Re: ARP Spoof Question

[Stephane Nasdrovisky <stephane.nasdrovisky () uniway be>]

> I have a small question. I was reading about ARP Spoofing and here is my question.

> So when Node B is a attacker he catches the ARP Request and sends his
> MAC address in reply to Node A.

Node B can also send "gratuitous arp". Basically these are broadcasted arp replies without any request. Most hosts send 
gratuitous arp when they boot so that the neibourhood knows about them.

> Q1.My Question is, Node C will also reply to that request of Node A. SO
> now Node A has 2 different MAC for the same IP. How is Node A handling
> this situation???

Usually, the last arp reply override the existing one. Some ip stack may decide to make arp replies to their own 
queries more reliable than gratuitous arps, I'm not sure wether a required behaviour is described in the rfcs.

> Q2.The switch also updates its table of IP/MAC address bindings, so how
> is switch handling this situation???

Switches are layer 2 devices, IP begins at layer 3. A -switch- usually doesn't understand a single ip bit. The 
management side of the switch (snmp, http, telnet, whatever) are to be considered as any other networked host.




---------------------------------------------------------------------------
----------------------------------------------------------------------------