How to Get an ARP Table with an IP Helper API



Click here for a larger image.

Compiled on: Visual Studio 6.0 & Windows XP Pro.

Tested on: Win2K Server, WinXP Pro, WinXP Home Edition, & Win2003 Server

Introduction

There are some articles related to ARP, but I think it has been difficult to find a program to get an ARP table on a Windows system. This program provides you with the information on how to get an ARP table in VS60 on Windows by using iphlpapi.lib.

As you know, ARP stands for address resolution protocol and maintains IP address/physical address pairs.

By spoofing this ARP table, you can get a man-in-the-middle attack and sniff all the packets or even switch networks. Because of this, many programmers related to security should know to manipulate an ARP table.

Description

This program is very simple, at most 100 lines. I think this is easy to understand. None the less, I think that a description of some API functions related to ARP in iphlpapi.lib is needed.

The IP Helper APIs available for ARP on Windows are listed below:

  • GetIpNetTable: Retrieves address resolution table information.
  • SetIpNetEntry: Adds entry to the ARP table.
  • DeleteIpNetEntry: Deletes entry from the ARP table.
  • CreateIpNetEntry: Creates an entry in the ARP table.
  • FlushIpNetTable: Deletes all ARP entries for the specified interface from the ARP table
  • SendARP: Sends an ARP request to obtain the physical address that corresponds to the specified destination IP address

The structures available in IP Helper APIs for ARP follow:

  • MIB_IPNETTABLE: Contains a table of ARPentries.
  • PMIB_IPNETTABLE: Pointer to MIB_IPNETTABLE structure.
  • MIB_IPNETROW: Contains information for an ARPtable entry.
  • PMIB_IPNETROW: Pointer to MIB_IPNETROW structure.

In this program, GetIpNetTable of the API functions is used as follows:

ULONG nSize=400;

PMIB_IPNETTABLE pMib = (PMIB_IPNETTABLE)malloc(sizeof(
                        MIB_IPNETTABLE)+
                        sizeof(MIB_IPNETROW)*nSize);

DWORD dwRet = GetIpNetTable(pMib,&nSize,TRUE);

.
.
.

for (int i =0;i<nSize;i++)
{
  char ipaddr[20], macaddr[20];

  sprintf(ipaddr,"%d.%d.%d.%d",
    ( pMib->table[i].dwAddr&0x0000ff),
     ((pMib->table[i].dwAddr&0xff00)>>8),
    ((pMib->table[i].dwAddr&0xff0000)>>16),
     (pMib->table[i].dwAddr>>24)
    );

  sprintf(macaddr, "%02x-%02x-%02x-%02x-%02x-%02x",
    pMib->table[i].bPhysAddr[0],pMib->table[i].bPhysAddr[1],
    pMib->table[i].bPhysAddr[2],pMib->table[i].bPhysAddr[3],
    pMib->table[i].bPhysAddr[4],pMib->table[i].bPhysAddr[5]
  );

  printf("%-20s %-25s",ipaddr,macaddr);

  if (pMib->table[i].dwType == 3) printf("Dynamic\n");
    else if (pMib->table[i].dwType == 4) printf("Static\n");
}

Iphlpapi.lib is included in Platform SDK.

About the Author

Gordon Ahn is a software engineer and network security expert and works for www.nextsecurity.net.

If you have any questions, don't hesitate to e-mail me, or visit the above site.

Downloads

Download source code and demo project - 33 Kb


Comments

  • which device ?

    Posted by Legacy on 01/22/2004 12:00am

    Originally posted by: lolosoft

    which device (if many) for the ARP table

    Reply
Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • It's time high-level executives and IT compliance officers recognize and acknowledge the danger of malicious insiders, an increased attack surface and the potential for breaches caused by employee error or negligence. See why there is extra emphasis on insider threats.

  • Confused by all the agile advice? Relax! With the Agile for Dummies eBook by your side you'll learn the fundamentals of agile and how to increase the productivity of your software teams while enabling them to produce higher-quality solutions that better fulfill customer needs much faster.

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds