
Arp Storm (Cyber Talents)

cybertalents

An attacker in the network is trying to poison the arp table of 11.0.0.100, the admin captured this PCAP.

After downloading the PCAP file, we open it in Wireshark:

It looks like a big puzzle.

Looking through the frames, we notice that the only field that changes from one packet to the next is the ARP opcode:

So we will use tshark. Install it as follows; you can also run tshark --help to learn more.

In the help output you will find: Input file: -r, --read-file

tshark -r ARP+Storm.pcap

We now need to output the individual numbers. I tried to use the cut command, but it did not work, so after searching:

$ tshark -r ARP+Storm.pcap -Tfields -e arp.opcode | awk '{printf("%c",$1)}'

This command reads the ARP packets from the file ARP+Storm.pcap with tshark and prints the opcode of each one to the console as a character.

Here's a breakdown of the command:

tshark: a command-line tool for capturing and analyzing network traffic.
-r ARP+Storm.pcap: the file to read the captured traffic from; in this case it is called ARP+Storm.pcap.
-Tfields: tells tshark to print the output in a field-based format, one line per packet.
-e arp.opcode: the field to print from each packet; in this case the ARP opcode.
awk '{printf("%c",$1)}': uses awk to process the output from tshark.

awk takes the first field of each line (the ARP opcode) and prints it as a single character: with %c, printf emits the character whose code is the numeric value, not the digit itself. The standard opcodes are:

1: Request
2: Reply
3: RARP Request
4: RARP Reply

In a genuine ARP storm you would expect the capture to be dominated by opcodes 1 and 2, because the attacker floods the network with requests and spoofed replies; those values would print as unprintable control characters. In this PCAP the opcode field is being abused to carry data instead: each packet's opcode is a byte of a hidden message, which is why reading the values as character codes makes the text appear.
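To show the same extraction without depending on tshark, and to add the two checks a defender would run on such a capture, here is an added example (my own code, not part of the original writeup and not the challenge file). It parses a classic pcap, pulls the ARP opcode of every frame exactly as -e arp.opcode does, flags opcodes outside the legitimate 1–4 range, and looks for the poisoning pattern from the challenge description: more than one MAC claiming the same IP in replies sent to 11.0.0.100. The capture it analyses is constructed inline; the gateway address 11.0.0.1, the MAC addresses and the hidden text "hidden" are all assumptions.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply"}


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying a 28-byte Ethernet/IPv4 ARP packet."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, oper
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def build_pcap(frames):
    """Classic little-endian pcap (magic 0xA1B2C3D4), link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield raw Ethernet frames from classic pcap bytes, either byte order."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def arp_records(pcap):
    """Parse every ARP frame into (opcode, sender_mac, sender_ip, target_ip)."""
    recs = []
    for f in iter_frames(pcap):
        if len(f) < 42 or struct.unpack("!H", f[12:14])[0] != ETHERTYPE_ARP:
            continue
        opcode = struct.unpack("!H", f[20:22])[0]      # 'oper' field of the ARP header
        sha = ":".join(f"{b:02x}" for b in f[22:28])
        spa = ".".join(str(b) for b in f[28:32])
        tpa = ".".join(str(b) for b in f[38:42])
        recs.append((opcode, sha, spa, tpa))
    return recs


def arp_opcodes(pcap):
    """The field tshark prints with -T fields -e arp.opcode, in frame order."""
    return [r[0] for r in arp_records(pcap)]


def opcodes_to_text(opcodes):
    """What awk '{printf("%c",$1)}' does: each opcode becomes a character code."""
    return "".join(chr(op) if op < 256 else "?" for op in opcodes)


def anomalous_opcodes(opcodes):
    """Opcodes no real ARP/RARP exchange uses: a sign the field carries data."""
    return [op for op in opcodes if op not in ARP_OPCODES]


def poison_suspects(pcap, victim_ip):
    """IPs advertised to the victim by more than one MAC (ARP spoofing pattern)."""
    seen = defaultdict(set)
    for opcode, sha, spa, tpa in arp_records(pcap):
        if opcode == 2 and tpa == victim_ip:
            seen[spa].add(sha)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def sample_pcap():
    """Constructed capture (assumed addresses, not the challenge file): one normal
    request, a legitimate reply, a spoofed reply from a second MAC, and frames
    whose opcode holds a byte of the hidden text."""
    mac_a, mac_b = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    mac_victim, bcast = bytes.fromhex("0200000000cc"), b"\xff" * 6
    ip_gw, ip_victim = bytes([11, 0, 0, 1]), bytes([11, 0, 0, 100])
    frames = [
        build_arp_frame(1, mac_victim, ip_victim, bcast, ip_gw),
        build_arp_frame(2, mac_a, ip_gw, mac_victim, ip_victim),
        build_arp_frame(2, mac_b, ip_gw, mac_victim, ip_victim),
    ]
    frames += [build_arp_frame(c, mac_b, ip_gw, mac_victim, ip_victim) for c in b"hidden"]
    return build_pcap(frames)


if __name__ == "__main__":
    ops = arp_opcodes(sample_pcap())
    print("opcodes:", ops)
    print("as text:", repr(opcodes_to_text(ops)))
    print("anomalous:", anomalous_opcodes(ops))
    print("poison suspects:", poison_suspects(sample_pcap(), "11.0.0.100"))
```

To run it against the real challenge file, replace sample_pcap() with open("ARP+Storm.pcap", "rb").read(); anomalous_opcodes() then tells you at a glance whether the field is carrying smuggled bytes before you bother decoding them, and poison_suspects() gives you the conflicting sender MACs for 11.0.0.100 that the challenge description is about.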

We will also use https://cyberchef.org/ to decode the extracted values.

With that, we have reached the correct conclusion.

That's it, see you in other reports!

See you later, bro

Abdelwahab_Shandy

AS_Cyber