## **ARP Sniffing: An Overview**
**ARP Sniffing** is a technique where a machine listens to the ARP (Address Resolution Protocol) messages on a network to capture IP-to-MAC address mappings. It can help monitor devices on the network, identify potential attackers, or analyze network traffic.

ARP sniffing by itself is passive: it only observes traffic. In an ARP spoofing (poisoning) attack, which sniffing often precedes, an attacker sends forged ARP messages to manipulate hosts' ARP caches, redirecting the traffic between a victim and a gateway.

⚠ **Disclaimer:** ARP sniffing should only be done in **authorized penetration testing environments** or for **educational purposes**. Unauthorized ARP sniffing is illegal.

## **Performing ARP Sniffing with Built-in Tools and Python**

### **1. Using Built-in Tools**

#### **Method 1: Using `tcpdump` to Capture ARP Packets**

`tcpdump` is a network packet analyzer that can capture ARP packets on the network.

**Steps:**
1. **Install tcpdump** (if not installed):

   ```bash
   sudo apt-get install tcpdump
   ```

2. **Capture ARP traffic**:
   To capture only ARP packets, use the following command:

   ```bash
   sudo tcpdump -i eth0 arp
   ```

   Replace `eth0` with the network interface you wish to monitor. This command will display all ARP traffic, including requests and replies.

3. **Save captured ARP traffic to a file**:
   If you want to save the ARP packets for further analysis, you can write them to a `.pcap` file:

   ```bash
   sudo tcpdump -i eth0 arp -w arp_traffic.pcap
   ```

4. **Analyzing captured ARP packets**:
   Open the `.pcap` file using **Wireshark** for detailed analysis:

   ```bash
   wireshark arp_traffic.pcap
   ```

#### **Method 2: Using `Wireshark` for ARP Sniffing**
Wireshark is a GUI-based tool for detailed analysis of network traffic, including ARP packets.

**Steps:**
1. **Install Wireshark**:

   ```bash
   sudo apt-get install wireshark
   ```

2. **Start Wireshark**:
   Launch Wireshark and select the network interface you want to monitor.

3. **Apply ARP filter**:
   In the display filter bar at the top of Wireshark, enter the following filter to show only ARP packets:
   ```text
   arp
   ```

4. **Analyze ARP Packets**:
   - Look for ARP requests (`Who has`) and ARP replies (`Is at`).
   - Identify any suspicious devices that may be trying to poison ARP tables.

### **2. Using Python for ARP Sniffing with Scapy**

`Scapy` is a Python-based tool that allows you to create, manipulate, and sniff packets on a network.

#### **Install Scapy**:
If you don't have `scapy` installed, you can install it using `pip`:

```bash
pip install scapy
```

Note: you may need to restart the kernel to use updated packages.


#### **Python Script for ARP Sniffing**:
Here’s a Python script to sniff ARP packets on a network using Scapy. The script will capture and display ARP requests and replies.

```python
from scapy.all import sniff, ARP

# Define a callback function to process captured packets
def arp_sniff(packet):
    if packet.haslayer(ARP):
        if packet[ARP].op == 1:  # ARP Request
            print(f"ARP Request: {packet[ARP].psrc} is asking 'Who has' {packet[ARP].pdst}")
        elif packet[ARP].op == 2:  # ARP Reply
            print(f"ARP Reply: {packet[ARP].psrc} has address {packet[ARP].hwsrc}")

# Start sniffing ARP packets on the network
print("Starting ARP sniffing...")
sniff(prn=arp_sniff, filter="arp", store=0, iface="eth0")
```

**Explanation**:
- `sniff`: Captures packets on the specified interface.
- `arp_sniff`: Callback function that checks if the captured packet is an ARP request or reply and prints relevant information.
- `filter="arp"`: Captures only ARP packets.
- `iface="eth0"`: Specifies the network interface (replace with your actual interface).

#### **Capture and Analyze ARP Packets**:
1. **Run the script**:
   When you run the script, it will listen for ARP traffic and print out ARP requests and replies.

   ```bash
   python arp_sniff.py
   ```

2. **Stop sniffing**:
   Press `Ctrl+C` to stop the sniffing process.
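
A defensive extension of the sniffer above, as an added example that is not part of the original notebook: it parses raw ARP frames and flags an IP address whose MAC changes, or a frame whose Ethernet source disagrees with the ARP sender field, which are the signs of poisoning to look for when analyzing ARP traffic. The names `parse_arp_frame`, `ArpWatch`, `build_frame` and `demo`, and all sample addresses, are constructed for illustration.

```python
import struct

def parse_arp_frame(frame):
    """Return (op, eth_src, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    # 14-byte Ethernet header + 28-byte ARP body; EtherType 0x0806 is ARP
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    sender_ip = ".".join(str(x) for x in frame[28:32])
    return op, mac(frame[6:12]), mac(frame[22:28]), sender_ip

class ArpWatch:
    """Remembers the MAC seen for each IP and reports later disagreements."""
    def __init__(self):
        self.bindings = {}

    def observe(self, frame):
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed[3] == "0.0.0.0":  # ARP probes carry no binding
            return []
        _, eth_src, sender_mac, sender_ip = parsed
        alerts = []
        if eth_src != sender_mac:  # Ethernet header and ARP body disagree
            alerts.append(f"MISMATCH {sender_ip}: frame from {eth_src}, ARP says {sender_mac}")
        known = self.bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append(f"CHANGED {sender_ip}: {known} -> {sender_mac}")
            self.bindings[sender_ip] = sender_mac
        return alerts

def build_frame(op, eth_src, sender_mac, sender_ip, target_ip):
    """Build a constructed sample frame (illustrative data, not a real capture)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    head = b"\xff" * 6 + m(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return head + m(sender_mac) + i(sender_ip) + b"\x00" * 6 + i(target_ip)

def demo():
    gw, other = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"  # constructed addresses
    frames = [build_frame(2, gw, gw, "192.168.1.1", "192.168.1.50"),       # baseline reply
              build_frame(1, other, other, "192.168.1.50", "192.168.1.1"), # normal request
              build_frame(2, other, other, "192.168.1.1", "192.168.1.50")] # same IP, new MAC
    watch = ArpWatch()
    return [alert for frame in frames for alert in watch.observe(frame)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

To feed it from the Scapy sniffer, pass `bytes(packet)` to `ArpWatch.observe` inside the callback. A `CHANGED` alert can also come from legitimate events such as DHCP reassignment or gateway failover, so treat it as a lead to verify.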

### **3. ARP Sniffing Ethics and Network Restoration**
- **ARP Poisoning and Spoofing**: The IP-to-MAC mappings gathered by ARP sniffing can be used to prepare ARP poisoning attacks, which redirect traffic to malicious actors. Be sure to use this technique only in a **controlled, authorized environment**.
  
- **Restoring ARP Tables**: Passive sniffing does not change any ARP table. After a poisoning test, restore the correct ARP mappings to avoid disruption in the network. On Linux, the following command deletes the entry for the target so that the host resolves the address again:

  ```bash
  sudo arp -d <target-ip>
  ```

  Alternatively, you can use `scapy` to send correct ARP responses to restore the network.

### **Conclusion**
- **Method 1 (tcpdump)**: Quick and easy for capturing ARP packets.
- **Method 2 (Wireshark)**: Provides an advanced GUI for analyzing ARP traffic.
- **Method 3 (Python with Scapy)**: Customizable and automated ARP sniffing using Python scripting.