Top Forums Programming Manipulate the Linux ARP Cache in C Post 302356687 by semash! on Saturday 26th of September 2009 09:40:01 PM
Old 09-26-2009
Hello everybody,

Finally, I came up with how to do it. It's not the way I thought it was going to be, but it works.

The solution is in SIOCxARP. My program's algorithm listens for ARP traffic, and when it receives a valid frame, it uses SIOCSARP to add an entry to the ARP cache. The kernel does it before, but just in case, this will overwrite it.

When it detects a malicious frame, it uses SIOCDARP to delete the entry previously created by the kernel in the cache, so the ARP attack has no impact on the secured host.

Thank you VERY MUCH for your help, fpmurphy, Corona688.
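
The two cache operations described in this post, as an added example that is not the poster's program: Linux wrappers around SIOCSARP and SIOCDARP using glibc's struct arpreq. The interface name "eth0", the IP and the MAC are constructed sample values, how a frame is judged valid or malicious is left out, and both ioctls need root (CAP_NET_ADMIN).

```c
#include <arpa/inet.h>
#include <net/if_arp.h>   /* struct arpreq, ATF_COM, ARPHRD_ETHER */
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse "aa:bb:cc:dd:ee:ff"; returns 0 on success, -1 on malformed input. */
int parse_mac(const char *s, unsigned char mac[6]) {
    char extra;   /* catches trailing characters after the sixth octet */
    return sscanf(s, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx%c", &mac[0], &mac[1],
                  &mac[2], &mac[3], &mac[4], &mac[5], &extra) == 6 ? 0 : -1;
}

/* Fill an arpreq for ip on dev; mac may be NULL for a delete request. */
int build_arpreq(struct arpreq *req, const char *ip, const unsigned char *mac,
                 const char *dev, int flags) {
    struct sockaddr_in *pa = (struct sockaddr_in *)&req->arp_pa;
    memset(req, 0, sizeof(*req));
    pa->sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &pa->sin_addr) != 1) return -1;
    req->arp_ha.sa_family = ARPHRD_ETHER;   /* Linux: hardware type of dev */
    if (mac) memcpy(req->arp_ha.sa_data, mac, 6);
    req->arp_flags = flags;
    snprintf(req->arp_dev, sizeof(req->arp_dev), "%s", dev);
    return 0;
}

/* Overwrite the cache entry with a mapping the monitor accepted as valid. */
int arp_pin(int s, const char *ip, const unsigned char *mac, const char *dev) {
    struct arpreq req;
    if (build_arpreq(&req, ip, mac, dev, ATF_COM) != 0) return -1;
    return ioctl(s, SIOCSARP, &req);
}

/* Delete the entry the kernel learned from a frame judged malicious. */
int arp_drop(int s, const char *ip, const char *dev) {
    struct arpreq req;
    if (build_arpreq(&req, ip, NULL, dev, 0) != 0) return -1;
    return ioctl(s, SIOCDARP, &req);
}

int main(void) {   /* constructed sample values; "eth0" is an assumed name */
    unsigned char mac[6];
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0 || parse_mac("02:00:00:aa:bb:cc", mac) != 0) return 1;
    if (arp_pin(s, "192.0.2.10", mac, "eth0") != 0) perror("SIOCSARP");
    if (arp_drop(s, "192.0.2.10", "eth0") != 0) perror("SIOCDARP");
    return close(s);
}
```

Passing ATF_COM | ATF_PERM instead of ATF_COM makes the pinned entry permanent, so later ARP replies cannot replace it.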
 

arp(4p) 																   arp(4p)

Name
       arp - Address Resolution Protocol

Syntax
       pseudo-device ether

Description
       The  ARP  protocol  is used to map dynamically between DARPA Internet and 10Mb/s Ethernet addresses.  It is used by all the 10Mb/s Ethernet
       interface drivers.

       The ARP protocol caches Internet-Ethernet address mappings.  When an interface requests a mapping for an address  not  in  the  cache,  ARP
       queues  the  message  which  requires  the mapping and broadcasts a message on the associated network requesting the address mapping.  If a
       response is provided, the new mapping is cached and any pending messages are transmitted.  The ARP protocol queues only the  most  recently
       ``transmitted'' packet while waiting for a mapping request to be responded to.

       To  enable  communications  with  systems which do not use ARP, ioctls are provided to enter and delete entries in the Internet-to-Ethernet
       tables.	The usage is:
       #include <sys/ioctl.h>
       #include <sys/socket.h>
       #include <net/if.h>
       struct arpreq arpreq;

       ioctl(s, SIOCSARP, (caddr_t)&arpreq);
       ioctl(s, SIOCGARP, (caddr_t)&arpreq);
       ioctl(s, SIOCDARP, (caddr_t)&arpreq);

       Each ioctl takes the same structure as an argument.  SIOCSARP sets an ARP entry, SIOCGARP gets an ARP entry, and SIOCDARP  deletes  an  ARP
       entry.  These ioctls may be applied to any socket descriptor s, but only by the superuser.  The arpreq structure contains:
       /*
        * ARP ioctl request
        */
       struct arpreq {
           struct sockaddr   arp_pa;     /* protocol address */
           struct sockaddr   arp_ha;     /* hardware address */
           int               arp_flags;  /* flags */
       };
       /*  arp_flags field values */
       #define ATF_COM   2   /* completed entry (arp_ha valid) */
       #define ATF_PERM  4   /* permanent entry */
       #define ATF_PUBL  8   /* publish (respond for other host) */

       The  address family for the arp_pa sockaddr must be AF_INET; for the arp_ha sockaddr, it must be AF_UNSPEC.  The only flag bits that can be
       written are ATF_PERM and ATF_PUBL.  ATF_PERM causes the entry to be permanent if the ioctl call succeeds.  The ioctl may fail if more  than
       four  permanent Internet host addresses hash to the same slot.  ATF_PUBL specifies that the ARP code should respond to ARP requests for the
       indicated host coming from other machines.  This lets a SUN act as an ARP server, which can be used to make an ARP-only machine talk  to  a
       non-ARP machine.

       The ARP protocol watches passively for a host that responds to an ARP mapping request for the local host's address.

Restrictions
       ARP  packets  on the Ethernet use only 42 bytes of data.  The smallest legal Ethernet packet is 60 bytes, however, not including CRC.  Some
       systems may not enforce the minimum packet size.

Diagnostics
       duplicate IP address!! sent from Ethernet address: %x:%x:%x:%x:%x:%x
       ARP has discovered another host on the local network that responds to mapping requests for its own Internet address.

See Also
       inet(4f), arp(8c), ifconfig(8c)
