How to spoof ARP requests in the kern

Hi,


I'm least bothered about the packets other than IP, I'm using "IOEthernetController/IONetworkController/IONetworkInterfaceto create the network interface and able see data link layer (DLIL) packets [ARP, IP, etc ....], Is there a way, where I can get the only Network layer packets on interface in kernel space[now I'm able to strip ethernet header in case of IOEthernetController and continue further],


coming to my question:

I want to snoop the ARP requests within the driver space, I'm trying to use the following method as a reponse to the ARP request, does this solves my problem in spoofing,


unable to link/load with the "kern extension", what need to be added in OSBuldleLibraries so that it will load [tried with "kernlibs -xml" but didn't get the required info]

"inet_arp_handle_input()"



Thanks

Venkat

Replies

Able to compile and load the extn, thanks !!!

If you don’t want to act like an Ethernet, why are you plugging it via

IOEthernetController
? The preferred approach for IP-only interfaces is to create a Network Extension provider.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

The preferred approach for IP-only interfaces is to create a Network Extension provider.

- Please give me some info on how to create Network Extension provider, any documents/links/books

any sample open source codes for reference


Thanks

Venkat

The best starting point is WWDC 2015 Session 717 What’s New in Network Extension and VPN. Some small details are out of day (like the requirement for special entitlements) but the fundamentals haven’t changed.

You can also find reference documentation for the framework in the usual place.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"