Thanks for being a part of WWDC25!

How did we do? We’d love to know your thoughts on this year’s conference. Take the survey here

OSX and ARP spoofing

App & System Services Networking
RichColey
RichColey OP
Created Feb ’25
Replies 2
Boosts 0
Views 418
Participants 2

Here's a simple program that spoofs an ARP reply for a given IP address. If I spin up two terminal sessions on the same machine.

Run this code in one window

% ./spoof en0 192.168.1.7 Listening on en0 for ARP requests to 192.168.1.7 Spoofing MAC: 00:0c:87:47:50:27

And in the second window cause the OS to issue an ARP_REQ % ping 192.168.1.7

You will see the program respond to the ARP request. (Wireshark will see the ARP_REQ and ARP_REPLY packets) however my arp table isn't updated with the MAC for the IP address. There is no firewall active.

% arp -a|grep 192.168.1.7 (192.168.1.7) at (incomplete) on en0 ifscope [ethernet]

This is running on a MacBook pro M3 (OSX 15.4).

HOWEVER, on a MacBook pro M4 (OSX 15.2) is does Work !!!!!

Can anyone explain why its not working?

spoof.txt
Replies  2
Boosts  0
Views  418
Participants  2
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Feb ’25
Can anyone explain why its not working?

I don’t have a definitive answer for you here, but there are two common causes of problems like this:

  • There’s ongoing tension as to whether Ethernet-like drivers should allow you to change the local MAC address.

  • Wi-Fi STAs [1] typically supports a single MAC address, meaning that higher-level tools, like the Virtualization framework, have to implement the ‘fun’ that is MAC-NAT [2].

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Using the terms from Wi-Fi Fundamentals.

[2] Which is not well covered by our documentation (r. 127734903).

0
RichColey
RichColey OP
Feb ’25

Hi,

Thanks for the response.

The code isn't trying to actually change any MAC address, its issuing a valid ARP response..

It doesn't really explain why it worked on the M4 either of course. Undeterministic behaviour feels like a bug to me...

When you talk to virtualisation frameworks are you eluding to tools like Fusion or VirtualBox that essentially provide network bridging? I'll go read the referenced 127734903.

0
OSX and ARP spoofing
First post date Last post date
 
 
Q