Disable Promiscuous Mode In ScaPy

TL:DR; How to prevent ScaPy from entering promiscuous mode if I don’t need it.

I want to keep track of the machines plugged into our network. For this purpose I was using arpwatch. Arpwatch works, but I didn’t like the emails it generated, simple because they were lacking infos, like previous hostnames of a discovered ethernet address.

I was considering to write a small shell script, which uses sed and awk on arp or /proc/net/arp in order to keep track of what is happening on the network, keeping the table up-to-date with arping. But then I decided to give python a try.

As usual it was not hard to find a python package that was able to to an arping: ScaPy. Lucky me: the second example in the documentation was an arping. After digging into the scapy-code I found that the arping was already available as method, so that one can easily make use of it:

# import scapy method
from scapy.layers.l2 import arping
# run the ping
answered,unanswered = arping("")
# build tuples (hwaddress, ip) from the replies
hosts = [(host[1].hwsrc, host[1].psrc) for host in answered]

That was a walk in the park.

Unfortunately I found in my syslog:

Dec  3 10:06:37 yori kernel: [3352685.329676] device eth0 entered promiscuous mode
Dec  3 10:06:40 yori kernel: [3352687.660405] device eth0 left promiscuous mode

Obviously was scapy entering the promiscuous mode (which is needed for sniffing network packages) per default. It took me some tome to figure out how to disable it, it was easier then expected:

# import scapy config
from scapy.all import conf as scapyconf
# disable scapy promiscuous mode
scapyconf.sniff_promisc = 0

Yay. Now back to work.