Hi, hope this isn't bending the rules by posting this, so I'll keep it as general as possible.
I am using KDevelop to craft a custom ARP packet and it works 100% when sending one to another machine. But the moment I change the src MAC address to something else, the packet shows leaving in Wireshark but the other machine, also running Wireshark, never gets it! The reason why I'm doing this is so the receiving machine gets another address to forward information to another unit. The issue is I don't know if the packet is being discarded by the kernel of the OS. I'm using SUSE 11.1 and an AR928x chipset.
If it shows in Wireshark, does that mean that it's actually been sent, or does it go through the kernel and then have the possibility of being dropped?
Is the issue the OS or perhaps my driver? The driver I use is the one that already came preinstalled with SUSE.
I hope I can get some enlightenment on this or get pointed in the right direction. If it's none of those two, perhaps it's security on the router? But how would the router know if the MAC address is valid or not (DHCP table)?
Thanks!
Try flushing the ARP cache on both machines before the test.
Also (duh … proof I’m ready for bed!) … don’t forget that at the Ethernet level, MAC address, and not IP, is what rules. That’s the whole point of ARP in the first place: “who has 192.168.1.1?” “I do, I’m at 00:00:CC:BB:AA.” The bottom network layers in your computer then send everything to that MAC address, not to an IP.
What I’m getting at (if I can keep my mind focused) is that, if you change the MAC address, then unless the target machine does in fact have that MAC address, you’re shooting that packet off into la-la land. Does that make sense?
I agree! BUT! Here's more detail to the issue. I send a 100% valid ARP packet. It works… but if I change my SRC MAC address on the packet it gets discarded! It's not the dest MAC I'm changing!
I hope that helps a little bit.
-Agent
AH HA! Now a step forward: a struct for an ARP reply looks like this
bit 0    Hardware type (HTYPE) | Protocol type (PTYPE)
bit 32   Hardware length (HLEN) | Protocol length (PLEN) | Operation (OPER)
bit 64   Sender hardware address (SHA) (first 32 bits)
bit 96   Sender hardware address (SHA) (last 16 bits) | Sender protocol address (SPA) (first 16 bits)
bit 128  Sender protocol address (SPA) (last 16 bits) | Target hardware address (THA) (first 16 bits)
bit 160  Target hardware address (THA) (last 32 bits)
bit 192  Target protocol address (TPA)
Now the issue comes from offset byte 6, the sender hardware address. If that's incorrect the packet will never be received on the other side. Now what I want to know is WHY?! Is it the operating system or the router that is doing a lookup on the MAC address, seeing it's invalid, then discarding it?!
Possibly the network switch between the two computers. Like I said, on the Ethernet wire itself, for the local LAN, it’s all MAC addresses.
“Smart” switches watch MACs and learn where they go. This speeds up switching packets between machines by an order of magnitude.
Normally, if you're going to spoof the source MAC address, you do it quasi-permanently: for example, you tell the driver for your NIC to use a different MAC, then restart the network on your machine. It stays that way. Or, you can clone the MAC address into your DSL router.
In both examples, though, the MAC isn’t changing in mid-conversation. I’m not sure what happens on a LAN if you change MACs on the fly. Try connecting the two machines with a crossover cable. Eliminate the switch. My knowledge on this is entirely theoretical, though: it’s not something I’ve actually done. Someone who really, really knows the Ethernet transport layer might be able to give you a more definitive answer.
If it is the switch, by the way, and it’s configurable, you can try forcing it into “promiscuous” mode. That’ll slow transfers down dramatically, but your approach might work then.
Again, this is just a guess. You have been warned.
One other idea: the firewall on the target machine might be blocking the changed MAC, thinking that it has been spoofed. I just did a Web search and saw a few posts about that. If the firewall sees the MAC change in mid-conversation, it might think a man-in-the-middle or other spoof is going on and prevent it.
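To make the field layout quoted earlier in the thread and the "firewall sees the MAC change" idea concrete, here is an added example (not code from anyone in this thread): a small Python decoder that pulls the Ethernet and ARP fields out of a raw frame, checks whether the Ethernet source MAC agrees with the ARP sender hardware address (SHA), and keeps an IP-to-MAC table so a sender whose MAC changes mid-stream is flagged, which is what a host firewall or an ARP monitor would object to. The two sample frames are constructed for the example; the MAC and IP values in them are made up.

```python
import struct

# Ethernet II header: destination MAC, source MAC, EtherType (14 bytes).
ETH_HDR = struct.Struct("!6s6sH")
# ARP header for Ethernet/IPv4 (HLEN=6, PLEN=4), in the field order quoted in
# the thread: HTYPE, PTYPE, HLEN, PLEN, OPER, SHA, SPA, THA, TPA (28 bytes).
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
OPER_NAMES = {1: "request", 2: "reply"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying ARP into named fields."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(
        frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "oper": OPER_NAMES.get(oper, f"unknown({oper})"),
        "sha": mac_str(sha), "spa": ip_str(spa),
        "tha": mac_str(tha), "tpa": ip_str(tpa),
    }


def check_sender_consistency(fields: dict) -> list:
    """Flag the mismatch a host firewall is likely to reject: the Ethernet
    source MAC (frame offset 6) not matching the SHA inside the ARP payload."""
    findings = []
    if fields["eth_src"] != fields["sha"]:
        findings.append(
            f"ethernet src {fields['eth_src']} != ARP SHA {fields['sha']}")
    return findings


class ArpWatcher:
    """Remember which MAC last claimed each IP and flag a change mid-stream,
    the 'MAC changing on the fly' case discussed in the thread."""

    def __init__(self):
        self.ip_to_mac = {}

    def observe(self, fields: dict) -> list:
        findings = check_sender_consistency(fields)
        previous = self.ip_to_mac.get(fields["spa"])
        if previous is not None and previous != fields["sha"]:
            findings.append(
                f"{fields['spa']} moved from {previous} to {fields['sha']}")
        self.ip_to_mac[fields["spa"]] = fields["sha"]
        return findings


# Constructed sample frames (made-up addresses). Both are ARP replies
# "192.168.1.1 is at 00:00:cc:bb:aa:01" sent to 00:11:22:33:44:55.
# SAMPLE_OK: Ethernet source MAC and SHA agree.
SAMPLE_OK = bytes.fromhex(
    "001122334455" "0000ccbbaa01" "0806"            # Ethernet header
    "0001" "0800" "06" "04" "0002"                   # HTYPE PTYPE HLEN PLEN OPER
    "0000ccbbaa01" "c0a80101"                        # SHA, SPA
    "001122334455" "c0a80102")                       # THA, TPA
# SAMPLE_MISMATCH: same frame, but the SHA claims a different MAC.
SAMPLE_MISMATCH = bytes.fromhex(
    "001122334455" "0000ccbbaa01" "0806"
    "0001" "0800" "06" "04" "0002"
    "0000ccbbaa99" "c0a80101"
    "001122334455" "c0a80102")

if __name__ == "__main__":
    watcher = ArpWatcher()
    for frame in (SAMPLE_OK, SAMPLE_MISMATCH):
        fields = parse_arp_frame(frame)
        print(fields["oper"], fields["spa"], "is at", fields["sha"],
              "from", fields["eth_src"], "->", watcher.observe(fields) or "ok")
```

Run on a capture, the first finding is the one to look at when a frame "shows leaving in Wireshark" but never arrives: a switch, a wireless driver, or a host firewall can each decide to drop it once the outer source MAC and the SHA disagree, and the watcher's second finding is the mid-conversation change the reply above describes.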
Thanks a lot! That right there is useful information. You're the only one that has posted a reply in a week; I've posted this in several forums scratching for the answer.
Well, something that I have done is used a SUSE desktop box with the same code, and spoofing the EthHeader MAC works, but never on the 802.11, which narrows it down to wireless clients and the chipset I'm using on my laptop, which is a RA-Link ar921x. What are your search terms on Google?
I think I searched with something like “+firewall +spoof +MAC” or something like that.
I ALWAYS put “+” marks in front of words to require them. Likewise, if you’re getting a lot of useless hits, put “-” in front of words to exclude them.
Google and Me, we’re old pals.
Lmao, lawl. Good tip, I was never aware of that.