On Monday 20 May 2002 7:46 pm, Ramin Alidousti wrote:

> > If you spoof from x.y.z.52/24 to x.y.z.53/24, you can see the arp reply.
>
> The arp for what? Let's say x.y.z.52/24 is spoofed and x.y.z.53/24
> is being attacked. The first thing happening will be an arp request
> (which I'm still not sure that the source would be x.y.z.52/24)
> to figure out x.y.z.53/24's MAC. The reply coming in from x.y.z.53/24
> says "you can find x.y.z.53/24 at mac1". Then the actual spoofed packet
> will be sent to x.y.z.53/24. Now the responses to that packet (whatever
> they may be) will need to have a valid MAC for the spoofed x.y.z.52/24.
> So, what happens is that x.y.z.53/24 issues an arp request to figure
> out x.y.z.52/24's MAC; but nobody rightfully answers. Hence, your
> arpwatch will never catch the spoofed scenarios.
I can certainly see Ramin's point here, and it's probably worth playing with arpwatch and a packet forger sometime to see quite how things do work and what does / doesn't get picked up.

Maybe this is an opportunity for something as an extension or parallel to arpwatch, perhaps called spoofwatch, which builds up a similar list of MAC/IP pairs for arp requests on the network, but then continuously compares those against all the packets it sees, to check whether machine 1 with MAC address mac1 and IP address IP1 ever sends out a packet with IP address IP2 as the source, or alternatively if it ever sees a packet with a MAC address which doesn't belong to a system on the network.

Antony.
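The two checks Antony sketches for a "spoofwatch" (a known MAC sending with a source IP it never claimed via ARP, and an IP packet from a MAC that no ARP exchange ever mentioned) are easy to state as code. The following is an added illustration, not anything from the thread or from arpwatch itself: it learns MAC/IP pairs from the sender fields of ARP frames, then checks the source MAC/IP of every IPv4 frame against that table, and replays Ramin's scenario on constructed frames. The class name `SpoofWatch`, the frame builders, and the 192.0.2.0/24 and 00:00:5e:00:53:xx addresses are all assumptions made for the example; nothing is read from a real interface.

```python
"""Toy 'spoofwatch': learn MAC/IP pairs from ARP, then flag IPv4 frames whose
source pairing contradicts what ARP taught us.

Added example (not from the thread). All frames are constructed in demo();
addresses use the documentation ranges 192.0.2.0/24 and 00:00:5e:00:53:xx.
"""
import struct
from collections import defaultdict

ETH_ARP = 0x0806
ETH_IP4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def eth(dst, src, ethertype, payload):
    """14-byte Ethernet II header followed by the payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def arp(op, sha, spa, tha, tpa):
    """ARP over Ethernet/IPv4: htype 1, ptype 0x0800, hlen 6, plen 4."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa


def ipv4(src, dst):
    """Minimal 20-byte IPv4 header, no payload; checksum left 0 (not checked here)."""
    return struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0) + src + dst


class SpoofWatch:
    def __init__(self):
        self.learned = defaultdict(set)  # MAC -> IPs it has used as ARP sender
        self.owners = defaultdict(set)   # IP  -> MACs that claimed it (arpwatch-style flip-flop)
        self.alerts = []

    def learn_arp(self, payload):
        # Requests and replies both carry the speaker in the sender fields.
        sha, spa = payload[8:14], payload[14:18]
        self.learned[sha].add(spa)
        self.owners[spa].add(sha)
        if len(self.owners[spa]) > 1:
            macs = ", ".join(sorted(fmt_mac(m) for m in self.owners[spa]))
            self.alerts.append(f"IP {fmt_ip(spa)} claimed by several MACs: {macs}")

    def check_ip(self, src_mac, payload):
        src_ip = payload[12:16]
        if src_mac not in self.learned:
            # Rule 2: a MAC that belongs to no system we have seen speak ARP.
            self.alerts.append(
                f"unknown MAC {fmt_mac(src_mac)} sent IP packet as {fmt_ip(src_ip)}")
        elif src_ip not in self.learned[src_mac]:
            # Rule 1: mac1 (known as IP1) sending with IP2 as the source.
            known = ", ".join(sorted(fmt_ip(a) for a in self.learned[src_mac]))
            self.alerts.append(
                f"MAC {fmt_mac(src_mac)} (ARP'd as {known}) sent IP packet as {fmt_ip(src_ip)}")

    def feed(self, frame):
        src_mac = frame[6:12]
        ethertype, = struct.unpack("!H", frame[12:14])
        payload = frame[14:]
        if ethertype == ETH_ARP:
            self.learn_arp(payload)
        elif ethertype == ETH_IP4:
            self.check_ip(src_mac, payload)


def demo():
    """Replay Ramin's scenario on constructed frames; return the alerts raised."""
    bcast = mac("ff:ff:ff:ff:ff:ff")
    victim_mac, victim_ip = mac("00:00:5e:00:53:53"), ip("192.0.2.53")
    sender_mac, sender_ip = mac("00:00:5e:00:53:10"), ip("192.0.2.10")
    spoofed_ip = ip("192.0.2.52")           # impersonated address, no host owns it
    rogue_mac = mac("00:00:5e:00:53:ee")    # never appears in any ARP exchange
    frames = [
        # the sending host resolves the victim, using its real IP as ARP sender
        eth(bcast, sender_mac, ETH_ARP, arp(ARP_REQUEST, sender_mac, sender_ip, b"\0" * 6, victim_ip)),
        eth(sender_mac, victim_mac, ETH_ARP, arp(ARP_REPLY, victim_mac, victim_ip, sender_mac, sender_ip)),
        # ordinary traffic: MAC/IP pair agrees with what ARP taught us
        eth(victim_mac, sender_mac, ETH_IP4, ipv4(sender_ip, victim_ip)),
        # spoofed packet: known MAC, source IP it never ARP'd as
        eth(victim_mac, sender_mac, ETH_IP4, ipv4(spoofed_ip, victim_ip)),
        # the victim's unanswered ARP for the spoofed address (what arpwatch alone sees)
        eth(bcast, victim_mac, ETH_ARP, arp(ARP_REQUEST, victim_mac, victim_ip, b"\0" * 6, spoofed_ip)),
        # same spoofed source IP from a MAC that belongs to no known system
        eth(victim_mac, rogue_mac, ETH_IP4, ipv4(spoofed_ip, victim_ip)),
    ]
    watch = SpoofWatch()
    for frame in frames:
        watch.feed(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The victim's unanswered ARP request for the spoofed address is learned harmlessly, as Ramin describes, and raises nothing on its own; the two alerts come from the IP frames, which is exactly the gap Antony's comparison against all traffic is meant to close. The obvious blind spot, inherited from arpwatch, is a forger that also puts the spoofed address in the ARP sender field: rule 1 then learns the pairing as legitimate, and only the flip-flop check in `learn_arp` fires, and only if the address's real owner is also on the segment.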
