Vineet,

I would assume that it would be the last ARP response that the system
receives that ends up in the ARP table, because I believe that it will
set up an entry for each response, and since the last one will overwrite
the first one, the second will be there. But ARP spoofing tools don't
bother to wait for the computer to send a request and then try to enter a
race condition with the other node.  They just send a reply to the system
and most systems will just put it in their ARP table regardless of whether
they have sent a request or not.  Also, sending a spoofed ARP request will
work on a lot of operating systems because they create an entry in the ARP
table based on it to cut down on traffic.  Do a quick search at
sourceforge.net for arpoison if you want to look at a simple ARP spoofing
tool.

Hope this helps
john fastabend


On 23 Jul 2003, Vineet Mehta wrote:

> Hi all members,
>
> I have a small question. I was reading about ARP Spoofing and here is my
> question.
>
> When Node A wants to send some packets to Node C, it sends an ARP
> broadcast to find out the MAC address of Node C. This broadcast reaches
> all nodes in a network in a switched or hub network. So when Node B is an
> attacker he catches the ARP request and sends his MAC address in reply
> to Node A. This way Node B gets the packets destined for Node C.
>
> Q1. My question is, Node C will also reply to that request of Node A. So
> now Node A has 2 different MACs for the same IP. How is Node A handling
> this situation???
>
> Q2. The switch also updates its table of IP/MAC address bindings, so how
> is the switch handling this situation???
>
> Is it "first-come-first-serve" methodology which Node A/Switch takes???
>
> Thanks in advance
> Regards,
>
> --
> Vineet Mehta
> Network Security Consultant
> Kuwait Linux Company
> Kuwait
> Ph-2412552/2463633
> <vineet [at] linux [dot] com [dot] kw>
> www.linux.com.kw
>
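
Added example, not part of the original messages: a passive monitor for the two conditions discussed in this thread, a reply nobody asked for and a second claim that overwrites an existing IP-to-MAC binding. The `ArpWatch` class, the `build_arp` helper and all addresses are hypothetical and constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa (28 bytes)

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a constructed Ethernet/IPv4 ARP payload for the sample below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, raw(sha),
                       IPv4Address(spa).packed, raw(tha), IPv4Address(tpa).packed)

class ArpWatch:
    """Passive monitor: tracks IP-to-MAC bindings and open ARP requests."""
    def __init__(self):
        self.bindings = {}    # sender IP -> MAC last claimed for it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, payload):
        oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])[4:]
        sender, target, mac = str(IPv4Address(spa)), str(IPv4Address(tpa)), fmt_mac(sha)
        alerts = []
        if oper == 1:                      # request: remember who asked for what
            self.pending.add((sender, target))
        elif oper == 2:                    # reply: was it asked for?
            if (target, sender) in self.pending:
                self.pending.discard((target, sender))
            else:
                alerts.append(f"unsolicited reply: {sender} is-at {mac} (to {target})")
        old = self.bindings.get(sender)    # requests also assert a binding
        if old is not None and old != mac:
            alerts.append(f"binding change: {sender} {old} -> {mac}")
        self.bindings[sender] = mac
        return alerts

def run_sample():
    """Constructed traffic: A asks for C, C answers, then a second claim for C's IP."""
    a, c, other = "02:00:00:00:00:0a", "02:00:00:00:00:0c", "02:00:00:00:00:0b"
    frames = [
        build_arp(1, a, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.30"),
        build_arp(2, c, "192.0.2.30", a, "192.0.2.10"),
        build_arp(2, other, "192.0.2.30", a, "192.0.2.10"),
    ]
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]

if __name__ == "__main__":
    for n, alerts in enumerate(run_sample(), 1):
        print(n, alerts or "ok")
```

Legitimate gratuitous ARP announcements (for example after a failover or a NIC replacement) raise the same alerts, so treat them as leads to check against known hardware changes.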

