
I recently started experimenting with ettercap; however, I quickly noticed that when I try to ARP poison targets they can almost never communicate with each other.

Is this normal?

My computer is a MacBook Air with a 1.4 GHz CPU (Core 2 Duo). When I checked the execution cap it was around 50%.

What can I do to make ARP poisoning usable? I need to give a presentation on this soon.

November

2 Answers

2

ARP poisoning causes the traffic between those hosts to be forwarded through you, as part of the man in the middle attack.

This causes performance degradation on the targets for a few reasons:

  • There is increased latency due to the added network hop.
  • Your network card has to send and receive 2 to 4 times as much data as normal, since you're acting as a relay for both upstream and downstream traffic.
  • You have to commit the incoming packets to a system memory (RAM) buffer. This isn't so much of a problem on modern machines, but for embedded devices the memory bandwidth is tiny.
  • Your CPU has to process the packets in real-time.

From your scenario, it looks like the biggest bottleneck is the CPU. It's running at 50% because the program is using a single thread to handle the processing and you have two cores. As such, it's running all out and not quite keeping up with the traffic. To be fair, 1.4GHz isn't very fast, especially if you consider that it's running this operation at the equivalent of one core. The easiest solution is to get a faster computer to do the ARP poisoning. The harder solution is to re-write the ARP poisoning tool to use multiple threads to handle the packet processing workload.

Polynomial
    But there's something non-obvious going on here. A free OS c. 2002 can saturate 100Base-T routing on a CPU at just over 200 MHz. http://www.linuxjournal.com/article/5826 If this isn't already on Linux, I would find an appropriate LiveCD and see if it can do any better. I grant adding packet sniffing into the mix makes it more complex, but it shouldn't be completely unusable. DNS+ARP traffic shouldn't be much, and most everything else should be TCP, which will throttle itself to match available throughput. – sourcejedi Sep 25 '12 at 09:27
  • @sourcejedi Keep in mind that the MitM isn't just a passthrough - it has to do packet inspection against a set of rules and perform modifications. Sure, it's a bit slower than it should be, but it's a pretty old CPU. Assuming it's running OS X alongside the MitM... ouch. – Polynomial Sep 25 '12 at 09:51
  • Hmm. OK, so ettercap is designed for userspace interception, even though ARP poisoning could be useful without it. (It wouldn't have been necessary when I was using it to kill housemates' out-of-control torrents they left running :). But ettercap is over ten years old! I.e. it predates this Mac by at least a couple of years. Do you know why ettercap would have become unusable on this hardware? – sourcejedi Sep 25 '12 at 20:08
  • All I can think is maybe the system APIs libnet uses have been deliberately throttled. Would using an external adapter help? – November Sep 25 '12 at 20:50
0

It seems like you didn't set up your system well.

If the computers, as you said, "can almost never communicate with each other", I'm guessing you are DoSing them instead of intercepting their communication, and from time to time the ARP poisoning fails and enables them to communicate with each other.

I would suggest you make sure you enable ip_forwarding on your computer; this is done as follows (on OS X):

sysctl -w net.inet.ip.forwarding=1

And make sure you don't have any rules in your firewall preventing the victims from communicating.

Boaz Tirosh
  • Two things: a) I was streaming music at the time; when I stopped, the targets were able to communicate. And b) Don't I want to be able to drop packets, and won't enabling IP forwarding remove that capability? – November Sep 28 '12 at 21:16
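Both answers describe the same mechanism from the attacker's side: a third host answers ARP for the gateway and for the target, so their traffic lands on it (and, without IP forwarding, dies there). From the targets' side that shows up as ARP traffic in which an IP address is suddenly announced by a different MAC, and one MAC announces several IPs. The following is an added example, not code from the question or either answer: a small standard-library ARP watcher that parses raw Ethernet/ARP frames and raises an alert on exactly those two conditions. All MAC and IP addresses and all frames below are constructed sample data; `ArpWatch`, `build_arp` and `parse_arp` are names chosen for this example.

```python
"""Spotting ARP-cache poisoning from the defender's side.

Added example, not code from the original question or answers. It parses raw
Ethernet/ARP frames with the standard library only and raises an alert when an
IP address starts being announced by a second MAC, or when one MAC announces
more than one IP (what the two targets in the question would see while a third
host answers ARP on behalf of both of them). Every frame and address below is
constructed sample data.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a complete Ethernet+ARP frame (used here only to construct samples)."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return op, mac_text(sha), ip_text(spa)


class ArpWatch:
    """Tracks sender IP/MAC pairs seen in ARP traffic and reports conflicts."""

    def __init__(self):
        self.ip_to_mac = {}                 # first MAC seen announcing each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has announced
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns the alerts (if any) raised by that frame."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (ARP_REQUEST, ARP_REPLY):
            return []
        _op, mac, ip = parsed
        new_alerts = []
        known = self.ip_to_mac.setdefault(ip, mac)  # keep the first mapping as the baseline
        if known != mac:
            new_alerts.append(f"{ip} was {known}, now announced by {mac}")
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            claimed = ", ".join(sorted(self.mac_to_ips[mac]))
            new_alerts.append(f"{mac} is announcing several IPs: {claimed}")
        self.alerts.extend(new_alerts)
        return new_alerts


# Constructed sample: a gateway and a laptop answer ARP normally, then a third
# host answers for both of them, so each target would send the other's traffic to it.
GATEWAY_MAC, GATEWAY_IP = "02:00:00:00:00:01", "192.168.1.1"
LAPTOP_MAC, LAPTOP_IP = "02:00:00:00:00:10", "192.168.1.10"
THIRD_MAC = "02:00:00:00:00:ee"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, LAPTOP_MAC, LAPTOP_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),
    # an ordinary IPv4 frame (minimal header + padding); the watcher must ignore it
    ETH_HDR.pack(mac_bytes(GATEWAY_MAC), mac_bytes(LAPTOP_MAC), ETHERTYPE_IPV4) + b"\x45" + bytes(41),
    build_arp(ARP_REPLY, THIRD_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),
    build_arp(ARP_REPLY, THIRD_MAC, LAPTOP_IP, GATEWAY_MAC, GATEWAY_IP),
]


def run_sample():
    """Feed the constructed frames through a fresh watcher; returns all alerts raised."""
    watch = ArpWatch()
    for frame in SAMPLE_FRAMES:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```

On the sample the watcher stays quiet for the two legitimate exchanges and the IPv4 frame, then raises three alerts for the third host: one for each IP it takes over, plus one once it is announcing both. On a real network the same logic would be fed from a capture on the segment, and the first-seen baseline should be seeded from known-good inventory rather than from whatever frame happens to arrive first.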