How to Get an ARP Table with an IP Helper API



Click here for a larger image.

Compiled on: Visual Studio 6.0 & Windows XP Pro.

Tested on: Win2K Server, WinXP Pro, WinXP Home Edition, & Win2003 Server

Introduction

There are some articles related to ARP, but I think it has been difficult to find a program to get an ARP table on a Windows system. This program provides you with the information on how to get an ARP table in VS60 on Windows by using iphlpapi.lib.

As you know, ARP stands for address resolution protocol and maintains IP address/physical address pairs.

By spoofing this ARP table, you can get a man-in-the-middle attack and sniff all the packets or even switch networks. Because of this, many programmers related to security should know to manipulate an ARP table.

Description

This program is very simple, at most 100 lines. I think this is easy to understand. None the less, I think that a description of some API functions related to ARP in iphlpapi.lib is needed.

The IP Helper APIs available for ARP on Windows are listed below:

  • GetIpNetTable: Retrieves address resolution table information.
  • SetIpNetEntry: Adds entry to the ARP table.
  • DeleteIpNetEntry: Deletes entry from the ARP table.
  • CreateIpNetEntry: Creates an entry in the ARP table.
  • FlushIpNetTable: Deletes all ARP entries for the specified interface from the ARP table
  • SendARP: Sends an ARP request to obtain the physical address that corresponds to the specified destination IP address

The structures available in IP Helper APIs for ARP follow:

  • MIB_IPNETTABLE: Contains a table of ARPentries.
  • PMIB_IPNETTABLE: Pointer to MIB_IPNETTABLE structure.
  • MIB_IPNETROW: Contains information for an ARPtable entry.
  • PMIB_IPNETROW: Pointer to MIB_IPNETROW structure.

In this program, GetIpNetTable of the API functions is used as follows:

ULONG nSize=400;

PMIB_IPNETTABLE pMib = (PMIB_IPNETTABLE)malloc(sizeof(
                        MIB_IPNETTABLE)+
                        sizeof(MIB_IPNETROW)*nSize);

DWORD dwRet = GetIpNetTable(pMib,&nSize,TRUE);

.
.
.

for (int i =0;i<nSize;i++)
{
  char ipaddr[20], macaddr[20];

  sprintf(ipaddr,"%d.%d.%d.%d",
    ( pMib->table[i].dwAddr&0x0000ff),
     ((pMib->table[i].dwAddr&0xff00)>>8),
    ((pMib->table[i].dwAddr&0xff0000)>>16),
     (pMib->table[i].dwAddr>>24)
    );

  sprintf(macaddr, "%02x-%02x-%02x-%02x-%02x-%02x",
    pMib->table[i].bPhysAddr[0],pMib->table[i].bPhysAddr[1],
    pMib->table[i].bPhysAddr[2],pMib->table[i].bPhysAddr[3],
    pMib->table[i].bPhysAddr[4],pMib->table[i].bPhysAddr[5]
  );

  printf("%-20s %-25s",ipaddr,macaddr);

  if (pMib->table[i].dwType == 3) printf("Dynamic\n");
    else if (pMib->table[i].dwType == 4) printf("Static\n");
}

Iphlpapi.lib is included in Platform SDK.

About the Author

Gordon Ahn is a software engineer and network security expert and works for www.nextsecurity.net.

If you have any questions, don't hesitate to e-mail me, or visit the above site.

Downloads

Download source code and demo project - 33 Kb


Comments

  • which device ?

    Posted by Legacy on 01/22/2004 12:00am

    Originally posted by: lolosoft

    which device (if many) for the ARP table

    Reply
Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Do you spend a lot of time thinking about your enemies? Attacker attribution - figuring out who's out to get you - is one of the most important things an organization can do to protect itself.  Because you have no hope of defending yourself if you don't understand who the attackers are. Good news? Every organization isn't targeted by all the attackers. Bad news? No one can identify your potential attackers as well as you. Read this graphics-rich threat summary for 2014 to determine who might be your next …

  • Intelligent N+X Redundancy, Placement Affinities, & Future Proofing in the Virtualized Data Center Virtualization brought about the ability to simplify business continuity management in IT. Workload portability and data replication capabilities mean that physical infrastructure failures no longer need impact application services, and they can rapidly be recovered even in the event of complete site failure. However, Enterprises and Service Providers face new challenges ensuring they have enough compute …

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date