Trying to sniff ARP packets using cap about cap HOT 15 CLOSED

Can you also show the code you're using that uses this function?

from cap.

var Cap = require('cap').Cap,
    decoders = require('cap').decoders,
    PROTOCOL = decoders.PROTOCOL;
    c = new Cap(),
    device = '\\Device\\NPF_{B72765D8-CD73-45E0-8723-BD121163DC18}',
    filter = 'arp',
    bufSize = 10 * 1024 * 1024,
    buffer = new Buffer(65535);
    console.log("buffer");
    c.on('packet', function(nbytes, trunc) 
    {
        console.log('packet: length ' + nbytes + ' bytes, truncated? '
        + (trunc ? 'yes\r\n' : 'no\r\n'));

        var linkType = c.open(device, filter, bufSize, buffer);
        if (linkType === 'ETHERNET') 
        console.log('Decoding ARP ...');    
        {
            var ret = decoders.Ethernet(buffer);

            if (ret.info.type === PROTOCOL.ETHERNET.ARP)
            {
                console.log('Decoding ARP ...');

                ret = decoders.ARP(buffer, ret.offset);
                console.log("sender mac address:", ret.info.hardwareAddr);
                console.log("sender Ip Address:", ret.info.senderIp);

            }
        }
    }); 

from cap.

Your c.open() is in the wrong place. You won't get any packet events until you c.open() first, so place that outside of your packet event handler.

from cap.

yeah... i got it thank. Is there any filter in cap module to filter certain "mac address" . can you add my code to your decoders source code so that it will be helpful to everyone . directly they will get ARP packets instead of going for some other modules.

from cap.

As far as the filter syntax goes, it's the same syntax that tcpdump uses. So to look for a particular mac address you should be able to use something like 'ether host aa:bb:cc:dd:ee:ff'.

from cap.

actually now able to see ARP packets . I saw in wireshark, it consists of both ethernet-2 and 802.3 packets . But using cap module i am sniffing only ethernet-2 packets. Is there any way to sniff 802.3 packets also..??

from cap.

You'd have to decode the packet differently. 802.3 is fairly similar to ethernet-2 though, so you could re-use some code. See this SO answer for details.

from cap.

Are you seeing packet events for the 802.3-encapsulated packets? As far as I know the 'arp' filter should emit packets for both types, with the difference being in the decoding of the packets as I previously noted (e.g. if the type/len field is >= 1536, it's Ethernet II). The current ethernet decoder only performs simple type/length field checking and does not handle SNAP or other fields for non-Ethernet II encapsulation.

from cap.

NO ..i am not getting 802.3 packets in any format.

from cap.

so now what shall I add to typelen in ethernet code to decode the packets...???

from cap.

what "linkType" does in function code. actually i have removed ethernet part in decoders and i have added IEEE8023 . but when i try to print linkType it still printing as ETHERNET. So I am not understanding where i have to change ETHERNET TO IEEE8023.

from cap.

Do you have a reliable way of duplicating these packets that I can use?

from cap.

since I am generating packets with local board so i can't share the packets. If you want we can make webex meeting

from cap.

@mscdex I am wondering whether or not you progressed on this one. As I need an ARP decoder for my project I have rolled my own decoding function based on the snippet @dheerajreddy1 posted. My implementation is not perfect as it might not cover all cases, but it is comparable to what node-pcap has. If you like my proposal I am happy to create a pull request.

exports.ARP = function(b, offset) {
  offset || (offset = 0);
  var ret = {
    info: {
      hardwareaddr: undefined,
      protocol: undefined,
      hdrlen: undefined,
      protlen: undefined,
      opcode: undefined,
      sendermac: '',
      senderip: '',
      targetmac: '',
      targetip: ''
    },
    offset: undefined
  };
  ret.info.hardwareaddr = b.readUInt16BE(offset, true);
  offset += 2;
  ret.info.protocol = b.readUInt16BE(offset, true);
  offset += 2;
  ret.info.hdrlen = b.readInt8(offset, true);
  offset += 1;
  ret.info.protlen = b.readInt8(offset, true);
  offset += 1;
  ret.info.opcode = b.readUInt16BE(offset, true);
  offset += 2;
  if (ret.info.hdrlen == 6 && ret.info.protlen == 4) {
    for (i = 0; i < 6; ++i) {
      ret.info.sendermac += ('00' + b[offset++].toString(16)).substr(-2);
      if (i < 5)
        ret.info.sendermac += ':';
    }

    for (i = 0; i < 4; ++i) {
      ret.info.senderip += b[offset++].toString(10);
      if (i < 3)
        ret.info.senderip += '.';
    }

    for (i = 0; i < 6; ++i) {
      ret.info.targetmac += ('00' + b[offset++].toString(16)).substr(-2);
      if (i < 5)
        ret.info.targetmac += ':';
    }

    for (i = 0; i < 4; ++i) {
      ret.info.targetip += b[offset++].toString(10);
      if (i < 3)
        ret.info.targetip += '.';
    }
  }
  ret.offset = offset;
  return ret;
};

from cap.

@mwittig If you have a working decoder, feel free to open a PR.

from cap.