views: 159
answers: 3

Hello,

is it possible to capture some packets in promiscuous mode (e.g. using winpcap) and then force the OS (applications) to receive them as if they were sent to our MAC?

My observation is following. We can:

  • capture all network traffic using promiscuous mode (winpcap)
  • filter/modify the packets using firewall-hook/filter-hook
  • send packets to the network with altered MAC

I am not sure if firewall-hook can access all the packets which are available thanks to promiscuous mode. Isn't it on the lower layer? If it can't, the only solution would be to capture desired packets and then resend them to the network with altered MAC?

I am networking novice so please be easy on me :)

Any help is appreciated. Thanks in advance.

+1  A: 

You have your toes at the line of white hat/black hat hackers. I know that my company actively watches for promiscuous NICs, hunts down the owners and kills (fires) them. Maybe if you ask us what you're trying to do, we can offer some suggestions.

If you're trying to analyze your network, there is software and/or hardware solutions that will probably do a better job. If you're just trying to watch interesting text flow across your network, well ... maybe you're still in college.

No Refunds No Returns
All I want to do is to have 2 MAC/IP addresses on a single NIC. Unfortunately the NIC does not support this feature, but I am sure there are workarounds ... and of course I am curious :)
Petr Peller
@Petr Why would you *need* two MAC addresses? It's perfectly valid for a single NIC, with a single MAC address, to have many IP addresses.
Rowland Shaw
@Rowland Yes, but it still looks like one device for other peers. I would like to simulate two separate devices from a single one.
Petr Peller
All I can suggest is to try HyperV or a similar VM environment that will virtualize a network through your single NIC. I know that I type in the MAC address and that's what gets reported to the world.
No Refunds No Returns
+1  A: 

First, yes, if your interface operates in promiscuous mode then you will receive everything 'on the wire'. This is already one difficulty: nowadays many (if not all) networks are switched, which means a piece of hardware exterior to your system will already do some filtering before packets arrive at your system, so you'll first need to trick a switch into transmitting those packets to your end (can be done by sending out dummy ARPs, by configuring the switch, or by bad intent ;-) ). Then if these packets arrive at your system, what do you plan to do with them? Their Ethernet frames will carry IP packets, typically with a destination IP address, which is already something which will not be on your host (and if it is, this implies that you will have duplicate IP addresses on your network, causing problems as well).

So the main question is, what do you really really really want to do?

amo-ej1
Thanks for the answer. I have no problems with promiscuous mode (already tested with Wireshark). The trick is that the packets will actually be responses to my requests (sent with my "virtual" MAC). I plan to make a tool which would allow different applications to communicate with the network using different MAC/IP addresses simultaneously.
Petr Peller
Then why do you still need all this rewriting etc.? Or why don't you simply use your native MAC address and do your filtering on the IP level?
amo-ej1
Because this way, with two MAC addresses I could use two different internet connections and combine their bandwidth :) ... I can act as two peers => I have doubled bandwidth.
Petr Peller
+1 very good point about switches. This is precisely why I keep around an old dumb hub for when I need to do sniffing on a link.
T.E.D.
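The switched-network point made in this answer, illustrated with an added learning-switch model (this code is not from the original thread; the MAC addresses and port numbers are constructed for the demo):

```python
from dataclasses import dataclass


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    payload: bytes = b""


class LearningSwitch:
    """Minimal model of a store-and-forward Ethernet switch.

    Unicast frames are only flooded while the destination MAC is unknown;
    once the switch has learned which port a MAC sits on, no other port
    sees that traffic. This is why a promiscuous NIC on a switched segment
    does not capture everything 'on the wire', unlike on a dumb hub.
    """
    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC -> port it was last seen on

    def forward(self, in_port, frame):
        """Return the list of ports the frame is delivered to."""
        self.mac_table[frame.src] = in_port              # learn the source
        if frame.dst == self.BROADCAST or frame.dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]  # flood
        out = self.mac_table[frame.dst]
        return [] if out == in_port else [out]           # unicast only


def sniffer_sees(switch, in_port, frame, sniffer_port):
    """True if a capture host on sniffer_port would receive this frame."""
    return sniffer_port in switch.forward(in_port, frame)


def demo():
    # Port 3 is the promiscuous capture host; hosts a and b use ports 1 and 2.
    sw = LearningSwitch(ports=[1, 2, 3])
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MACs
    first = sniffer_sees(sw, 1, Frame(a, b), 3)   # b unknown -> flooded, seen
    reply = sniffer_sees(sw, 2, Frame(b, a), 3)   # a known -> only port 1
    later = sniffer_sees(sw, 1, Frame(a, b), 3)   # b known -> sniffer blind
    return first, reply, later
```

Only the very first frame to an unlearned destination reaches the capture port; once both MACs are in the table, the sniffer sees none of the a/b conversation.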
A: 

Once you have received a packet, it has already gone clean through the protocol stack. I don't think Windows gives you the access into the middle of Winsock that would be required to somehow stick it back in.

More importantly, this is a really dodgy thing to be looking to do. Whatever it is you are looking to do, I can guarantee you there is some better way to do it.

T.E.D.
That's why I have to use a firewall-hook driver, isn't it? I know there is a better way - to buy hardware which will support this - but I would like to do it the software way.
Petr Peller