09-26-2009
Hello everybody,
Finally, i came up with how to do it, it's not the way i thought it was going to be, but it works.
The solution is in SIOCxARP. My program's algorithm listens for ARP traffic, and when receives a valid frame, uses SIOCSARP to add an entry to the ARP cache. The kernel does it before, but just in case, this will overwrite it.
When it detects a malicious frame, it uses SIOCDARP to delete the entry previously created by the kernel in the cache, so the ARP attack has no impact over the secured host.
Thank you VERY MUCH for your help, fpmurphy, Corona688.
10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
hi,
What is the difference between UBC cache and Metadata cache ? where can i find UBC cache Hits and Metadata cache Hits in hp-ux?
Advanced thanx for the help. (2 Replies)
Discussion started by: sushaga
2 Replies
2. Solaris
Dear all,
We are testing two of our servers for mq series connectivity. The scenario is, when one machine is shutting down it's services there are some scripts that do a dns update, which removes the ip address and relates it to the ip address of the other node on our dns server, and the update... (7 Replies)
Discussion started by: earlysame55
7 Replies
3. IP Networking
how can we spoof ethernet by ARP cache poisoning on unix through a program...
can anyone post the source code to achieve this... (1 Reply)
Discussion started by: ud4u
1 Replies
4. Linux
Hi all
I am trying to understand the kernel memory management and require assistance in this regard. Kernel first creates the cache memory to perform any subsequent allocation to processes. I could not figure out how it is accomplished. Do kernel directly allocates any hardware cache or allocates... (0 Replies)
Discussion started by: joshighanshyam
0 Replies
5. Linux
Hi all
I saw in Microsoft web site www.SysInternals.com a tool called CoreInfo from able to print out on screen the size of the Data and Instruction caches of your processor, the Locigal to Physical Processor mapping, the number of the CPU sockets. etc..
Do you know if in Linux is available a... (2 Replies)
Discussion started by: manustone
2 Replies
6. UNIX for Advanced & Expert Users
18:45:47 # free -m
total used free shared buffers cached
Mem: 96679 95909 770 0 1530 19550
-/+ buffers/cache: 74828 21851
Swap: 12287 652 11635
Hi all. The below output is from a RHEL 4.5... (0 Replies)
Discussion started by: drummerrob
0 Replies
7. Linux
Hi All,
could any one point out any open source test-suites for "File cache" testing and as well as performance test suites for the same. Currently my system is up with Linux/ext4.
Regards
Manish (0 Replies)
Discussion started by: hmanish
0 Replies
8. Linux
Hi,
We are working on OEL5.7 (Oracle Linux) OS. We have a server with 64GB RAM. When we issue free -m command which shows the used, available and cached space. Most of the space is shown in cached section, where as we are not really doing much activity on the server.
It's like cached is... (5 Replies)
Discussion started by: shrshah64
5 Replies
9. Linux
Hi,
Can any one please help me increase the arp stale time of an ipv6 interface on linux platform ?
I have tried increasing the variable gc_stale_time but that doesnt work.
Thanks (2 Replies)
Discussion started by: dkothapa
2 Replies
10. UNIX for Dummies Questions & Answers
i wish to clear memory cache on a production box and i was wondering what is the worst that can happen if i do?
i already tested this on a backup server and everything seemed fine.
but i need to know from you experts what are the worst things that can happen when i run it on a real server:
... (5 Replies)
Discussion started by: SkySmart
5 Replies
arp(4p) arp(4p)
Name
arp - Address Resolution Protocol
Syntax
pseudo-device ether
Description
The ARP protocol is used to map dynamically between DARPA Internet and 10Mb/s Ethernet addresses. It is used by all the 10Mb/s Ethernet
interface drivers.
The ARP protocol caches Internet-Ethernet address mappings. When an interface requests a mapping for an address not in the cache, ARP
queues the message which requires the mapping and broadcasts a message on the associated network requesting the address mapping. If a
response is provided, the new mapping is cached and any pending messages are transmitted. The ARP protocol queues only the most recently
``transmitted'' packet while waiting for a mapping request to be responded to.
To enable communications with systems which do not use ARP, ioctls are provided to enter and delete entries in the Internet-to-Ethernet
tables. The usage is:
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
struct arpreq arpreq;
ioctl(s, SIOCSARP, (caddr_t)&arpreq);
ioctl(s, SIOCGARP, (caddr_t)&arpreq);
ioctl(s, SIOCDARP, (caddr_t)&arpreq);
Each ioctl takes the same structure as an argument. SIOCSARP sets an ARP entry, SIOCGARP gets an ARP entry, and SIOCDARP deletes an ARP
entry. These ioctls may be applied to any socket descriptor s, but only by the superuser. The arpreq structure contains:
/*
* ARP ioctl request
*/
struct arpreq {
struct sockaddr arp_pa; /* protocol address */
struct sockaddr arp_ha; /* hardware address */
int arp_flags; /* flags */
};
/* arp_flags field values */
#define ATF_COM 2 /* completed entry (arp_ha valid) */
#define ATF_PERM 4 /* permanent entry */
#define ATF_PUBL 8 /* publish (respond for other host) */
The address family for the arp_pa sockaddr must be AF_INET; for the arp_ha sockaddr, it must be AF_UNSPEC. The only flag bits that can be
written are ATF_PERM and ATF_PUBL. ATF_PERM causes the entry to be permanent if the ioctl call succeeds. The ioctl may fail if more than
four permanent Internet host addresses hash to the same slot. ATF_PUBL specifies that the ARP code should respond to ARP requests for the
indicated host coming from other machines. This lets a SUN act as an ARP server, which can be used to make an ARP-only machine talk to a
non-ARP machine.
The ARP protocol watches passively for a host that responds to an ARP mapping request for the local host's address.
Restrictions
ARP packets on the Ethernet use only 42 bytes of data. The smallest legal Ethernet packet is 60 bytes, however, not including CRC. Some
systems may not enforce the minimum packet size.
Diagnostics
duplicate IP address!! sent from Ethernet address: %x:%x:%x:%x:%x:%x
ARP has discovered another host on the local network that responds to mapping requests for its own Internet address.
See Also
inet(4f), arp(8c), ifconfig(8c)
arp(4p)