This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture Filter for Arp poisoning

0

Can you create a capture filter where you specify the packet offset and value of the gateway's IP address and then have a not value for the packet offset and value of the gateway's MAC address? In this way the only packets captured would be the poisoner's MAC address.

I can certainly create one as a post filter:

arp.src.proto_ipv4 == xxx.xxx.xxx.xxx && !arp.src.hw_mac == xx:xx:xx:xx:xx:xx

Filtering in the capture would be far more efficient.

Thanks

Victor

asked 10 May '12, 10:03

VictorD
accept rate: 0%


One Answer:

1

You can use

arp and ether[28:4]=0xc0a83001 and not (ether[22:2]=0x000c and ether[24:4]=0x29caffee)

ether[28:4] must specify the hexadecimal notation of your arp.src.proto_ipv4 address

ether[22:2]=0x000c and ether[24:4]=0x29caffee are representing your arp.src.hw_mac split up into the first 2 bytes and the last 4 bytes. I don't know why, but the ether[xx:length] command does not seem to accept other "length" values for the number of following bytes other than 1,2 or 4. If someone has an idea why that is or what I'm missing, please feel free to add more information about that.

answered 10 May '12, 11:24

Landi
accept rate: 28%

Thanks. I'll try that.

(10 May '12, 12:24) VictorD
1

You can only use 1, 2 or 4 because the BPF virtual machine only knows how to handle bytes, 16 bit words and 32 bit words. The parser to compile your capture filter into BPF machine code is not enhanced to split "ether[22:6]" into bytes, 16 bit words or 32 bit words, so you need to do that manually.

(10 May '12, 15:32) SYN-bit ♦♦

Here is the resulting machine code on 1, 2 or 4 byte comparisons:

[email protected]:~$ sudo tcpdump -d "ether[24:1]=0x11"
(000) ldb      [24]
(001) jeq      #0x11            jt 2    jf 3
(002) ret      #65535
(003) ret      #0
[email protected]:~$ sudo tcpdump -d "ether[24:2]=0x1122"
(000) ldh      [24]
(001) jeq      #0x1122          jt 2    jf 3
(002) ret      #65535
(003) ret      #0
[email protected]:~$ sudo tcpdump -d "ether[24:4]=0x11223344"
(000) ld       [24]
(001) jeq      #0x11223344      jt 2    jf 3
(002) ret      #65535
(003) ret      #0
[email protected]:~$

As you can see, the BPF virtual machine has separate instructions to fetch a 1, 2 or 4 byte value from the packet.

(10 May '12, 15:33) SYN-bit ♦♦
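The filter in the answer and the BPF load sizes explained in the comments can be reproduced offline. The block below is an added example, not code from the thread: it builds the same `ether[28:4]` / `ether[22:2]` / `ether[24:4]` filter string for a given gateway, and applies the identical byte-offset test in Python to constructed ARP frames so you can see which frames a poisoning detector would keep. The gateway address 192.168.48.1 / 00:0c:29:ca:ff:ee is the one implied by the answer's hex values; the frame contents are constructed test data.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806


def capture_filter(gw_ip: str, gw_mac: str) -> str:
    """Build the pcap/BPF capture filter from the answer for a given gateway.
    Offsets are from the start of the Ethernet frame: sender MAC at 22 (6 bytes),
    sender IP at 28 (4 bytes). The MAC is split into a 2-byte and a 4-byte
    comparison because BPF only has 1-, 2- and 4-byte loads (ldb/ldh/ld)."""
    mac = bytes.fromhex(gw_mac.replace(":", "").replace("-", ""))
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return (f"arp and ether[28:4]=0x{IPv4Address(gw_ip).packed.hex()} and not "
            f"(ether[22:2]=0x{mac[:2].hex()} and ether[24:4]=0x{mac[2:].hex()})")


def matches(frame: bytes, gw_ip: str, gw_mac: str) -> bool:
    """Same test as the capture filter, evaluated on a raw frame: ARP frames
    claiming the gateway IP whose sender MAC is NOT the gateway's MAC."""
    if len(frame) < 32:
        return False  # too short to hold the ARP sender fields
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return False  # the "arp" keyword: EtherType must be 0x0806
    sender_mac, sender_ip = frame[22:28], frame[28:32]
    gw_mac_bytes = bytes.fromhex(gw_mac.replace(":", "").replace("-", ""))
    return sender_ip == IPv4Address(gw_ip).packed and sender_mac != gw_mac_bytes


def arp_frame(sender_mac: str, sender_ip: str, target_ip: str, opcode: int = 2) -> bytes:
    """Constructed broadcast Ethernet/ARP frame (test data, not a capture)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + smac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)          # Ethernet/IPv4
    arp += smac + IPv4Address(sender_ip).packed                    # sender MAC, IP
    arp += b"\x00" * 6 + IPv4Address(target_ip).packed             # target MAC, IP
    return eth + arp


GATEWAY_IP, GATEWAY_MAC = "192.168.48.1", "00:0c:29:ca:ff:ee"


def demo():
    legit = arp_frame(GATEWAY_MAC, GATEWAY_IP, "192.168.48.20")
    spoofed = arp_frame("de:ad:be:ef:00:01", GATEWAY_IP, "192.168.48.20")
    return [matches(f, GATEWAY_IP, GATEWAY_MAC) for f in (legit, spoofed)]


if __name__ == "__main__":
    print(capture_filter(GATEWAY_IP, GATEWAY_MAC))
    print(demo())  # [False, True]: only the frame with a foreign sender MAC is kept
```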