
Using JPCAP to prevent man-in-the-middle attacks in a local area network environment
Faheem Fayyaz and Hamza Rasheed

Internal attacks are as dangerous and malicious as external attacks. A man-in-the-middle (MITM) attack is a serious problem. The attacker can hijack the connection between two communicating parties and capture the packets between them. He or she can modify, add, or prevent the data from reaching the victim. Address resolution protocol (ARP) poisoning can easily exploit the vulnerability present in ARP. Through this, an attacker can easily perform further attacks such as sniffing, denial of service, and MITM, among others.
The attacker sends forged ARP replies containing a false <IP, MAC> association [the IP address of another host on the network and the attacker's own media access control (MAC) address] to the victim with the intent to poison the ARP cache with forged information, which redirects all traffic toward the attacker. The attacker can then launch a MITM attack. By using the right tools (which are open source and easily available), any novice or script kiddie attacker can perform this type of attack.
The methodology to prevent MITM attacks conducted by ARP spoofing is to first assign unique IP addresses to every node on the local area network (LAN) based upon their MAC address. The algorithm by which IP addresses are assigned is DepMAC-IP, proposed in 2010. Then, because the existing ARP implementation cannot be changed when working in the Windows OS environment, JPCAP (a Java library for capturing and sending network packets) must be used to capture ARP replies. JPCAP is open source and is licensed under the GNU LGPL. It can capture Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP, and ICMPv4 packets.

Digital Object Identifier 10.1109/MPOT.2012.2187102
Date of publication: 27 July 2012
IEEE Potentials, July/August 2012

Defining the problem

MITM attack
An MITM attack can be described as active eavesdropping, where the attacker intrudes into existing connections between two communicating parties to intercept the exchanged data and inject false information. In this attack, both victims think that they are talking directly to each other. The attacker has hijacked the connection and he or she is now able to intercept the data, alter data, add new data, or even prevent the data transfer to the communicating parties.
Attackers can easily perform MITM attacks by exploiting the vulnerability present in ARP. ARP poisoning can be performed by any novice or script kiddie attacker as it only requires access to open source tools. The attacker sends malicious ARP replies to victims, which results in the poisoning of their ARP cache. The data is redirected to the attacker instead of the original communicating parties.

Fig. 1 The DepMAC-IP algorithm. Input: MAC address 00:14:c2:c9:6b:e5, network prefix 192.168.1.0. Calculate seed (the hex digits of the last three octets summed as integers): c+9+6+b+e+5 = 57. First generation: 57 XOR 9 = 48. Second generation: 48 XOR b = 59. Third generation: 59 XOR 5 = 62. Assigned IP: 192.168.1.62.

0278-6648/12/$31.00 2012 IEEE

ARP cache poisoning
In this article we have considered the MITM attack, which is done through ARP poisoning. An attacker can easily launch an attack by maliciously exploiting the vulnerability in existing ARP.
ARP is a trusted protocol and was not designed to cope with a malicious host. ARP does not authenticate the reply sent by anyone. The attacker sends the forged ARP reply packet containing the forged <IP, MAC> mapping, attempting to poison the victim's ARP cache. Now the attacker can launch MITM or DoS attacks.
For example, the attacker wants to launch an attack between two hosts A and B. He or she sends the ARP reply to A containing the IP address of host B and his or her own MAC address. Similarly, the attacker sends the ARP reply to B containing the IP address of B and his or her own MAC address. The result is that the ARP caches of host A and host B are poisoned and now the attacker can intercept all traffic between them and launch other attacks. It is very easy to poison the ARP cache in a switched LAN environment; anyone on the LAN can do this by just using the right tools.

Fig. 2 Detecting a malicious packet. Input: ARP reply packet with MAC address 00:14:c2:c9:6b:e5 and IP address 192.168.1.62. Third generation = 62 (host part of the IP address). Second generation: 62 XOR 5 = 59. First generation: 59 XOR b = 48. Seed: 48 XOR 9 = 57. Sum: c+9+6+b+e+5 = 57. Sum = Seed, so no poisoning.

Defenses against an ARP poisoning-based MITM attack

Assigning IP addresses
The solution proposed in this article is to prevent an ARP poisoning-based MITM attack in a LAN environment. As mentioned earlier, we use the DepMAC-IP algorithm. We use this algorithm to assign an IP address to a host on a LAN. This algorithm assigns IP addresses on the basis of MAC addresses.
This algorithm can be implemented on a dynamic host configuration protocol (DHCP) server, or the network administrator can manually assign the IP address using this algorithm. The reason behind using this algorithm is to uniquely identify every host on the LAN on the basis of IP addresses. As shown in Fig. 1, 192.168.1.55 can only be assigned to 00:04:C2:C9:6B:E5. Similarly, every host on the LAN has its unique IP address and that IP address cannot be assigned to any other host.

Preventing MITM attack
Now every host on the LAN has a unique IP address. Any host can be identified on the basis of the IP address. As mentioned earlier, the attacker uses ARP poisoning to poison the victim's ARP cache. After that, the attacker can easily launch an MITM attack. The attacker sends forged ARP reply packets containing the fake <IP, MAC> mapping to the victim. IP addresses are assigned on the basis of MAC addresses, so malicious ARP reply packets can be detected. When the ARP reply packets are captured, we can check the packet for the correct <IP, MAC> mapping.

Capturing ARP reply packets
JPCAP (a Java library for capturing and sending network packets) is used to capture the network traffic. By using this method, ARP reply packets are captured.
It is impossible to change the Windows Address Resolution Protocol, as Windows has its own limitations. Because of this, there is no way to improve the Address Resolution Protocol. The following is the code to filter network traffic and only capture ARP reply packets.

    import java.io.IOException;
    import jpcap.JpcapCaptor;
    import jpcap.NetworkInterface;
    import jpcap.packet.ARPPacket;
    import jpcap.packet.Packet;

    public class ArpReplyCapture {
        // Object that captures all the packets from the NIC
        static JpcapCaptor captor;
        // ARP reply packet
        static ARPPacket p;

        public static void main(String[] args) throws IOException {
            // Lists the NICs; devices[0] is used here, choose the LAN interface in practice
            NetworkInterface[] devices = JpcapCaptor.getDeviceList();
            // Opens the NIC (65535-byte snapshot, not promiscuous, 20 ms read timeout)
            captor = JpcapCaptor.openDevice(devices[0], 65535, false, 20);
            // Filter for the NIC: deliver only ARP frames
            captor.setFilter("arp", true);
            // Reads the next packet from the opened NIC (null on timeout)
            Packet pkt = captor.getPacket();
            // Keeps only ARP replies (operation code 2)
            if (pkt instanceof ARPPacket && ((ARPPacket) pkt).operation == ARPPacket.ARP_REPLY) {
                p = (ARPPacket) pkt;
                System.out.println(p); // header only, in the format shown below
            }
        }
    }

The above code does not block the ARP reply packet; it just tells the sender's IP address and MAC address as well as the destination IP address and MAC address (it only reads the header). The format of a captured ARP reply is

ARP REPLY 00:1e:e3:ee:e9:f7(/192.168.1.1) -> 00:14:c2:c9:6b:e5(/192.168.1.2)
Sender MAC = 00:1e:e3:ee:e9:f7
Sender IP = 192.168.1.1
Destination MAC = 00:14:c2:c9:6b:e5
Destination IP = 192.168.1.2
Detecting ARP cache poisoning
After receiving ARP reply packets, it is necessary to check whether they are malicious or not. This algorithm is repeated to check for the correct <IP, MAC> mapping.
By parsing the ARP reply, we can extract the sender's MAC and IP addresses. By again applying DepMAC-IP, malicious ARP reply packets can be detected. The following steps are calculated for every ARP reply packet received to detect the malicious one (see Fig. 2). If the sum is equal to the seed, then the packet is not malicious. If the sum is not equal to the seed, then the packet is malicious.
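As an added example (not the article's or the JPCAP project's code), here is the DepMAC-IP assignment of Fig. 1 and the reverse check of Fig. 2 written in Java, so that both can be called on the sender MAC and IP strings parsed from a captured ARP reply. The rule (sum the six hex digits of the last three MAC octets, then XOR with the second, fourth and sixth of those digits) is inferred from the two figures, and the class and method names are assumptions.

```java
public class DepMacIp {
    // The six hex digits of the last three MAC octets: c,9,6,b,e,5 for 00:14:c2:c9:6b:e5
    private static int[] lowNibbles(String mac) {
        String hex = mac.replace(":", "").replace("-", "").toLowerCase();
        int[] n = new int[6];
        for (int k = 0; k < 6; k++) {
            n[k] = Character.digit(hex.charAt(6 + k), 16);
        }
        return n;
    }

    // Seed = sum of those six digits as integers (57 in Fig. 1)
    static int seed(String mac) {
        int s = 0;
        for (int v : lowNibbles(mac)) {
            s += v;
        }
        return s;
    }

    // Fig. 1: three generations, XOR with the 2nd, 4th and 6th digit, give the host octet
    static int hostOctet(String mac) {
        int[] n = lowNibbles(mac);
        return ((seed(mac) ^ n[1]) ^ n[3]) ^ n[5];
    }

    // Assigned IP = network prefix with the host octet replaced
    static String assignIp(String prefix, String mac) {
        return prefix.substring(0, prefix.lastIndexOf('.') + 1) + hostOctet(mac);
    }

    // Fig. 2: undo the three generations from the host octet and compare with the sum.
    // A true result means the <IP, MAC> pair in the ARP reply is not the assigned one.
    static boolean isPoisoned(String mac, String ip) {
        int[] n = lowNibbles(mac);
        int host = Integer.parseInt(ip.substring(ip.lastIndexOf('.') + 1));
        int recovered = ((host ^ n[5]) ^ n[3]) ^ n[1];
        return recovered != seed(mac);
    }

    public static void main(String[] args) {
        // MAC and prefix taken from Fig. 1; the last call uses a constructed forged
        // reply in which the same MAC claims another host's IP address
        String mac = "00:14:c2:c9:6b:e5";
        System.out.println(assignIp("192.168.1.0", mac));
        System.out.println(isPoisoned(mac, "192.168.1.62"));
        System.out.println(isPoisoned(mac, "192.168.1.1"));
    }
}
```

With the rule as inferred here the host octet always falls between 0 and 95, so an administrator applying DepMAC-IP on a /24 must still check the result for collisions between hosts and for reserved addresses before handing it out.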

Deleting the malicious entry from ARP cache
Now ARP poisoning is detected and it is necessary to prevent the attacker from intercepting the data. But at this time the victim's ARP cache has been poisoned. As mentioned earlier, ARP does not authenticate ARP replies, and it is very difficult to modify the ARP for Windows OS. That is why a simple technique is used to prevent data from being intercepted by the attacker. The IP and MAC addresses in malicious packets are known, and Windows provides a cmd command by which we can delete any entry from the Windows ARP cache. For example, we received a malicious ARP reply and we can delete that entry from the ARP cache using the following command in Java:

    // delete the malicious entry
    Runtime.getRuntime().exec("arp -d " + sub_ip);

where sub_ip is the IP address in the malicious ARP reply packet (on Windows Vista and later the Java process must be running with administrator rights, otherwise arp -d is refused). After detecting every malicious ARP reply, this command is quickly executed and the malicious entry is deleted from the ARP cache. This methodology is so fast that the attacker cannot intercept any data which he or she could use to launch further attacks.

Conclusion
By using the right tools, an MITM attack is possible, as ARP and other secure protocols have some vulnerability. The proposed solution is much better than the existing tools and techniques as it does not change ARP, has no hardware requirements, uses no cryptography, and has no computational cost. The proposed solution not only detects ARP poisoning-based MITM attacks but also prevents them. This methodology does not slow down the network traffic and is very easy to implement.

Read more about it

M. Ahmed and Z. M. Hazza, "A novel algorithm to prevent man in the middle attack in LAN environment," in Proc. 2010 SCS, pp. 1, 3, 5.
C. L. Abad and R. I. Bonilla, "An analysis of the schemes for detecting and preventing ARP cache poisoning attacks," in Proc. IEEE 27th Int. Conf. Distributed Computing Systems Workshops (ICDCSW), 2007, p. 1.
M. Al-Hemairy, S. Amin, and Z. Trabelsi, "Towards more sophisticated ARP spoofing detecting/prevention system in LAN networks," in Proc. 2009 IEEE, p. 2.
S. Puangpronpaitag, "An efficient and feasible solution to ARP spoof problem," in Proc. 2009 IEEE, p. 2.
Z. Trabelsi and K. Shuaib, "Man in the middle intrusion detection," in Proc. 2006 IEEE, p. 4.
W. Xing, Y. Zhao, and T. Li, "Research on the defense against ARP spoofing attacks based on Winpcap," in Proc. 2010 IEEE, p. 3.

About the authors
Faheem Fayyaz (faheem.fayyaz@hotmail.com) earned his bachelor's degree in computer science from COMSATS University Pakistan. He is currently a system support engineer at ACS. His fields of interest are enterprise-level IT management, computer networks, and Web application security.
Hamza Rasheed (skull_crusher007@hotmail.com) earned his bachelor's degree in computer science from COMSATS University Pakistan. He is currently a master's degree student at Iqra University, Islamabad, Pakistan.
