2

A product I'm testing appears to freak out when it receives an ARP request with a Sender IP Address of 0.0.0.0. This is not an ARP probe, as the request is addressed to my module, and the customer's system sends the request just before it starts using its own valid IP address, which is different than my module's IP address. The problem is recreating that here in the lab rather than having to travel to the customer's site.

Is there software I can use to generate an ARP request from a fake address? This is similar to, but not quite the same as, ARP spoofing, since I'm trying to fake the request and not the reply. Do any of the spoofing tools have this functionality? Or is there a way to force Windows or Linux to send an ARP probe?

Sam Skuce
  • 207
  • 1
  • 5

2 Answers2

4

I think arpspoof in the dsniff package will do what you need.

http://monkey.org/~dugsong/dsniff/

Matt
  • 1,903
  • 13
  • 12
  • 1
    Thanks, that wasn't quite it, but exploring the dependencies led me to the winpcap API, which has library functions to write any stream of bytes you want out on the wire. I can use that to make the fake ARP requests. – Sam Skuce Sep 27 '10 at 15:25
1

There's some sample code and documentation at

http://www.n3trino.com/papers/arp-poisoning

There's also a bit of additional background in this thread:

http://groups.google.com/group/jpcap/browse_thread/thread/7d31d417de7d70c1

Jeff Atwood
  • 13,104
  • 20
  • 75
  • 92
Ilias
  • 111
  • 4