ARP-Watcher

Source code

#!/usr/bin/env python
#coding:utf-8

'''This tool reports all newly connected devices to our network therefore it has to remember all IP to MAC resolutions. Additionally it can detect if a device suddenly changes its MAC address.'''
This tool reports all newly connected devices to our network
 therefore it has to remember all IP to MAC resolutions.
 Additionally it can detect if a device suddenly changes
 its MAC address.
'''

from scapy.all import sniff, ARP
from signal import signal, SIGINT
import sys

arp_watcher_db_file = "/var/cache/arp-watcher.db"
ip_mac = {}

def sig_int_handler(signum, frame):
    print "Got SIGINT. Saving ARP database..."
    try:
        f = open(arp_watcher_db_file, "w")
        for (ip, mac) in ip_mac.items():
            f.write(ip + " " + mac + "\n")

        f.close()
        print "Done."
    except IOError:
        print "Cannot write file " + arp_watcher_db_file
        sys.exit(1)

def watch_arp(pkt):
    #Got is-at pkt (ARP response)
    if  pkt[ARP].op == 2:
        print pkt[ARP].hwsrc + " " + pkt[ARP].psrc

        #Device is new. Remember it.
        if ip_mac.get(pkt[ARP].psrc) == None:
            print "Found new device " + pkt[ARP].hwsrc + " " + pkt[ARP].psrc
            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc

        #Device is known but has different IP

        elif ip_mac.get(pkt[ARP].psrc) and ip_mac[pkt[ARP].psrc] != pkt[ARP].hws
rc:
            print pkt[ARP].hwsrc + " has got new ip " + pkt[ARP].psrc + "(old "
+ ip_mac[pkt[ARP].psrc] + ")"

signal(SIGINT, sig_int_handler)

if len(sys.argv) < 2:
    print sys.argv[0] + " <iface>"
    sys.exit(0)

try:
    fh = open(arp_watcher_db_file, "r")
except IOError:
    print "Cannot read file " + arp_watcher_db_file
    sys.exit(1)

for line in fh:
    line.chomp()
    (ip, mac) = line.split(" ")
    ip_mac[IP] = mac

sniff(prn=watch_arp,filter="arp", iface=sys.argv[1], store=0)