09-26-2009
Hello everybody,
Finally, I came up with how to do it; it's not the way I thought it was going to be, but it works.
The solution is in SIOCxARP. My program's algorithm listens for ARP traffic, and when it receives a valid frame, uses SIOCSARP to add an entry to the ARP cache. The kernel does it before, but just in case, this will overwrite it.
When it detects a malicious frame, it uses SIOCDARP to delete the entry previously created by the kernel in the cache, so the ARP attack has no impact on the secured host.
Thank you VERY MUCH for your help, fpmurphy, Corona688.
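The SIOCSARP/SIOCDARP sequence the post describes, as an added example written for this page; it is not the poster's program. It assumes Linux (struct arpreq with an arp_dev field), the ioctl calls need CAP_NET_ADMIN, and the interface name, IP and MAC values are constructed placeholders.

```c
/* Defensive ARP pinning on Linux via SIOCSARP / SIOCDARP (added example, not the poster's program). */
#include <arpa/inet.h>
#include <net/if_arp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill a struct arpreq for ip/mac on iface as a pinned, complete entry; -1 if the strings do not parse. */
int build_arpreq(struct arpreq *req, const char *iface, const char *ip, const char *mac)
{
    unsigned int b[6];
    struct sockaddr_in *sin = (struct sockaddr_in *)&req->arp_pa;
    memset(req, 0, sizeof(*req));
    sin->sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin->sin_addr) != 1) return -1;
    if (sscanf(mac, "%2x:%2x:%2x:%2x:%2x:%2x", &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6) return -1;
    req->arp_ha.sa_family = ARPHRD_ETHER;
    for (int i = 0; i < 6; i++) req->arp_ha.sa_data[i] = (char)b[i];
    req->arp_flags = ATF_PERM | ATF_COM;   /* permanent: the kernel will neither age nor overwrite it */
    strncpy(req->arp_dev, iface, sizeof(req->arp_dev) - 1);   /* constructed iface name, e.g. "eth0" */
    return 0;
}

/* Check an observed ARP reply against one pinned binding: 1 = same IP but a different MAC (spoof
 * candidate); 0 = consistent, or a host this pin does not cover; -1 = unparsable input. */
int reply_is_malicious(const struct arpreq *pinned, const char *sender_ip, const char *sender_mac)
{
    struct arpreq seen;
    if (build_arpreq(&seen, pinned->arp_dev, sender_ip, sender_mac) != 0) return -1;
    const struct sockaddr_in *a = (const struct sockaddr_in *)&pinned->arp_pa;
    const struct sockaddr_in *b = (const struct sockaddr_in *)&seen.arp_pa;
    if (a->sin_addr.s_addr != b->sin_addr.s_addr) return 0;
    return memcmp(pinned->arp_ha.sa_data, seen.arp_ha.sa_data, 6) != 0;
}

/* The post's reaction: SIOCDARP drops whatever the kernel learned (it may fail if nothing is there),
 * then SIOCSARP reinstates the trusted binding. Needs CAP_NET_ADMIN; returns the SIOCSARP result. */
int repin(const struct arpreq *pinned)
{
    struct arpreq copy = *pinned;          /* the kernel may write back into the struct */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    ioctl(fd, SIOCDARP, &copy);
    int rc = ioctl(fd, SIOCSARP, &copy);
    close(fd);
    return rc;
}
```

Because ATF_PERM marks the entry permanent, a pinned binding is not replaced by a later unsolicited reply even before repin() runs; the detection step is what tells you that a spoof was attempted.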
ARP(8) BSD System Manager's Manual ARP(8)
NAME
arp -- address resolution display and control
SYNOPSIS
arp [-n] [-i interface] hostname
arp [-n] [-i interface] [-l] -a
arp -d hostname [pub] [ifscope interface]
arp -d [-i interface] -a
arp -s hostname ether_addr [temp] [reject] [blackhole] [pub [only]] [ifscope interface]
arp -S hostname ether_addr [temp] [reject] [blackhole] [pub [only]] [ifscope interface]
arp -f filename
DESCRIPTION
The arp utility displays and modifies the Internet-to-Ethernet address translation tables used by the address resolution protocol (arp(4)).
With no flags, the program displays the current ARP entry for hostname. The host may be specified by name or by number, using Internet dot
notation.
Available options:
-a The program displays or deletes all of the current ARP entries.
-d A super-user may delete an entry for the host called hostname with the -d flag. If the pub keyword is specified, only the
``published'' ARP entry for this host will be deleted. If the ifscope keyword is specified, the entry specific to the interface will
be deleted.
Alternatively, the -d flag may be combined with the -a flag to delete all entries.
-i interface
Limit the operation scope to the ARP entries on interface. Applicable only to the following operations: display one, display all,
delete all.
-l Show link-layer reachability information.
-n Show network addresses as numbers (normally arp attempts to display addresses symbolically).
-s hostname ether_addr
Create an ARP entry for the host called hostname with the Ethernet address ether_addr. The Ethernet address is given as six hex
bytes separated by colons. The entry will be permanent unless the word temp is given in the command. If the word pub is given, the
entry will be ``published''; i.e., this system will act as an ARP server, responding to requests for hostname even though the host
address is not its own. In this case the ether_addr can be given as auto in which case the interfaces on this host will be examined,
and if one of them is found to occupy the same subnet, its Ethernet address will be used. If the only keyword is also specified,
this will create a ``published (proxy only)'' entry. This type of entry is created automatically if arp detects that a routing table
entry for hostname already exists.
If the reject keyword is specified the entry will be marked so that traffic to the host will be discarded and the sender will be
notified the host is unreachable. The blackhole keyword is similar in that traffic is discarded but the sender is not notified.
These can be used to block external traffic to a host without using a firewall.
If the ifscope keyword is specified, the entry will be set with an additional property that strictly associates the entry to the interface. This allows for the presence of multiple entries with the same destination on different interfaces.
-S hostname ether_addr
Is just like -s except any existing ARP entry for this host will be deleted first.
-f filename
Cause the file filename to be read and multiple entries to be set in the ARP tables. Entries in the file should be of the form
hostname ether_addr [temp] [pub [only]] [ifscope interface]
with argument meanings as given above. Leading whitespace and empty lines are ignored. A '#' character will mark the rest of the
line as a comment.
-x Show extended link-layer reachability information in addition to that shown by the -l flag.
SEE ALSO
inet(3), arp(4), ifconfig(8), ndp(8)
HISTORY
The arp utility appeared in 4.3BSD.
BSD March 18, 2008 BSD