0
votes

I am trying to add an entry to ARP table in ubuntu by responding to ARP request on network interface.

I am capturing ARP requests with raw sockets, then I generate ARP reply and send it on the same interface. I can see my ARP reply in wireshark, but it is ignored and no ARP entry is added to ARP table and just another same ARP request is sent. Here is capture from wireshark. When i turn wifi back on and router actually responds, it's accepted immidiately.

Here is how i have set sockets sll:

struct sockaddr_ll sll;
sll.sll_family = PF_PACKET;
sll.sll_ifindex = ifr.ifr_ifindex;
sll.sll_protocol = htons(ETH_P_ALL);
for(int i=0;i<6;i++)
    sll.sll_addr[i] = targetMAC[i];

and how I am sending packets:

sendto(sockfd, ARPreply, 60, 0, (struct sockaddr*)&packet_info , sizeof(struct sockaddr_ll)) < 0)

I really have no idea what is wrong. I know it should work, because i have done something similar on windows(using sparppcap). I tried messing with sll settings, but as i can see that packet is actually sent to network interface, i think problem may be somewhere else. Could it be that some linux settings prohibit handling packets send from the same pc or something like that?

Thank you for any ideas

Dreamo

Edit 1: As requested, ARP frames content (As they are not very long, i put them in one image) The only difference between my generated reply and the one generated by router is source MAC address.

1
Can you make available the entire contents of the ARP frames (req and response) ? You can export them as text into a file. - cnicutar
Thank you for reply, I have edited my question with ARP frames content - Dreamo
Are you generating and receiving the frame on the same machine ? - cnicutar
Yes, what I am actually trying to do, is some kind of "virtual server", that could interact with other applications on network interface. For example: Load some webpages with browser without actual internet/network connection. This "virtual server" should respond on all generated requests(ARP,DNS,TCPSYN,HTTP...) such that browser thinks that he gets data from network. - Dreamo

1 Answers

0
votes

Could it be that some linux settings prohibit handling packets send from the same pc or something like that

In short, yes. The kernel already knows the MAC addresses, IP addresses, etc. of all its local interfaces. It makes no sense for the kernel to look for answers to its ARP requests in outgoing traffic.