Nmap Announce mailing list archives

ARP idea (conjecture)


From: photon <photon () linux kgs com au>
Date: Tue, 29 Jun 1999 11:06:34 +1000

This would have limited usefulness even if it did work, but
it would evade most existing detection software...

Basically, o'er any ARP-utilising link-layer, I wonder if
it'd be possible to measure ARP timeouts and compare these
with a default-listing by OS?

Eg: ... arp stuff snipped ...
    Myhost -> Targethost [some higher-level protocol]
    Targethost -> MyHost [ARP REQ.]
    Myhost -> Targethost [ARP Response]
    ... wait predetermined period ...
    Myhost -> Targethost [some higher-level protocol]
    ... remember that this period DID/DIDN'T make Targethost ARP REQ again ...
    ... repeat with different period ...

I'm not even sure if ARP timeouts are OS-specific (though
I'm pretty sure they are - Steve's book states that
BSD-derived OSs normally have a 20min timeout for completed
entries, 3min for incomplete) .. and obviously this method
would have problems with hardcoded ARP table entries, and be
goddamned slow (patience is a virtue ;).  As a side note,
from memory some OSs do not handle gratuitous ARP correctly
- this could be used to further fine-tune such an ARP-based
OS determination.

Or I could just be plain wrong. =)

Sorry to make such an up-in-the-air post, but I don't really
have time to play with this stuff (evil final-year
assessment tomorrow ;)

keep up the good work!

- pho
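
An offline simulation of the probing loop sketched above, added here as an example and not part of the original post or of Nmap. It models the target's ARP cache as a single entry, binary-searches the wait period to estimate the expiry time, and compares the estimate with a constructed reference listing by OS (only the 20-minute BSD figure comes from the post; the other entries and all host names are placeholders). It also shows the failure mode the post mentions: a hardcoded entry never re-requests, so the method returns nothing.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed reference listing of dynamic ARP-entry timeouts (seconds).
# Only the BSD figure is from the post; the other two are placeholders.
REFERENCE_TIMEOUTS = {"bsd-derived": 1200, "hypothetical-a": 60, "hypothetical-b": 300}


@dataclass
class SimulatedHost:
    """The target's ARP cache entry for our address. A dynamic entry expires
    `timeout` seconds after it was learned; a hardcoded (static) one never does."""
    timeout: float
    static: bool = False
    learned_at: Optional[float] = None

    def deliver(self, now: float) -> bool:
        """A higher-level packet from us arrives at `now`. True means the host
        had to ARP-request us again (our reply then refreshes the entry)."""
        if self.static:
            return False
        if self.learned_at is None or now - self.learned_at > self.timeout:
            self.learned_at = now
            return True
        return False


def estimate_timeout(host, hi=3600.0, resolution=1.0):
    """Binary-search the wait period: prime the cache, wait `period`, send again
    and note whether an ARP request came back. Returns None when the entry never
    ages out (hardcoded entry), which is the failure mode the post mentions."""
    clock = hi + 1.0
    if not host.deliver(clock):   # a dynamic entry must ARP on first contact
        return None
    lo, top = 0.0, hi
    while top - lo > resolution:
        period = (lo + top) / 2
        clock += hi + 1.0         # jump past any possible expiry, then re-prime
        host.deliver(clock)
        clock += period           # "wait predetermined period"
        if host.deliver(clock):   # re-requested: timeout < period
            top = period
        else:                     # still cached: timeout >= period
            lo = period
    return (lo + top) / 2


def match_os(estimate, tolerance=30.0):
    """Compare a measured timeout against the reference listing by OS."""
    return [name for name, t in REFERENCE_TIMEOUTS.items() if abs(t - estimate) <= tolerance]
```

Each binary-search step costs one full wait period on a real link, which is why the post calls the approach slow; the simulation only advances a clock.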

