Honeypots mailing list archives

Re: ProBLEM With Honeyd and Linux9


From: Graeme Connell <gconnell () middlebury edu>
Date: 6 Jul 2004 18:42:05 -0000

In-Reply-To: <20040706010746.11415.qmail () web8307 mail in yahoo com>

I'm running honeyd 0.6 with arpd 0.2 and Red Hat 9. Here are some of the problems I am encountering:

1.  I start arpd and honeyd and start pinging one of the virtual hosts -
the first 4 or 5 requests time out and it pings normally after that.

ArpD works like this:  If an arp request to an ip address in its range is broadcast, it first sends out its OWN arp 
request, to make sure that it's not disrupting traffic to actual machines.  Then it waits a bit, and if it gets no 
response to its own arp request, it sends out arp responses to the original requester.  The delay you see might be 
caused by arpd checking to see if the IP address requested is taken by an actual machine.

2. Other problem is that I can't see the virtual hosts from the box running honeyd. Other machines can connect to the 
virtual hosts just fine.

Start up honeyd with the -d argument (do not daemonize), and you'll see the following (or something like it):

root # honeyd -d
Honeyd V0.8b Copyright (c) 2002-2004 Niels Provos
honeyd[20558]: started with -d
honeyd[20558]: listening promiscuously on eth0: (arp or ip proto 47 or (ip )) and not ether src MACADDRESS
honeyd[20558]: Demoting process privileges to uid 32767, gid 32767
.... etc.

The important line is the one that says "honeyd[#] listening promisc....".  Notice the "and not ether src MACADDRESS".  
This means that honeyd is promiscuously sniffing traffic, but it will reject all traffic originating from that MAC 
address, which is the address of the honeyd computer.  Therefore (unless your honeyd machine has two network devices), 
you can never connect to a virtual machine from the host computer.

Hope this helps.
   --Graeme Connell
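
The capture filter quoted in the reply above, evaluated over a few Ethernet frames. This is an added example, not part of the original post and not honeyd's own code. The MAC addresses and frames are constructed, and the `(ip )` term, which the log prints with no network, is modelled here as "any IPv4 packet".

```python
import struct

ETH_ARP, ETH_IP, GRE = 0x0806, 0x0800, 47   # GRE is "ip proto 47" in the filter

def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def honeyd_accepts(frame, host_mac):
    """Evaluate '(arp or ip proto 47 or (ip )) and not ether src HOST_MAC'.
    Assumption: '(ip )' is modelled as any IPv4 packet."""
    if len(frame) < 14:
        return False                      # truncated Ethernet header
    src = frame[6:12]                     # Ethernet source address
    (ethertype,) = struct.unpack("!H", frame[12:14])
    is_arp = ethertype == ETH_ARP
    is_ip = ethertype == ETH_IP
    # IP protocol field sits at offset 9 of the IP header (14 + 9 = 23).
    is_gre = is_ip and len(frame) >= 34 and frame[23] == GRE
    wanted = is_arp or is_gre or is_ip
    # The last term drops everything the honeyd host itself transmits.
    return wanted and src != mac_bytes(host_mac)

def make_frame(src_mac, ethertype, ip_proto=1):
    """Build a constructed broadcast frame; IPv4 frames get a minimal header."""
    header = b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", ethertype)
    if ethertype != ETH_IP:
        return header + b"\x00" * 28      # ARP-sized payload, contents unused
    ip = bytearray(20)
    ip[0], ip[9] = 0x45, ip_proto         # version/IHL and protocol (1 = ICMP)
    return header + bytes(ip)

# Constructed sample addresses (not from the original post).
HOST_MAC = "00:11:22:33:44:55"    # the machine running honeyd
OTHER_MAC = "00:aa:bb:cc:dd:ee"   # another machine on the LAN

def demo():
    return {
        "arp from other": honeyd_accepts(make_frame(OTHER_MAC, ETH_ARP), HOST_MAC),
        "ping from other": honeyd_accepts(make_frame(OTHER_MAC, ETH_IP), HOST_MAC),
        "ping from host": honeyd_accepts(make_frame(HOST_MAC, ETH_IP), HOST_MAC),
        "ipv6 from other": honeyd_accepts(make_frame(OTHER_MAC, 0x86DD), HOST_MAC),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} -> {'seen by honeyd' if ok else 'filtered out'}")
```

The "ping from host" frame is the only IPv4 frame rejected, which matches the symptom in point 2: other machines reach the virtual hosts, the honeyd box does not.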

