ARP generation
SyntaXe
09-08-2008, 10:53 AM
Recently I got my Asus Eee PC 900 <3
Finally trying out wireless penetration for my very first time.
When I sat right next to my router, with a power of 50+, I got data in airodump real quick.
But after I tried with different distances (power 10-) I didn't get an ARP packet to regenerate. What I would like to know is...
When is an ARP packet generated? And can the distance between you and the AP play a role in whether you're getting the ARP packets or not?

Any reply is appreciated :)

imported_cybrsnpr
09-12-2008, 03:10 PM
SyntaXe: There are lots of variables, but briefly:
1. Distance counts. There could be a dead zone if you are too close. Next to the router may work, 2 feet away may not, but 4 feet away may. So, give yourself at least 4 feet or so and you should have complete coverage.
2. Distance counts (part II): The weaker the signal, the greater the packet loss = the greater chance you won't capture ARP packets (or any other packet).
3. ARP: ARP packets are created in reply to a request by a packet to go to an IP address. ARP is layer 2, which is how packets are addressed by NICs. IP is layer three, which is understood further up the stack. It's a bit more complicated than that with some more going on, but that's the basic gist. When you want a packet to go to 10.0.0.1, one of the first packets generated is an ARP request asking who has 10.0.0.1. The reply will be that 10.0.0.1 is at MAC address "blah". Fire up Wireshark and sniff your interface, you'll see what I'm talking about.
4. Depending on what your victim network is doing, whether you are doing any active measures, and what O/S your victim is using all have an effect on ARP packets being generated. IMHO, *nix and OS X cache their ARP entries longer than Windows, so they aren't as "ARP chatty". If you are forcing deauths to a Windows O/S using a wireless connection, just wait a few minutes and you should start getting the ARP packets you need.
5. If all else fails: If you still can't get the ARP packets and you are just testing (i.e. have access to the "victim" box), just run some pings from the victim to some IP. That should create ARPs.

I assume you are also using aireplay-ng for this in addition to airodump-ng?

Hope this helps...
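Added example (not from either poster): the "who has 10.0.0.1 / 10.0.0.1 is at blah" exchange described in point 3, built and parsed as raw Ethernet+ARP frames, plus a simplified ARP cache with an expiry timer to illustrate point 4, that a host whose cache entries expire sooner asks again sooner and so is "chattier". The MAC and IP addresses, the two TTL values and the 30-second send schedule are all constructed for the demo; they are not measured Windows or *nix cache lifetimes, and real stacks (with reachability states, unicast refreshes and gratuitous ARP) are more involved than this model.

```python
import struct

# Constants from the ARP/Ethernet wire format (RFC 826 / Ethernet II).
ETH_TYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + ARP packet (28 bytes) = 42 bytes.
    A request is broadcast; a reply is unicast to the asker."""
    dst = BROADCAST if op == OP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode a captured frame; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def describe(pkt):
    """Render a parsed packet the way a sniffer's summary column would."""
    if pkt["op"] == OP_REQUEST:
        return f"Who has {pkt['target_ip']}? Tell {pkt['sender_ip']}"
    return f"{pkt['sender_ip']} is at {pkt['sender_mac']}"


class ArpCache:
    """Toy cache: an entry is valid for `ttl` seconds after it was learned.
    Simplified model, not how any particular OS actually ages entries."""

    def __init__(self, ttl, my_mac, my_ip):
        self.ttl, self.my_mac, self.my_ip = ttl, my_mac, my_ip
        self.entries = {}  # ip -> (mac, learned_at)

    def request_for(self, ip, now):
        """Return the ARP request frame to send, or None if the cache still covers ip."""
        entry = self.entries.get(ip)
        if entry and now - entry[1] < self.ttl:
            return None
        return build_arp(OP_REQUEST, self.my_mac, self.my_ip, "00:00:00:00:00:00", ip)

    def learn(self, frame, now):
        pkt = parse_arp(frame)
        self.entries[pkt["sender_ip"]] = (pkt["sender_mac"], now)


def count_arp_requests(ttl, send_times, gateway_ip="10.0.0.1",
                       gateway_mac="00:aa:bb:cc:dd:01"):
    """Simulate a host sending IP traffic to the gateway at each time in
    send_times and count how many ARP requests that generates on the air.
    The gateway answers every request immediately (lossless link assumed)."""
    host = ArpCache(ttl, "00:11:22:33:44:55", "10.0.0.7")
    requests = 0
    for t in send_times:
        req = host.request_for(gateway_ip, t)
        if req is None:
            continue  # cached: the IP packet goes out with no ARP at all
        requests += 1
        asker = parse_arp(req)
        reply = build_arp(OP_REPLY, gateway_mac, gateway_ip,
                          asker["sender_mac"], asker["sender_ip"])
        host.learn(reply, t)
    return requests


if __name__ == "__main__":
    req = build_arp(OP_REQUEST, "00:11:22:33:44:55", "10.0.0.7",
                    "00:00:00:00:00:00", "10.0.0.1")
    print(describe(parse_arp(req)))
    schedule = range(0, 600, 30)  # constructed: one packet to the gateway every 30 s for 10 min
    for ttl in (60, 1200):
        print(f"ttl={ttl:4d}s -> {count_arp_requests(ttl, schedule)} ARP requests")
```

Run it and the same ten minutes of traffic produce ten ARP requests with a 60-second cache lifetime but only one with a 20-minute lifetime, which is the mechanism behind the "ARP chatty" remark: the captured ARP rate depends on how often the victim's cache entry for the gateway lapses, not just on how much IP traffic it sends. The parser's length and type checks are the ones you want before trusting fields from a frame you pulled off the air.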