Compartir a través de


ARP invalid entry on Vista

On windows XP, it is easy to add one ARP entry, as well as on Vista, however, it is not easy to remove the existed ARP entry on Vista.

Try the following steps on Vista:

arp -d [Dynamic ARP entry]
arp -av

You will find a entry which is marked as "Invalid".

How to remove it now? It is not possible on Vista. Why? Because there is one magic structure _IP_NEIGHBOUR to manage the ReferenceCount of one ARP entry. There is no such a thing like that in XP, but in Vista, the ReferenceCount is very important, if we intend to delete one ARP entry, we must make sure this count is 1, so now we can remove it. If the ReferenceCount is not 1, even we perform the command "arp -d", it only mark it as Invalid but do not delete it. It will be waiting for other resources release this handle and decrease the ReferenceCount to 1.

Think about the following extreme situation.

1. One problematic computer (culprit01) got a ARP virus, it always sends the fake ARP packet in your local network (same subnet)
2. Your Vista got the ARP packet and build the ARP entry dynamically (from the kernel-mode NDIS driver)
3. Then you find it in your client PC, intend to remove this entry, but failed, then you try to set one new entry, but still failed...

What will you do now?

I do not know.

Here I have several ideas but none of them is the best:

1. Write one kernel-mode driver, once got the delete device control, decrease the ReferenceCount directly
2. Write one kernel-mode driver, prevent to receive the fake ARP packet (maybe difficult to judge it)
3. Setup the Switch or Router in the network, use IP-MAC binding technology

Will try to implement the first one and get back to this post later. 

Well, actually there is an alternate method to change the ARP - NETSH

Netsh interface ip delete arpcache
Netsh -c "interface ipv4" add neighbors IDX_NUMBER "IP_ADDRESS" "MAC_ADDRESS"

Comments