mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
1.7 KiB
1.7 KiB
ARP Poisoning Detection — API Reference
Libraries
| Library | Install | Purpose |
|---|---|---|
| scapy | pip install scapy |
PCAP parsing and ARP packet analysis |
Scapy ARP Packet Fields
| Field | Description |
|---|---|
op |
Operation: 1=request, 2=reply |
hwsrc |
Source MAC address |
psrc |
Source IP address |
hwdst |
Destination MAC address |
pdst |
Destination IP address |
ARP Spoofing Indicators
| Indicator | Description | Severity |
|---|---|---|
| Duplicate MACs for IP | Same IP mapped to multiple MACs | CRITICAL |
| MAC claiming many IPs | One MAC responding for 3+ IPs | HIGH |
| Gratuitous ARP flood | Excessive unsolicited ARP replies | MEDIUM |
| ARP flip-flop | IP/MAC mapping changes rapidly | HIGH |
Scapy PCAP Analysis
from scapy.all import rdpcap, ARP
packets = rdpcap("capture.pcap")
arp_replies = [p for p in packets if ARP in p and p[ARP].op == 2]
System ARP Table
arp -a # Display ARP table
arp -d <ip> # Delete ARP entry
ip neigh show # Linux: show neighbor table
arpwatch Database Format
<mac>\t<ip>\t<timestamp>\t<hostname>
Detection Tools
| Tool | Description |
|---|---|
| arpwatch | Monitors ARP table changes, emails on flip-flop |
| arpsnitch | Real-time ARP spoofing alert |
| XArp | Advanced ARP spoofing detection |
| Snort rule | alert arp any any -> any any (msg:"ARP spoof"; ...) |