How Traceroute can know domain name of Hops? - ip

I'm studying the ICMP protocol and the tool traceroute. I don't understand how traceroute can look up the domain names of hops if only the IPs can be found in the ICMP datagram. How does it work?
Thank you!

It's called reverse DNS, and is basically the opposite of a domain-to-IP lookup.
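The lookup this answer names, as an added example that is not part of the original answer: the hop's IP address is turned into a name under in-addr.arpa (or ip6.arpa for IPv6) and a PTR query is sent for it, which is what the system resolver does when a tool asks for a host name by address. The function names, the transaction ID and the documentation-range address are assumptions made for the example.

```python
import ipaddress
import socket
import struct

def ptr_name(ip):
    """Name whose PTR record holds the hostname for this address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # IPv4: octets in reverse order under in-addr.arpa
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    # IPv6: all 32 hex nibbles in reverse order under ip6.arpa
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def build_ptr_query(ip, txid=0x1234):
    """Wire-format DNS question for the PTR record (txid is a constructed value)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    labels = ptr_name(ip).split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 12, 1)      # QTYPE 12 = PTR, QCLASS 1 = IN

def name_hops(hops, lookup=socket.gethostbyaddr):
    """Pair each hop IP with its PTR name, or None when the lookup fails."""
    named = []
    for ip in hops:
        try:
            named.append((ip, lookup(ip)[0]))
        except OSError:  # socket.herror/gaierror: no PTR record or resolver failure
            named.append((ip, None))
    return named

if __name__ == "__main__":
    print(ptr_name("192.0.2.1"))               # constructed documentation address
    print(build_ptr_query("192.0.2.1").hex())
```

PTR records are published by whoever controls the reverse zone for the address block, so the hop names traceroute prints are unverified labels and should not be treated as proof of who operates a hop.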

Related

Check host availability by MAC address

Is it possible to check if a host with a specific MAC address is 'alive'?
I do NOT want to use 3-rd layer ISO/OSI and ICMP ping message.
You can do an ARP Ping. This only works when you are physically on the same network segment. Read more about this on Wikipedia's ARP Ping article.
Note that there are two different implementations of arping, one which can ping MAC addresses to resolve them to IP addresses and one that doesn't. The implementation in the iproute2 package does not do what you want, but Thomas Habets' implementation does. This is also explained in the Wikipedia ARP Ping article.

Detect ARP Spoofing using traceroute

I'm making an application that can detect ARP spoofing :]
My idea is that if there is an attacker in the subnet, and he tries to MITM using ARP poisoning, then I exec traceroute to the default gateway (or the changed ARP cache entry, whatever).
Cuz all my packets go through the attacker's PC, so traceroute will show up some sign.
Is there any problem in my idea? Is it proper or not?
The proper way to detect arp spoofing is with software like arpwatch.
arpwatch will see that two machines are fighting over the same IP address and notify you.
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
If you see entries like this for your IP address, then start looking for the switchport that sources the hostile mac-address in question.
As a general answer to your question, traceroute is the wrong way to detect this. Just monitor ARPs and maintain a table of mac-address to IP mappings.
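The table of IP-to-MAC mappings this answer recommends, as an added example that is not part of the original answer and is not arpwatch's code: each observed ARP sender pair updates the table, and a change of MAC for a known IP raises an alert. The class, the alert labels and the observation list are constructed for the example; the .2 entries reuse the addresses from the log line above.

```python
from collections import defaultdict

def norm_mac(mac):
    """Zero-pad and lowercase: arpwatch prints 00:17:9a:0b:f6:f6 as 0:17:9a:b:f6:f6."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

class ArpMonitor:
    def __init__(self):
        self.current = {}               # ip -> MAC seen most recently
        self.seen = defaultdict(set)    # ip -> every MAC that has claimed it

    def observe(self, ip, mac):
        """Record one ARP sender (ip, mac) pair; return an alert string or None."""
        mac = norm_mac(mac)
        prev = self.current.get(ip)
        known = mac in self.seen[ip]
        self.current[ip] = mac
        self.seen[ip].add(mac)
        if prev is None or prev == mac:
            return None                 # first sighting or unchanged mapping
        kind = "FLIP-FLOP" if known else "CHANGED"
        return f"{kind} {ip} {mac} (was {prev})"

    def shared_macs(self):
        """MACs currently answering for more than one IP (can be legitimate aliases)."""
        by_mac = defaultdict(list)
        for ip, mac in self.current.items():
            by_mac[mac].append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

# Constructed observations in arrival order.
SAMPLE = [
    ("192.168.1.2", "0:17:9a:a:f6:44"),
    ("192.168.1.7", "0:17:9a:b:f6:f6"),
    ("192.168.1.2", "0:17:9a:b:f6:f6"),   # a second MAC claims .2
    ("192.168.1.2", "0:17:9a:a:f6:44"),   # the earlier MAC answers again
    ("192.168.1.2", "0:17:9a:b:f6:f6"),
]

def scan(observations):
    """Run all observations through a fresh monitor; return (alerts, shared MACs)."""
    mon = ArpMonitor()
    alerts = [a for ip, mac in observations if (a := mon.observe(ip, mac))]
    return alerts, mon.shared_macs()
```

Repeated flip-flops on one IP are the "two machines fighting over the same IP address" pattern, and the MAC listed under `shared_macs()` is the one to trace to a switchport.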

UDP vs IP- difference?

I understand that UDP resides on the transport layer and IP on the internet layer. I also get that they're both connectionless and unreliable. Then what is the point of UDP when we already have IP? The distinction is not very clear. Any help on this is greatly appreciated. Thanks!
Then what is the point of UDP when we already have IP?
To multiplex services. The UDP port number can differentiate between multiple services on the same host, using the same L3 identification. Using IP only it wouldn't be possible to host multiple services on the same station and easily differentiate between them.
Also, consider the case of UDP over IPv6. Since IPv6 doesn't have error-checking somebody has to perform it: the Checksum field of UDP is not optional.
Once a packet reaches a host using its IP address, the packet needs to be given to one of the applications on this machine. To determine which application should get the packet, it needs demultiplexing logic, which is based on ports. UDP has port information which is used by IP to deliver the packet to appropriate application.

How can I spoof the sender IP address using curl?

I need to make a request with a spoofed IP address for testing purposes. What's the easiest way to do this?
For my own purposes, changing the HTTP header was enough, via the following:
curl --header "X-Forwarded-For: 1.2.3.4" "http://www.foobar.com"
You can't.
In general, spoofing IP addresses for TCP is remarkably difficult. Unless you have control of a router quite near your target or near the IP you're spoofing, consider it impossible.
The reply packets need a path back to you in order to complete even the three-way handshake. The most reliable way to do this is to have control over a router in the most common pathway between your target and your spoofed IP address: this would let you capture packets between the target and the spoofed address and forward them on to you.
You could also try injecting bogus BGP route advertisements, but doing so would doubtless be noticed and cost you dearly when your peers drop you completely.
Can I make libcurl fake or hide my real IP address?
No. libcurl operates on a higher level. Besides, faking IP address
would imply sending IP packet with a made-up source address, and then
you normally get a problem with receiving the packet sent back as they
would then not be routed to you!
If you use a proxy to access remote sites, the sites will not see your
local IP address but instead the address of the proxy.
Also note that on many networks NATs or other IP-munging techniques
are used that makes you see and use a different IP address locally
than what the remote server will see you coming from.

How to get the IP address of a remote host from its Ethernet address?

I'm looking for some Linux code to find an IP address from an Ethernet address. I suppose I have to do some inverse ARP trickery but I don't find any example...
http://compnetworking.about.com/od/networkprotocolsip/f/convertipmacadd.htm
Try sending an IP broadcast (e.g. ping 192.168.1.255 if your subnet is 192.168.1.0/24) to prime your ARP cache, followed by arp -a to spit it all out.
For computers that you have communicated with, you can look at their arp entry. This is available in text format in /proc/net/arp for example. Finding an IP address for a MAC that you know but haven't communicated with is significantly more difficult. The closest match, protocol-wise, would be RARP but that's hardly ever in use so you are not likely to get a response.
You can always scan your local subnet to make sure you get a full view in your arp table. See for example fping for an efficient way to do this. Note that hosts don't actually need to respond to the pings in question to appear in the ARP table, so this is useful even in the presence of local firewalls etc.
Take a look at Thomas Habets' Arping. I've not tried it, but the basic idea is to send an ICMP Ping network packet to the MAC address in question using a broadcast destination IP address in the IP header. Only the host with the specified MAC address will reply and the reply will (usually) contain its IP address. It won't always work but it might be good enough for you. See the project readme for limitations.
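Reading the kernel's ARP table from /proc/net/arp, as suggested in the answers above, shown as an added example that is not part of the original posts: it returns the IP addresses currently cached for a given MAC and skips incomplete entries. The sample table is constructed and the function names are chosen for the example.

```python
ATF_COM = 0x02  # kernel flag bit: entry is complete, a MAC address was learned

# Constructed sample in the column layout of /proc/net/arp.
SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:17:9a:0a:f6:44     *        eth0
192.168.1.2      0x1         0x2         00:17:9a:0b:f6:f6     *        eth0
192.168.1.9      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.7      0x1         0x2         00:17:9A:0B:F6:F6     *        eth0
"""

def norm_mac(mac):
    """Accept 0:17:9a:b:f6:f6, 00-17-9A-0B-F6-F6 and similar spellings."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.replace("-", ":").split(":"))

def parse_arp(text):
    """Yield (ip, mac, device) for completed entries, skipping the header row."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue                      # malformed or truncated row
        ip, _hw_type, flags, mac, _mask, device = fields
        if int(flags, 16) & ATF_COM:      # Flags 0x0 means no reply was received
            yield ip, norm_mac(mac), device

def ips_for_mac(mac, text=None):
    """IPs cached for this MAC; reads the live table when no text is given."""
    if text is None:
        with open("/proc/net/arp") as f:  # Linux only
            text = f.read()
    wanted = norm_mac(mac)
    return sorted(ip for ip, m, _dev in parse_arp(text) if m == wanted)

if __name__ == "__main__":
    print(ips_for_mac("0:17:9a:b:f6:f6", SAMPLE))
```

The table only holds hosts this machine has recently exchanged ARP with, so an empty result means "not cached", not "not present".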
