"Linux Environment Programming" ARP programming


(Note: part of "Linux C programming One-stop learning")

Ethernet (RFC 894) frame format


Figure one: Ethernet packet type

The source address and destination address are the hardware addresses (also called MAC addresses) of the network cards. Each is 48 bits long and is burned into the card at the factory. Look at the output of the ifconfig command: the "HWaddr 00:15:f2:14:9e:3f" part is the hardware address. The protocol (type) field has three values here, corresponding to IP, ARP and RARP. The end of the frame is the CRC checksum.


The data in an Ethernet frame must be at least 46 bytes and at most 1500 bytes long. ARP and RARP packets are shorter than 46 bytes, so they are padded at the end. The maximum of 1500 is called the Maximum Transmission Unit (MTU) of Ethernet. Different network types have different MTUs, and if a packet is routed from Ethernet onto a dial-up link whose MTU is smaller than the packet length, the packet has to be fragmented (fragmentation). The ifconfig output also shows "MTU:1500". Note that the MTU is the maximum length of the payload in the frame; it does not include the frame header.

In network communication, the application on the source host knows the destination host's IP address and port number, but not its hardware address. A packet is first received by the network card before it is handed to the upper-layer protocols, and if the hardware address in the received packet does not match the local machine's, the card simply discards it. Therefore the hardware address of the destination host must be obtained before communication, and that is the job of the ARP protocol. The source host sends an ARP request asking "what is the hardware address of the host whose IP address is 192.168.0.1?" and broadcasts it on the local network segment (the destination hardware address in the Ethernet header is filled with FF:FF:FF:FF:FF:FF, which means broadcast). When the destination host receives the broadcast ARP request and finds that the IP address matches its own, it sends an ARP reply back to the source host with its hardware address filled in.

Each host maintains an ARP cache table that can be viewed with the arp -a command. The entries in the cache have an expiration time (typically 20 minutes); if an entry is not used again within 20 minutes it expires, and the next time that destination host's hardware address is needed a new ARP request is sent. Think about why entries have an expiration time rather than staying valid forever.


Figure two: ARP packet type

Note that the source MAC address and the destination MAC address appear once in the Ethernet header and again in the ARP packet. This is redundant when the link layer is Ethernet, but may be necessary when the link layer is another type of network. The hardware type is the link-layer network type (1 is Ethernet); the protocol type is the type of address to be resolved (0x0800 is an IP address); the two address-length fields are 6 and 4 (bytes) for an Ethernet address and an IP address; and the OP field is 1 for an ARP request and 2 for an ARP reply.

With the basic knowledge above, let's move on to the actual programming:

1. Determine the parameters of the socket

From figure one we can see that although ARP, RARP and IP all belong to the network layer (also called the IP layer), their packets are encapsulated independently. ICMP and IGMP are also in the IP layer, but they are wrapped inside IP datagrams. So when we create a socket for ARP or RARP we cannot use raw IP datagrams (SOCK_RAW); we need the most primitive Ethernet frames (SOCK_PACKET). For the address family you can choose IPv4 (AF_INET) or IPv6 (AF_INET6) as needed. The protocol type of ARP is the same as the Ethernet frame type, so it should be 0x0806, which Linux defines among its "Ethernet Protocol ID" values:

#define ETH_P_ARP 0x0806

Then we can simply create the socket like this: sfd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ARP));

2. Determine the structure of the ARP packet

From figure two, the following structure is determined (every unsigned short starts at an even offset, so the compiler inserts no padding and sizeof(struct arp_packet) is 60):

struct arp_packet {
    /* Ethernet header */
    unsigned char  ap_dstmac[6];   /* 6 bytes: destination MAC */
    unsigned char  ap_srcmac[6];   /* 6 bytes: source MAC */
    unsigned short ap_frame;       /* 2 bytes: frame type (0x0806 = ARP) */
    /* ARP */
    unsigned short ap_hwtype;      /* 2 bytes: hardware address type */
    unsigned short ap_prototype;   /* 2 bytes: software (protocol) address type */
    unsigned char  ap_hwlen;       /* 1 byte: hardware address length */
    unsigned char  ap_prolen;      /* 1 byte: software address length */
    unsigned short ap_op;          /* 2 bytes: operation type */
    unsigned char  ap_frommac[6];  /* 6 bytes: sender MAC */
    unsigned char  ap_fromip[4];   /* 4 bytes: sender IP */
    unsigned char  ap_tomac[6];    /* 6 bytes: target MAC */
    unsigned char  ap_toip[4];     /* 4 bytes: target IP */
    /* 18 bytes of padding, because the Ethernet data must be at least 46 bytes */
    unsigned char  ap_padding[18];
};

3. Get the local IP address and MAC address

Linux provides ioctl request codes for obtaining the MAC address and the IP address:

#define SIOCGIFADDR   0x8915  /* get PA address */
#define SIOCSIFADDR   0x8916  /* set PA address */
#define SIOCSIFHWADDR 0x8924  /* set hardware address */
#define SIOCGIFHWADDR 0x8927  /* get hardware address */

Before getting the local MAC address and IP address, we need to tell ioctl which NIC we want the parameters for:

struct ifreq eth;
strcpy(eth.ifr_name, "eth0");

/* get the eth0 hardware address */
int ret = ioctl(fds, SIOCGIFHWADDR, &eth);
if (ret < 0) {
    perror("Get Hardware Address Fail:");
    goto close_socket;
}

/* get the eth0 IP address */
ret = ioctl(fds, SIOCGIFADDR, &eth);
if (ret < 0) {
    perror("Get IP address Fail:");
    goto close_socket;
}

unsigned char mac_addr[6];
memcpy(mac_addr, eth.ifr_hwaddr.sa_data, 6);

/* in "struct sockaddr" the IPv4 address starts 2 bytes into sa_data (after the port) */
unsigned char ip_addr[4];
memcpy(ip_addr, eth.ifr_addr.sa_data + 2, 4);
4. Filling in the packet

struct arp_packet arp_in;
bzero(&arp_in, sizeof(struct arp_packet));

unsigned char broadcast_mac[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
memcpy(arp_in.ap_dstmac, broadcast_mac, 6);      /* broadcast: peer MAC is unknown */
memcpy(arp_in.ap_srcmac, mac_addr, 6);
arp_in.ap_frame     = htons(ETH_P_ARP);
arp_in.ap_hwtype    = htons(0x0001);             /* hardware type 1 = Ethernet */
arp_in.ap_prototype = htons(ETH_P_IP);
arp_in.ap_hwlen     = 6;
arp_in.ap_prolen    = 4;
arp_in.ap_op        = htons(0x0001);             /* 0x0001 = ARP request, 0x0002 = ARP reply */
memcpy(arp_in.ap_frommac, mac_addr, 6);
memcpy(arp_in.ap_fromip, ip_addr, 4);
/* ap_toip, the IP address being asked about, must also be filled in here;
 * the original listing does not show that line. ap_tomac stays zero. */
5. Sending and receiving

Because the peer's MAC address is unknown in this case, the packet is sent as a broadcast.

So all we have to tell the lower layer at this point is which NIC to send it through.

/* named sa rather than eth so it does not clash with the struct ifreq above */
struct sockaddr sa;
sa.sa_family = AF_INET;
strcpy(sa.sa_data, "eth0");                      /* SOCK_PACKET: interface name goes in sa_data */

ret = sendto(fds, &arp_in, sizeof(struct arp_packet), 0,
             (struct sockaddr *)&sa, sizeof(struct sockaddr));
if (ret < 0) {
    perror("Send request ARP packet Fail:");
    goto close_socket;
}

struct arp_packet arp_rc;
socklen_t slen = sizeof(struct sockaddr);
bzero(&arp_rc, sizeof(struct arp_packet));
ret = recvfrom(fds, &arp_rc, sizeof(struct arp_packet), 0,
               (struct sockaddr *)&sa, &slen);
if (ret < 0) {
    perror("Receive Reply ARP Packet Fail:");
    goto close_socket;
}

close_socket:
close(fds);
return (ret > 0 ? 1 : ret);

6. That is all. The output from a test run is as follows:

-----------------------------sendto----------------------------
Dest MAC: ff:ff:ff:ff:ff:ff
Src  MAC: 00:22:15:67:f8:16
HW  type: 0806
From    : 210.42.158.204
To      : 210.42.158.212
ARP   op: 0100
-----------------------------recvfrom-------------------------
Dest MAC: 00:22:15:67:f8:16
Src  MAC: 00:e0:4c:dc:aa:1e
HW  type: 0806
From    : 210.42.158.212
To      : 210.42.158.204
ARP   op: 0200

As for ARP attacks, I tested a little, and they can be done. But many computers have ARP protection or firewalls, on which ARP attacks have no effect.

For the sake of social peace, I will not post the code of an ARP attack here.

If there is any problem, please leave a message pointing it out! Thank you!

