Sparrow1
Published in: 2003-12-21 21:40 Reply Posting: 52 Points: 0 Registration: 2003-10-26 Before entering the text, you must first thank some seniors, their articles and words have given me a lot of help. So I will thank the article in front of the article. 1, Douglas E. Comer - "Internet Interconnection with TCP / IP" This is my only reference book, a good book that is easy to understand. 2, Sendarp.c This is a program source code for sending ARP packages under Linux. It is widely circulated on the Internet. I am sorry, I can't find its author. 3, HiHint - IPMAN A old senior writes the DOS command line program written directly in the Win95 environment in 1998, although the implementation method is not the same, but I still from him during the development process. There have been many guidelines there. 4. REFDOM - Sniffness and ARP spoof (http://www.xfocus.net/articles/200204/377.html) A predecessor in security focus, guided me to achieve specific ARP package is sent. Recently, I have fallen, so I have found some time to learn the ARP protocol, and wrote a related tool - SenDarp, but also wrote such a document, the document is divided into two parts, the previous part is an introduction to the ARP protocol, the latter part is Tool Sendarp usage documentation. If you have already understood the ARP protocol, you can skip the first half of this document, go directly to the program documentation, but if you have time, or help me see, see if I described clearly, is there any mistake? So I will correct it as soon as possible, thank you in advance. Let's first introduce the ARP protocol, but ... due to personal level, the following article may bother, it is difficult to understand, and you may look at me, why not give an example? Rest assured, insist on it, the example is behind. When I can't stand, I will tell me that let us let this document become easy to understand. First lead the two protagonists, they are computer A and computer B, which are connected to the same hub or switch, belonging to the same LAN, their respective network hardware devices (typically a network card) physical address (also known as hardware address, Mac) Address) is PA and PB, respectively, and the IP addresses are assigned to their respective network connections (also known as network addresses, protocol addresses), which are IA and IB. Or I give a few specific values, so it is convenient to understand. Machine name physical address (hardware address, MAC address) IP address (network address, protocol address) A 11-22-33-44-55-66 192.168.0.10 B AA-BB-CC-DD-EE-FF 192.168.0.20 When a computer is to communicate with another computer, we generally believe that only the IP address of the other party needs to know the IP address of the other computer and the corresponding port number. However, these are the concepts provided in the network layer, then go down? Finally, you should also know the physical address of the other computer during the underlying communication, because the network hardware device can only identify the physical address. You may ask why not all use physical addresses, that is because the physical address is very complicated, and it is fixed for each hardware device, not as simple as IP addresses, easy to organize.
It is assumed that the machine A is to send a packet to the machine B, but the machine A only knows the IP address IB of the machine B. If you don't know the physical address of the machine B, how to get the physical address PB of machine B by this IP address? Then there is an ARP protocol ... ARP, full name is an address conversion protocol on an Ethernet Address Resolution Protocol, Ethernet, and by following this protocol, as long as we know the IP address of a machine, you can know its physical address. Below I will describe the communication process of machine A and Machine B according to the ARP protocol: 1. Machine A said: "There is a program called me to send data to the machine B, but they only tell my machine B IP address, you can me and machine B is through the physical address. Well ... If a broadcast packet is broadcast, then the machine B can be received, but if I broadcast all the packets, it is not very piglet! Still trying to know the machine B Physical address, I contact her directly. Yes! It is said that there is an ARP protocol to help me, um, let me try. "2, according to the format specified in the ARP protocol, machine A construct a packet, including machine B IP address IB, we call it a request package, and then broadcast it out. Incidentally, this also contains the IP address of the machine A and the physical address, first buried a film. 3, the machine A said: "This package has been broadcast out, and now I will wait for the machine B to respond me ..." 4. All machines in this LAN received the request package of this broadcast, and all checked this package. However, most of the machine discovers the IP address IB mentioned in the package is different from your IP address, so I will discard this package. 5. Only one machine discovers the IP address in the package, like his IP address, this machine is the legendary machine B ... 6, machine B said: "There is a pig head broadcasts an ARP request package, mentioned inside My IP address, he probably wants to contact me alone, but I don't know my physical address, so I am broadcast ... Well! I will give him a chance to talk to me once, I will tell the physical address first. He "7, so the machine B also constructed another packet according to the ARP protocol, which contains its own physical address PB, we call it answering package, and intend to send the answering package to the machine A. 8, machine B said: "How to send this answer to a? Learn it, continue broadcasting? Can I not, how can I be as pig head like him! Check what he gives me a request package, maybe what can be found? Information is coming ... Search ... Search ... Search ... found, here is placed in his IP address and physical address! Ok, use this physical address and him. "9, so that machine B will just construct The responding package is sent out ... I have reached the machine A. 10, "Thank you! Thanks to the long wait, finally received the response, um, this package is really the machine B sent to me, yes, I also read the physical address of the machine B, good, after I later Just use this physical address and machine B separately ... "Put a few sentences, although the machine A and machine B I really want to contact alone, but it is not what they want to do, but also look at the underlying physical equipment, if they They are connected to the same hub, then they are destined to have no secrets, because Hub will send all ports for all packets.
Is there a kind of device not so pig? Yes, that is, the legendary Switch, Switch will establish a correspondence between the physical address of each machine and the port number they connect to their own port numbers, and give any machine's packets only send to the corresponding port, This allows you to meet the wishes of machine A and Machine B. However, all of this is transparent to the upper application software, they don't have to communicate with the transition process and results in the desired layer, just only need to know the other IP address and the corresponding port. So what is the specific format of the ARP packet? From the underlying layer of the network, such a packet is mainly divided into two parts. One is a physical frame header, and one is an ARP frame. Physical frame header, it will exist in front of any protocol packet, refer to the named rule of Sniffer Pro, because this frame head is constructed in the data link layer, and its main content is physics that transceivers both parties Address so that hardware device identification. DLC Header Field Name Length (byte) Meaning Default Note Destination 6 Receiver Ethernet Hardware Address Length is 6 bytes When broadcasting, the physical address is 0xfffffffff (FF-FF-FF-FF-FF-FF) Source 6 Sender's physical address Ethernet hardware address length is 6 bytes EtherType 2 frame type 0x0806 ARP frame type value is 0x0806 Then is the ARP frame, here is called ARP Framerp Frame field name length (byte) meaning Default Note Hardware Type 2 Hardware Type 0x1 LAN Type of 0x1 Protocol Type 2 Upper Protocol Type 0x0800 Because this is prepared for the IP protocol, the upper layer protocol is an IP protocol, and its type value is 0x0800 Length of Hardware Address 1 Hardware address length 0x6 Ethernet hardware address length is 0x6 Length Of Protocol Address 1 protocol address length 0x4 IP protocol address length is 0x4 opcode 2 Operation code 0x1 Represents ARP request package 0x2 Represents ARP response package Sender's hardware address 6 sender Hardware address Ethernet hardware address length is 0x6 Sender's protocol address 4 Sender's protocol address IP protocol's address length is 0x4 Due to the upper layer protocol is an IP protocol, this is the hardware address of the IP address Target Hardware Address 6 Receiver hardware address Ethernet Hardware address length is 0x6 Target Protocol Address 4 Receiver's protocol address IP protocol's address length is 0x4 Since the upper protocol is an IP protocol, this is an IP address frame padding 18 physical frame filler with all fields to add a total length of 42. Bytes, the other physical frame, there are 4 bytes of CRC, in order to achieve the minimum length of the physical frame, the number of bytes to be filled is 64-42-4 = 18, and we will refer to the protocol regulations. The packet format interprets the above steps. We will take the physical address and IP address of the two machines. Time: machine name hardware address IP address A 11-22-33-44-55-66 192.168.0.10 B AA-BB-CC-DD-EE-FF 192.168 .0.20 Now that machine A only knows that the IP address of the machine B is 192.168.0.20, which will broadcast such an ARP request package, then wait for the ARP answering package of the machine B.
When the machine A broadcasts the ARP request package, where Destination is 0xfffffffffff (FF-FF-FF-FF-FF), Source is your hardware address, OPCode is 1, and fills the IP address of the machine B in Target Protocol Address. The Sender's Hardware Address and Sender's Protocol Address fill in their hardware addresses and IP addresses, respectively. The content of the ARP request package is as follows: Field name length (byte) value memo Description Destination 6 FF FF FF FF FF broadcast address is FF-FF-FF-FF-FF DLC Header Source 6 11 22 33 44 55 66 Machine A Hardware Address 11-22-33-44-55-66 EtherType 2 08 06 ARP frame type value 0x0806 Hardware Type 2 00 01 LAN Type 0x1 ARP FRAME PROTOCOL TYPE 2 08 00 Upper Protocol is an IP protocol , Type value is 0x0800 Length of Hardware Address 1 06 Ethernet hardware address length is 0x6 Length of protocol address 1 04 IP protocol address length is 0x4 opcode 2 00 01 0x1 Representation ARP request package sender's hardware address 6 11 22 33 44 55 66 Machine A Hardware Address 11-22-33-44-55-66 Sender's Protocol Address 4 C0 A8 00 0A Machine A IP Address 192.168.0.10 Target Hardware Address 6 00 00 00 00 00 00 00 00 here 6 bytes Is a random Target Protocol Address 4 C0 A8 001 machine B IP address 192.168.0.20 frame padding 18 00 00 00 00 00 00 00 00 00 00 00 00 00 bytes for filling machine B After the ARP request package, the hardware address and IP address of the machine A are extracted, then send an ARP answering package to the machine A, where destination is the hardware address of the machine A, Source is your hardware address, opcode 2, in Sender's Hardware Address and Sender's Protocol Address fill in your hardware addresses and IP addresses, respectively, in Target Hardware Address and Target Protocol Address, separately fill in the hardware address and IP address of the machine A, respectively.
The contents of the ARP response package are as follows: Field name length (byte) value Remarks Description Destination 6 11 22 33 44 55 66 Machine A Hardware Address 11-22-33-44-55-66 DLC Header Source 6 AA BB CC DD EE FF Machine B Hardware Address AA-BB-CC-DD-EE-FF ETHERTYPE 2 08 06 ARP frame Type value 0x0806 Hardware Type 2 00 01 LAN Type 0x1 ARP Frame Protocol Type 2 08 00 Upper Protocol IP protocol, type value is 0x0800 Length of hardware address 1 06 Ethernet hardware address length is 0x6 Length of protocol address 1 04 IP protocol address length is 0x4 opcode 2 00 02 0x2 Representation ARP Answer package sender's hardware address 6 aa BB CC DD EE FF Machine B Hardware Address AA-BB-CC-DD-EE-FF Sender 'S Protocol Address 4 C0 A8 00 14 Machine B IP Address 192.168.0.20 Target Hardware Address 6 11 22 33 44 55 66 Hardware Address of Machine A 11-22-33-44-55-66 Target Protocol Address 4 C0 A8 00 0A Machine A IP address 192.168.0.0.10 frame padding 18 00 00 00 00 00 00 00 00 00 00 00 00 0018 00 00 00 0018 00 聽After the byte is used to fill the machine A After receiving the ARP answering package, you can get the physical address of the machine B, and the machine A has completed the IP address of the machine B to the translation process of the physical address, and the machine B has also been included in the machine. A The IP address to the translation process of the physical address. At this point, I believe that you have already understood the ARP protocol. If you still have a bit confused, come to me, I will tell you clearly, and modify the document, make it easier to understand. In addition, we describe some knowledge related to the ARP protocol. 1. In order to describe convenience, we call an IP address and a physical address for a corresponding entry. For a machine, this entry may be a lot, so it is necessary to use a table to manage, here we call As an ARP entry table. In the system, you can display the current ARP entry table by command "arp -a". 2. Due to various possible reasons, the correspondence of the IP address and physical address of a machine will not be fixed forever. For example, the machine B suddenly offline, or changed the network card, which changed a physical address, she won't inform the machine A, so a timeout time is set in the system, and after a life period of a corresponding entry reaches the timeout, it will be deleted so that it is actively maintained by the machine A to maintain the validity of the entry. 3. For a machine, if he receives an ARP answer package, he will not judge whether he has sent a request package, he will still extract relevant information. You may ask, why don't he judge? Please! You want to be exhausted ... But actually I don't feel tired, but he is not so real. In this way, there is a possible vulnerability, that is, the ARP spoofs I will mention below. Let's talk about some of the other features implemented by the ARP protocol. If you search on the dog (Google, my colleague habits this is called), you can find a lot of "ARP spoof" words, this is the alternative function we are about to tell.
Now we construct an ARP request package, and then imagine what will be generated. Field name length (byte) value note structure Description Destination 6 11 22 33 44 55 66 Machine A Hardware Address 11-22-33-44-55-66 DLC Header Source 6 88 88 88 88 88 88 Machine B hardware address 88-88-88-88-88-88 EtherType 2 08 06 ARP frame type value 0x0806 Hardware Type 2 00 01 LAN 0x1 ARP FRAME PROTOCOL TYPE 2 08 00 upper protocol is IP protocol, the type value is 0x0800 Length Of Hardware Address 1 06 Ethernet hardware address length is 0x6 Length of protocol address 1 04 IP protocol address length is 0x4 opcode 2 00 02 0x2 Represents ARP Answer package Sender's Hardware Address 6 88 88 88 88 88 88 Machine B hardware address 88-88-88-88-88-88 Sender's Protocol Address 4 C0 A8 00 14 Machine B IP address 192.168.0.20 Target Hardware Address 6 11 22 33 44 55 66 Machine A Hardware Address 11-22-33-44- 55-66 Target Protocol Address 4 C0 A8 00 0A Machine A IP address 192.168.0.10 frame padding 18 00 00 00 00 00 00 00 00 00 00 00 00 bytes for filling now Is it very familiar with a packet? You will think this is a response package that is sent to the machine A, including the hardware address of the machine B. However, the content of the package given above is different ... The difference is that the hardware address of the machine B is on the hardware address of the machine B. The hardware address of the machine B should be AA-BB-CC-DD-EE-FF, but this answer package The corresponding hardware address is 88-88-88-88-88-88, and it is imagined what effects occur after the machine A receives this package. He won't pay attention to whether he has sent a request package for the physical address of the machine B. He still directly extracts the IP address and physical address, so that the machine A will be wrong, the hardware address of the machine B is 88-88- 88-88-88-88, then machine A can not communicate with the machine B because he made the hardware address of the machine B. So now you will also believe this answering package is the machine B sent it? It is obviously another machine for their malicious attempt. But if it is really the machine b deliberately, then I don't say anything, but the system of machine B will be like this, these can only be artificial. This is the ARP spoofing mentioned earlier ... If machine A is the gateway of this LAN? Then, the machine B doesn't want to go online because she can't receive the information that the machine A should be sent to her. If the physical address of the machine B is given here is the physical address of another machine C? Then, the information sent to the machine B will be sent to the machine C. This allows the machine C to intercept some of the information sent to the machine B, but the communication of machine A and machine B will interrupt because there is a data package in the middle for the machine B. However, if the machine C will intercepted the data packet to continue forwarding to the machine B, of course, the machine C will be mounted into a machine A during the forwarding process, then the machine C is completely the data transfer station of the machine A to the machine B. Similarly, machine C can also be a data transfer station for machine B to machine A.
This is the data listening to the ARP spoof, about the monitoring, there is not much Luo Luo, huh, it's actually because I still don't, I will learn to write the relevant document again ... Oh, this article is more Point, I am really appreciated you can insist on seeing it. Here I will introduce some of the situation itself. After I have finished learning the agreement, it is the process of implementing the ARP package. Since I found Sendarp.c, this is a program that sends an ARP package under Linux, directly with Socket, but I have never found the method under Windows. Directly use Socket to send ARP packs, and later, I saw REFDOM's article "Sniffness and ARP spoof in the security focus", so I decided to use WinPCAP, powerful, easy to use, or free, huh, okay, Ok! I have no big role in this program, just used to send ARP packages. There are many programs that can be sent directly to the ARP package, but they are all command lines. In many people, the command line may be more convenient, but if you do some extensions on the graphical interface, the advantage of the graphics interface will be very obviously. In addition, I have not intended to make him a hacking tool, just just for learning research. Due to various reasons, the program itself has some limitations, first explain it. First, this program has the limitations of the running platform, only for Windows 2000 and Windows XP, mainly due to the two reasons. One is that my development platform is Win2000, WIN2000 and WIN9X series may not be the same in the network hardware, in order to avoid possible problems, the requesting program cannot be used on Win9x; Second, since WinPCAP is used in the program Send a packet, and this thing it does not support Windows 2003, but I have no problem when I test on Win2003. Second, running the program has a request for the system, that is, WinPCAP must be installed, because WinPCap is too much, I don't have a bunch of DLL and SYS files, so I will first compare WinPCAP running library. save trouble. The download address of this thing is in the end of the article. It is limited to a bunch of unlimited, that is, for the system platform of other machines within the LAN, whether it is Windows or Linux, there is a premise (depressed! It's still a limit), use TCP / IP! In addition, this program only provides the function of sending an ARP package. If you want to see the ARP answering package sent by the other machine, you still need to use the other Sniffer tool. I will not Sniffer, and I have learned, and I will integrate these two functions. As shown in the figure, this is the main interface of the program, the main function is to send an ARP package. Image Address: http://www.luocong.com/sparrow/arp/sendarp.jpg If you understand the previous article, then the various items on this interface don't need to explain more ... on the right side It is also the extension of this program, and it is also the difference between other similar tools.
In fact, when I first started to learn the ARP protocol, I found many of the arp tools, I did two experiments at the time, one was the simulation system to query another machine physical address, and the other is via ARP spoof The other machine could not be online, I said this machine is a mouse. In these two trials, I need to know the IP address and physical address of the mouse machine. If you plan to manually get these two information, you must first get the IP address of the machine. This method is too much, it's not Luo, then ping the IP address, at this time, the system has been related to the ARP protocol, so We can get the physical address of the machine through the "arp -a" command. I have always been a lazy person, so I think if I integrate this process into my own procedure, I am not better, so I plan to make a graphical interface, and have these auxiliary functions, so Sendarp has become this . You may ask me if you only know the other machine name, don't know if the other machine IP address can be integrated into the program, this ... this ... I am lazy ... interface right There are two ListView, one listView is a list of system currently available NICs, including the name, IP address, and physical address of each NIC in the network connection. One of the following ListView is the network in which the NIC is located in a network in the network. ARP corresponds to the entry list, including the IP address and physical address of each corresponding entry. You can choose which network card test, mainly for friends who are convenient for multi-NIC. If you want to know the physical address corresponding to an IP address, you can click the "Add" button, enter the IP address, if the IP address is in the local area network, then the system will complete the ARP conversion process, the program reads the conversion result Re-list all ARP correspondence entries. If you want to delete an ARP corresponding entry in the system, you can select it, then click the "Delete" button. Two examples: 1. Improve a machine to get the physical address of your machine by broadcasting the ARP request package, then populate a packet to describe this ARP request package, send this package out. The package will affect the ARP entry on your machine, then you can click on the "Refresh" button to view all ARPs on the system, which will find the imaginary machine to correspond to the ARP on your own machine. 2, it is the example mentioned above, a machine that cannot communicate with the gateway is not more than Luo. There is also a small feature because the program often copies the address information on the right side of the interface to the left side of the interface, then you can click the right mouse button corresponding to the location in the listView. At this time, the content in the corresponding position has been copied to the clip On the board, you can go to the left side of the interface to paste it. There is also an input format that needs to be explained that the input IP address will only receive the type of point input, such as 192.168.0.1, the input physical address is recommended to be like this 11-22-33-445566 or 112233445566, I don't Do too much judgment, conversion, and fault tolerance, everyone should be careful ... It seems to be understood, and finally add, the Arp entry in the screenshot is all my own fake, the interface on the left side of the interface. Once you send it, you can generate a person-made ARP corresponding entry. This is the first example I mentioned above, but the sender's physical address of the DLC Header is different from the sender's physical address in the ARP frame. Test results, we can know which one will be taken under the Windows system, in fact, in theory, it should be taken behind.
Finally, let the program code, the code of this program is completely open, but the number of files is more, so it is not convenient to discipline, you can download the program source code below, compile the environment for Microsoft Visual Studio .NET 2003, the development language is VC, my code is not very standardized, everyone is criticizing while looking, don't forget to tell me to help me correct. I am particularly thanked to provide space for me. In addition, since WinPCAP is used, Winpcap is required at compile time, and the download address is below. Sendarp Source Code: http://www.luocong.com/sparrow/rp/sendarp_src.rarwinpcap Rage: http://winpcap.polito.it/install/bin/winpcap_3_0.exewinpcap Development Pack: http: // WinPCAP. Polito.it/install/bin/wpdpack_3_0.zipsparrow2003.12.21 sparrow1 Editorial to 2003-12-21 22:00 Sparrow1 Posted: 52 Points: 52 Points: 0 Registration: 2003-10-26 Since the HTML form and the image cannot be displayed normally, the HTM version and the MHT version of the document are provided, the address is as follows: http://www.luocong.com/sparrow/arp/sendarp_doc.htmhttp://www.luocong.com/sparrow /arp/sendarp_doc.mht source address is the last place. I hope to discuss learning with everyone, I hope everyone is correct, thank you! Quest
Published in: 2003-12-22 11:04 Reply Posting: 56 Points: 0 Registration: 2002-12-06 Nothing is not top is a bad behavior. Yes, learn ing
--- Learn and after knowing ... ~ _ ~ =. =
Yjyss1
Published in: 2003-12-22 23:02 Reply Posting: 30 Points: 0 Registration: 2003-10-14 If you want to improve the level, it is recommended to use pcap, use packet32 or directly with Writefile, hahaha, make a joke It is not bad.
--- Everything does not necessarily have to do it yourself, but you must do it.
Sparrow1
Published in: 2003-12-22 23:15 Reply Posting: 52 Points: 0 Registration: 2003-10-26: (The foundation is not solid enough, will not directly control hardware through the system interface, so it is temporarily borrowed the PCAP library, I want to have a certain understanding first, then gradually learn from the bottom. Sparrow1 Edited in 2003-12-22 23:16 Prfone
Published in: 2003-12-24 21:26 Reply Posting: 812 Points: 0 Registration: 2002-01-11arp Request package will not change the ARP table?
--- The edge of the edge is self-contained. . .
Sparrow1
Published in: 2003-12-25 13:08 Reply Posting: 52 Points: 0 Registration: 2003-10-26 That look at the Target Protocol Address specified in the bag, if the broadcast request package, then receive The IP Address Instation The machine will change its own ARP table using the Sender's Hardware Address and Sender's Protocol Address (ie, sender physical addresses and sender IP) in the request package, but other machines will not. In addition, it should also be noted that if the person is a broadcast request package, the machine specified by the sender IP specified in the package will also receive the package, and it is considered that someone is the same as his IP, thus triggering the IP conflict of the machine. At this time, the machine cannot communicate external communication, it is said that the machine automatically disables the protocol stack. Prfone Posted: 2003-12-25 20:48 Reply Posting: 812 Points: 0 Registration: 2002-01-11 It is reasonable!
--- The edge of the edge is self-contained. . .
Narcissis
Published in: 2003-12-29 15:27 Reply Posting: 3 Points: 0 Registration: 2003-12-29
Quote (Sparrow1 @ 2003-12-25 13:08)
That look at the Target Protocol Address (ie, Receiver IP) specified in the bag, if the broadcast request package, the receiver IP address The machine will use Sender's Hardware Address and Sender's Protocol Address in the request package (ie send party. Physical address and sender IP) Change their own ARP table, but other machines will not.
??Is that so? How do I remember that all machines will refresh their ARP table sparrow1 based on the source information in the broadcast package.
Published in: 2003-12-29 18:39 Reply Posting: 52 Points: 0 Registration: 2003-10-26 Try again, the problem is indeed less simple, my previous understanding may be wrong. Thank you Narcissis reminder. There is a Win2000 machine A, then I broadcast a request package as the identity of the machine B, and ask the Mac C's Mac, and then observe the change of the ARP correspondence regarding the machine B. The results found that in both cases, the conclusion is different. 1. If the machine A does not have an ARP correspondence for machine B, the machine B is broadcast, and the machine A still has no entries for the ARP of machine B. 2, if the machine A originally has an ARP correspondence for machine B, after the machine B broadcast, the ARP corresponding to Machine B is updated according to the information in the broadcast package. Due to the test environment restriction, there is no further test for other systems. SPARROW1 Edited from 2003-12-29 18:40 HIDS_HIDS
Published in: 2003-12-29 18:59 Reply Posting: 10 Points: 0 Registration: 2003-11-23 Learning. . . . PRFONE
Published in: 2003-12-29 22:08 Reply Posting: 812 Points: 0 Registration: 2002-01-11 "I am using the identity broadcast of machine B", "I" "I" refers to a different from A, B, Is a machine D of C?
--- The edge of the edge is self-contained. . .
Sparrow1
Published in: 2003-12-29 23:48 Reply Posting: 52 Points: 0 Registration: 2003-10-26 Oh, observe and carefully, "I" belongs to one of ABCs and "I" belongs to three The situation outside is done, the conclusion is the same. I just thought about it, this conclusion is actually very logical, looking back, I really have this. I am so understanding now, I don't want everyone to finish. Machine A knows the correct IP and Mac of the machine B, then the machine B suddenly changed a network card, and the machine B immediately broadcasts the ARP request. 1. At this time, the original ARP entry of the machine B should be updated after receiving the broadcast, and the ARP entry of the machine B should be updated to resume communicate with the machine B as soon as possible. 2, other original ARP entries without machine B receive the broadcast, and find that the request is not for yourself, there is no need to pay attention to it, because Joining a new entry will increase system consumption, and this machine is in close There is no contact with yourself during time, and it will not contact yourself later, so there is no need to add a new entry. The above guess is limited to the Windows system, and does not include Win2003, Win2003 is quite strange. For other platforms, they have to be further trial. At the same time, friends who want to be interested can do more tests. Some subjective guess may affect the completeness of the test, resulting in some error conclusions. Sparrow1 Editor Posted: 2003-12-30 16:13 Reposted Posting: 6 Points: 0 Registration: 2003-09-25 Write well!
---difficult? This is challenge!
ENTER2000
Published in: 2004-01-04 01:53 Reply Posting: 2 Points: 0 Registration: 2004-01-04 Look at the article written by the old brother, learn a lot, huh, thank you! I like Delphi to write the interface, so I used it to Delphi for a day. Of course, I didn't consider the interface, huh, huh, follow the heroes! Below is my Delphi revised hero's work http://hrdata.y365.com/sendpacket.rar sparrow1
Published in: 2004-01-04 10:09 Reply Posting: 52 Points: 0 Registration: 2003-10-26 Thank Enter2000's support, I tried your procedure, function is normal, but there is 2 small questions. 1. The other party IP format displayed in the box in the bottom of the screen is not correct, such as "192.168.0.1", which is displayed as "1.0.168.192" 2, and there are 3 network cards on my machine, one of which is physics. NIC, the other two are the virtual network card after installing VMware 4.0. After testing When the virtual network card is enabled, the startup program will report an error, provide an error message for reference, "Access Violation At Address 00459FC2 in module 'sendpacket.exe'. Read of address 00000000". In addition, is your capture process to listen to PCAP? Oh, admire, I will not listen, so I read the ARP table directly in the program to get the physical address of the other party. SPARROW1 Editor at 2004-01-04 10:13 Backend
Published in: 2004-01-04 11:37 Reply Posting: 92 Points: 0 Registration: 2001-11-22 Pure programming (rather than research agreement): // C Implement #include "stdafx.h" #include Published in: 2004-01-04 11:38 Reply Posting: 92 Points: 0 Registration: 2001-11-22 // C # Implementation // Note: Only function, the MAC address is not converted to a host byte string. [DllImport ( "Iphlpapi.dll")] private static extern int SendARP (Int32 dest, Int32 host, ref Int64 mac, ref Int32 length); [DllImport ( "Ws2_32.dll")] private static extern Int32 inet_addr (string ip) ; static private Int64 getRemoteMAC (string localIP, string remoteIP) {Int32 ldest = inet_addr (remoteIP); ip Int32 lhost // destination = inet_addr (localIP); // local server ip try {Int64 macinfo = new Int64 () INT32 LEN = 6; int Res = Sendarp (LDEST, 0, REF MACINFO, REF LEN); RETURN MacInfo;} catch (Exception Err) {Console.Writeline ("Error: {0}", err.Message);} Return 0; ENTER2000 Posted: 2004-01-04 14:33 Reply Posting: 2 Points: 0 Registration: 2004-01-04sparrow1 heroes, about what you mentioned: The first is because I didn't do NTOHS The conversion is caused, and it is quite fun that it is like this. The second error problem I think that WinPCAP cannot be compatible with virtual driver. The listener is done with WinPCAP. If you don't want to use it, you want to write it yourself, there is a delphi example http://www.china-askpro.com/download/ipman1.zip can take a look Yinkai Published in: 2004-06-05 02:50 Reply Posting: 30 Points: 0 Registration: 2002-03-08 Boss! I haven't downloaded http://www.luocong.com/sparrow/rp/sendarp_src.rar --- http://www.techwh.net Sparrow1 Published in: 2004-06-07 09:26 Reply Posting: 52 Points: 0 Registration: 2003-10-26 Halo ... Sorry ... I will send it to you alone ... Space problem has been very problematic, recently get it properly solve…… HIDS_HIDS Published in: 2003-12-29 18:59 Reply Posting: 10 Points: 0 Registration: 2003-11-23 Learning. . . . PRFONE Published in: 2003-12-29 22:08 Reply Posting: 812 Points: 0 Registration: 2002-01-11 "I am using the identity broadcast of machine B", "I" "I" refers to a different from A, B, Is a machine D of C? --- The edge of the edge is self-contained. . . Sparrow1 Published in: 2003-12-29 23:48 Reply Posting: 52 Points: 0 Registration: 2003-10-26 Oh, observe and carefully, "I" belongs to one of ABCs and "I" belongs to three The situation outside is done, the conclusion is the same. I just thought about it, this conclusion is actually very logical, looking back, I really have this. I am so understanding now, I don't want everyone to finish. Machine A knows the correct IP and Mac of the machine B, then the machine B suddenly changed a network card, and the machine B immediately broadcasts the ARP request. 1. At this time, the original ARP entry of the machine B should be updated after receiving the broadcast, and the ARP entry of the machine B should be updated to resume communicate with the machine B as soon as possible. 2, other original ARP entries without machine B receive the broadcast, and find that the request is not for yourself, there is no need to pay attention to it, because Joining a new entry will increase system consumption, and this machine is in close There is no contact with yourself during time, and it will not contact yourself later, so there is no need to add a new entry. The above guess is limited to the Windows system, and does not include Win2003, Win2003 is quite strange. For other platforms, they have to be further trial. At the same time, friends who want to be interested can do more tests. Some subjective guess may affect the completeness of the test, resulting in some error conclusions. Sparrow1 Editor Posted: 2003-12-30 16:13 Reposted Posting: 6 Points: 0 Registration: 2003-09-25 Write well! ---difficult? This is challenge! ENTER2000 Published in: 2004-01-04 01:53 Reply Posting: 2 Points: 0 Registration: 2004-01-04 Look at the article written by the old brother, learn a lot, huh, thank you! I like Delphi to write the interface, so I used it to Delphi for a day. Of course, I didn't consider the interface, huh, huh, follow the heroes! Below is my Delphi revised hero's work http://hrdata.y365.com/sendpacket.rar sparrow1 Published in: 2004-01-04 10:09 Reply Posting: 52 Points: 0 Registration: 2003-10-26 Thank Enter2000's support, I tried your procedure, function is normal, but there is 2 small questions. 1. The other party IP format displayed in the box in the bottom of the screen is not correct, such as "192.168.0.1", which is displayed as "1.0.168.192" 2, and there are 3 network cards on my machine, one of which is physics. NIC, the other two are the virtual network card after installing VMware 4.0. After testing When the virtual network card is enabled, the startup program will report an error, provide an error message for reference, "Access Violation At Address 00459FC2 in module 'sendpacket.exe'. Read of address 00000000". In addition, is your capture process to listen to PCAP? Oh, admire, I will not listen, so I read the ARP table directly in the program to get the physical address of the other party. SPARROW1 Editor at 2004-01-04 10:13 Backend Published in: 2004-01-04 11:37 Reply Posting: 92 Points: 0 Registration: 2001-11-22 Pure programming (rather than research agreement): // C Implement #include "stdafx.h" #include Published in: 2004-01-04 11:38 Reply Posting: 92 Points: 0 Registration: 2001-11-22 // C # Implementation // Note: Only function, the MAC address is not converted to a host byte string. [DllImport ( "Iphlpapi.dll")] private static extern int SendARP (Int32 dest, Int32 host, ref Int64 mac, ref Int32 length); [DllImport ( "Ws2_32.dll")] private static extern Int32 inet_addr (string ip) ; static private Int64 getRemoteMAC (string localIP, string remoteIP) {Int32 ldest = inet_addr (remoteIP); ip Int32 lhost // destination = inet_addr (localIP); // local server ip try {Int64 macinfo = new Int64 () INT32 LEN = 6; int Res = Sendarp (LDEST, 0, REF MACINFO, REF LEN); RETURN MacInfo;} catch (Exception Err) {Console.Writeline ("Error: {0}", err.Message);} Return 0; ENTER2000 Posted: 2004-01-04 14:33 Reply Posting: 2 Points: 0 Registration: 2004-01-04sparrow1 heroes, about what you mentioned: The first is because I didn't do NTOHS The conversion is caused, and it is quite fun that it is like this. The second error problem I think that WinPCAP cannot be compatible with virtual driver. The listener is done with WinPCAP. If you don't want to use it, you want to write it yourself, there is a delphi example http://www.china-askpro.com/download/ipman1.zip can take a look Yinkai Published in: 2004-06-05 02:50 Reply Posting: 30 Points: 0 Registration: 2002-03-08 Boss! I haven't downloaded http://www.luocong.com/sparrow/rp/sendarp_src.rar --- http://www.techwh.net
