Python ARP Spoofing Detection Tool - Network Security Monitoring

import threading
import time
import tkinter as tk
import netifaces
from scapy.all import ARP, sr1, Ether
from getmac import getmacbyip

class ArpDetectorPage:
    def __init__(self, master, timeout):
        self.master = master
        self.timeout = timeout
        self.interface = 'ens33'
        self.ip_mac_map = {}
        self.attacker_ip = None
        self.attacker_mac = None
        self.thread = None
        self.stop_event = threading.Event()
        self.timer = 0

        self.frame = tk.Frame(self.master)
        self.frame.pack()

        self.status_label = tk.Label(self.frame, text='Idle')
        self.status_label.pack()

        self.start_button = tk.Button(self.frame, text='Start', command=self.start_detection)
        self.start_button.pack()

        self.stop_button = tk.Button(self.frame, text='Stop', command=self.stop_detection, state=tk.DISABLED)
        self.stop_button.pack()

    def start_detection(self):
        self.status_label.config(text='Running')
        self.start_button.config(state=tk.DISABLED)
        self.stop_button.config(state=tk.NORMAL)

        self.thread = threading.Thread(target=self.run)
        self.thread.start()

    def stop_detection(self):
        self.status_label.config(text='Idle')
        self.start_button.config(state=tk.NORMAL)
        self.stop_button.config(state=tk.DISABLED)

        self.stop_event.set()
        self.thread.join()

    def run(self):
        self.attacker_ip = netifaces.ifaddresses(self.interface)[netifaces.AF_INET][0]['addr']
        self.attacker_mac = getmacbyip(self.attacker_ip)
        print(f'Attacker IP: {self.attacker_ip}, MAC: {self.attacker_mac}')

        while not self.stop_event.is_set():
            self.scan_network()
            self.detect_arp_spoofing()
            time.sleep(5)
            self.timer += 5
            if self.timer >= self.timeout:
                print('No ARP spoofing detected')
                self.stop_event.set()

    def scan_network(self):
        for ip in netifaces.ifaddresses(self.interface)[netifaces.AF_INET][0]['addr'].split('.')[:-1]:
            for i in range(1, 255):
                target_ip = f'{ip}.{i}'
                if target_ip != self.attacker_ip:
                    arp_request = ARP(pdst=target_ip)
                    arp_reply = sr1(arp_request, timeout=1, verbose=0)
                    if arp_reply and arp_reply.hwsrc not in ('00:00:00:00:00:00', self.attacker_mac):
                        self.ip_mac_map[target_ip] = arp_reply.hwsrc

    def detect_arp_spoofing(self):
        for target_ip, target_mac in self.ip_mac_map.items():
            arp_request = ARP(op=1, pdst=target_ip, hwdst=target_mac, psrc=self.attacker_ip, hwsrc=self.attacker_mac)
            arp_reply = sr1(arp_request, timeout=1, verbose=0)
            if arp_reply and arp_reply.hwsrc != target_mac:
                print(f'ARP spoofing detected: {target_ip} ({target_mac}) -> {arp_reply.hwsrc}')

class ArpDetectorPageUI:
    def __init__(self, master):
        self.master = master
        self.master.title('ARP Detector')
        self.master.geometry('400x150')

        self.timeout_label = tk.Label(self.master, text='Detection Time (s)')
        self.timeout_label.pack()
        self.timeout_entry = tk.Entry(self.master)
        self.timeout_entry.pack()

        self.start_button = tk.Button(self.master, text='Start', command=self.start_detection)
        self.start_button.pack()

    def start_detection(self):
        timeout = int(self.timeout_entry.get())
        self.master.withdraw()
        ArpDetectorPage(self.master, timeout)

root = tk.Tk()
arp_detector_ui = ArpDetectorPageUI(root)
root.mainloop()

The code utilizes the following libraries:

• threading: For creating and managing threads for background monitoring.
• time: To introduce delays in the monitoring loop.
• tkinter: To build the graphical user interface (GUI) for the tool.
• netifaces: To retrieve network interface details and addresses.
• Scapy: A powerful Python library for crafting and sending network packets, particularly ARP requests.
• getmac: To obtain MAC addresses based on IP addresses.

The ArpDetectorPage class is responsible for the actual ARP detection logic, while the ArpDetectorPageUI class manages the GUI, including user input for the detection time and button actions to start and stop the detection process.

Key features:

• Network Scanning: The tool scans the local network for active devices by sending ARP requests and collecting responses, building a map of IP addresses to MAC addresses.
• ARP Spoofing Detection: It compares the MAC address obtained from ARP requests to the expected MAC addresses in the map. Any discrepancies indicate potential ARP spoofing attempts.
• User-friendly Interface: The Tkinter-based GUI provides a simple way to start and stop detection, and set the monitoring duration.
• Real-time Monitoring: The detection process runs in the background, constantly checking for spoofed ARP packets.
• Status Updates: The GUI updates the status of the tool, indicating when it is running, idle, or if any spoofing events are detected.

This script provides a basic implementation for ARP spoofing detection, and can be extended to include more advanced features such as logging, alert notifications, and automatic countermeasures.