Hi,
Out of curiosity, I am working with a honeypot and found that there are two ways for arpd to route the unused IPs to the honeypot, with blackhole and ARP spoofing.
Now to test, I am ARP spoofing 5 machines from 192.168.100.41 to .45, and the honeypot is monitoring this range too. But I have set up a real machine with a web server inside this range and gave it the IP address 192.168.100.45.
Now, logically, as ARP and the honeypot are both monitoring this range, they capture this request, as shown below from the log:
arpd[1690]: arpd_lookup: no entry for 192.168.100.45
arpd[1690]: arpd_send: who-has 192.168.100.45 tell 192.168.100.10
arpd[1690]: arpd_send: who-has 192.168.100.45 tell 192.168.100.10
arpd[1690]: arp reply 192.168.100.45 is-at 08:00:27:00:76:e5
arpd[1690]: arp reply 192.168.100.45 is-at 08:00:27:00:76:e5
honeyd[1675]: Connection request: tcp (192.168.200.10:45935 - 192.168.100.45:80)
honeyd[1675]: Connection established: tcp (192.168.200.10:45935 - 192.168.100.45:80)
honeyd[1675]: Connection request: tcp (192.168.200.10:45936 - 192.168.100.45:80)
honeyd[1675]: Connection dropped with reset: tcp (192.168.200.10:45936 - 192.168.100.45:80)
Now arpd is redirecting the traffic to the honeypot machine, as there is a real system with a real MAC address. But from 192.168.200.10 I can also view the webpage of the 192.168.100.45 machine. But most of the time it says "Connection Timed out".
Should it be acting like this, or shouldn't it be showing me the webpage at all?
Thanks.
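Added example, not part of the original post: a small Python check that reads arpd and honeyd log lines in the format shown above and reports every address for which arpd logged an `is-at` reply while honeyd also logged connections to it, which is the overlap this log shows for 192.168.100.45. The function name `find_overlaps` and the result layout are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Log lines copied from the post above, in the format posted there.
SAMPLE_LOG = """\
arpd[1690]: arpd_lookup: no entry for 192.168.100.45
arpd[1690]: arpd_send: who-has 192.168.100.45 tell 192.168.100.10
arpd[1690]: arpd_send: who-has 192.168.100.45 tell 192.168.100.10
arpd[1690]: arp reply 192.168.100.45 is-at 08:00:27:00:76:e5
arpd[1690]: arp reply 192.168.100.45 is-at 08:00:27:00:76:e5
honeyd[1675]: Connection request: tcp (192.168.200.10:45935 - 192.168.100.45:80)
honeyd[1675]: Connection established: tcp (192.168.200.10:45935 - 192.168.100.45:80)
honeyd[1675]: Connection request: tcp (192.168.200.10:45936 - 192.168.100.45:80)
honeyd[1675]: Connection dropped with reset: tcp (192.168.200.10:45936 - 192.168.100.45:80)
"""

ARP_REPLY = re.compile(r"arpd\[\d+\]: arp reply (\S+) is-at ([0-9a-fA-F:]{17})")
HONEYD_CONN = re.compile(
    r"honeyd\[\d+\]: Connection (request|established|dropped with reset): "
    r"tcp \((\S+):(\d+) - (\S+):(\d+)\)"
)

def find_overlaps(log_text):
    """Map each IP that answered arpd's probe AND was handled by honeyd
    to the MACs seen and a count of honeyd events per event type."""
    macs = defaultdict(set)                         # ip -> MACs in arp replies
    events = defaultdict(lambda: defaultdict(int))  # dst ip -> event -> count
    for line in log_text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            macs[m.group(1)].add(m.group(2).lower())
            continue
        m = HONEYD_CONN.search(line)
        if m:
            events[m.group(4)][m.group(1)] += 1     # group 4 = destination IP
    return {
        ip: {"macs": sorted(macs[ip]), "events": dict(events[ip])}
        for ip in macs if ip in events
    }

if __name__ == "__main__":
    for ip, info in find_overlaps(SAMPLE_LOG).items():
        print(f"{ip}: ARP reply from {', '.join(info['macs'])}; "
              f"honeyd events: {info['events']}")
```

An address reported here is one where a host with its own MAC is answering ARP inside the range honeyd is also serving, so it is a candidate for exclusion from the monitored range.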