Pseudocode: Acting on the Main Data Structure

Scanning involves sending ARP who-has packets, receiving replies, and analyzing the received packets. A parent process will assemble the packet asking for the target IP address holder to reply with its MAC address. The parent process forks a child to receive replies, sends five packets, and then sleeps for 500 msecs. The child process receives packets and forks a child to handle each one. These grandchild processes compare the sender's MAC to the authorized MAC for the IP in ips_and_macs. On a mismatch, an alert is triggered.

// assemble packets of type arphdr
declare packet of type arphdr;
packet->ar_hrd = ARPHRD_ETHER; // 1
packet->ar_pro = ETHERTYPE_IP; //0x0800, per RFC 894
packet->ar_hln = 6 // IEEE 802.3 and IEEE 802.5 have 6-byte addresses
packet->ar_pln = 4;
packet->ar_op = ARPOP_REQUEST; // 1
packet->__ar_sha = local_ethernet_addr;
packet->__ar_sip = local_ip_addr;
packet->__ar_tha = ethernet_broadcast; // dest MAC address unknown
packet->__ar_tip = target_ip_addr; // queried addr from ips_and_macs

fork child process which
      Receive packets;
      When packet received, fork child process which
         if packet->__ar_tha = local_ethernet_address AND
          packet->ar_op = ARPOP_RESPONSE AND
          packet->__ar_sip = target_ip_address
             if packet->__ar_sha <> target_ethernet_addr
                send alert;
                destroy packet;
             destroy packet;
// Does not exit; runs until killed by parent process

repeat 5 times:
   send packet;

sleep for .5 seconds; // plenty of time for child to get all replies
kill child;