Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 12-06-2010, 02:53 PM   #1
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Rep: Reputation: 39
real system in between honeypot monitoring range


I am just out of curiosity working with honeypot and found there are two way for arpd to route the unused IP to honeypot with blackhole and arp spoofing.
Now to test, I am arp spoofing 5 machines from to .45 and also honeypot is monitoring this range too. But I have setup a real machine with webserver in between this range and gave IP address
Now logically as arp and honeypot both are monitoring this range so they capture this request as below from log:
PHP Code:
arpd[1690]: arpd_lookupno entry for
[1690]: arpd_sendwho-has tell
[1690]: arpd_sendwho-has tell
[1690]: arp reply is-at 08:00:27:00:76:e5
[1690]: arp reply is-at 08:00:27:00:76:e5

[1675]: Connection requesttcp (
honeyd[1675]: Connection establishedtcp (
honeyd[1675]: Connection requesttcp (
honeyd[1675]: Connection dropped with resettcp (
Now arpd is redirecting the traffic to honeypot machine as there is a real system with real MAC address. But from I can also view the webpage of machine. But most of the time it says "Connection Timed out".

Should it be acting like this or it shouldn't be showing me the webpage at all?

Old 12-07-2010, 08:58 AM   #2
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Why are you having arpd spoof ARP replies to a host that exists? Move the real webserver to an address that isn't between to .45.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
sample attack on honeypot system tanveer Linux - Security 2 11-23-2010 10:23 PM
squid real time monitoring Ammad Linux - Networking 2 02-08-2010 11:46 AM
Squid Real-time Monitoring molybtek Linux - Networking 1 10-10-2008 09:42 PM
Keylogger / session monitoring in real time? houler Linux - Security 2 04-06-2005 09:21 PM
Range of real out IP's - how to use it ?! Topper_BG Linux - Networking 2 09-01-2004 01:22 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:07 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration