Blocking ARP
Posted: Sat Jul 19, 2008 5:31 pm
by SFSxOI
Been trying to create something that would allow me to block an ARP request for a computer NIC MAC address on any port. I think (or so I've been told) it's possible to do on Linux. I've not been successful in my attempts so far for Windows.
I know I can do it via some software firewalls (Sygate included the capability but Symantec bought them out and ruined the firewall).
I want to try to do it with Pure Basic if I can. It's just experimental and something to play around with a little as I continue to explore network or TCP/IP orientated Pure Basic uses.
Anyone got any code for this particular item or doing anything like this with Pure Basic?
Posted: Sat Jul 19, 2008 11:36 pm
by KarLKoX
Posted: Tue Jul 22, 2008 7:26 am
by Hi-Toro
Someone posted this (ages ago) in response to some code I posted... can't remember who, sorry. It makes a call to ARP to retrieve a MAC address, though I don't know much about this stuff. It might be a start, anyway...
Code:
EnableExplicit
InitNetwork()

Procedure.l GetNetworkComputerIP(computer$) ; returns ip address of hostname/IP$
  ; Originally posted by Hi-Toro
  ; Posted: Sun Feb 16, 2003 8:27 pm
  ; http://purebasicforums.com/english/viewtopic.php?t=5151
  ; modified on 1.3.2005 by ABBKlaus
  ; modified on 8.12.2007 by ABBKlaus (unicode compatible)
  Protected *Buffer,*host.HOSTENT,ip.l
  If computer$
    *Buffer=AllocateMemory(MemoryStringLength(@computer$)+1)
    If *Buffer
      PokeS(*Buffer,computer$,-1,#PB_Ascii)
      *host = gethostbyname_(*Buffer) ; Get host information for named computer...
      If *host
        ip = PeekL(PeekL(*host\h_addr_list))
      EndIf
      FreeMemory(*Buffer)
    EndIf
  EndIf
  ProcedureReturn ip
EndProcedure

Procedure.s MacToString(*membuffer) ; returns MAC address in string format
  Protected MAC.s,i.l
  MAC = ""
  For i=0 To 5
    MAC+RSet(Hex(PeekB(*membuffer+i)&$FF),2,"0")
    If i<5
      MAC+":"
    EndIf
  Next
  ProcedureReturn MAC
EndProcedure

Procedure.s GetMacFromIP(IP$) ; returns MAC address from hostname or IP
  ;ABBKlaus on 7.12.2007
  ;http://msdn.microsoft.com/library/en-us/iphlp/iphlp/sendarp.asp
  Protected ip.l,thisip.l,maclen.l,*buffer,mac.s=""
  ip=GetNetworkComputerIP(IP$)
  thisip=GetNetworkComputerIP(Hostname())
  maclen=6
  *buffer=AllocateMemory(8)
  If *buffer
    If SendARP_(ip,thisip,*buffer,@maclen)=#NO_ERROR
      mac=MacToString(*buffer)
    Else
      Debug "SendARP failed"
    EndIf
    FreeMemory(*buffer)
  EndIf
  ProcedureReturn mac
EndProcedure

Debug GetMacFromIP("127.0.0.1") ; Fill in the desired Computername
Debug GetMacFromIP("Blofeld") ; Fill in the desired Computername
Posted: Wed Jul 23, 2008 12:38 am
by SFSxOI
KarLKoX and Hi-Toro;
Thank you both for your responses.
Hi-Toro - I've seen that code before but had forgotten about it. Yep, it does get the MAC from the IP via ARP, and it does provide a clue. Unfortunately that clue led me to ARP tables which I'm not about to get into.
KarLKoX - I used the link you posted from the wiki, one thing led to another to another to another, and so on, all around the 'net using the wiki as a starting point. Found several things, but not much for Windows systems other than the IP helper functions that might do it or the thing about writing a driver of some sort (Ughhhhhh!) or even using a third party driver of some sort. Then I saw a bunch of things for Linux based systems and saw a few for MAC (insert a "go buy a MAC" joke here) - evidently this is a common thing with Linux (insert a "switch to Linux" joke here).
I'm experimenting with the IP helper functions some maybe tomorrow and will see what comes from that.
Thank You both

Posted: Wed Jul 23, 2008 9:19 pm
by KarLKoX
I thought that the link provided allowed you to find this but no

This is the hard way but the better, the easiest way could be using WinPCap and using its filtering mechanism

Posted: Thu Jul 24, 2008 7:17 pm
by SFSxOI
I thought WinPcap only filters for capture and not for blocking?
Posted: Thu Jul 24, 2008 8:03 pm
by Hi-Toro
On reading a bit further, I'm almost certain you'd have to write a driver to do this...
Not that I read all that much about it!
The WinPCap docs state:
WinPcap receives and sends the packets independently from the host protocols, like TCP-IP. This means that it isn't able to block, filter or manipulate the traffic generated by other programs on the same machine: it simply "sniffs" the packets that transit on the wire. Therefore, it does not provide the appropriate support for applications like traffic shapers, QoS schedulers and personal firewalls.
Posted: Thu Jul 24, 2008 9:49 pm
by KarLKoX
If winpcap can't block the traffic though go reading the ddk :-p
Posted: Fri Jul 25, 2008 2:14 pm
by SFSxOI
Yep, I've come to the same conclusion that a driver might be needed. Although I have come across some interesting stuff with the Windows Filtering Platform for Vista and Vista is the OS I'm mostly interested in so I'm going to explore it a little further as it seems to indicate a separate driver might not be needed if it's done on Vista.
http://msdn.microsoft.com/en-us/library ... S.85).aspx
Take a look at:
http://msdn.microsoft.com/en-us/library ... S.85).aspx - gives some code for blocking all IPv4 traffic, wonder if it's adaptable for just ARP?
The Vista WFP seems almost easy in some aspects, for example opening a session to the filter engine is as easy as this:
Code:
;DWORD WINAPI FwpmEngineOpen0(__in_opt const wchar_t *serverName, __in UINT32 authnService, __in_opt SEC_WINNT_AUTH_IDENTITY_W *authIdentity, __in_opt const FWPM_SESSION0 *session, __out HANDLE *engineHandle)
#RPC_C_AUTHN_WINNT = 10

; Returns the DWORD result of FwpmEngineOpen0 (0 = success), or -1 if the DLL or export is missing
Procedure.l x_FwpmEngineOpen0(param1.l, param2.l, param3.l, param4.l, *enginehandle)
  Protected Libef, *FwpmEngineOpen0_x, result.l = -1
  Libef = LoadLibrary_("Fwpuclnt.dll")
  If Libef
    *FwpmEngineOpen0_x = GetProcAddress_(Libef, "FwpmEngineOpen0")
    If *FwpmEngineOpen0_x
      result = CallFunctionFast(*FwpmEngineOpen0_x, param1, param2, param3, param4, *enginehandle)
    EndIf
    FreeLibrary_(Libef) ; only free a library that was actually loaded
  EndIf
  ProcedureReturn result
EndProcedure

Define engineHandle.l ; engineHandle is an __out parameter, so it needs a real variable to write to
Debug x_FwpmEngineOpen0(#Null, #RPC_C_AUTHN_WINNT, #Null, #Null, @engineHandle)
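
Added example (not part of the thread, and not code from any poster): whichever component ends up doing the blocking, the driver the thread concludes is needed or a filtering layer, it has to make this per-frame decision. The C sketch below parses a raw Ethernet frame and blocks only ARP requests that ask for the MAC address behind one IPv4 address; `arp_filter`, the verdict names and the sample frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14      /* dst MAC, src MAC, EtherType */
#define ETHERTYPE_ARP   0x0806
#define ARP_BODY_LEN    28      /* Ethernet/IPv4 ARP payload (RFC 826) */
#define ARP_OP_REQUEST  1

enum verdict { VERDICT_ALLOW = 0, VERDICT_BLOCK = 1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: block a frame only if it is a well-formed ARP
 * request asking for the MAC address behind protected_ip. */
enum verdict arp_filter(const uint8_t *frame, size_t len,
                        const uint8_t protected_ip[4])
{
    const uint8_t *arp;
    if (frame == NULL || len < ETH_HDR_LEN + ARP_BODY_LEN)
        return VERDICT_ALLOW;           /* too short to be Ethernet/IPv4 ARP */
    if (be16(frame + 12) != ETHERTYPE_ARP)
        return VERDICT_ALLOW;           /* not ARP (VLAN tags are not handled) */
    arp = frame + ETH_HDR_LEN;
    if (be16(arp) != 1 || be16(arp + 2) != 0x0800 ||  /* htype Ethernet, ptype IPv4 */
        arp[4] != 6 || arp[5] != 4)                    /* hlen, plen */
        return VERDICT_ALLOW;
    if (be16(arp + 6) != ARP_OP_REQUEST)
        return VERDICT_ALLOW;           /* replies and other opcodes pass */
    /* The target protocol address sits at offset 24 of the ARP body. */
    return memcmp(arp + 24, protected_ip, 4) == 0 ? VERDICT_BLOCK : VERDICT_ALLOW;
}

/* Constructed sample: broadcast "who has 192.168.1.10? tell 192.168.1.20". */
static const uint8_t sample_request[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x01, 192,168,1,20,
    0x00,0x00,0x00,0x00,0x00,0x00, 192,168,1,10
};

int main(void)
{
    const uint8_t ip[4] = {192, 168, 1, 10};
    int v = arp_filter(sample_request, sizeof sample_request, ip);
    printf("verdict: %s\n", v == VERDICT_BLOCK ? "block" : "allow");
    return 0;
}
```

The function only classifies a frame; something that sits in the packet path still has to act on the verdict, which a capture-only library such as WinPcap cannot do.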