From 0b02af616a82609fd1640788a40b96ad0ecb2b7a Mon Sep 17 00:00:00 2001 From: Matias Fontanini Date: Tue, 29 Oct 2013 21:10:11 -0300 Subject: [PATCH] Added ARP monitor example. --- examples/Makefile.in | 5 +++- examples/arpmonitor.cpp | 63 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 examples/arpmonitor.cpp diff --git a/examples/Makefile.in b/examples/Makefile.in index fc5b107..bceb7bc 100644 --- a/examples/Makefile.in +++ b/examples/Makefile.in @@ -1,7 +1,7 @@ CXX=@CXX@ CXXFLAGS=-Wall @CXXFLAGS@ LDFLAGS=-ltins -EXECUTABLES=arpspoofing portscan traceroute beacon_display dns_queries dns_spoof wps_detect +EXECUTABLES=arpspoofing arpmonitor portscan traceroute beacon_display dns_queries dns_spoof wps_detect all: $(EXECUTABLES) @@ -12,6 +12,9 @@ recompile: clean all arpspoofing: $(CXX) arpspoofing.cpp -o arpspoofing $(CXXFLAGS) $(LDFLAGS) +arpmonitor: + $(CXX) arpmonitor.cpp -o arpmonitor -std=c++0x $(CXXFLAGS) $(LDFLAGS) + dns_queries: $(CXX) dns_queries.cpp -o dns_queries -std=c++0x $(CXXFLAGS) $(LDFLAGS) diff --git a/examples/arpmonitor.cpp b/examples/arpmonitor.cpp new file mode 100644 index 0000000..7917925 --- /dev/null +++ b/examples/arpmonitor.cpp 
@@ -0,0 +1,63 @@
+#include
+#include
+#include
+#include
+
+using namespace Tins;
+
+class arp_monitor {
+public:
+ void run(Sniffer &sniffer);
+private:
+ bool callback(const PDU &pdu);
+
+ std::map> addresses;
+};
+
+void arp_monitor::run(Sniffer &sniffer)
+{
+ sniffer.sniff_loop(
+ std::bind(
+ &arp_monitor::callback,
+ this,
+ std::placeholders::_1
+ )
+ );
+}
+
+bool arp_monitor::callback(const PDU &pdu)
+{
+ // Retrieve the ARP layer
+ const ARP &arp = pdu.rfind_pdu();
+ // Is it an ARP reply?
+ if(arp.opcode() == ARP::REPLY) {
+ // Let's check if there's already an entry for this address
+ auto iter = addresses.find(arp.sender_ip_addr());
+ if(iter == addresses.end()) {
+ // We haven't seen this address. Save it.
+ addresses.insert({ arp.sender_ip_addr(), arp.sender_hw_addr()});
+ std::cout << "[INFO] " << arp.sender_ip_addr() << " is at "
+ << arp.sender_hw_addr() << std::endl;
+ }
+ else {
+ // We've seen this address. If it's not the same HW address, inform it
+ if(arp.sender_hw_addr() != iter->second) {
+ std::cout << "[WARNING] " << arp.sender_ip_addr() << " is at "
+ << iter->second << " but also at " << arp.sender_hw_addr()
+ << std::endl;
+ }
+ }
+ }
+ return true;
+}
+
+int main(int argc, char *argv[])
+{
+ if(argc != 2) {
+ std::cout << "Usage: " << *argv << " \n";
+ return 1;
+ }
+ arp_monitor monitor;
+ Sniffer sniffer(argv[1], 2000, true, "arp");
+ monitor.run(sniffer);
+}
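Review bot: The `arp.opcode() == ARP::REPLY` test in `arp_monitor::callback` means a changed IP-to-MAC binding announced in an ARP request is never compared against `addresses`, although the RFC 826 receive algorithm refreshes an existing cache entry from the sender fields whatever the opcode. As a detection example it would cover more by accepting both opcodes, e.g. `if(arp.opcode() == ARP::REPLY || arp.opcode() == ARP::REQUEST) {`, while skipping address probes whose sender IP is 0.0.0.0 so they do not collide in the map. Separately, the `else` branch never updates the stored entry and has no rate limit, so after one conflict every further packet from the second address prints the same `[WARNING]` and whichever address was seen first stays the trusted baseline; a comment such as `// first-seen binding is kept as the baseline; a conflict is reported on every packet` would at least document that. The output lines also carry no timestamp, which makes them hard to correlate with other logs.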