Shulou(Shulou.com)06/01 Report--

"Network Law Enforcement Officer" is a local area network management assistant software, which adopts network bottom layer protocol and can penetrate each client firewall to monitor every host in the network (host in this paper refers to various computers, switches and other network equipment equipped with IP); it adopts network card number (MAC) to identify users, with high reliability; the software itself occupies less network resources and has no adverse impact on the network. The software does not need to run on a specified server. It can effectively monitor all the networks connected to the local computer by running on any host in the network (multi-segment monitoring is supported).

The ARP principle used by network law enforcement officers makes it impossible for the computer to access the Internet, so that the computer cannot find the MAC address of the gateway. ARP (Address Resolution Protocol) is an address resolution protocol that converts IP addresses into physical addresses. There are two ways to map IP addresses to physical addresses: tabular and non-tabular. ARP specifically refers to the network layer (IP layer, that is, equivalent to OSI layer 3) address resolution to the data connection layer (MAC layer, that is, equivalent to OSI layer 2) MAC address. ARP principle: A machine A to send messages to host B, will query the local ARP cache table, find B's IP address corresponding to the MAC address, will carry out data transmission. If not found, A broadcasts an ARP request message (carrying IP address Ia-physical address Pa of host A), requesting host B with IP address Ib to answer physical address Pb. All hosts on the network, including B, receive ARP requests, but only host B recognizes its IP address and sends an ARP response message back to host A. This includes B's MAC address, and A updates its local ARP cache after receiving B's response. Data is then sent using this MAC address (attached by the NIC). Thus, the ARP table in the local cache is the basis for local network traffic, and the cache is dynamic. ARP does not receive ARP replies only after sending ARP requests. When the computer receives an ARP reply packet, it updates the local ARP cache and stores the IP and MAC addresses in the reply in the ARP cache. Therefore, when a machine B in the local area network sends A its own forged ARP reply, and if this reply is forged by B posing as C, that is, the IP address of C and the MAC address are forged, then when A receives B's forged ARP reply, it will update the local ARP cache, so that in A's view, C's IP address has not changed, but its MAC address is no longer the original one. Because the network circulation of the local area network is not carried out according to the IP address, but according to the MAC address. Therefore, the forged MAC address is changed to a non-existent MAC address on A, which will cause the network to fail, resulting in A unable to ping C. This is a simple ARP scam. Cyber marshals use this principle. [

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.