Using Tap/Tun to intercept packets at IP level


I am working on a research project involving ARP poisoning.

I would like to intercept packets at the IP level. If my machine receives a packet with an IP address not destined to its own IP address, I would like that packet to be sent to a user space program.

I was thinking this could be accomplished using a TUN/TAP interface. So if my hardware interface had the IP address 192.168.1.3 and my TUN had the IP address 192.168.1.4, then the hardware interface could be set up to forward all 192.168.1.4 destined packets to the TUN which could then forward to the user space program.

The incoming packets will still be destined to my hardware interface because of ARP poisoning and have the IP address of my TUN. Devices will be connected on the same network by an Ethernet switch or WiFi.

Is this a viable approach? Is there an easier/better way to accomplish this?

Conor Patrick

Posted 2014-07-31T02:57:55.197

Reputation: 222
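As an added example, not code from the original post or its author: a minimal user-space reader for a Linux TUN device that pulls bare IP packets off the interface, parses the IPv4 header and flags anything whose destination is not one of the host's own addresses. The interface name `tun0`, the addresses, and the setup commands in the docstring are assumptions for illustration. Two kernel facts shape the setup: an address configured on any local interface is delivered to the local stack and is never handed to the TUN, so the intercepted address is steered into `tun0` with a host route instead of being assigned to it; and a packet arriving on the hardware interface with a non-local destination is only forwarded into `tun0` when `net.ipv4.ip_forward` is enabled.

```python
"""Added example (not from the original post): read IPv4 packets from a
Linux TUN device and flag packets addressed to an IP this host does not own.

Constants are the Linux values from <linux/if_tun.h>.  The interface name,
the addresses and the setup below are assumptions for illustration.

Assumed one-time setup (as root), so packets for 192.168.1.4 that ARP
poisoning steers to this host's MAC are routed into tun0 rather than
delivered locally or dropped:

    ip tuntap add dev tun0 mode tun user "$USER"
    ip link set dev tun0 up
    ip route add 192.168.1.4/32 dev tun0
    sysctl -w net.ipv4.ip_forward=1
"""
import fcntl
import os
import socket
import struct
import sys

TUNSETIFF = 0x400454CA   # ioctl request from <linux/if_tun.h>
IFF_TUN = 0x0001         # layer-3 device: each read returns one bare IP packet
IFF_NO_PI = 0x1000       # no 4-byte packet-info prefix on reads/writes

# Addresses this host owns (assumed, from the question); anything else is foreign.
OWN_IPS = {"192.168.1.3"}


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header; raise ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than minimal IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    end = total_len if total_len <= len(packet) else len(packet)
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
        "payload": packet[ihl:end],
    }


def is_foreign(packet: bytes, own_ips=OWN_IPS) -> bool:
    """True when the packet's destination is an IP this host does not own."""
    return parse_ipv4(packet)["dst"] not in own_ips


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero) for offline testing."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def open_tun(name: str = "tun0") -> int:
    """Attach to an existing TUN device and return its file descriptor."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI)
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def main() -> None:
    fd = open_tun(sys.argv[1] if len(sys.argv) > 1 else "tun0")
    while True:
        pkt = os.read(fd, 65535)   # with IFF_NO_PI each read is exactly one IP packet
        try:
            info = parse_ipv4(pkt)
        except ValueError as exc:
            print(f"skipped: {exc}")
            continue
        tag = "FOREIGN" if info["dst"] not in OWN_IPS else "local"
        print(f"{tag} {info['src']} -> {info['dst']} proto={info['proto']} "
              f"ttl={info['ttl']} len={info['total_len']}")


if __name__ == "__main__":
    main()
```

Run it as `python3 tun_reader.py tun0` once the device exists and the route is in place; reading the TUN needs only ownership of the device (granted by `user` in `ip tuntap add`), not root. Because the kernel forwards into `tun0`, the packets seen here have already had their TTL decremented by one.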

You haven't mentioned much about your network topography. Are both devices connected via a network switch? Also, are you aware that normally your NIC will ignore any layer 2 traffic not addressed to its MAC address? (This can be gotten around by putting the NIC into promiscuous mode.) The problem with what you're suggesting is that even with promiscuous mode enabled, any machine that tries to send traffic directly to 192.168.1.4 will probably fail on ARP lookup. – smashingly – 2014-07-31T05:49:25.093

PS: I've edited your post to include some more Unix-related tags, as it's more of an OS programming issue. – smashingly – 2014-07-31T05:51:07.840

Use libpcap. Requires root, though, and is security critical. – Daniel B – 2014-07-31T07:15:47.690

Bingo, that's the one I was thinking of! Thanks @DanielB. – smashingly – 2014-07-31T08:08:06.023

I've updated my post to reflect ARP poisoning and the network topology. – Conor Patrick – 2014-07-31T12:17:20.160

No answers