[VLAN] 802.1Q - MAC Spoofing

[Ben Greear]

P Chaitra-A15829 wrote:
> Thanks for the reply Ben.
>  
> I haven't tried arp filter yet. But what I did was updated the arp 
> table of the other host (himadri) with the spoofed MAC address of 
> Linux machine.
> himadri :> arp -a | grep 210
> 7:qfe0   192.2.84.210         255.255.255.255 S     00:11:11:29:78:11
> I pinged 192.2.84.210 (spoofy Linux machine) from himadri.
>  
> The snoop at arabhi (192.2.84.210 ):
>
> 06:29:38.864074 00:03:ba:08:ac:eb > 00:11:11:29:78:11, ethertype IPv4 
> (0x0800), length 98: IP (tos 0x0, ttl 255, id 16047, offset 0, flags 
> [DF], proto 1, length: 84) himadri > 192.2.84.210: icmp 64: echo 
> request seq 119
> 06:29:39.864080 00:03:ba:08:ac:eb > 00:11:11:29:78:11, ethertype IPv4 
> (0x0800), length 98: IP (tos 0x0, ttl 255, id 16048, offset 0, flags 
> [DF], proto 1, length: 84) himadri > 192.2.84.210: icmp 64: echo 
> request seq 120
> 06:29:40.863960 00:03:ba:08:ac:eb > 00:11:11:29:78:11, ethertype IPv4 
> (0x0800), length 98: IP (tos 0x0, ttl 255, id 16049, offset 0, flags 
> [DF], proto 1, length: 84) himadri > 192.2.84.210: icmp 64: echo 
> request seq 121
> There is no response from 'arabhi' (spoofy Linux machine) on this MAC 
> address... the switch is forwarding the frames though.
>  
>  
> Do I need to change any configuration on the Linux host to associate 
> itself with this spoofed MAC interface ??
>  
> Regards,
> Chaitra

Are the frames being encapsulated on the VLAN?  If not, they will not be 
delivered to the VLAN
device in Linux.

Try this:

add vlan with VID 5 to the switch, IP addr: 10.10.1.2
add vlan with VID 5 to the Linux box, IP addr:  10.10.1.3

You should be able to ping between them, and sniffing the vlan eth0.5 
device on
the linux box should show traffic.

This assumes that your eth0 interface is on a different subnet, perhaps 
192.168.1.3....

Once that works, you can move on to arp-filter stuff.

Ben

-- 
Ben Greear <greearb at candelatech.com> 
Candela Technologies Inc  http://www.candelatech.com