Re: capturing arp

[Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>]

Hi,

is that an MS "feature"? ;)

Because, to capture _only_ ARP packets in Ethereal you can specify the
filter arp after hitting Ctrl-K (Capture). Same effect with "tcpdump
-i eth1 arp". However, I didn't try that on Win yet...

ARP packets are not being handled by the hardware only. It would be
virtually impossible to create them with Nemessis then. Other wicked
things would not work too (ARP-Flooding, f. ex.). You can even change
your MAC jit, at least with Linux...

I suppose you have to turn the arpspof preprocessor on as well in
order to alert on ARPs.

Regards,

Edin

Spencer, Arthur wrote:
> In all of my tests you can't capture arp packets because they are
> handled in hardware.  If you use Nemesis and generate an ARP packet it
> isn't captured by Ethereal or Network General Sniffer.  
>
> * Arthur J. Spencer (CISSP, CCNP, CCDP, MCSE, CNE)
>  
>
> -----Original Message-----
> From: Patrick Amirian [mailto:pamirian () calculus ca] 
> Sent: Friday, April 11, 2003 3:41 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] capturing arp
>
> Hi guys,
> I'm trying to caputre all arp packets doing
>
>
> Alert arp any any <> any any
>
> But I'm getting a segfault.
> Ideas ?
>
> Thank you. 


--
Edin Dizdarevic



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users