【正文】 judges if spoofed using set methods, and transmits results to the response module for the appropriate treatment in accordance with the results judged by the detection module[2]. PRINCIPLE OF ARP ARP is responsible for the agreement to host the target of 32bit IP address into the corresponding 48bit MAC address, so as to ensure smooth munication. Web hosting is usually included in the ARP cache multIPle forms of munication used to keep the last of the host IP address and MAC address of the corresponding resolution, thus greatly reducing the frequency of address resolution and expenses [3]. As the ARP is a stateless protocol, in the absence of a request being able to send the response packet, which for the ARP virus attacks can be provided for the machine.ARP virus is a ARP deceit Trojan horse virus. When the local area network with the virus in the host running the Trojan horse virus, ARP, will deceive all the local area network routers and hosts, so that all Internet traffic to go through the host virus, which inev。 FiltrateI. IntroductionARP protocol, located in the network layer of TCP / IP protocol stack is responsible for the resolution of IP address into a corresponding MAC address. As the final network is transmitted in accordance with the MAC address, as for LAN, ARP protocol is the normal munication of a network based on. ARP spoofing attacks exploit the flaw of ARP itself in TCP / IP protocols , that is, not to verify ARP response packet sent, but directly update ARP cache table. It sends ARP response package to the target host, makes the target host update their ARP cache table, the package sent to its own instead of the posing machine, through which spoofs information. The reason is that one or machines within LAN infected with some ARP virus, which lead to each machine under attack[1]. This paper achieves a packet capture and filtering through the data packet capture and filtering mechanisms in winPcaP, as well as related interface and data structure,。 Winpcap。 In the checking module, the system first judges whether the last number of the IP address is one, if not, the system gives up treating the packet, otherwise pares the IP/MAC to the right IP/MAC and sends the result to the response module。 參考文獻(xiàn)[1] [N].中國電腦教育報，2009，6.[2] 單國杰，徐夫田, ARP 欺騙攻擊的防御策略研究[J].計算機與現(xiàn)代化，2010(12):8588.[3] 胡曉元， 包截獲系統(tǒng)的分析及其應(yīng)用[J].計算機工程，2005，(2):9698.[4] 任俠， 欺騙原理分析與抵御方法[J].計算機工程,2003，9:2728.[5] 王燕，[J].信息安全,2007，23(12):7274.[6] 單國杰, [J].信息技術(shù)與信息化,2010(2):4749.[7] 吳高凱，、防范與追蹤，中國鐵道出版社[M], 2008，6.[8] [M].北京:電子工業(yè)出版社, 2007，6.[9] [J].網(wǎng)絡(luò)安全, 2007，2.[10] 陸余良，[J].計算機工程, 2004年.[11] [M]. 北京:中國鐵道出版社, 2008 年.[12] 郭浩，[J].信息安全與通信保密, 2005，10:6646[13] 林宏剛， ARP 攻擊的算法研究[J].四川大學(xué)學(xué)報，2008，40(3):143149.[14] [J].福建信息技術(shù)教育,2008,1(8):2024.[15] 徐華中，[J].中國水運，2007,3(5):9799.[16] (第三版)[M].北京:清華大學(xué)出版社，2009 年.[17] 鄭文兵，[J].江南大學(xué)學(xué)報(自然科學(xué)版), 2003，2(6):574577.[18] Bruschi D, Ornaghi A, Rosti E. SARP: A secure address resolution protocol[C]. Proceedings of the19thAnnual Computer Security Applications Conference. NV, USA:IEEE puter Society, 2003.[19] Goyal V, TrIPathy R. An efficient solution to the ARP cache poisoning problem[C]. 10th AustralasianConference on In formation Security and Privacy(ACISP2005).[20] 羅杰云，[J], 2003,5(12):43一45.附錄A外文文獻(xiàn)：Research on the defense against ARP Spoofing Attacks based on WinpcapWenjian XingThe Moden Education Technology Cnter Hebei University of Engineering HanDan Hebei ,ChinaxingwenjianAbstract：Based on the study of the existing methods and the WinPcaP, aimed with the ARP spoofing attacks achieved mainly by disguising the gateway, the thesis presents a method of defending ARP spoofing attacks based on WinPcaP. The method is: Setting filtering rules by filtering mechanisms of the WinPcaP, and the system just captures the ARP packets flowing through the local card, and then sends the packets to the analysis module。感謝我的同學(xué)在我的學(xué)習(xí)和生活中都給了我極大的幫助和關(guān)心，遇到問題時，經(jīng)常犧牲個人時間為我答疑解惑，經(jīng)常能得到他們的細(xì)心指點和啟發(fā)，在此向他們的無私精神表示誠摯的謝意。指導(dǎo)老師平易近人，對不懂的問題能給我們耐心的講述，給我留下了深刻的印象。然后，本文又分析探討了現(xiàn)有各種防范 ARP 欺騙攻擊的機制，以及它們的優(yōu)缺點。首先，本設(shè)計從理論入手，在掌握了 ARP 協(xié)議相關(guān)理論的基礎(chǔ)上對 ARP 協(xié)議的工作原理、通信模式以及 ARP 協(xié)議的固有缺陷作了深入分析。ARP 欺騙利用ARP協(xié)議的安全漏洞，給局域網(wǎng)內(nèi)各主機的安全通信帶來了極大地危害。 ，攻擊者的IP為：,，MAC為206A8A6DD1EB，所以試驗的結(jié)果達(dá)到了預(yù)期的效果，在模擬環(huán)境下可以檢測到ARP的攻擊，并能分析出攻擊者的IP和受害者的IP與MAC。 檢測的過程2. 首先用ARP泛洪攻擊進(jìn)行攻擊不斷地發(fā)送偽造的數(shù)據(jù)包。參數(shù) mask 表示是主機的IP地址的掩碼 。即BSD Packet Filter)。2 ) 編譯過濾條件的函數(shù),其原型為：1. int pcap_pile ( bpf_pro gramprog，char buffer，int opt_bpfu int 32mask )此函數(shù)操作成功返回0 ，操作失敗則返回1。1 )判斷網(wǎng)絡(luò)類型的函數(shù) ，其函數(shù)原型為 ：int pcap_datalink (pcap_t d )它的功能是返回主機所在的鏈路層上的一個適配器 ，即鏈路層的類型 ，如D1EN10MB指的就 是10 M以太網(wǎng)。最后一個參數(shù) err_buffer 用于存儲錯誤信息。pro 指明網(wǎng)卡是否處于混雜模式，默認(rèn)情況下值為l ，即處于混在模式 。 參數(shù)len主要用于數(shù)據(jù)包的捕獲上，默認(rèn)為65536。if ( (ad handle = pcap _open lived name ,65536,1 ,1000,errbuf) ) == NULL ){fprintf (stde rr，”\n 網(wǎng)卡打開失敗 ，WinPcap不支持%s\n ”)pcap_ free alldevs(alldevs)return 1 ： }此語句的功能是打開目標(biāo)網(wǎng)卡準(zhǔn)備捕獲數(shù)據(jù)包，函數(shù)原型如下 ：pcap_tpcap open_live feonstchadev，int len, int pro,int i_m , char err_buffer)第一個參數(shù)const char *dev 指的是要打開的網(wǎng)卡。其原型為：int fprintf( FILE stream ，const char format ，argm nent …) ，第一個參數(shù)是保存錯誤信息的文件指針，本程序用的參數(shù)是stderr，是系統(tǒng)默認(rèn)標(biāo)準(zhǔn)錯誤輸出文件的句 柄。此函數(shù)成功運行返回值為0：運行失敗返回值為1。)== 1{fpritf {stderr，”pcap_findalldevs出現(xiàn)錯誤：％skn”,errbuf)；return 1。具體流程圖如下: 開始獲取網(wǎng)卡列表打開網(wǎng)卡錯誤處理打印網(wǎng)卡信息成功？成功？成功？否 是否是否是成功？選擇網(wǎng)卡否編譯過濾條件是錯誤處理捕包分析 結(jié)束 檢測程序流程圖 核心函數(shù)說明(1) 獲得網(wǎng)卡信息列表模塊和選擇目標(biāo)網(wǎng)卡模塊中所使用的函數(shù)。,然后點擊flood進(jìn)行攻擊。當(dāng)你用鼠標(biāo)在上面移動時，會顯示對于該事件的說明。能夠檢測的事件列表請看英文說明文檔。Traffic：轉(zhuǎn)發(fā)的流量，是K為單位，這個信息在進(jìn)行SPOOF時才有用。： WinARPAttacker主界面：第一個區(qū)域：主機列表區(qū)，顯示的信息有局域網(wǎng)內(nèi)的機器IP、MAC、主機名、是否在線、是否在監(jiān)聽、是否處于被攻擊狀態(tài)。（1）用代碼實現(xiàn)對交換機的泛洪攻擊，然后選擇我的網(wǎng)卡：2。(2)導(dǎo)致IP沖