I read http://www.ethicalhacker.net/content/view/66/24/ article and wanted to experiment with this as a recognized that i might have a lack in understanding the osi layer concept.
Experiment: Arppoison my machine and redirect it to a simple testpage.
I used arpspoof for the arppoisoning, enabled ip forwarding and everything worked, as traceroute, ping, arp -a and wireshark told me.
Because i didn't want to sniff, i disabled ip_forwarding on the attackers vm.
Now the questions:
With ip forwarding the ethernet frame, with the ip packet containing the icmp message, was send to the attacker and than redirected/forwarded to the gateway. Wireshark also gave a message, like ICMP redirect, between the two machines.
Without ip forwarding, the ethernet frame arrives the attacker, but as the ip packet is not for him, he doesn't answer and the victim gets an icmp unreachable.
Same with DNS, HTTP and other traffic going over the gateway.
First question: Why doesn't wireshark recognize, that a ethernet frame was send to the attacker (does it only show layer3+ protocols)?
Second question: The ethernet frames are arriving the attacker, so if he wanted to stay unrecognized or redirect the victim to his own site/server he would write a program which reads the ip-packages and redirect them to himself plus he would ip-spoof the answer remaining the victim unaware.
E.g.: An ICMP is send from the victim to the gateway. The ethernet frame arrives at the attacker, the attacker reads the ip packet of the frame, recognizes that it's an ICMP and answers?
Which means with a bit if iptables NAT, ip forwarding and maybe a bit of extra coding it would be able not to only sniff, but "to become the gateway" without actually being the gateway, or am I totally wrong?
So if one uses a more quiet route of arp poisoning, like arp tabling or something else, it would be hard to detect intrusion of a MITM.
How would you protect your network from that?