-1

This code is run every time a packet is detected, but the ARP IP addresses are not matching up to what they should be, the source IP address is not even local. I've added a test printout to try find the problem and I'm getting output like this when I run an ARP scan (on 192.168.1.*):

Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.42 (ff:ff:ff:ff:28:cf)
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.43 (ff:ff:ff:ff:28:cf)
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.44 (ff:ff:ff:ff:28:cf)
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.45 (ff:ff:ff:ff:28:cf)
Message: [2054] Src IP: 18.0.255.255 (28:cf:e9:18:db:29) - Trg IP: 192.168.1.46 (ff:ff:ff:ff:28:cf)

What would cause this type of behaviour where the target IP (last field in struct) gets read correctly but the rest don't?

   const struct pkt_ethernet *ethernet = (struct pkt_ethernet*)(packet);

    char ether_src[48];
    char ether_dst[48];
    char ether_typ[8];
    int  ether_typ_dec;

    snprintf(ether_src, 48,  "%s", ether_ntoa(ethernet->ether_src));
    snprintf(ether_dst, 48,  "%s", ether_ntoa(ethernet->ether_dst));
    snprintf(ether_typ,  8,  "%d", ntohs(ethernet->ether_type));
    ether_typ_dec = ntohs(ethernet->ether_type);

    switch (ether_typ_dec)
    {
        case 2054: // ARP Packet
        {
            const struct pkt_arp *arp = (struct pkt_arp*)(packet + SIZE_ETHERNET);

            char arp_srcIP[INET_ADDRSTRLEN]; // ARP Source IP
            char arp_trgIP[INET_ADDRSTRLEN]; // ARP Target IP
            char arp_srcHW[48];
            char arp_trgHW[48];

            inet_ntop(AF_INET, &arp->srcIP, arp_srcIP, INET_ADDRSTRLEN);
            inet_ntop(AF_INET, &arp->trgIP, arp_trgIP, INET_ADDRSTRLEN);
            snprintf(arp_srcHW, 48,  "%s", ether_ntoa(arp->srcHw));
            snprintf(arp_trgHW, 48,  "%s", ether_ntoa(arp->trgHW));

            char test[300];
            snprintf(test, 300,  "[%d] Src IP: %s (%s) - Trg IP: %s (%s)", ether_typ_dec, arp_srcIP, arp_srcHW, arp_trgIP, arp_trgHW);

            capMessage(test);

            break;
        }
    }

ARP Struct:

struct pkt_arp
{
    u_int16_t htype;                              /* Hardware Type           */
    u_int16_t ptype;                              /* Protocol Type           */
    u_char hlen;                                  /* Hardware Address Length */
    u_char plen;                                  /* Protocol Address Length */
    u_int16_t oper;                               /* Operation Code          */
    struct ether_addr srcHw[ETHER_ADDR_LEN];       /* Sender hardware address */
    struct  in_addr srcIP;                        /* Sender IP address       */
    struct ether_addr trgHW[ETHER_ADDR_LEN];      /* Target hardware address */
    struct  in_addr trgIP;                        /* Target IP address       */
} __attribute__ ((__packed__));
Crizly
  • 971
  • 1
  • 12
  • 33
  • Just starting to look... It is inadvisable to use decimal numbers to look for values in packets like the ether type.. 0x0800, 0x0806, etc... these are what network people know to look for and how RFCs are written. Translating to decimal can lead to lots of hair pulling. – David Hoelzer Jul 24 '17 at 19:29
  • I might be tired, but the `&arp->` doesn't sit well with me. It's already a pointer.. I feel as though I'd try that as a `arp->` without the &, but it could just be my sleepy brain. – David Hoelzer Jul 24 '17 at 19:31
  • The target HW address is suspicious as well... From my memory, again, that should be 0x0000000 in the arp request. The 0x28cf on the end looks mighty odd though – David Hoelzer Jul 24 '17 at 19:35
  • @DavidHoelzer if I remove the & I get an error: `error: passing 'const struct in_addr' to parameter of incompatible type 'const void *'` but the man page says: `The function inet_ntop() converts an address *src from network format (usually a struct in_addr` – Crizly Jul 24 '17 at 19:54

1 Answers1

0

So the problem was in the struct:

struct pkt_arp
{
    u_int16_t htype;                              
    u_int16_t ptype;                              
    u_char hlen;                                  
    u_char plen;                                  
    u_int16_t oper;                               
    struct ether_addr srcHw[ETHER_ADDR_LEN]; <---- HERE  
    struct  in_addr srcIP;                       
    struct ether_addr trgHW[ETHER_ADDR_LEN]; <---- and HERE      
    struct  in_addr trgIP;                       
} __attribute__ ((__packed__));

That should have been struct ether_addr srcHw; and in the code should be referenced with ether_ntoa(&ethernet->ether_dst) including the ampersand.

Crizly
  • 971
  • 1
  • 12
  • 33