Hi All,

I have written a packet sniffer program using the SharpPcap module introduced on this web site.

I found that when I capture a TCP packet, I can get the source IP address of the packet, but I don't know how to get the source MAC and IP of the PC that sent an ARP spoofing packet captured by my sniffer.

Thanks
Comments
virusstorm 22-Apr-15 14:00pm    
I'm not an expert on this, but I know the ARP cache is managed by your router and/or switch. I think you might be able to use the SNMP protocol to talk to your switches and routers to determine where the packet came from.
rr12 23-Apr-15 10:24am    
Hi virusstorm,

Thanks for your advice. But if the ARP spoofing packet's source MAC and source IP address are also not true, does that mean looking at the ARP cache will not help?
virusstorm 24-Apr-15 8:54am    
The switch maintains its own ARP cache so it knows, when traffic comes back, what port to send the traffic to. So even if the MAC and IP are spoofed, the switch knows what port the traffic originated from. So you can literally follow it back to the device that sent the traffic.
Florian Braun 22-Apr-15 16:13pm    
As you say, spoofing is possible. But as ARP is used to get an IP address for a MAC address, spoofing only makes sense to fake an IP address to the MAC address of the "bad guy". So if you fear spoofing, don't trust the IP, trust the MAC address.
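
For the question asked in this thread, an added example (not from the original posts and not SharpPcap's own code) that reads the Ethernet source MAC and the ARP sender MAC/IP out of the raw frame bytes a sniffer captures, and flags a sender MAC that disagrees with the frame header or with a known-good binding. `ArpInfo`, `ArpInspector` and the trusted IP-to-MAC table are hypothetical names for illustration; it assumes untagged Ethernet II frames.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.NetworkInformation;

public sealed class ArpInfo
{
    public PhysicalAddress EthernetSource, SenderMac;   // frame header vs. ARP payload
    public IPAddress SenderIp;
    public int Operation;                               // 1 = request, 2 = reply
}

public static class ArpInspector
{
    static byte[] Slice(byte[] b, int o, int n) { var r = new byte[n]; Array.Copy(b, o, r, 0, n); return r; }

    // Returns null unless the frame is untagged Ethernet II carrying ARP for IPv4.
    public static ArpInfo Parse(byte[] f)
    {
        if (f == null || f.Length < 42) return null;        // 14-byte header + 28-byte ARP
        if (f[12] != 0x08 || f[13] != 0x06) return null;    // EtherType 0x0806 = ARP
        if (f[14] != 0 || f[15] != 1 || f[16] != 0x08 || f[17] != 0 || f[18] != 6 || f[19] != 4)
            return null;                                    // htype 1, ptype 0x0800, hlen 6, plen 4
        return new ArpInfo {
            EthernetSource = new PhysicalAddress(Slice(f, 6, 6)),
            Operation = (f[20] << 8) | f[21],
            SenderMac = new PhysicalAddress(Slice(f, 22, 6)),
            SenderIp = new IPAddress(Slice(f, 28, 4)) };
    }

    // trusted: operator-maintained IP -> MAC bindings ("AA-BB-CC-DD-EE-FF"); an assumption of this example.
    public static List<string> Check(ArpInfo a, IDictionary<string, string> trusted)
    {
        var alerts = new List<string>();
        if (!a.EthernetSource.Equals(a.SenderMac))
            alerts.Add("Ethernet source " + a.EthernetSource + " != ARP sender MAC " + a.SenderMac);
        string expected;
        if (trusted.TryGetValue(a.SenderIp.ToString(), out expected)
            && !PhysicalAddress.Parse(expected).Equals(a.SenderMac))
            alerts.Add(a.SenderIp + " claimed by " + a.SenderMac + ", expected " + expected);
        return alerts;
    }

    public static void Main()
    {
        // Constructed sample: ARP reply claiming 192.168.1.1 from a MAC that is not the trusted one.
        byte[] frame = { 0x02,0,0,0,0,0x10, 0x02,0,0,0,0,0x99, 0x08,0x06, 0,1, 0x08,0, 6, 4, 0,2,
                         0x02,0,0,0,0,0x99, 192,168,1,1, 0x02,0,0,0,0,0x10, 192,168,1,10 };
        var trusted = new Dictionary<string, string> { { "192.168.1.1", "00-11-22-33-44-55" } };
        foreach (var alert in Check(Parse(frame), trusted)) Console.WriteLine(alert);
    }
}
```

Both the Ethernet source and the ARP sender fields are set by whoever sent the frame, so the checks report inconsistencies rather than prove identity.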

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)