Hallo Ancient,
mit der Fälschung des IP-Headers hast Du recht. Naja, da kommen wir um eine statische Definition der Gateways nicht herum ... hmmm!
Ich hab Deine Lösung mal umgesetzt, funktioniert wirklich!
Zufrieden ?
Auszug :
Code:
// Project database handle assigned by the constructor; not read anywhere in this excerpt.
public pvampDB DB;
// Outstanding ARP requests. Key: "senderIP|senderMAC|targetIP" (built in putPacket),
// value: the DateTime at which the request was observed.
Hashtable ARPRequest = new Hashtable();
// Trusted gateway bindings. Key: gateway IP address as a string, value: the
// PhysicalAddress that this IP is expected to announce.
Hashtable StaticGatewayRecord = new Hashtable();
// Seconds an unanswered request stays in ARPRequest before putPacket reports it
// as unresolved and drops it.
int request_lifetime_sec = 5;
/// <summary>
/// Creates the inspector and seeds the static gateway table with one binding.
/// </summary>
/// <param name="pDB">Project database handle, stored in <c>DB</c>.</param>
public pvampARPInspector(pvampDB pDB)
{
    this.DB = pDB;

    // Hard-coded sample binding (gateway IP -> expected MAC). The gateway check in
    // putPacket is only as trustworthy as this table.
    // NOTE(review): in a real deployment this presumably has to come from
    // configuration maintained out of band, not from observed ARP traffic.
    PhysicalAddress gatewayMac = PhysicalAddress.Parse("000102030405");
    StaticGatewayRecord["192.168.0.1"] = gatewayMac;
}
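/// <summary>
/// Inspects one ARP packet and writes findings to the console.
/// </summary>
/// <remarks>
/// Three conditions are reported:
/// a request that received no reply within <c>request_lifetime_sec</c>,
/// a packet whose sender IP is in <c>StaticGatewayRecord</c> but announces a
/// different hardware address, and a reply for which no matching request is pending.
///
/// Limits of the detection, as implemented here:
/// the pending-request key holds only the requester's IP/MAC and the queried IP,
/// so a reply that answers a genuine outstanding request is accepted no matter
/// which hardware address it announces; only IPs listed in
/// <c>StaticGatewayRecord</c> have their announced address verified.
/// Expired requests are only purged when the next packet arrives.
/// No locking is done on the two tables.
/// NOTE(review): assumes a single capture thread calls this - confirm.
/// </remarks>
/// <param name="P">The captured ARP packet (request or reply).</param>
public void putPacket(ARPPacket P)
{
    // Drop requests that were never answered. Keys are collected first because
    // a Hashtable must not be modified while it is being enumerated.
    // Expiry uses local wall-clock time, so a clock adjustment shifts the window.
    ArrayList expiredKeys = new ArrayList();
    foreach (DictionaryEntry pending in ARPRequest)
    {
        TimeSpan age = DateTime.Now - (DateTime)pending.Value;
        if (age.TotalSeconds > request_lifetime_sec)
        {
            expiredKeys.Add(pending.Key);
        }
    }
    foreach (string dumpPK in expiredKeys)
    {
        ARPRequest.Remove(dumpPK);
        Console.WriteLine("handle: arp: request " + dumpPK +
            " could not be resolved");
    }

    if (P.ARPOperation == (int)ARPOperations.Request)
    {
        // Gratuitous ARP: sender and target protocol address are the same.
        // Compared via their string form so the test also holds if the address
        // type is a reference type without an overloaded == operator.
        if (P.ARPSenderProtoAddress.ToString() == P.ARPTargetProtoAddress.ToString())
        {
            Console.WriteLine("handle: arp: gratious arp from "
                + P.ARPSenderProtoAddress.ToString() +
                " is at " + P.ARPSenderHwAddress.ToString());

            // Gateway involved: verify the announced hardware address.
            // The previous code compared the stored object against a string with
            // !=, which is a reference comparison and therefore always differed,
            // so every gratuitous ARP from a listed gateway raised the alert.
            if (ViolatesStaticGatewayRecord(P.ARPSenderProtoAddress, P.ARPSenderHwAddress))
            {
                Console.WriteLine("handle: arp: arp poisoning detected (gateway)");
            }
        }
        else
        {
            // Directed request: remember it so the reply can be matched later.
            Console.WriteLine(string.Format("handle: arp: {0}/{1} requests the hwaddress of {2}",
                P.ARPSenderProtoAddress.ToString(),
                P.ARPSenderHwAddress,
                P.ARPTargetProtoAddress.ToString()));
            string PK = string.Format("{0}|{1}|{2}",
                P.ARPSenderProtoAddress.ToString(),
                P.ARPSenderHwAddress, P.ARPTargetProtoAddress.ToString());
            ARPRequest[PK] = DateTime.Now;
        }
    }
    else if (P.ARPOperation == (int)ARPOperations.Reply)
    {
        Console.WriteLine(
            string.Format("handle: arp: {0}/{1} replies the hwaddress {2} to {3}",
                P.ARPSenderProtoAddress.ToString(),
                P.ARPSenderHwAddress, P.ARPSenderHwAddress,
                P.ARPTargetProtoAddress.ToString()));

        // The reply's target is the original requester and its sender is the
        // queried host, so this rebuilds the key stored for the request.
        string PK = string.Format("{0}|{1}|{2}",
            P.ARPTargetProtoAddress.ToString(),
            P.ARPTargetHwAddress, P.ARPSenderProtoAddress.ToString());

        // Gateway involved: verify the announced hardware address.
        if (ViolatesStaticGatewayRecord(P.ARPSenderProtoAddress, P.ARPSenderHwAddress))
        {
            Console.WriteLine("handle: arp: arp poisoning detected (gateway)");
        }

        if (ARPRequest[PK] != null)
        {
            // A matching request is pending: treat the reply as solicited.
            // The entry is removed, so a second reply to the same request
            // falls into the unsolicited branch below.
            ARPRequest.Remove(PK);
            Console.WriteLine("handle: arp: cleaned up " + PK);
        }
        else
        {
            // Unsolicited reply: nobody asked for this binding.
            Console.WriteLine(
                string.Format("handle: arp: {0} seems to be polluted with {1}/{2}",
                    P.ARPTargetProtoAddress.ToString(),
                    P.ARPSenderProtoAddress.ToString(), P.ARPSenderHwAddress));
        }
    }
}

/// <summary>
/// Tells whether an announced IP-to-MAC binding contradicts the static gateway table.
/// </summary>
/// <param name="protoAddress">Announced protocol (IP) address; looked up by its string form.</param>
/// <param name="hwAddress">Announced hardware address; compared by its string form.</param>
/// <returns>
/// <c>true</c> if the IP is listed and the announced hardware address differs from
/// the recorded one; <c>false</c> if it matches or the IP is not listed.
/// </returns>
private bool ViolatesStaticGatewayRecord(object protoAddress, object hwAddress)
{
    object expected = StaticGatewayRecord[protoAddress.ToString()];
    if (expected == null)
    {
        return false;
    }

    // Hex notation of a MAC is case-insensitive; ignoring case avoids a false alarm
    // when the two sides are formatted differently.
    // NOTE(review): assumes both ToString() results use the same separator style - confirm.
    return !string.Equals(expected.ToString(), hwAddress.ToString(),
        StringComparison.OrdinalIgnoreCase);
}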