Vulnerability Development mailing list archives

Re: spoofing the ethernet address


From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Wed, 1 Mar 2000 09:31:51 -0800


On Tue, 29 Feb 2000, Bobby, Paul wrote:
> Been playing with hping, and I imagine other IP spoofing tools generate the
> same types of packets.
>
> The spoofed packet contains a bogus IP address, yes. However the ethernet
> address (MAC) is the address of the sending machine.
>
> Is it possible to spoof this address also? Would someone have to write a
> custom ethernet driver?

IIRC, if you're using Berkeley Packet Filter (BPF -- Digital Unix, *BSD)
then the source MAC will be copied into the ethernet frame by the driver.
It isn't, of course, much of a kernel hack to modify this under *BSD. I
don't know what the behavior of other packet filters is (Sun, IRIX, Linux,
etc).  To write ethernet frames, you just open a packet filter interface
rw and then write to the fd.  It's fairly easy to take the code in libpcap
and modify it to allow sending ethernet frames (at least for the couple of
platforms that I've tried this on).
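
The case raised in the question (bogus source IP, real source MAC) is what a defender on the local segment can check for. The following is an added example, not part of the original post: it parses a captured Ethernet II frame and compares the source MAC and IPv4 source address against an inventory of known bindings. The inventory, addresses and function names are constructed for illustration, and the check only holds while the source MAC is the one the driver filled in, as the reply describes for BPF.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed inventory: MAC/IPv4 pairs the defender expects on the segment. */
struct binding { uint8_t mac[6]; uint8_t ip[4]; };
static const struct binding known[] = {
    { {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}, {192, 0, 2, 10} },
    { {0x02, 0x00, 0x00, 0x00, 0x00, 0x02}, {192, 0, 2, 11} },
};

enum verdict { V_OK, V_IP_SPOOFED, V_UNKNOWN_MAC, V_NOT_IPV4, V_MALFORMED };

/* Classify one raw Ethernet II frame (no VLAN tag, no trailing FCS). */
enum verdict check_frame(const uint8_t *f, size_t len)
{
    if (len < 14)                        /* dst(6) + src(6) + ethertype(2) */
        return V_MALFORMED;
    const uint8_t *src_mac = f + 6;      /* source MAC sits at bytes 6..11 */
    if (f[12] != 0x08 || f[13] != 0x00)  /* ethertype 0x0800 = IPv4 */
        return V_NOT_IPV4;
    if (len < 14 + 20 || (f[14] >> 4) != 4)
        return V_MALFORMED;              /* short or wrong IP version */
    const uint8_t *src_ip = f + 14 + 12; /* IPv4 source address field */

    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (memcmp(known[i].mac, src_mac, 6) == 0)
            /* Known sender: the IP must match what that MAC is bound to. */
            return memcmp(known[i].ip, src_ip, 4) == 0 ? V_OK : V_IP_SPOOFED;
    }
    return V_UNKNOWN_MAC;                /* MAC not in inventory */
}

/* Build a minimal constructed test frame: 14-byte header + 20-byte IPv4. */
size_t make_frame(uint8_t *out, const uint8_t mac[6], const uint8_t ip[4])
{
    memset(out, 0, 34);
    memset(out, 0xff, 6);                /* broadcast destination */
    memcpy(out + 6, mac, 6);             /* source MAC */
    out[12] = 0x08; out[13] = 0x00;      /* IPv4 ethertype */
    out[14] = 0x45;                      /* version 4, header length 5 words */
    memcpy(out + 26, ip, 4);             /* IPv4 source address */
    return 34;
}
```

A V_UNKNOWN_MAC result is the signal to look at when the sender may be writing its own source MAC, since the binding check cannot attribute that frame to a known host.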

