INTRODUCING THE PACKET WHACKER

THE MAGAZINE FOR COMPUTER APPLICATIONS
Circuit Cellar Online offers articles illustrating creative solutions
and unique applications through complete projects, practical
tutorials, and useful design techniques.

INTRODUCING THE PACKET WHACKER

Applications Part 2: Setting a Course with Code
by Fred Eady

Start ı Packet Whacker Utilities ı Receiving Packets ı Who ARP You?ı Ping ı UDP ı TCP ı FIN ı Sources and PDF

WHO ARP YOU?

Of course, ARP has nothing to do with Roger Daltry and The Who. ARP is short for address resolution protocol. ARP is used to dig out the MAC address (0CCINK for the PICDEM.net) behind the IP address (192.168.1.150 for the PICDEM.net). To receive an ARP request the Packet Whacker must be configured to accept broadcast packets. For the Packet Whacker, this means that bit 2 (AB) of the NICıs RCR must be set. Checking out the rcrval (0x04) in Listing 4, the AB (accept broadcasts) bit is indeed set.

Turning our attention to the ARP request in Photo 4, notice the set of six 0xFFs at the beginning of the hex dump. The 0xFFs signify a broadcast address, which in this case is coming from the tbird900. At this point, via information gleaned from the application (ping in this case), the tbird900 knows the PICDEM.netıs IP address. The Packet Whacker has accepted the broadcast packet, and now itıs up to the get_packet routine to determine what to do with it. Looking at Listing 5, note that the Ethernet packet type is used to sort the packet into either an ARP or IP bucket. The sort is coarser at the IP bin than the ARP bin as there are three more ways to get out of the IP bucket and only one way to be poured from the ARP bucket.

Looking again at Photo 4, youıll see that by using the protocol header fields, the Sniffer has determined that the packet type is ARP and the IP address matches the PICDEM.netıs. ARP packets are simple, and if everything in the ARP request packet matches up with the code in Listing 5, the ARP reply routine in Listing 6 is called.

Listing 6ıThe ARP code is simple. Basically, add your MAC address, turn the IP source and destination addresses around, set the reply bits, and send it back.

Crafting the ARP reply is a breeze. Most of the information needed to build the ARP reply packet is contained in the ARP request packet. The source MAC address becomes the destination MAC address as the ARP request sender is interested only in determining your MAC address, which is added as the new source MAC address in the ARP reply packet. To make sure the ARP reply goes back directly to the ARP requester, the source IP address becomes the destination IP address in the ARP reply packet. The last thing to do is to change the opcode from ARP request to ARP reply. Everything else in the original ARP request packet remains the same. Photo 6 is the result of running the ARP response code through the Packet Whacker on the PICDEM.net.

Photo 6ıChange the opcode, swap the IP addresses, add your local MAC, and send the packet back. Thatıs all there is to an ARP reply.

Because the Sniffer PC is dedicated to running the Sniffer drivers, there are no processes that cache the ARP data, and every operation I initiate from the tbird900 begins with an ARP request. So, when I was developing the ARP firmware, I used the Snifferıs ping utility to force and ARP against the PICDEM.net. Of course, this failed because there was no ping code on the PICDEM.net yet. When I finally got the ARP code to run correctly on the PICDEM.net, it was time to move on to the next step on the Internet stairs, ping.

PREVIOUS • NEXT

Circuit Cellar provides up-to-date information for engineers. Visit www.circuitcellar.com for more information and additional articles.
For subscription information, call (860) 875-2199, subscribe@circuitcellar.com or subscribe online. ıCircuit Cellar, the Magazine for Computer Applications. Posted with permission.