This thesis proposes and implements a new method for capturing network packets via the Address Resolution Protocol (ARP) in a switched network environment. Because of the time-out mechanism, an ARP entry in a host is usually deleted after a certain period. This prevents most conventional ARP-spoofing techniques from counterfeiting the Media Access Control (MAC) address in that entry, which causes packet loss and incomplete packet capture. The proposed approach uses an ARP request instead of an ARP reply: the different OP code instructs the target host to create a new entry and allows the network monitor to successfully capture the packets to and from that host. This thesis presents an analysis and implementation of the proposed method, together with experimental results and a performance comparison between the proposed method and an existing ARP-spoofing-based packet capturing software. The test results indicate a significant improvement, both in reducing the miss rate of captured network packets and in increasing the network data throughput at which the capturing application remains workable.
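Seen from the monitoring side, the request-based update described above means an ARP watcher has to track sender bindings in requests as well as replies. The following is an added example, not code from the thesis: a small offline detector that parses raw Ethernet/ARP frames and reports any change in an IP-to-MAC binding together with the OP code that carried it. The function names, addresses and sample frames are constructed for illustration.

```python
import struct

ARP_ETHERTYPE = 0x0806
OPCODES = {1: "request", 2: "reply"}

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = struct.unpack("!6s4s", frame[22:32])
    return op, sha.hex(":"), ".".join(map(str, spa))

def find_binding_conflicts(frames):
    """Learn sender IP -> MAC from requests AND replies; report every deviation."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, ip = parsed
        if ip == "0.0.0.0":  # ARP probe: carries no sender binding
            continue
        known = bindings.setdefault(ip, mac)  # first-seen binding is the baseline
        if known != mac:
            alerts.append((ip, known, mac, OPCODES.get(op, str(op))))
    return alerts

def _frame(op, sha, spa, tpa):
    """Build a constructed 42-byte broadcast ARP frame for the sample below."""
    mac = bytes.fromhex(sha.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac + ip(spa) + b"\x00" * 6 + ip(tpa)

# Constructed capture (documentation address ranges): the third frame is a
# request whose sender fields rebind the gateway IP to a different MAC.
SAMPLE = [
    _frame(1, "00:00:5e:00:53:01", "192.0.2.1", "192.0.2.10"),
    _frame(2, "00:00:5e:00:53:0a", "192.0.2.10", "192.0.2.1"),
    _frame(1, "00:00:5e:00:53:99", "192.0.2.1", "192.0.2.10"),
]

if __name__ == "__main__":
    for ip, old, new, op in find_binding_conflicts(SAMPLE):
        print(f"{ip}: {old} -> {new} (seen in ARP {op})")
```

A detector that inspects only unsolicited replies would pass this capture without an alert, because the conflicting binding arrives in a request.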