ARP0c connection interceptor

[Download source (ARP0c2.c) ]

ARP0c is an ARP redirector and bridging engine. ARP requests from various sources in a switched environment get false ARP response packets which point to the host running ARP0c.
Packets from these hosts are bridged with an internal engine to the real destination address to allow normal network operation and keep TCP connections alive.

Normal operation without interception may look like this:

+--------+         +--------+         +-------+
| HOST1  |- - - - -+ SWITCH +- - - - -| HOST2 |
+--------+         +--------+         +-------+
                        |
                        |
                   *********
                   * YOU   *   <-- this host gets no packets
                   *********

Here you sit on a switched network, just getting ARP requests and other kinds of broadcasts without seeing any interesting packet. This is what a switch is supposed to do.

When using ARP0c, ARP requests (which are normally sent to all hosts) are answered by both the real host and your ARP0c server. After the initial response, ARP0c continues to send out ARP response packets to keep the target host 'informed'. This causes most systems to discard the right answer and believe ARP0c.
Now, packets to HOST1 are sent to the Ethernet address of ARP0c. It takes care of the layer 2 forwarding (bridging) to finally deliver the packets to the right recipient, because we don't want the connection to break.

+--------+         +--------+         +-------+
| HOST1  |- - - - .+ SWITCH +. - - - -| HOST2 |
+--------+         \--------/         +-------+
                    \   |  /
                     \  | /
                   *********
                   * ARP0c *   <-- this host gets all packets
                   *********

The fact that most systems use an initially received Ethernet frame as the source for the ARP cache entry leads to one-way interceptions, where one of the communication partners already sends its frames to ARP0c and the other still uses the real Ethernet address. This is not a problem because by the time the cache expires the other direction is intercepted too, or just create a separate file to intercept the connection anyway.

ARP0c uses some more features to keep the network functional. First of all, ARP based IP availability tests (primarily used by Windoze boxes) are ignored.
The second major function is the possibility to use a next hop gateway for traffic which is not part of this IP subnet. At the moment, ARP0c does support full IP routing.
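
Seen from the defending side, the redirection described above leaves three traces in ARP traffic: two hardware addresses answering for one IP, one hardware address answering for several IPs, and replies repeated without a new request. The Python detector below is an added example, not part of ARP0c or of the original page; it works on raw 28-byte ARP payloads, skips the availability tests mentioned above (sender IP 0.0.0.0), and all addresses and the names make_arp, detect and SAMPLE are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ARP_HDR = struct.pack("!HHBB", 1, 0x0800, 6, 4)  # htype, ptype, hlen, plen
ARP_BODY = "!H6s4s6s4s"                          # op, sha, spa, tha, tpa

def make_arp(op, sha, spa, tha, tpa):  # sample-data helper; op 1=request, 2=reply
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return ARP_HDR + struct.pack(ARP_BODY, op, mac(sha), socket.inet_aton(spa),
                                 mac(tha), socket.inet_aton(tpa))

def detect(payloads):
    """Report conflicting IP bindings, MACs claiming several IPs, unrequested replies."""
    ip_macs, mac_ips = defaultdict(set), defaultdict(set)
    answered = {}                    # (asker_ip, asked_ip) -> MACs that answered
    unsolicited = defaultdict(int)   # (mac, claimed_ip) -> count
    for p in payloads:
        if len(p) < 28 or p[:6] != ARP_HDR:
            continue                 # not Ethernet/IPv4 ARP
        op, sha, spa, _, tpa = struct.unpack(ARP_BODY, p[6:28])
        mac, spa, tpa = sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
        if spa != "0.0.0.0":         # ARP probes (availability tests) bind nothing
            ip_macs[spa].add(mac)
            mac_ips[mac].add(spa)
        if op == 1:
            answered[(spa, tpa)] = set()      # a new request opens a fresh slot
        elif op == 2:
            seen = answered.get((tpa, spa))
            if seen is None or mac in seen:   # no request, or this MAC repeats itself
                unsolicited[(mac, spa)] += 1
            else:
                seen.add(mac)
    return {
        "conflicts": {ip: sorted(m) for ip, m in ip_macs.items() if len(m) > 1},
        "multi_ip_macs": {m: sorted(i) for m, i in mac_ips.items() if len(i) > 1},
        "unsolicited": dict(unsolicited),
    }

# Constructed capture: documentation IPs, locally administered MACs.
H1, H2, X = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"
SAMPLE = [
    make_arp(1, H1, "192.0.2.1", "00:00:00:00:00:00", "192.0.2.2"),  # HOST1 asks
    make_arp(2, H2, "192.0.2.2", H1, "192.0.2.1"),  # real answer
    make_arp(2, X, "192.0.2.2", H1, "192.0.2.1"),   # second, conflicting answer
    make_arp(2, X, "192.0.2.2", H1, "192.0.2.1"),   # repeated, no new request
    make_arp(2, X, "192.0.2.1", H2, "192.0.2.2"),   # HOST2 never asked
]
print(detect(SAMPLE))
```

Failover pairs and proxy ARP produce the same signals, so a hit is something to check against the known hardware addresses of the segment.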