#Arpspoof: couldn't arp for host mac#
Host B replies and a new ethernet frame from host R's mac to Host B's mac is formed and sent on the wire. It sees this IP and knows this address is on one of its locally connected interfaces (routing table at work again) and so on that interface it says "arp who-has Host B's ip". Host R sees this incoming frame, and looks at the frames payload, and notices its IP, so it looks to the IP destination address. Now host A forms an ethernet frame, with host R's MAC as the destination and sends in on the ethernet. Host A says "arp who-has host R's ip" and host R replies with its MAC. The kernel through its routing table knows that B's net is not locally connected, but accessed through its next-hop gateway R, so this is who the packet will be sent to. Then ping sends its packet down to the kernel.
It forms an ICMP packet, plugs in the IP address it found, sets itself to be an echo request, etc. Now host A's name resolution layer asks for a name lookup for B, and retrieved an IP address. Host A and B want to talk, and there is host R between them routing between thier networks. Now how does this all work in reality? consider this setup. Some implementations of ARP may not even require a "who-has" being sent to honor a "reply", and in that case, you can just form an arp reply to your liking and send it. This may look pointless, but now every host that can see ethernet broadcasts as recorded the association of 10.0.0.2 and 00:11:22:33:44:55 into its ARP cache. When it comes up, it may broadcast "arp who has 10.0.0.2 tell 10.0.0.2", and then immediatly reply with a broadcast of "arp reply 10.0.0.2 is at 00:11:22:33:44:55". What this is, for example, take an ethernet host 00:11:22:33:44:55 with an ip of 10.0.0.2. What arp spoofing or poisoning does, is a modified gratuitous ARP. If its thier mac, they strip the ethernet frame off and pass the datagram to the appropriate higher level protocol stack, if its not thier MAC, they silently ignore the packet (except in case of a promiscious interface, then all recieved packets are looked at). The recieving host(s) look at this frame as it come in, and check the destination MAC. The ethernet address from the arp reply is used as the destination address in the ethernet frame, and the frame is sent off on its way. Now the sending host records this in its arp cache so it wont need to re-look this up until the cache data expires. If any host on the ethernet thinks he has the ip adress x.x.x.x, then he will respond with "arp reply x.x.x.x is-at y:y:y:y:y:y".
the originating host broadcasts out onto the ethernet "arp who-has x.x.x.x tell me". To get to the other ethernet host, it needs a MAC address, and this is where ARP comes in. To get an IP datagram from host A to host B, over ethernet, basically means the IP datagram gets stuffed into an ethernet frame, and that frame is sent to another ethernet host. Just like IP has no concept of names and needs the DNS system to translate them to IP addresses, ethernet has no concept of IP. em mumbles quietly in a corner, hub hub hub hub hub hub hub hub hub hubįYI, my post saying I was interested in that utility was purely intellectual curiosity, not for Seq's sake in any wayĪRP is used to translate between ip addresses and hardware addresses. (Boy, let the flaming begin! :) ) /rant off Switch = Complex Configuration (usually bad for SEQ)
Oh, did I mention that you can buy a cheap hub? You'll be a lot happier when it works because you bought a cheap hub. I know I went a little over the edge here, but come on, go buy a hub. that's all, go get a cheap hubĪ cheap hub, keep repeating it, a cheep hub. No one is doubting that, but remember people, YOUR DEALING WITH PEOPLE WHO CAN'T EVEN UNDERSTAND THE CONCEPT OF USING A HUB AND NOT A SWITCH! Yes, there are other ways to make it work. I mean, how many different ways does it need to be said that SEQ WORKS BEST with a HUB. You know, if those of you out there can't understand that the SIMPLEST solution to this is to go buy a ten dollar hub then I don't know how anyone else here is really going to help. MY GOD! I have never seen so many different posts about a $10 problem!!!