ARP requests

Hello,

I have a project to do in Ruby which consists in recovering the ARP
requests (who-has) on my local network and taking the IP address if
nobody answers the ARP requests.
I know how to identify an ARP request with “pcap” but I don’t know how
to take the IP address.

If someone wants to help me, I would be very happy.

On 15.05.2007 12:21, ninny wrote:

I have a project to do in Ruby which consists in recovering the ARP
requests (who-has) on my local network and taking the IP address if
nobody answers the ARP requests.
I know how to identify an ARP request with “pcap” but I don’t know how
to take the IP address.

I am not sure where your problems are but if you want to detect an IP
address you can take this regexp for a start:

/\d{1,3}(?:\.\d{1,3}){3}/

Note that it does not match IPv6 addresses, which might or might not be
an issue. Note also that it might match strings that are not IP
addresses.

Kind regards

robert

Make a system call to ifconfig?


I get the impression you’re trying to supply a default ethernet address
to any host that asks for a non-existent IP address. If I’m right, then
how are you going to find out that no other station responded?

On 5/15/07, Abhijit G. wrote:

Not really sure about how you’d do this in ruby, but I have a
suggestion: if you are trying to monitor ARP requests on the network
and also ARP replies, I am afraid you’d not see most (in fact all
except your own) of the ARP replies (standards compliant ARP replies
are not sent to broadcast MAC address) and you might end up thinking
nobody replied.

Not sure how to do this from Ruby, but you can put the network adapter
into promiscuous mode. This causes the adapter to pass all traffic
into the OS, not just traffic addressed to the machine. This is how
tools like ethereal do this.


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

On 5/15/07, ninny wrote:

Hello,

I have a project to do in Ruby which consists in recovering the ARP
requests (who-has) on my local network and taking the IP address if
nobody answers the ARP requests.
I know how to identify an ARP request with “pcap” but I don’t know how
to take the IP address.

Not really sure about how you’d do this in ruby, but I have a
suggestion: if you are trying to monitor ARP requests on the network
and also ARP replies, I am afraid you’d not see most (in fact all
except your own) of the ARP replies (standards compliant ARP replies
are not sent to broadcast MAC address) and you might end up thinking
nobody replied. Not sure whether this really is a very good idea.

Coming back to ARP (here is what the frame looks like):

EtherType : 0x0806
ARP Data: First 8 byte headers
Next : 6 byte (Sender MAC address - Assuming Ethernet)
Next : 4 byte (Sender IP Address)
Next : 6 byte (Destination MAC)
Next : 4 byte Destination IP…

So in short you’ve to match 4 bytes at offset 24, to find the Address
that doesn’t get replied. Don’t know how this is done with pcap in
ruby.

HTH,

-abhijit



अभिजीत

[ written in http://www.paahijen.com/scratchpad ]

[ http://www.paahijen.com ]
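
A Ruby example of the field extraction described in the post above, added here and not code from any poster in this thread: it reads the target IP at offset 24 of the ARP data and lists who-has targets that no captured reply answered. The function names, addresses and sample frames are constructed for illustration; on a switched network the capture point must actually see the unicast replies, as the thread notes.

```ruby
# Added example (not from the thread). All frames below are constructed.
ETHERTYPE_ARP  = 0x0806
ETH_HEADER_LEN = 14  # destination MAC (6) + source MAC (6) + EtherType (2)
ARP_LEN        = 28  # 8-byte header + 6 + 4 + 6 + 4 (Ethernet/IPv4)

# Returns {op:, sender_ip:, target_ip:}, or nil if not Ethernet/IPv4 ARP.
def parse_arp(frame)
  frame = frame.b
  return nil if frame.bytesize < ETH_HEADER_LEN + ARP_LEN
  return nil unless frame[12, 2].unpack1('n') == ETHERTYPE_ARP
  arp = frame[ETH_HEADER_LEN, ARP_LEN]
  htype, ptype, hlen, plen, op = arp.unpack('nnCCn')
  return nil unless htype == 1 && ptype == 0x0800 && hlen == 6 && plen == 4
  { op: op,
    sender_ip: arp[14, 4].unpack('C4').join('.'),
    target_ip: arp[24, 4].unpack('C4').join('.') }  # offset 24, as in the post
end

# Target IPs of requests (op 1) that no captured reply (op 2) answered.
# Timing is ignored: a reply anywhere later in the capture counts.
def unanswered_targets(frames)
  pending = []
  frames.each do |f|
    arp = parse_arp(f) or next
    case arp[:op]
    when 1 then pending |= [arp[:target_ip]]
    when 2 then pending.delete(arp[:sender_ip])
    end
  end
  pending
end

# Hypothetical helper that builds a sample frame for the demonstration.
def build_arp(op, smac, sip, tmac, tip, eth_dst)
  mac = ->(s) { [s.delete(':')].pack('H*') }
  ip  = ->(s) { s.split('.').map(&:to_i).pack('C4') }
  mac[eth_dst] + mac[smac] + [ETHERTYPE_ARP].pack('n') +
    [1, 0x0800, 6, 4, op].pack('nnCCn') +
    mac[smac] + ip[sip] + mac[tmac] + ip[tip]
end

BCAST, ZERO    = 'ff:ff:ff:ff:ff:ff', '00:00:00:00:00:00'
HOST_A, HOST_B = '02:00:00:00:00:01', '02:00:00:00:00:02'
SAMPLE_FRAMES = [
  build_arp(1, HOST_A, '192.0.2.10', ZERO, '192.0.2.20', BCAST),    # answered below
  build_arp(1, HOST_A, '192.0.2.10', ZERO, '192.0.2.99', BCAST),    # never answered
  build_arp(2, HOST_B, '192.0.2.20', HOST_A, '192.0.2.10', HOST_A)  # unicast reply
]
puts unanswered_targets(SAMPLE_FRAMES).inspect
```
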

BTW,

A Google search on ruby packet sniffer came up with this:

which in turn led to this:
http://www.goto.info.waseda.ac.jp/~fukusima/ruby/pcap/doc/index.html


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

Use a switch with a monitoring interface. Most managed switches offer
that functionality.

Felix

On 5/15/07, Rick DeNatale wrote:

into promiscuous mode. This causes the adapter to pass all traffic
into the OS, not just traffic addressed to the machine. This is how
tools like ethereal do this.

pcap will put the interface into promiscuous mode.

The problem is that switches will not forward the traffic.

Unfortunately, I don’t know any real solution to the problem.

Eivind.