Blocking ARP

SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....


Post by SFSxOI »

Been trying to create something that would allow me to block an ARP request for a computer NIC MAC address on any port. I think (or so I've been told) it's possible to do on Linux. I've not been successful in my attempts so far for Windows.

I know I can do it via some software firewalls (Sygate included the capability but Symantec bought them out and ruined the firewall).

I want to try to do it with Pure Basic if I can. It's just experimental and something to play around with a little as I continue to explore network or TCP/IP orientated Pure Basic uses.

Anyone got any code for this particular item or doing anything like this with Pure Basic?
KarLKoX
Enthusiast
Posts: 681
Joined: Mon Oct 06, 2003 7:13 pm
Location: France

Post by KarLKoX »

"Qui baise trop bouffe un poil." P. Desproges

http://karlkox.blogspot.com/
Hi-Toro
Enthusiast
Posts: 269
Joined: Sat Apr 26, 2003 3:23 pm

Post by Hi-Toro »

Someone posted this (ages ago) in response to some code I posted... can't remember who, sorry. It makes a call to ARP to retrieve a MAC address, though I don't know much about this stuff. It might be a start, anyway...

Code:

EnableExplicit 

InitNetwork() 

Procedure.l GetNetworkComputerIP(computer$) ; returns IP address of hostname/IP$
  ; Originally posted by Hi-Toro 
  ; Posted: Sun Feb 16, 2003 8:27 pm 
  ; http://purebasicforums.com/english/viewtopic.php?t=5151 
  ; modified on 1.3.2005 by ABBKlaus 
  ; modified on 8.12.2007 by ABBKlaus (unicode compatible) 
  Protected *Buffer,*host.HOSTENT,ip.l 
  
  If computer$ 
    *Buffer=AllocateMemory(MemoryStringLength(@computer$)+1) 
    If *Buffer 
      PokeS(*Buffer,computer$,-1,#PB_Ascii) 
      *host = gethostbyname_(*Buffer) ; Get host information for named computer... 
      If *host 
        ip = PeekL(PeekL(*host\h_addr_list)) 
      EndIf 
      FreeMemory(*Buffer) 
    EndIf 
  EndIf 
  
  ProcedureReturn ip 
EndProcedure 

Procedure.s MacToString(*membuffer) ; returns MAC address in string format
  Protected MAC.s,i.l 
  
  MAC = "" 
  For i=0 To 5 
    MAC+RSet(Hex(PeekB(*membuffer+i)&$FF),2,"0") 
    If i<5 
      MAC+":" 
    EndIf 
  Next 
  
  ProcedureReturn MAC 
EndProcedure 

Procedure.s GetMacFromIP(IP$) ; returns MAC address from hostname or IP
  ;ABBKlaus on 7.12.2007 
  ;http://msdn.microsoft.com/library/en-us/iphlp/iphlp/sendarp.asp 
  Protected ip.l,thisip.l,maclen.l,*buffer,mac.s="" 
  
  ip=GetNetworkComputerIP(IP$) 
  thisip=GetNetworkComputerIP(Hostname()) 
  
  maclen=6 
  *buffer=AllocateMemory(8) 
  If *buffer 
    If SendARP_(ip,thisip,*buffer,@maclen)=#NO_ERROR 
      mac=MacToString(*buffer) 
    Else 
      Debug "SendARP failed" 
    EndIf 
    FreeMemory(*buffer) 
  EndIf 
  
  ProcedureReturn mac 
EndProcedure 

Debug GetMacFromIP("127.0.0.1") ; Fill in the desired Computername 
Debug GetMacFromIP("Blofeld") ; Fill in the desired Computername
James Boyd
http://www.hi-toro.com/
Death to the Pixies!

Post by SFSxOI »

KarLKoX and Hi-Toro;

Thank you both for your responses.

Hi_Toro - I've seen that code before but had forgotten about it. Yep, it does get the MAC from the IP via ARP, and it does provide a clue. Unfortunately that clue led me to ARP tables which I'm not about to get into.

KarLKoX - I used the link you posted from the wiki, one thing led to another to another to another, and so on, all around the 'net using the wiki as a starting point. Found several things, but not much for Windows systems other than the IP helper functions that might do it or the thing about writing a driver of some sort (Ughhhhhh!) or even using a third party driver of some sort. Then I saw a bunch of things for Linux based systems and saw a few for MAC (insert a "go buy a MAC" joke here) - evidently this is a common thing with Linux (insert a "switch to Linux" joke here).

I'm experimenting with the IP helper functions some maybe tomorrow and will see what comes from that.

Thank You both :)
Last edited by SFSxOI on Thu Jul 24, 2008 7:08 pm, edited 1 time in total.

Post by KarLKoX »

I thought that the link provided allowed you to find this but no :)
This is the hard way but the better, the easiest way could be using WinPCap and using its filtering mechanism ;)
"Qui baise trop bouffe un poil." P. Desproges

http://karlkox.blogspot.com/

Post by SFSxOI »

I thought WinPcap only filters for capture and not for blocking?

Post by Hi-Toro »

On reading a bit further, I'm almost certain you'd have to write a driver to do this... :(

Not that I read all that much about it!

The WinPCap docs state:
WinPcap receives and sends the packets independently from the host protocols, like TCP-IP. This means that it isn't able to block, filter or manipulate the traffic generated by other programs on the same machine: it simply "sniffs" the packets that transit on the wire. Therefore, it does not provide the appropriate support for applications like traffic shapers, QoS schedulers and personal firewalls.
James Boyd
http://www.hi-toro.com/
Death to the Pixies!
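
Added example, not part of any post in this thread: the per-frame match that an ARP-blocking component has to make, whether it sits in a driver that can drop the frame or in a capture tool that (per the WinPcap documentation quoted above) can only observe it. The function and constant names are hypothetical and the frame bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; every name below is hypothetical, not from the thread. */
enum verdict { V_NOT_ARP, V_MALFORMED, V_PASS, V_BLOCK };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Verdict for one raw Ethernet frame; blocked is the 6-byte MAC to match. */
enum verdict arp_check(const uint8_t *f, size_t len, const uint8_t *blocked)
{
    size_t off = 14;                              /* dst(6) src(6) type(2) */
    if (len < off) return V_MALFORMED;
    uint16_t type = be16(f + 12);
    if (type == 0x8100) {                         /* one 802.1Q VLAN tag */
        if (len < 18) return V_MALFORMED;
        type = be16(f + 16);
        off = 18;
    }
    if (type != 0x0806) return V_NOT_ARP;         /* EtherType ARP */
    if (len < off + 28) return V_MALFORMED;       /* truncated ARP body */
    const uint8_t *a = f + off;
    /* Only Ethernet/IPv4 ARP: htype 1, ptype 0x0800, hlen 6, plen 4 */
    if (be16(a) != 1 || be16(a + 2) != 0x0800 || a[4] != 6 || a[5] != 4)
        return V_MALFORMED;
    if (be16(a + 6) != 1) return V_PASS;          /* opcode 1 = request */
    /* The frame's source MAC and the ARP sender field are set independently
     * by the sender, so compare both with the blocked address. */
    if (memcmp(f + 6, blocked, 6) == 0 || memcmp(a + 8, blocked, 6) == 0)
        return V_BLOCK;
    return V_PASS;
}

/* Constructed sample: who-has 192.0.2.1 tell 192.0.2.10, from 02:00:00:aa:bb:cc */
static const uint8_t sample_request[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0xaa,0xbb,0xcc, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0xaa,0xbb,0xcc, 192,0,2,10,
    0x00,0x00,0x00,0x00,0x00,0x00, 192,0,2,1
};
static const uint8_t blocked_mac[6] = { 0x02,0x00,0x00,0xaa,0xbb,0xcc };

int main(void)
{
    printf("verdict=%d\n", arp_check(sample_request, sizeof sample_request, blocked_mac));
    return 0;
}
```
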

Post by KarLKoX »

If WinPcap can't block the traffic, though, go read the DDK :-p
Last edited by KarLKoX on Fri Jul 25, 2008 10:51 pm, edited 1 time in total.
"Qui baise trop bouffe un poil." P. Desproges

http://karlkox.blogspot.com/

Post by SFSxOI »

Yep, I've come to the same conclusion that a driver might be needed. Although I have come across some interesting stuff with the Windows Filtering Platform for Vista and Vista is the OS I'm mostly interested in so I'm going to explore it a little further as it seems to indicate a separate driver might not be needed if it's done on Vista.

http://msdn.microsoft.com/en-us/library ... S.85).aspx

Take a look at : http://msdn.microsoft.com/en-us/library ... S.85).aspx - gives some code for blocking all IPv4 traffic, wonder if it's adaptable for just ARP?

The Vista WFP seems almost easy in some aspects, for example opening a session to the filter engine is as easy as this:

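Code:

;DWORD WINAPI FwpmEngineOpen0(__in_opt  const wchar_t *serverName, __in      UINT32 authnService, __in_opt  SEC_WINNT_AUTH_IDENTITY_W *authIdentity, __in_opt  const FWPM_SESSION0 *session, __out     HANDLE *engineHandle)

#RPC_C_AUTHN_WINNT = 10

; Returns the error code from FwpmEngineOpen0 (0 = success),
; or -1 if Fwpuclnt.dll or the function could not be loaded.
; The .l parameters assume a 32-bit build.
Procedure.l x_FwpmEngineOpen0(param1.l, param2.l, param3.l, param4.l, enginehandle.l)
  Protected Libef, *FwpmEngineOpen0_x, result.l = -1

  Libef = LoadLibrary_("Fwpuclnt.dll")
  If Libef
    *FwpmEngineOpen0_x = GetProcAddress_(Libef, "FwpmEngineOpen0")
    If *FwpmEngineOpen0_x
      result = CallFunctionFast(*FwpmEngineOpen0_x, param1, param2, param3, param4, enginehandle)
    EndIf
    If result <> 0
      FreeLibrary_(Libef) ; unload only when no engine handle was obtained
    EndIf
  EndIf

  ProcedureReturn result
EndProcedure

; engineHandle is an __out parameter, so pass the address of a variable rather than #Null
Define engine.l
Debug x_FwpmEngineOpen0(#Null, #RPC_C_AUTHN_WINNT, #Null, #Null, @engine)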