Arping

From OnnoWiki
Jump to navigation Jump to search

Arping is a computer software tool for discovering and probing hosts on a computer network. Arping probes hosts on the attached network link by sending Link Layer frames using the Address Resolution Protocol (ARP) request method addressed to a host identified by its MAC address of the network interface.[1] The utility program may use ARP to resolve an IP address provided by the user.

The function of arping is analogous to the utility ping for probing the network with the Internet Control Message Protocol (ICMP) at the Internet Layer of the Internet Protocol Suite.

Two popular arping implementations exist. One is part of Linux iputils suite,[2] and cannot resolve MAC addresses to IP addresses. The other arping implementation, written by Thomas Habets,[3] can ping hosts by MAC address as well as by IP address, and adds more features. Having both arping implementations on a system may introduce conflicts. Ubuntu, for example, handles this by removing iputils arping if Habets's arping is installed (NetworkManager will also be removed, because it requires the iputils arping).

In networks employing repeaters that implement proxy ARP, the ARP response may originate from such proxy hosts and not directly from the probed target.


B.2. arping

An almost unknown command (mostly because it is not frequently necessary), the arping utility performs an action similar to ping, but at the Ethernet layer. Where ping tests the reachability of an IP address, arping reports the reachability and round-trip time of an IP address hosted on the local network.

There are several modes of operation for this utility. Under normal operation, arping displays the Ethernet and IP address of the target as well as the time elapsed between the arp request and the arp reply.

Example B.4. Displaying reachability of an IP on the local Ethernet with arping

[root@masq-gw]# arping -I eth0 -c 2 192.168.100.17
ARPING 192.168.100.17 from 192.168.100.254 eth0
Unicast reply from 192.168.100.17 [00:80:C8:E8:4B:8E]  8.419ms
Unicast reply from 192.168.100.17 [00:80:C8:E8:4B:8E]  2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)
       


Other options to the arping utility include the ability to send a broadcast arp using the -U option and the ability to send a gratuitous reply using the -A option. A kernel with support for non-local bind can be used with arping for the nefarious purpose of wreaking havoc on an otherwise properly configured Ethernet. By performing gratuitous arp and broadcasting incorrect arp information, arp tables in poorly designed IP stacks can become quite confused.

arping can detect if an IP address is currently in use on an Ethernet. Called duplicate address detection, this use of arping is increasingly common in networking scripts.

For a practical example, let's assume a laptop named dietrich is normally connected to a home network with the same IP address as tristan of our main office network. In the boot scripts, dietrich might make good use of arping by testing reachability of the IP it wants to use before bringing up the IP layer.

Example B.5. Duplicate Address Detection with arping

[root@dietrich]# arping -D -q -I eth0 -c 2 192.168.99.35
[root@dietrich]# echo $?
1
[root@dietrich]# arping -D -q -I eth0 -c 2 192.168.99.36
[root@dietrich]# echo $?
0
       


First, dietrich tests reachability of its preferred IP (192.168.99.35). Because the IP address is in use by tristan, dietrich receives a response. Any response by a device on the Ethernet indicating that an IP address is in use will cause the arping command to exit with a non-zero exit code (specifically, exit code 1).

Note, that the Ethernet device must already be in an UP state (see Section B.3, “ip link”). If the Ethernet device has not been brought up, the arping utility will exit with a non-zero exit code (specifically, exit code 2).




Yes, it's called "Unsolicited ARP" or "Gratuitous ARP". Check the manpage for arping for more details, but the syntax looks something like this:

arping -U 192.168.1.101

If you're spoofing an address, you may need to run this first:

echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind

Finally, because of its spoofing ability, sending Unsolicited ARP packets is sometimes considered a "hostile" activity, and may be ignored, or might lead to being blocked by some third-party firewalls.

Maybe i am wrong, but how about "arping" ?

In my box it works ok:

root@box:~# arping -i eth1 00:E0:29:XX:YY:ZZ
ARPING 00:E0:29:XX:YY:ZZ
60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=0 time=47.922 usec
60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=1 time=44.823 usec
60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=2 time=84.877 usec


Cara Lain

set up a tcpdump with "ether host aa:bb:cc:dd:ee:ff" option


It's easier to ping the subnet's broadcast address with "ping -b" then ^C and then look at "arp -a" Rather than ^C it, just do 'ping -b -c1 192.168.1.0', but replace the IP with that of your network