How to Get an ARP Table with an IP Helper API



Click here for a larger image.

Compiled on: Visual Studio 6.0 & Windows XP Pro.

Tested on: Win2K Server, WinXP Pro, WinXP Home Edition, & Win2003 Server

Introduction

There are some articles related to ARP, but I think it has been difficult to find a program to get an ARP table on a Windows system. This program provides you with the information on how to get an ARP table in VS60 on Windows by using iphlpapi.lib.

As you know, ARP stands for address resolution protocol and maintains IP address/physical address pairs.

By spoofing this ARP table, you can get a man-in-the-middle attack and sniff all the packets or even switch networks. Because of this, many programmers related to security should know to manipulate an ARP table.

Description

This program is very simple, at most 100 lines. I think this is easy to understand. None the less, I think that a description of some API functions related to ARP in iphlpapi.lib is needed.

The IP Helper APIs available for ARP on Windows are listed below:

  • GetIpNetTable: Retrieves address resolution table information.
  • SetIpNetEntry: Adds entry to the ARP table.
  • DeleteIpNetEntry: Deletes entry from the ARP table.
  • CreateIpNetEntry: Creates an entry in the ARP table.
  • FlushIpNetTable: Deletes all ARP entries for the specified interface from the ARP table
  • SendARP: Sends an ARP request to obtain the physical address that corresponds to the specified destination IP address

The structures available in IP Helper APIs for ARP follow:

  • MIB_IPNETTABLE: Contains a table of ARPentries.
  • PMIB_IPNETTABLE: Pointer to MIB_IPNETTABLE structure.
  • MIB_IPNETROW: Contains information for an ARPtable entry.
  • PMIB_IPNETROW: Pointer to MIB_IPNETROW structure.

In this program, GetIpNetTable of the API functions is used as follows:

ULONG nSize=400;

PMIB_IPNETTABLE pMib = (PMIB_IPNETTABLE)malloc(sizeof(
                        MIB_IPNETTABLE)+
                        sizeof(MIB_IPNETROW)*nSize);

DWORD dwRet = GetIpNetTable(pMib,&nSize,TRUE);

.
.
.

for (int i =0;i<nSize;i++)
{
  char ipaddr[20], macaddr[20];

  sprintf(ipaddr,"%d.%d.%d.%d",
    ( pMib->table[i].dwAddr&0x0000ff),
     ((pMib->table[i].dwAddr&0xff00)>>8),
    ((pMib->table[i].dwAddr&0xff0000)>>16),
     (pMib->table[i].dwAddr>>24)
    );

  sprintf(macaddr, "%02x-%02x-%02x-%02x-%02x-%02x",
    pMib->table[i].bPhysAddr[0],pMib->table[i].bPhysAddr[1],
    pMib->table[i].bPhysAddr[2],pMib->table[i].bPhysAddr[3],
    pMib->table[i].bPhysAddr[4],pMib->table[i].bPhysAddr[5]
  );

  printf("%-20s %-25s",ipaddr,macaddr);

  if (pMib->table[i].dwType == 3) printf("Dynamic\n");
    else if (pMib->table[i].dwType == 4) printf("Static\n");
}

Iphlpapi.lib is included in Platform SDK.

About the Author

Gordon Ahn is a software engineer and network security expert and works for www.nextsecurity.net.

If you have any questions, don't hesitate to e-mail me, or visit the above site.

Downloads

Download source code and demo project - 33 Kb


Comments

  • which device ?

    Posted by Legacy on 01/22/2004 12:00am

    Originally posted by: lolosoft

    which device (if many) for the ARP table

    Reply
Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Who can you trust? Learn from the IBM X-Force team in this new quarterly report how the Internet of Things and IP reputation tracking are transforming the security landscape.

  • The 2014 State of DevOps Report — based on a survey of 9,200+ people in IT operations, software development and technology management roles in 110 countries — reveals: Companies with high-performing IT organizations are twice as likely to exceed their profitability, market share and productivity goals. IT performance improves with DevOps maturity, and strongly correlates with well-known DevOps practices. Job satisfaction is the No. 1 predictor of performance against organizational …

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date