.168.1.102  07       "-"        "-"       "Private network"  0        192.168.1.1    07       "-"        "-"       "Private network"  0        1        0x00     1         00:d0:59:aa:af:80_00:20:78:d9:0d:db_1                                        AmbitMic_Runtop                    0x01      1          0x00000000_0x00000100_0x0001  0x00017ee7  1                  0            0x00     0          0x0000     0            
B     1        0x0400000000004001  1051612777.464716  1051612777.464716  0.000000  1           3        eth:ipv4:icmp  00:20:78:d9:0d:db                    00:d0:59:aa:af:80                    0x0800              192.168.1.1    07       "-"        "-"       "Private network"  0        192.168.1.102  07       "-"        "-"       "Private network"  0        1        0x00     1         00:20:78:d9:0d:db_00:d0:59:aa:af:80_1                                        Runtop_AmbitMic                    0x01      1          0x00000000_0x00000001_0x0001  0x00017ee7  0                  0            0x00     0          0x0000     0            
A     2        0x0400000000004000  1051612778.594407  1051612778.594407  0.000000  1           3        eth:ipv4:icmp  00:d0:59:aa:af:80                    00:20:78:d9:0d:db                    0x0800              192.168.1.103  07       "-"        "-"       "Private network"  0        192.168.1.1    07       "-"        "-"       "Private network"  0        1        0x00     1         00:d0:59:aa:af:80_00:20:78:d9:0d:db_1                                        AmbitMic_Runtop                    0x01      1          0x00000000_0x00000100_0x0001  0x00017ee7  2                  0            0x00     0          0x0000     0            
B     2        0x0400100000004001  1051612778.595301  1051612778.699841  0.104540  1           3        eth:ipv4:icmp  00:20:78:d9:0d:db;00:d0:59:aa:af:80  00:d0:59:aa:af:80;00:d0:59:12:9b:01  0x0800              192.168.1.1    07       "-"        "-"       "Private network"  0        192.168.1.103  07       "-"        "-"       "Private network"  0        1        0x00     2         00:20:78:d9:0d:db_00:d0:59:aa:af:80_1;00:d0:59:aa:af:80_00:d0:59:12:9b:01_2  Runtop_AmbitMic;AmbitMic_AmbitMic  0x01      3          0x00000000_0x00000101_0x0001  0x00017ee7  0                  0            0x00     0          0x0000     0            
A     3        0x0000000000000044  1051612778.598469  1051612786.608058  8.009589  1           2        eth:arp        00:d0:59:aa:af:80                    00:20:78:d9:0d:db                    0x0806              0.0.0.0        --       "--"       "--"      "--"               0        0.0.0.0        --       "--"       "--"      "--"               0        0        0x00     1         00:d0:59:aa:af:80_00:20:78:d9:0d:db_5                                        AmbitMic_Runtop                    0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            0x01     1          0x0006     2            00:d0:59:aa:af:80_192.168.1.103_5;00:20:78:d9:0d:db_192.168.1.1_3
B     3        0x0000000000000045  1051612780.601770  1051612784.606380  4.004610  1           2        eth:arp        00:20:78:d9:0d:db                    00:d0:59:aa:af:80                    0x0806              0.0.0.0        --       "--"       "--"      "--"               0        0.0.0.0        --       "--"       "--"      "--"               0        0        0x00     1         00:20:78:d9:0d:db_00:d0:59:aa:af:80_2                                        Runtop_AmbitMic                    0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            0x01     1          0x0004     2            00:20:78:d9:0d:db_192.168.1.1_2;00:d0:59:aa:af:80_192.168.1.103_2
A     4        0x0000000000000044  1051612778.600469  1051612786.610023  8.009554  1           2        eth:arp        00:d0:59:aa:af:80                    00:d0:59:12:9b:01                    0x0806              0.0.0.0        --       "--"       "--"      "--"               0        0.0.0.0        --       "--"       "--"      "--"               0        0        0x00     1         00:d0:59:aa:af:80_00:d0:59:12:9b:01_5                                        AmbitMic_AmbitMic                  0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            0x81     1          0x0006     4            00:d0:59:aa:af:80_192.168.1.1_5;00:20:78:d9:0d:db_192.168.1.1_0;00:d0:59:12:9b:01_192.168.1.103_3;00:d0:59:aa:af:80_192.168.1.103_0
B     4        0x0000000000000045  1051612780.603266  1051612784.607832  4.004566  1           2        eth:arp        00:d0:59:12:9b:01                    00:d0:59:aa:af:80                    0x0806              0.0.0.0        --       "--"       "--"      "--"               0        0.0.0.0        --       "--"       "--"      "--"               0        0        0x00     1         00:d0:59:12:9b:01_00:d0:59:aa:af:80_2                                        AmbitMic_AmbitMic                  0x00      0          0x00000000_0x00000000_0x0000  0x00000000  0                  0            0x81     1          0x0004     4            00:d0:59:12:9b:01_192.168.1.103_2;00:d0:59:aa:af:80_192.168.1.103_0;00:d0:59:aa:af:80_192.168.1.1_2;00:20:78:d9:0d:db_192.168.1.1_0
$

Have a look at the packet file. At packet number 11 the arpStat changes to ARP poison detected for the first time. See why and what happens?

$ tcol arp-poison_packets.txt
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc        ethVlanID  srcMac             dstMac             ethType  srcIP          srcIPCC  srcIPOrg         srcPort  dstIP          dstIPCC  dstIPOrg         dstPort  l4Proto  srcManuf  dstManuf  icmpType  icmpCode  icmpPFindex  arpStat  arpHwType  arpProtoType  arpHwSize  arpProtoSize  arpOpcode  arpSenderMAC       arpSenderIP    arpTargetMAC       arpTargetIP    l7Content
1       1        0x0400000000004000  1051612777.463919  0.000000  0.000000      3        eth:ipv4:icmp             00:d0:59:aa:af:80  00:20:78:d9:0d:db  0x0800   192.168.1.102  07       Private network           192.168.1.1    07       Private network           1        AmbitMic  Runtop    8         0                                                                                                                                                                
2       1        0x0400000000004001  1051612777.464716  0.000000  0.000000      3        eth:ipv4:icmp             00:20:78:d9:0d:db  00:d0:59:aa:af:80  0x0800   192.168.1.1    07       Private network           192.168.1.102  07       Private network           1        Runtop    AmbitMic  0         0                                                                                                                                                                
3       2        0x0400000000004000  1051612778.594407  0.000000  0.000000      3        eth:ipv4:icmp             00:d0:59:aa:af:80  00:20:78:d9:0d:db  0x0800   192.168.1.103  07       Private network           192.168.1.1    07       Private network           1        AmbitMic  Runtop    8         0                                                                                                                                                                
4       2        0x0400000000004001  1051612778.595301  0.000000  0.000000      3        eth:ipv4:icmp             00:20:78:d9:0d:db  00:d0:59:aa:af:80  0x0800   192.168.1.1    07       Private network           192.168.1.103  07       Private network           1        Runtop    AmbitMic  0         0                                                                                                                                                                
5       2        0x0400000000004001  1051612778.597199  0.001898  0.001898      3        eth:ipv4:icmp             00:d0:59:aa:af:80  00:d0:59:12:9b:01  0x0800   192.168.1.1    07       Private network           192.168.1.103  07       Private network           1        AmbitMic  AmbitMic  8         0                                                                                                                                                                
6       3        0x0000000000000044  1051612778.598469  0.000000  0.000000      2        eth:arp                   00:d0:59:aa:af:80  00:20:78:d9:0d:db  0x0806                                                                                                                AmbitMic  Runtop                                     0x01     1          0x0800        6          4             2          00:d0:59:aa:af:80  192.168.1.103  00:20:78:d9:0d:db  192.168.1.1    ..........Y......g. x.\r...........................
7       4        0x0000000000000044  1051612778.600469  0.000000  0.000000      2        eth:arp                   00:d0:59:aa:af:80  00:d0:59:12:9b:01  0x0806                                                                                                                AmbitMic  AmbitMic                                   0x81     1          0x0800        6          4             2          00:d0:59:aa:af:80  192.168.1.1    00:d0:59:12:9b:01  192.168.1.103  ..........Y.........Y......g......................
8       2        0x0400100000004001  1051612778.699841  0.102642  0.104540      3        eth:ipv4:icmp             00:d0:59:aa:af:80  00:d0:59:12:9b:01  0x0800   192.168.1.1    07       Private network           192.168.1.103  07       Private network           1        AmbitMic  AmbitMic  0         0                                                                                                                                                                
9       3        0x0000000000000044  1051612780.601041  2.002572  2.002572      2        eth:arp                   00:d0:59:aa:af:80  00:20:78:d9:0d:db  0x0806                                                                                                                AmbitMic  Runtop                                     0x01     1          0x0800        6          4             1          00:d0:59:aa:af:80  192.168.1.103  00:20:78:d9:0d:db  192.168.1.1    ..........Y......g. x.\r...........................
10      3        0x0000000000000045  1051612780.601770  0.000000  0.000000      2        eth:arp                   00:20:78:d9:0d:db  00:d0:59:aa:af:80  0x0806                                                                                                                Runtop    AmbitMic                                   0x01     1          0x0800        6          4             2          00:20:78:d9:0d:db  192.168.1.1    00:d0:59:aa:af:80  192.168.1.103  ......... x.\r.......Y......g......................
11      4        0x0000000000000044  1051612780.602852  2.002383  2.002383      2        eth:arp                   00:d0:59:aa:af:80  00:d0:59:12:9b:01  0x0806                                                                                                                AmbitMic  AmbitMic                                   0x81     1          0x0800        6          4             1          00:d0:59:aa:af:80  192.168.1.1    00:d0:59:12:9b:01  192.168.1.103  ..........Y.........Y......g......................
12      4        0x0000000000000045  1051612780.603266  0.000000  0.000000      2        eth:arp                   00:d0:59:12:9b:01  00:d0:59:aa:af:80  0x0806                                                                                                                AmbitMic  AmbitMic                                   0x81     1          0x0800        6          4             2          00:d0:59:12:9b:01  192.168.1.103  00:d0:59:aa:af:80  192.168.1.1    ..........Y......g..Y.............................
13      3        0x0000000000000044  1051612782.603278  2.002237  4.004809      2        eth:arp                   00:d0:59:aa:af:80  00:20:78:d9:0d:db  0x0806                                                                                                                AmbitMic  Runtop                                     0x01     1          0x0800        6          4             2          00:d0:59:aa:af:80  192.168.1.103  00:20:78:d9:0d:db  192.168.1.1    ..........Y......g. x.\r...........................
14      4        0x0000000000000044  1051612782.605243  2.002391  4.004774      2        eth:arp                   00:d0:59:aa:af:80  00:d0:59:12:9b:01  0x0806                                                                                                                AmbitMic  AmbitMic                                   0x81     1          0x0800        6          4             2          00:d0:59:aa:af:80  192.168.1.1    00:d0:59:12:9b:01  192.168.1.103  ..........Y.........Y......g......................
15      3        0x0000000000000044  1051612784.605667  2.002389  6.007198      2        eth:arp                   00:d0:59:aa:af:80  00:20:78:d9:0d:db  0x0806                                                                                                                AmbitMic  Runtop                                     0x01     1          0x0800        6          4             1          00:d0:59:aa:af:80  192.168.1.103  00:20:78:d9:0d:db  192.168.1.1    ..........Y......g. x.\r...........................
16      3        0x0000000000000045  1051612784.606380  4.004610  4.004610      2        eth:arp                   00:20:78:d9:0d:db  00:d0:59:aa:af:80  0x0806                                                                                                                Runtop    AmbitMic                                   0x01     1          0x0800        6          4             2          00:20:78:d9:0d:db  192.168.1.1    00:d0:59:aa:af:80  192.168.1.103  ......... x.\r.......Y......g......................
17      4        0x0000000000000044  1051612784.607630  2.002387  6.007161      2        eth:arp                   00:d0:59:aa:af:80  00:d0:59:12:9b:01  0x0806                                                                                                                AmbitMic  AmbitMic                                   0x81     1          0x0800        6          4             1          00:d0:59:aa:af:80  192.168.1.1    00:d0:59:12:9b:01  192.168.1.103  ..........Y.........Y......g......................
18      4        0x0000000000000045  1051612784.607832  4.004566  4.004566      2        eth:arp                   00:d0:59:12:9b:01  00:d0:59:aa:af:80  0x0806                                                                                                                AmbitMic  AmbitMic                                   0x81     1          0x0800        6          4             2          00:d0:59:12:9b:01  192.168.1.103  00:d0:59:aa:af:80  192.168.1.1    ..........Y......g..Y.............................
19      3        0x0000000000000044  1051612786.608058  2.002391  8.009589      2        eth:arp                   00:d0:59:aa:af:80  00:20:78:d9:0d:db  0x0806                                                                                                                AmbitMic  Runtop                                     0x01     1          0x0800        6          4             2          00:d0:59:aa:af:80  192.168.1.103  00:20:78:d9:0d:db  192.168.1.1    ..........Y......g. x.\r...........................
20      4        0x0000000000000044  1051612786.610023  2.002393  8.009554      2        eth:arp                   00:d0:59:aa:af:80  00:d0:59:12:9b:01  0x0806                                                                                                                AmbitMic  AmbitMic                                   0x81     1          0x0800        6          4             2          00:d0:59:aa:af:80  192.168.1.1    00:d0:59:12:9b:01  192.168.1.103  ..........Y.........Y......g......................
$
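To see why bit 7 flips and which packet trips it, here is an added example (my own Python, not Tranalyzer's arpDecode code) that replays the ARP rows of the packet file above, constructed inline, through a simplified flow-based ARP watch following the arpStat bit semantics and the arpMac_Ip_Cnt listing shown earlier. The conflict and counting rules it uses are inferred from the output above, not taken from the plugin source.

```python
"""Flow-based ARP watch modelled on the arpStat bits shown above.
Added example for this tutorial, not Tranalyzer's arpDecode source. It replays
the ARP rows of arp-poison_packets.txt (constructed inline from the tcol output),
keeps a global table of MAC<->IP bindings and flags the flow whose packet adds a
binding that disagrees with one already learned (0x01 = ARP detected, 0x80 = ARP
spoofing, as in the tawk -V arpStat=0x81 table). Counting rule inferred from
arpMac_Ip_Cnt: sender pair counts for every ARP packet, target pair only for
replies (arpOpcode 2). Flows are keyed by flowInd, so A and B are aggregated.
"""
from collections import defaultdict

ARP_DETECTED = 0x01
ARP_SPOOFING = 0x80
REPLY = 2

# Constructed from packets 6-12 of the packet file above:
# (pktNo, flowInd, arpOpcode, arpSenderMAC, arpSenderIP, arpTargetMAC, arpTargetIP)
ARP_PACKETS = [
    (6,  3, 2, "00:d0:59:aa:af:80", "192.168.1.103", "00:20:78:d9:0d:db", "192.168.1.1"),
    (7,  4, 2, "00:d0:59:aa:af:80", "192.168.1.1",   "00:d0:59:12:9b:01", "192.168.1.103"),
    (9,  3, 1, "00:d0:59:aa:af:80", "192.168.1.103", "00:20:78:d9:0d:db", "192.168.1.1"),
    (10, 3, 2, "00:20:78:d9:0d:db", "192.168.1.1",   "00:d0:59:aa:af:80", "192.168.1.103"),
    (11, 4, 1, "00:d0:59:aa:af:80", "192.168.1.1",   "00:d0:59:12:9b:01", "192.168.1.103"),
    (12, 4, 2, "00:d0:59:12:9b:01", "192.168.1.103", "00:d0:59:aa:af:80", "192.168.1.1"),
]

def arp_watch(packets):
    """Return (flow_status, flow_pairs, first_alarm_pkt).
    flow_status:     flowInd -> arpStat bits
    flow_pairs:      flowInd -> {(mac, ip): count}, the arpMac_Ip_Cnt equivalent
    first_alarm_pkt: pktNo whose binding first set ARP_SPOOFING, or None
    """
    mac_to_ips = defaultdict(set)  # global: MAC -> every IP it was bound to
    ip_to_macs = defaultdict(set)  # global: IP  -> every MAC it was bound to
    flow_status = defaultdict(int)
    flow_pairs = defaultdict(lambda: defaultdict(int))
    first_alarm_pkt = None
    for pkt_no, flow, opcode, smac, sip, tmac, tip in packets:
        flow_status[flow] |= ARP_DETECTED
        bindings = [(smac, sip)] + ([(tmac, tip)] if opcode == REPLY else [])
        for mac, ip in bindings:
            flow_pairs[flow][(mac, ip)] += 1
            is_new = ip not in mac_to_ips[mac]
            # A binding never seen before that contradicts what this MAC or this
            # IP was bound to earlier is the poison signature.
            if is_new and (mac_to_ips[mac] or ip_to_macs[ip]):
                flow_status[flow] |= ARP_SPOOFING
                if first_alarm_pkt is None:
                    first_alarm_pkt = pkt_no
                # Record the competing bindings in this flow with count 0, like
                # the 0-count entries of flow 4 in the flow file above.
                for other_mac in ip_to_macs[ip]:
                    flow_pairs[flow].setdefault((other_mac, ip), 0)
                for other_ip in mac_to_ips[mac]:
                    flow_pairs[flow].setdefault((mac, other_ip), 0)
            mac_to_ips[mac].add(ip)
            ip_to_macs[ip].add(mac)
    return flow_status, flow_pairs, first_alarm_pkt

def arp_mac_ip_cnt(pairs):
    """Render a flow's pairs like the arpMac_Ip_Cnt column: mac_ip_count;..."""
    return ";".join(f"{mac}_{ip}_{n}" for (mac, ip), n in pairs.items())

if __name__ == "__main__":
    status, pairs, first = arp_watch(ARP_PACKETS)
    for flow in sorted(status):
        print(f"flow {flow}: arpStat 0x{status[flow]:02x}  {arp_mac_ip_cnt(pairs[flow])}")
    print(f"ARP spoofing first flagged at packet {first}")
```

Compare the printed arpStat per flow and the packet number with the arpStat column of the packet file above; flow 3 stays at 0x01 because its bindings were learned first, while flow 4 carries the contradicting ones.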

Is there more?

Have fun analyzing.