0
votes

Is it possible to capture some packets in promiscuous mode (e.g. using winpcap) and then force the OS (applications) to receive them as if they were sent for our MAC?

My observation is the following. We can:

  • capture all network traffic using promiscuous mode (winpcap)
  • filter/modify the packets using firewall-hook/filter-hook
  • send packets to the network with altered MAC

I am not sure if firewall-hook can access all the packets which are available thanks to promiscuous mode. Isn't it on the lower layer? If it can't, the only solution would be to capture desired packets and then resend them to the network with altered MAC?

I am a networking novice so please be easy on me :)

Any help is appreciated. Thanks in advance.

3 Answers

1
votes

You have your toes at the line of white hat/black hat hackers. I know that my company actively watches for promiscuous NICs, hunts down the owners and kills (fires) them. Maybe if you ask us what you're trying to do, we can offer some suggestions.

If you're trying to analyze your network, there are software and/or hardware solutions that will probably do a better job. If you're just trying to watch interesting text flow across your network, well ... maybe you're still in college.

1
votes

First, yes, if your interface operates in promiscuous mode then you will receive everything 'on the wire'. Which is already one difficulty: nowadays many (if not all) networks are switched, which means a piece of hardware exterior to your system will already do some filtering before packets arrive at your system, so you'll first need to trick a switch into transmitting those packets to your end (can be done by sending out dummy ARPs, by configuring the switch, or by bad intent ;-) ). Then if these packets arrive at your system, what do you plan to do with them? These Ethernet frames will carry IP packets, typically with a destination IP address, which is already something which will not be on your host (and if it is, this implies that you will have duplicate IP addresses on your network, causing problems as well).

So the main question is, what do you really really really want to do?
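The two checks described in the answer above, as an added example that is not part of the original thread: a simplified model of how a host decides whether a frame is visible to a capture tool, passes the NIC's destination-MAC filter, and is delivered to the local IP layer. The function names, MAC addresses and 192.0.2.x addresses are constructed for illustration; multicast and IP forwarding are assumed to be out of scope.

```python
import ipaddress
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Constructed sample input: Ethernet II header plus a minimal IPv4 header
    (header checksum left at 0, which this model does not verify)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload

def delivery_decision(frame, host_mac, host_ips, promiscuous=False):
    """Return (seen_by_capture, passes_l2_filter, delivered_to_local_ip)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # Layer 2: the NIC normally passes only frames for its own MAC or broadcast.
    l2_ok = dst == mac(host_mac) or dst == BROADCAST
    # Promiscuous mode only widens what a capture tool sees.
    seen = l2_ok or promiscuous
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34 or frame[14] >> 4 != 4:
        return seen, l2_ok, False
    # Layer 3: the IPv4 destination address sits at offset 16 of the IP header.
    dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
    return seen, l2_ok, l2_ok and dst_ip in host_ips

HOST_MAC = "aa:aa:aa:aa:aa:01"   # constructed values
HOST_IPS = {"192.0.2.10"}

def demo():
    """Three constructed frames: for another host, the same frame with only the
    destination MAC changed to ours, and one genuinely addressed to us."""
    other = build_frame("aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03", "192.0.2.30", "192.0.2.20")
    mac_only = mac(HOST_MAC) + other[6:]
    ours = build_frame(HOST_MAC, "aa:aa:aa:aa:aa:03", "192.0.2.30", "192.0.2.10")
    return {
        "other_host, normal mode": delivery_decision(other, HOST_MAC, HOST_IPS),
        "other_host, promiscuous": delivery_decision(other, HOST_MAC, HOST_IPS, True),
        "dst MAC changed only": delivery_decision(mac_only, HOST_MAC, HOST_IPS),
        "addressed to us": delivery_decision(ours, HOST_MAC, HOST_IPS),
    }
```

The third case is the one the answer points at: a frame whose destination MAC matches the host still stops at the IP layer because its destination IP address is not configured locally.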

0
votes

Once you have received a packet, it has already been clean through the protocol stack. I don't think Windows gives you the access into the middle of Winsock that would be required to somehow stick it back in.

More importantly, this is a really dodgy thing to be looking to do. Whatever it is you are looking to do, I can guarantee you there is some better way to do it.