Incorrect Linux ARP behavior

[smm () WPI EDU (Seth McGann)]

After further investigation it appears neped.c (the Linux sniffer detector
by savage () apostols org ) operates due to a problem in
/linux/net/ipv4/arp.c.  The function arp_rcv() controls when to send ARP
responses.  The criteria for sending these responses is flawed, in that it
will respond to ARP requests regardless of the destination MAC address.
Normally only frames with a station's MAC address are processed so this is
not a problem.  In promiscuous mode, all frames are processed, and without
checking the destination MAC address there is no way to discern if the
packet was really bound for listening station.  To fix this problem all
that needs to be done is add the following check (pseudo code):

if(ether_header_destination != device_hardware_address) return;


Seth M. McGann / smm () wpi edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80