Manipulate the Linux ARP Cache in C


 
Thread Tools Search this Thread
Top Forums Programming Manipulate the Linux ARP Cache in C
# 1  
Old 08-14-2009
Manipulate the Linux ARP Cache in C

Hello,

I need help on how to "access" or manipulate the Linux ARP Cache in C, here is the description of the project i'm working in:

There are a lot of tools that analize ARP frames and send an e-mail to the sysadmin, that's easy. What i want to do is to inspect every ARP frame that arrives to my network interface and, if it "passes the tests", then, and ONLY THEN apply the changes in the ARP cache.

I'm able to analize every field of the ARP frame that i capture, but not to avoid the malicious frame to take effect over the cache because i can't stop the kernel.

So, how can i do that? how could i check the frame and if it's a valid one THEN apply it to the cache, just before the kernel does it?

Any help will be appreciated,
Thank you!
# 2  
Old 08-14-2009
I had to use strace on the arp utility to see what it was doing. It opens /proc/net/arp to see the current state, and uses ioctl calls to add or delete items. See here for details; I did the testing on linux, but HP seems to at least document those ioctls. May differ slightly across systems.

As for filtering arp packets, arptables sounds like the way to go.

Last edited by Corona688; 08-14-2009 at 12:26 PM..
# 3  
Old 08-14-2009
Hey Corona688!,
Thank you for your reply,

Yes, i want to implement something like arptables, but i need to filter also ethernet frame fields, so i can't use arptables.

I was thinking that it would be necessary to code a kernel module, but, for what i see, arptables does it and it's a user space aplication, so, what i need is the way to do it, i'll try arptables source code.

Thank you.

---------- Post updated at 11:45 AM ---------- Previous update was at 11:35 AM ----------

Ohhh no,
here's what i thought...
Code:
  if (!*handle) {
                arptables_insmod("arp_tables", modprobe);
                *handle = arptc_init(*table);
                if (!*handle) {

arptables uses a kernel module to block the arp table and allow data to it... Does anybody has a way better to to this?
# 4  
Old 08-14-2009
To prevent the kernel from doing kernel level things, you must modify the kernel. That's the only place where you can get the kind of raw, exclusive I/O you want.

Really, though, what is the goal here? Maybe there's a better way than hacking nonstandard behavior into your entire networking stack.

Or if you really want 100% raw access, just disable TCP/IP support in your kernel. No more TCP, no more ARP, no more kernel automatically managing either. You'd have to do it all yourself.

Last edited by Corona688; 08-14-2009 at 01:31 PM..
# 5  
Old 08-14-2009
What i need is simply avoid the kernel's action in the cache when receiving an arp frame, i don't think i must disable the entire TCP/IP stack for that.

i've been reading arptables code, but there's nothing that could give me a clue... only that i need to code a lkm to access to the kernel space and kinda "intercept" the frames before the kernel does, but not HOW.

The question always is how...
# 6  
Old 08-15-2009
Quote:
Originally Posted by semash!
What i need is simply avoid the kernel's action in the cache when receiving an arp frame, i don't think i must disable the entire TCP/IP stack for that.
ARP sits very near the base of that stack. Without it, not much else will work.
Quote:
The question always is how...
To reiterate, what is your goal? The answer is not "intercepting arp". The answer is whatever the ultimate purpose of this venture is. I suspect there might be a much, much better way to accomplish what you're thinking of since intercepting ARP is such an odd problem but without knowing your goal its hard to help.

Certainly you'll be causing a lot more problems for yourself than you'd ever solve by trying to hack your own backdoors into the kernel networking code. Bugs in kernel code have far more dire consequences than bugs in user code, for one thing. There's few to none of the niceties programmers have grown to expect over the last few decades either. For another you'll have to reinvent your code every time a kernel upgrade breaks compatibility -- that could be up to several times a year -- and installing your software on any other computer would be tantamount to reinstalling the OS with your own custom one. You'd be compatible with nothing else in the world but your own custom computing environment, not even other computers of the same distribution. And not all distributions take kindly to having their kernels arbitrarily replaced.

Last edited by Corona688; 08-15-2009 at 01:52 PM..
# 7  
Old 08-15-2009
IMO - you need to state what you are hoping to do - not merely "intercepting" - WHY are you intercepting - what are you trying to stop? You are where you are probably becuase you are unaware that other people had the same problem years ago. And there are solid solutions out there.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Clearing memory cache on Linux server

i wish to clear memory cache on a production box and i was wondering what is the worst that can happen if i do? i already tested this on a backup server and everything seemed fine. but i need to know from you experts what are the worst things that can happen when i run it on a real server: ... (5 Replies)
Discussion started by: SkySmart
5 Replies

2. Linux

Help Me: How to set ARP stale time interval on linux platform for Ipv6 interface

Hi, Can any one please help me increase the arp stale time of an ipv6 interface on linux platform ? I have tried increasing the variable gc_stale_time but that doesnt work. Thanks (2 Replies)
Discussion started by: dkothapa
2 Replies

3. Linux

Linux cache

Hi, We are working on OEL5.7 (Oracle Linux) OS. We have a server with 64GB RAM. When we issue free -m command which shows the used, available and cached space. Most of the space is shown in cached section, where as we are not really doing much activity on the server. It's like cached is... (5 Replies)
Discussion started by: shrshah64
5 Replies

4. Linux

File cache /Page cache Linux

Hi All, could any one point out any open source test-suites for "File cache" testing and as well as performance test suites for the same. Currently my system is up with Linux/ext4. Regards Manish (0 Replies)
Discussion started by: hmanish
0 Replies

5. UNIX for Advanced & Expert Users

linux memory buffers & cache usage

18:45:47 # free -m total used free shared buffers cached Mem: 96679 95909 770 0 1530 19550 -/+ buffers/cache: 74828 21851 Swap: 12287 652 11635 Hi all. The below output is from a RHEL 4.5... (0 Replies)
Discussion started by: drummerrob
0 Replies

6. Linux

getting info on Cache Size, Data Cache etc..

Hi all I saw in Microsoft web site www.SysInternals.com a tool called CoreInfo from able to print out on screen the size of the Data and Instruction caches of your processor, the Locigal to Physical Processor mapping, the number of the CPU sockets. etc.. Do you know if in Linux is available a... (2 Replies)
Discussion started by: manustone
2 Replies

7. Linux

Linux cache

Hi all I am trying to understand the kernel memory management and require assistance in this regard. Kernel first creates the cache memory to perform any subsequent allocation to processes. I could not figure out how it is accomplished. Do kernel directly allocates any hardware cache or allocates... (0 Replies)
Discussion started by: joshighanshyam
0 Replies

8. IP Networking

how can we spoof ethernet by ARP cache poisoning on unix through a program

how can we spoof ethernet by ARP cache poisoning on unix through a program... can anyone post the source code to achieve this... (1 Reply)
Discussion started by: ud4u
1 Replies

9. Solaris

ARP Cache

Dear all, We are testing two of our servers for mq series connectivity. The scenario is, when one machine is shutting down it's services there are some scripts that do a dns update, which removes the ip address and relates it to the ip address of the other node on our dns server, and the update... (7 Replies)
Discussion started by: earlysame55
7 Replies

10. UNIX for Advanced & Expert Users

UBC cache vs. Metadata cache

hi, What is the difference between UBC cache and Metadata cache ? where can i find UBC cache Hits and Metadata cache Hits in hp-ux? Advanced thanx for the help. (2 Replies)
Discussion started by: sushaga
2 Replies
Login or Register to Ask a Question

Featured Tech Videos