Receiving packets for different MAC address

Is it possible to capture some packets in promiscuous mode (e.g. using winpcap) and then force the OS (applications) to receive them as if they were sent for our MAC?

My observation is the following. We can:

  • capture all network traffic using promiscuous mode (winpcap)
  • filter/modify the packets using firewall-hook/filter-hook
  • send packets to the network with altered MAC

I am not sure if firewall-hook can access all the packets which are available thanks to promiscuous mode. Isn't it on the lower layer? If it can't, the only solution would be to capture desired packets and then resend them to the network with altered MAC?

I am a networking novice so please be easy on me :)

Any help is appreciated. Thanks in advance.

You have your toes at the line of white hat/black hat hackers. I know that my company actively watches for promiscuous NICs, hunts down the owners and kills (fires) them. Maybe if you ask us what you're trying to do, we can offer some suggestions.

If you're trying to analyze your network, there are software and/or hardware solutions that will probably do a better job. If you're just trying to watch interesting text flow across your network, well ... maybe you're still in college.

First, yes, if your interface operates in promiscuous mode then you will receive everything 'on the wire'. Which is already one difficulty: nowadays many (if not all) networks are switched, which means a piece of hardware exterior to your system will already do some filtering before packets arrive at your system, so you'll first need to trick a switch into transmitting those packets to your end (can be done by sending out dummy ARPs, by configuring the switch, or by bad intent ;-) ). Then if these packets are received at your system, what do you plan to do with them? These ethernet frames will carry IP packets, typically with a destination IP address, which is already something which will not be on your host (and if it is, this implies that you will have duplicate IP addresses on your network, causing problems as well).

So the main question is, what do you really really really want to do?
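The two receive-side checks described in the answer above, as an added example that is not part of the original post. It is a simplified model: `build_frame` and `host_verdict` are hypothetical names, the frames are constructed samples, and IP forwarding, VLAN tags and IP-level broadcast/multicast are ignored.

```python
import ipaddress
import struct

def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed sample: Ethernet II header + bare 20-byte IPv4 header."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

def host_verdict(frame, nic_mac, local_ips, promiscuous=False):
    """Report where a receiving end host stops processing the frame."""
    if len(frame) < 14:
        return "dropped: truncated Ethernet header"
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # Layer 2: the NIC filter. Promiscuous mode disables only this step.
    group_bit = bool(dst[0] & 1)  # set for multicast and broadcast
    if dst != mac(nic_mac) and not group_bit and not promiscuous:
        return "dropped by NIC: destination MAC is not ours"
    if ethertype != 0x0800:
        return "not IPv4: handed to another protocol handler"
    if len(frame) < 34:
        return "dropped: truncated IPv4 header"
    # Layer 3: the IP stack delivers only packets for a local address.
    dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
    if dst_ip not in local_ips:
        return f"dropped by IP stack: {dst_ip} is not a local address"
    return f"delivered to local sockets for {dst_ip}"

if __name__ == "__main__":
    ours, other = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frame = build_frame(other, "02:00:00:00:00:03", "192.0.2.10", "192.0.2.20")
    for promisc in (False, True):
        print(promisc, host_verdict(frame, ours, {"192.0.2.5"}, promisc))
```

With promiscuous mode on, the frame passes the NIC filter and is visible to a capture library, but the IP stack still discards it because the destination IP is not local.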

Once you have received a packet, it has already been clean through the protocol stack. I don't think Windows gives you the access into the middle of Winsock that would be required to somehow stick it back in.

More importantly, this is a really dodgy thing to be looking to do. Whatever it is you are looking to do, I can guarantee you there is some better way to do it.

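Notice: the technical post pages on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.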
