[Windump] Windump usage question

Brian Rayne raynebc at gmail.com
Sat Apr 28 10:48:59 PDT 2007


First of all, let me thank you guys for porting tcpdump to Windows.

I have been trying to get some programming exercise in and wanted to write a
program to watch for unsolicited arp replies and boot them out of the arp
table, defeating some arp cache poison attacks.  Using Windump, I can easily
just open a pipe and listen for arp requests coming from my machine, so I
can know which replies to expect.  However, the problem I have now is I
cannot determine whether an arp request is actually coming from my NIC and
not just being spoofed by another host on the network.  For example, if an
attacker knew how my program worked, they could just spoof an arp request,
my program would see it in the output and trust the next reply it gets for
that address.

I couldn't find any switch that would print out in the packet output if the
packet was inbound or outbound.  This is on a Windows machine, and maybe
it's just that on the layer that winpcap operates this cannot be achieved.
But please let me know if and how I can run Windump in this manner.  If I
have to, I can write my program to have two pipes, one connected to a
Windump instance only listening to inbound traffic, the other listening to
only outbound.  Thank you for your help.

-- 
If you look through windows you can see what people are doing. If you try to
look through a penguin it will bite you.
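A defensive sketch of the request/reply matching described in the post, as an added example (not code from the poster or from Windump/WinPcap): it parses raw Ethernet/ARP frames, records requests the local host sends, and flags replies that no recorded request explains. Since the capture has no direction flag, it assumes that a request whose Ethernet source and ARP sender MAC both equal the local NIC's MAC is outbound; the MAC and IP values are constructed, and `build_arp` only fabricates test frames.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": eth_src, "oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def build_arp(eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Constructed test frame (not a capture): Ethernet II header followed by a 28-byte ARP body."""
    eth = struct.pack("!6s6sH", b"\xff" * 6 if oper == ARP_REQUEST else tha, eth_src, ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)

class ArpWatcher:
    """Tracks ARP requests this host sent and flags replies it never asked for."""
    def __init__(self, local_mac: bytes, local_ip: bytes, timeout: float = 2.0):
        self.local_mac, self.local_ip, self.timeout = local_mac, local_ip, timeout
        self.pending = {}  # target IP -> time the outbound request was seen

    def observe(self, frame: bytes, now: float) -> str:
        arp = parse_arp(frame)
        if arp is None:
            return "ignore"
        if arp["oper"] == ARP_REQUEST:
            if arp["spa"] != self.local_ip:
                return "ignore"            # some other host's lookup
            # Assumption: Ethernet source == our NIC MAC stands in for "outbound" (spoofable).
            if arp["eth_src"] != self.local_mac or arp["sha"] != self.local_mac:
                return "spoofed-request"   # claims our IP from a different MAC
            self.pending[arp["tpa"]] = now
            return "request-sent"
        if arp["oper"] == ARP_REPLY:
            if arp["tpa"] != self.local_ip:
                return "ignore"
            sent = self.pending.pop(arp["spa"], None)
            if sent is not None and now - sent <= self.timeout:
                return "expected-reply"
            return "unsolicited-reply"     # candidate cache poison: evict this entry
        return "ignore"
```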