

Firewall using libpcap and libnet (perplexing problem)

Posted on 2003-03-17
Last Modified: 2010-04-21
Hi Experts,

I've got a rather perplexing problem. I want to create a firewall using libpcap (for sniffing) and libnet (for packet injection).

The idea is to have two NICs. To start, I just want to sniff the packets on one NIC and inject them onto the other (and vice-versa). This would create a basic bridge.

The problem comes due to this situation:

NIC A sniffs packet X
NIC B injects packet X
NIC B sniffs the same packet X that it just injected
NIC A injects packet X

I don't want to change anything about the packets (even MAC address), so I have no way of knowing if a packet is coming from me or not.

Any ideas?!?  Is there a way to set pcap to filter packets that come from me?

Thanks in advance

Question by: wearyweary

Expert Comment

ID: 8175724
>I don't want to change anything about the packets (even
>MAC address), so I have no way of knowing if a packet is
>coming from me or not.

A packet that came from you is one whose source MAC address is the MAC address of your NIC.  

You cannot with an ordinary NIC make an outgoing packet have the MAC of some other NIC, so if you were hoping to make this into an Ethernet bridge, you've got the wrong hardware.  But you probably don't want an Ethernet bridge (an IP bridge is usually all you need), so you're fine.

Author Comment

ID: 8175894
I would like to make it an Ethernet bridge for complete transparency, and it is possible to spoof MAC addresses using almost any standard NIC. However, this isn't enough due to the case I mentioned.

I'm fine changing the source MAC address to my own if absolutely needed, but I'm not sure if ARP packets will work being altered this way.

Does an ARP packet keep the MAC/IP it is resolving in the payload of the packet, or does it rely on using the source address (the one I'm changing)?

Anyway. An Ethernet bridge is not impossible using two NICs and a PC. That I am quite sure of.


Accepted Solution

bryanh earned 120 total points
ID: 8176434
I guess you know more about NICs than I do.

But I do know that the ARP packet payload contains the source MAC address and that is the one that gets entered into the table and to which any reply is sent.
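
An added example (not code from the thread or its participants) of the point in the accepted answer: the ARP payload carries its own sender hardware address, so rewriting only the Ethernet source MAC leaves that field unchanged and the two no longer agree. The frame bytes and the bridge MAC are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct arp_view {
    uint8_t  eth_src[6];  /* source MAC from the Ethernet header */
    uint16_t oper;        /* 1 = request, 2 = reply */
    uint8_t  sha[6];      /* sender hardware address, inside the ARP payload */
    uint8_t  spa[4];      /* sender IPv4 address, inside the ARP payload */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse an Ethernet frame carrying IPv4 ARP; returns 0, or -1 if it is not one. */
int parse_arp(const uint8_t *f, size_t len, struct arp_view *out)
{
    if (len < 14 + 28 || be16(f + 12) != 0x0806) return -1; /* short, or EtherType not ARP */
    const uint8_t *a = f + 14;                 /* ARP payload follows the 14-byte header */
    if (be16(a) != 1 || be16(a + 2) != 0x0800) return -1;   /* htype Ethernet, ptype IPv4 */
    if (a[4] != 6 || a[5] != 4) return -1;                  /* hlen 6, plen 4 */
    memcpy(out->eth_src, f + 6, 6);
    out->oper = be16(a + 6);
    memcpy(out->sha, a + 8, 6);
    memcpy(out->spa, a + 14, 4);
    return 0;
}

/* 1 when the header source MAC differs from the ARP sender hardware address. */
int arp_src_mismatch(const struct arp_view *v) { return memcmp(v->eth_src, v->sha, 6) != 0; }

/* Constructed sample: ARP request from 02:00:00:00:00:0a (192.0.2.10) for 192.0.2.1. */
const uint8_t sample_arp[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x0a, 0x08,0x06, /* Ethernet */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,   /* htype, ptype, hlen, plen, oper */
    0x02,0x00,0x00,0x00,0x00,0x0a, 0xc0,0x00,0x02,0x0a,   /* sha, spa */
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0x00,0x02,0x01    /* tha, tpa */
};

int main(void)
{
    const uint8_t bridge_mac[6] = {0x02,0x00,0x00,0x00,0x00,0xb1}; /* hypothetical bridge NIC */
    uint8_t frame[42];
    struct arp_view v;
    memcpy(frame, sample_arp, sizeof frame);
    memcpy(frame + 6, bridge_mac, 6);          /* rewrite only the Ethernet source MAC */
    if (parse_arp(frame, sizeof frame, &v) != 0) return 1;
    printf("eth src ..%02x, ARP sha ..%02x, mismatch=%d\n", v.eth_src[5], v.sha[5], arp_src_mismatch(&v));
    return 0;
}
```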

Question has a verified solution.
