What do the attributes of the python scapy ARP packets mean? For example,
- psrc
- pdst
- hwsrc
- hwdst

I'm trying to understand ARP spoofing. I think:
- pdst is where the ARP packet should go (target),
- psrc is the IP to update in the target's arp table,
- hwsrc is the MAC corresponding to psrc, to update in the target's arp table
- hwdst is a mystery to me.

What I want to do is tell the gateway 192.168.1.254 that my MAC (aa:aa:aa:aa:aa:aa) belongs to the victim 192.168.1.100. And the reverse, to tell the victim that my MAC belongs to the gateway.
So to poison the gateway I would do this:
srp(ARP(pdst="192.168.1.254", psrc="192.168.1.100", hwsrc="aa:aa:aa:aa:aa:aa"))
Is that right? 'Cause it's not working for me (python3.6, latest scapy, kali). That is, I see no change in the gateway's arp table.
hwdst is the destination hardware address. If you are sending an ARP "who-has" request, you should just leave it at 0 (Scapy will do that by default). This field is used in "is-at" responses.
Your command (srp(ARP(pdst="192.168.1.254", psrc="192.168.1.100", hwsrc="aa:aa:aa:aa:aa:aa"))) seems correct and should do what you want. Have you checked with Wireshark or Tcpdump what the packet you send looks like?
If you have a look at the ARP page on Wikipedia, hwsrc is "Sender hardware address (SHA)", psrc is "Sender protocol address (SPA)", hwdst is "Target hardware address (THA)" and pdst is "Target protocol address (TPA)".
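Added example, not part of the original question or answer: a standard-library decoder that maps the 28-byte Ethernet/IPv4 ARP payload onto the Scapy field names discussed above, plus a check that reports when a sender IP (psrc) shows up with a different sender MAC (hwsrc), which is what a monitor watches for. The helper names and the bb:bb:bb:bb:bb:bb address are assumptions made for the example, and the sample packets are constructed.

```python
import socket
import struct

# RFC 826 layout for Ethernet/IPv4: htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload):
    """Decode an ARP payload into Scapy's field names."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": {1: "who-has", 2: "is-at"}.get(op, op),
            "hwsrc": mac(sha), "psrc": socket.inet_ntoa(spa),   # SHA, SPA
            "hwdst": mac(tha), "pdst": socket.inet_ntoa(tpa)}   # THA, TPA

def find_binding_changes(payloads):
    """Return (ip, old_mac, new_mac) whenever a sender IP appears with a new MAC."""
    seen, alerts = {}, []
    for payload in payloads:
        f = parse_arp(payload)
        ip, hw = f["psrc"], f["hwsrc"]
        if ip == "0.0.0.0":  # ARP probe: announces no sender binding
            continue
        if ip in seen and seen[ip] != hw:
            alerts.append((ip, seen[ip], hw))
        seen[ip] = hw
    return alerts

def build_sample(op, hwsrc, psrc, hwdst, pdst):
    """Pack constructed test input for the decoder (hypothetical helper)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, h(hwsrc),
                       socket.inet_aton(psrc), h(hwdst), socket.inet_aton(pdst))

# Constructed capture: 192.168.1.100 is first seen with one MAC, then another.
SAMPLES = [
    build_sample(1, "bb:bb:bb:bb:bb:bb", "192.168.1.100", "00:00:00:00:00:00", "192.168.1.254"),
    build_sample(1, "aa:aa:aa:aa:aa:aa", "192.168.1.100", "00:00:00:00:00:00", "192.168.1.254"),
]

if __name__ == "__main__":
    print(parse_arp(SAMPLES[1]))
    print(find_binding_changes(SAMPLES))
```

The second sample decodes as a "who-has" with hwdst all zeros, matching the default the answer describes.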