[Snort-users] capturing arp

Edin Dizdarevic edin.dizdarevic at ...7509...
Mon Apr 14 07:34:02 EDT 2003


Hi,

is that an MS "feature"? ;)

Because, to capture _only_ ARP packets in Ethereal you can specify the
filter arp after hitting Ctrl-K (Capture). Same effect with "tcpdump
-i eth1 arp". However, I didn't try that on Win yet...

ARP packets are not being handled by the hardware only. It would be
virtually impossible to create them with Nemessis then. Other wicked
things would not work too (ARP-Flooding, f. ex.). You can even change
your MAC jit, at least with Linux...

I suppose you have to turn the arpspof preprocessor on as well in
order to alert on ARPs.

Regards,

Edin

Spencer, Arthur wrote:
> In all of my tests you can't capture arp packets because they are
> handled in hardware.  If you use Nemesis and generate an ARP packet it
> isn't captured by Ethereal or Network General Sniffer.  
> 
> * Arthur J. Spencer (CISSP, CCNP, CCDP, MCSE, CNE)
>  
> 
> -----Original Message-----
> From: Patrick Amirian [mailto:pamirian at ...8855...] 
> Sent: Friday, April 11, 2003 3:41 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] capturing arp
> 
> Hi guys,
> I'm trying to caputre all arp packets doing
> 
> 
> Alert arp any any <> any any
> 
> But I'm getting a segfault.
> Ideas ?
> 
> Thank you. 
> 


-- 
Edin Dizdarevic





More information about the Snort-users mailing list