Hello fpmurphy, Thanks for reply.

Yes, i am aware of IPv6 and the Neightbor Discovery Protocol, but i'm totally sure that IPv4 will be with us for a long time, at least implemented on corporative LANs because of its simplicity and short address size.

About CAP_NET_ADMIN, yes, the user must be root to run the application i'm designing, i think this won't be a problem, because if you want to secure the host i think you would be the sysadmin.

Didn't think about this IOCTL commands, it's a big step ahead, i'm reading the sources right now.

Thank you very very much!

Hello everybody,

Finally, i came up with how to do it, it's not the way i thought it was going to be, but it works.

The solution is in SIOCxARP. My program's algorithm listens for ARP traffic, and when receives a valid frame, uses SIOCSARP to add an entry to the ARP cache. The kernel does it before, but just in case, this will overwrite it.

When it detects a malicious frame, it uses SIOCDARP to delete the entry previously created by the kernel in the cache, so the ARP attack has no impact over the secured host.

Thank you VERY MUCH for your help, fpmurphy, Corona688.

Hello everybody,

Finally, i came up with how to do it, it's not the way i thought it was going to be, but it works.

The solution is in SIOCxARP. My program's algorithm listens for ARP traffic, and when receives a valid frame, uses SIOCSARP to add an entry to the ARP cache. The kernel does it before, but just in case, this will overwrite it.

When it detects a malicious frame, it uses SIOCDARP to delete the entry previously created by the kernel in the cache, so the ARP attack has no impact over the secured host.

Thank you VERY MUCH for your help, fpmurphy, Corona688.

Sounds like a fairly portable solution actually.

Semash, glad I was able to help.