Q: What is APR ?

A: APR (ARP Poison Routing) is a feature of the program. It enables sniffing on switched networks hijacking IP traffic of multiple hosts in the same broadcast domain. APR uses ARP Poisoning technique to achieve this goal, so you can't use this feature to redirect traffic between hosts on different subnets or VLANs. You can find more information about this feature here.

Q: What does the APR state Broadcasting means ?

A: That state means that APR  received a packet from a host that reside on a different network and directed to an IP address of your broadcast domain. That packet must be routed by APR but the correct MAC destination address is not present in the host list. In this situation APR will broadcast that packet to all hosts in your LAN.

Q: What does the APR state Half-Routing means ?

A: That state means that APR is routing the traffic correctly but only in one direction (ex: Client->Server or Server->Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer looses all packets of an entire direction so it cannot grab authentications that uses a challenge-response mechanism.

Q: What does the APR state Full-Routing means ?

A: That state means that the IP traffic between two hosts has been completely hijacked and APR is working in FULL-DUPLEX. (ex: Server<->Client). The sniffer will grab authentication informations accordingly to the sniffer filters set.

Q: Can I spoof my identity while using APR ?

A: Yes, your IP and MAC addresses can be spoofed and never sent on the network. You can set this option using the configuration dialog under the APR tab.

Q: When IP and MAC spoofing can be used ?

A: For IP and MAC spoofing you have to choose addresses that are not already present on the network. By default Cain uses the spoofed MAC "001122334455" for two reasons: first that address can be easily identified for troubleshooting and second it is not supposed to exist in your network.


IMPORTANT !  You cannot have on the same Layer-2 network two or more Cain machines using APR's MAC spoofing and the same Spoofed MAC address.


Please note that there is another limitation for the MAC spoofing. Network switches can be configured to use a feature called "Port Security"; this instructs the switch to accept on a particular port only Ethernet frames coming from specified MAC addresses. If your real MAC address is the only one allowed on that port you cannot use APR's MAC spoofing. However the "Port Security" feature does not prevent ARP Poisoning attacks so you can still use APR with your real MAC address.

Q: Why the spoofing MAC address in the configuration dialog cannot be changed ?

A: In the same broadcast domain you can have two IP address that share the same MAC address. On the contrary the presence of two identical MAC addresses on the same Layer-2 LAN  can cause switches convergence problems. For this reason I decided to not let you easily set the spoofing MAC of your choice from the configuration dialog. However it is possible to change the spoofing MAC address in the registry modifying the value "SpoofMAC" at this location: "HKEY_CURRENT_USER\Software\Cain\Settings".

Q: I used APR last week and it worked correctly but today there are problems on the network, why ?

A: If your network uses DHCP the information in the Hosts and APR lists may be changed. In this case APR re-routes packets to the wrong destination. The IP-MAC associations contained in these lists MUST reflect the current situation of the network so you have to scan for MAC addresses another time. To do so, simply remove all associations in the "Hosts" and "APR" lists and restart configuring them.

Q: There are two lists in the APR tab, why ?

A: The upper list shows the traffic between poisoned hosts. The packet counters reflect the number of IP packets re-routed from HostA and HostB for example. The bottom list is used for WAN traffic. If HostA or HostB is a router, APR must also manage packets coming from or directed to other networks outside your LAN. This list automatically filled on IP address basis.