labrea creates virtual machines for unused IP addresses in the specified block of IP addresses. LaBrea sits and listens for ARP “who-has” requests.
When an ARP request for a particular IP goes unanswered for longer than its “rate” setting (default: 3 seconds), labrea crafts an ARP reply that routes all traffic destined for the IP to a “bogus” MAC address. labrea sniffs for TCP/IP traffic sent to that MAC address and then responds to any SYN packet with a SYN/ACK packet that it creates.
labrea tries very hard to NEVER capture an IP that has a live machine sitting on it.
The following automatic mechanisms are provided:
- If labrea sees a gratuitous ARP signalling the arrival of a new machine, it marks the corresponding IP address as excluded. (“new kids on the block” logic)
- Each ARP response is noted and the corresponding IP address is marked as excluded.
- At startup, a systematic sweep is done of the entire capture subnet (as long as the subnet is not too big). All IP addresses that respond are marked as excluded.
Then there are ways of manually specifying the exclusion of certain addresses, and otherwise ensuring safe operation:
- The EXC config stmt allows specified IP addresses to be manually excluded from capture.
- The IPI config stmt causes packets with the specified IP source address(es) to be ignored.
- The -s (--switch-safe) parameter causes mirroring of ARP requests in a switched environment.
- The -X (--exclude-resolvable-ips) parameter excludes all IPs that have a corresponding DNS entry.
For this example I used the following command:
labrea -z -s -v -v -f -b -X -d -o -p 2000000 --init-file toto.conf -i eth1 -T
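The capture and exclusion decisions described above (the "rate" timeout on unanswered who-has requests, exclusion on any ARP reply or gratuitous ARP, EXC and IPI statements, and the SYN/ACK answer for captured IPs), as an added simulation that is not LaBrea's own code. The bogus MAC, the IP addresses and the event timings are constructed for the example.

```python
BOGUS_MAC = "00:00:0f:ff:ff:ff"   # constructed placeholder for the bogus MAC a reply points at
RATE = 3.0                        # LaBrea default: seconds a who-has may go unanswered


class Tarpit:
    """Simulation of LaBrea's capture/exclusion logic (added example, not the C code)."""

    def __init__(self, exclude=(), ignore_src=()):
        self.excluded = set(exclude)     # EXC statements plus hosts learned to be live
        self.ignored = set(ignore_src)   # IPI statements: packets from these sources are ignored
        self.pending = {}                # target ip -> time of first unanswered who-has
        self.captured = set()            # IPs we now answer ARP and SYNs for

    def mark_live(self, ip):
        """An ARP response, a gratuitous ARP or a startup-sweep answer proves a live host."""
        self.excluded.add(ip)
        self.pending.pop(ip, None)
        self.captured.discard(ip)        # a real machine arriving takes the IP back

    def arp(self, op, sender_ip, target_ip, t):
        """Feed one ARP frame at time t. Returns (ip, mac) for a crafted reply, else None."""
        if op == "reply" or sender_ip == target_ip:      # is-at, or gratuitous who-has
            self.mark_live(sender_ip)
            return None
        if target_ip in self.excluded:
            return None
        if target_ip in self.captured:
            return (target_ip, BOGUS_MAC)
        first = self.pending.setdefault(target_ip, t)   # remember the first unanswered request
        if t - first > RATE:                            # still unanswered after "rate" seconds
            del self.pending[target_ip]
            self.captured.add(target_ip)
            return (target_ip, BOGUS_MAC)
        return None

    def tcp(self, src_ip, dst_ip, flags):
        """Feed one TCP segment; a SYN to a captured IP is answered with a SYN/ACK."""
        if src_ip in self.ignored or dst_ip not in self.captured:
            return None
        return "SYN/ACK" if flags == "SYN" else None
```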