networking · beginner · ~10 min · safe pentest lab

Classify an ARP frame

Read a fixed-offset big-endian field with bounds checks.

Challenge

Your job

#include <stdint.h>
#include <stddef.h>
int arp_opcode(const uint8_t *frame, size_t n);

The ARP opcode is a big-endian 16-bit value at byte offset 6. Return 1 (request) or 2 (reply); return -1 for NULL, n < 8, or any other opcode.

Hints

op = (frame[6]<<8) | frame[7].
Only 1 and 2 are valid here.

Why this matters

ARP request vs reply is the first thing an ARP-spoofing detector classifies. The opcode is two bytes at a fixed offset.

Starter code

#include <stdint.h>
#include <stddef.h>
int arp_opcode(const uint8_t *frame, size_t n) {
    /* TODO */
    (void)frame; (void)n;
    return -1;
}

Common mistakes

Reading the wrong offset. Forgetting the n>=8 bound.

Edge cases to handle

Unknown opcode. Short buffer. NULL.

Complexity

O(1).

Background lessons

Detecting port scans — flags and fan-out

Up next

Classify a TCP scan from its flag byte

Solve this exercise in the browser editor — compile and run against the test harness, no setup required.