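/*
 * Record the sender binding carried by a received ARP reply in the local
 * ARP table.
 *
 * ea - the parsed ARP/RARP frame; its arp.arp_spa (sender protocol address)
 *      and arp.arp_sha (sender hardware address) are stored with status
 *      RESOLVED. A null frame pointer is ignored.
 *
 * arptable_add() is declared locally rather than through a header, as in the
 * original. NOTE(review): this 3-argument prototype does not match the
 * 7-argument arptable_add() call made from got_arp_packet() in this file;
 * the two cannot both bind to the same definition, so confirm which one the
 * link actually resolves.
 */
void arp_insert_reply(struct arprarp *ea)
{
    extern int arptable_add(u_char *ip, u_char *eth, u_int status);

    if (!ea) {
        return;   /* nothing to record, and arp_print()/the field reads would dereference it */
    }

    dprintf("arp_insert_reply\n");
    arp_print(ea);
    arptable_add(ea->arp.arp_spa, ea->arp.arp_sha, RESOLVED);
}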
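/*
 * pcap callback for captured ARP frames: replies are fed to the ARP table,
 * requests to the poisoning detector.
 *
 * args   - the struct device_struct handed to pcap_loop()/pcap_dispatch()
 *          by the caller; cast back here
 * header - pcap capture header; only ts (timestamp) and caplen (number of
 *          bytes actually captured) are read
 * packet - captured bytes: Ethernet header immediately followed by the ARP
 *          payload
 *
 * Every field used below is copied out of the packet into fixed-size locals
 * with memcpy, so nothing depends on the alignment or lifetime of the
 * capture buffer. Frames too short to hold both headers are dropped before
 * any field is touched. Whether the capture filter already restricts this
 * callback to EtherType 0x0806 cannot be seen from here; a non-ARP frame
 * that passes the length check is still parsed as ARP (TODO confirm the BPF
 * filter at the pcap_setfilter() site).
 */
void got_arp_packet(u_char *args,
                    const struct pcap_pkthdr *header,  // statistics about the packet (see 'struct pcap_pkthdr')
                    const u_char *packet)              // the bytestring sniffed
{
    const size_t size_ethernet = sizeof(struct struct_ethernet);
    const size_t size_arp = sizeof(struct struct_arp);
    struct device_struct *dev = (struct device_struct *) args;
    const struct struct_ethernet *ethernet;
    const struct struct_arp *arp;
    u_int8_t da[6],    // eth da
             sa[6],    // eth sa
             smac[6],  // source hw address
             sip[4],   // source protocol address
             tmac[6],  // target hw address
             tip[4];   // target protocol address
    u_int16_t op;      // arp_op exactly as it sits in the packet (network byte order)
    u_int16_t opcode;  // arp_op as a host-order number: 1 = request, 2 = reply
    u_int32_t sec, nsec;
    const u_int8_t *x;

    /*
     * caplen can be smaller than the wire length when the snaplen truncates
     * the frame, and a runt frame can be shorter than both headers. Without
     * this guard the casts below read past the captured data.
     */
    if (!header || !packet || header->caplen < size_ethernet + size_arp) {
        return;
    }

    // These are the most important lines here:
    ethernet = (const struct struct_ethernet *) packet;
    arp = (const struct struct_arp *) (packet + size_ethernet);

    sec = (u_int32_t) header->ts.tv_sec;
    nsec = (u_int32_t) (header->ts.tv_usec * 1000);  // usec -> nsec; < 10^9, fits u_int32_t

    /*
     * arp_op is copied from the packet untouched, so its two bytes are still
     * the wire bytes regardless of host byte order. Rebuild the opcode from
     * those bytes instead of comparing a single byte, so that only the real
     * values 0x0001 / 0x0002 are recognised (the original looked at the
     * second byte alone, which also accepted e.g. 0x0102).
     */
    op = arp->arp_op;
    x = (const u_int8_t *) &op;
    opcode = (u_int16_t) (((u_int16_t) x[0] << 8) | x[1]);

    memcpy(da, ethernet->eth_da, 6);
    memcpy(sa, ethernet->eth_sa, 6);
    memcpy(smac, arp->arp_smac, 6);
    memcpy(sip, arp->arp_sip, 4);
    memcpy(tmac, arp->arp_tmac, 6);
    memcpy(tip, arp->arp_tip, 4);

    // Only handle the packet if it is really an ARP response!
    ////AND if it is not sent by THIS host! (not possible, we only scan inbound!)
    if (opcode == 0x0002) {
        // ARP RESPONSE: Update ARP table
        arptable_add(dev, sa, da, smac, sip, sec, nsec);
    } else if (opcode == 0x0001) {
        // ARP REQUEST: Detect poisoning attacks
        arpwatch(dev, sa, da, smac, sip, tmac, tip, sec, nsec);
    }
    // Any other opcode (RARP, unknown) is deliberately ignored.

    // ARP binding consists of: sip (IP) - smac (MAC)
    //
    // User alert, 2 possibilities:
    //
    //   1. Learned new binding: does smac belong to sip?
    //
    //   2. Alert: Mismatch of stored versus announced sip-to-smac binding
    //
    // In both cases user action: [Learn] [Ignore] [Attack] [Amok Attack]
    // Countermeasures: Mausezahn him!
    //
    // ALSO correct ARP tables of other hosts, especially on the default gateway
    // that is, send arp replies with true binding
    //
    // Finally: Create logging message
}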