I am trying to craft an ARP reply and send it (broadcast) to make every host on the network believe that a single host has a fake MAC address.

For instance, the target host to "isolate" is at 192.168.3.6 and has MAC 00:11:22:33:44:55. And my machine is at 192.168.3.9 and has MAC 66:77:88:99:aa:bb.

I am sending a packet containing the following information (using libcrafter and C++):

// Ethernet packet containing the ARP reply
Ethernet packet source MAC: 66:77:88:99:aa:bb
Ethernet packet destination MAC: FF:FF:FF:FF:FF:FF

// ARP reply
ARP operation: Reply
Sender IP: 192.168.3.6
Sender MAC: aa:bb:cc:dd:ee:ff
Target IP: 192.168.3.255
Target MAC: FF:FF:FF:FF:FF:FF

This is working but only for about 40s. I get the following ARP cache entry:

? (192.168.3.6) at aa:bb:cc:dd:ee:ff [ether] on eth0

After 40s the fake MAC address is overwritten by the original, valid MAC address of 192.168.3.6 and I got:

? (192.168.3.6) at 00:11:22:33:44:55 [ether] on eth0

I am using Debian 8 machines. Can someone tell me why this is working but only for a few seconds?

Thanks in advance.

UPDATE:

I was sending one ARP reply per second. If I send one ARP reply every 5 seconds then it worked better, except there are some short periods during which the target host is able to receive packets from another host. Is there any mechanism able to forget ARP replies from a flooder?

selfm

0 Answers
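An added example, not part of the original post: a defender-side check in Python that parses an ARP frame and flags the traits of the reply described in the question (ARP sender MAC differing from the Ethernet source MAC, a broadcast reply, and a changed IP-to-MAC binding). The function names and the frames built from the post's addresses are constructed for illustration.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": mac_str(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}

def check(frame, bindings):
    """Return findings for one frame; bindings (IP -> last MAC seen) is updated."""
    a = parse_arp(frame)
    if a is None:
        return []
    findings = []
    if a["sha"] != a["eth_src"]:   # ARP payload disagrees with the frame header
        findings.append("sender-mac-mismatch")
    if a["op"] == 2 and a["eth_dst"] == BROADCAST:   # ordinary replies go unicast to the requester
        findings.append("broadcast-reply")
    known = bindings.get(a["spa"])
    if known is not None and known != a["sha"]:   # the binding flips when two MACs claim one IP
        findings.append("binding-changed")
    bindings[a["spa"]] = a["sha"]
    return findings

def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed helper: assemble a 42-byte ARP-over-Ethernet frame for the samples."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    p = lambda i: bytes(int(x) for x in i.split("."))
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return h(eth_dst) + h(eth_src) + hdr + h(sha) + p(spa) + h(tha) + p(tpa)

# Constructed samples using the addresses given in the post.
LEGIT = build("66:77:88:99:aa:bb", "00:11:22:33:44:55", 2, "00:11:22:33:44:55",
              "192.168.3.6", "66:77:88:99:aa:bb", "192.168.3.9")
POSTED = build(BROADCAST, "66:77:88:99:aa:bb", 2, "aa:bb:cc:dd:ee:ff",
               "192.168.3.6", BROADCAST, "192.168.3.255")

if __name__ == "__main__":
    seen = {}
    for name, frame in (("legit", LEGIT), ("posted", POSTED), ("legit", LEGIT)):
        print(name, check(frame, seen))
```

A broadcast reply alone is only a signal, since gratuitous ARP announcements can be legitimate; the mismatch and the flipping binding are the stronger indicators.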