Difference between revisions of "Arping"
Onnowpurbo (talk | contribs)
Line 62: | Line 62: | ||
60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=1 time=44.823 usec | 60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=1 time=44.823 usec | ||
60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=2 time=84.877 usec | 60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=2 time=84.877 usec | ||
+ | |||
+ | |||
+ | |||
+ | ==Cara Lain== | ||
+ | |||
+ | set up a tcpdump with "ether host aa:bb:cc:dd:ee:ff" option | ||
+ | |||
+ | |||
+ | It's easier to ping the subnet's broadcast address with "ping -b" then ^C and then look at "arp -a" | ||
+ | Rather than ^C it, just do 'ping -b -c1 192.168.1.0', but replace the IP with that of your network |
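Review bot: The two "ping -b" lines at the end of the added section only populate the ARP cache with hosts that answer broadcast echo requests, so "arp -a" can miss the machine being looked for; Linux hosts ignore broadcast pings by default (icmp_echo_ignore_broadcasts). Say so in the text and point readers to the arping method shown just above for hosts that stay silent. The example address 192.168.1.0 is also the network address of a /24 rather than its broadcast address (192.168.1.255), which does not match the wording "subnet's broadcast address" on the previous line. The section would also benefit from one sentence stating its goal, which the added lines never mention.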
Revision as of 05:36, 30 March 2017
B.2. arping
An almost unknown command (mostly because it is not frequently necessary), the arping utility performs an action similar to ping, but at the Ethernet layer. Where ping tests the reachability of an IP address, arping reports the reachability and round-trip time of an IP address hosted on the local network.
There are several modes of operation for this utility. Under normal operation, arping displays the Ethernet and IP address of the target as well as the time elapsed between the arp request and the arp reply.
Example B.4. Displaying reachability of an IP on the local Ethernet with arping
[root@masq-gw]# arping -I eth0 -c 2 192.168.100.17
ARPING 192.168.100.17 from 192.168.100.254 eth0
Unicast reply from 192.168.100.17 [00:80:C8:E8:4B:8E] 8.419ms
Unicast reply from 192.168.100.17 [00:80:C8:E8:4B:8E] 2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)
Other options to the arping utility include the ability to send a broadcast arp using the -U option and the ability to send a gratuitous reply using the -A option. A kernel with support for non-local bind can be used with arping for the nefarious purpose of wreaking havoc on an otherwise properly configured Ethernet. By performing gratuitous arp and broadcasting incorrect arp information, arp tables in poorly designed IP stacks can become quite confused.
arping can detect if an IP address is currently in use on an Ethernet. Called duplicate address detection, this use of arping is increasingly common in networking scripts.
For a practical example, let's assume a laptop named dietrich is normally connected to a home network with the same IP address as tristan of our main office network. In the boot scripts, dietrich might make good use of arping by testing reachability of the IP it wants to use before bringing up the IP layer.
Example B.5. Duplicate Address Detection with arping
[root@dietrich]# arping -D -q -I eth0 -c 2 192.168.99.35
[root@dietrich]# echo $?
1
[root@dietrich]# arping -D -q -I eth0 -c 2 192.168.99.36
[root@dietrich]# echo $?
0
First, dietrich tests reachability of its preferred IP (192.168.99.35). Because the IP address is in use by tristan, dietrich receives a response. Any response by a device on the Ethernet indicating that an IP address is in use will cause the arping command to exit with a non-zero exit code (specifically, exit code 1).
Note that the Ethernet device must already be in an UP state (see Section B.3, “ip link”). If the Ethernet device has not been brought up, the arping utility will exit with a non-zero exit code (specifically, exit code 2).
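The boot-script check described above, written out as an added example (not code from the original page or from the arping project): it maps the arping -D exit codes given in the text (0 no reply, 1 address in use, 2 device not UP) to a decision and picks the first free candidate address. The ARPING variable, the function names dad_status and pick_address, and the file name dad.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example: duplicate address detection before configuring an address.
# Exit codes of "arping -D" as described in the text:
#   0 = no reply (address free), 1 = reply seen (in use), 2 = device not UP.
# ARPING is an assumption of this example: it lets the command be swapped out.
ARPING="${ARPING:-arping}"

# dad_status IFACE IP: print free | in-use | link-down | error
dad_status() {
    rc=0
    "$ARPING" -D -q -I "$1" -c 2 "$2" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo free ;;
        1) echo in-use ;;
        2) echo link-down ;;
        *) echo error ;;      # e.g. arping missing or not permitted
    esac
}

# pick_address IFACE IP...: print the first candidate nobody answers for.
# Returns 0 with the address on stdout, 1 if every candidate is taken,
# 2 if the probe could not run (link down or arping failure).
pick_address() {
    iface=$1; shift
    for ip in "$@"; do
        case $(dad_status "$iface" "$ip") in
            free)   echo "$ip"; return 0 ;;
            in-use) echo "dad: $ip already in use on $iface" >&2 ;;
            *)      echo "dad: cannot probe on $iface (is the link UP?)" >&2
                    return 2 ;;
        esac
    done
    return 1
}

# Usage from a boot script: sh dad.sh eth0 192.168.99.35 192.168.99.36
if [ "$#" -ge 2 ]; then
    addr=$(pick_address "$@") || exit $?
    echo "configure $1 with $addr"
fi
```

Treating any probe failure as a reason to stop, rather than as "address free", keeps a downed link from being mistaken for an unused address.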
Yes, it's called "Unsolicited ARP" or "Gratuitous ARP". Check the manpage for arping for more details, but the syntax looks something like this:
arping -U 192.168.1.101
If you're spoofing an address, you may need to run this first:
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
Finally, because of its spoofing ability, sending Unsolicited ARP packets is sometimes considered a "hostile" activity, and may be ignored, or might lead to being blocked by some third-party firewalls.
Maybe I am wrong, but how about "arping"?
In my box it works ok:
root@box:~# arping -i eth1 00:E0:29:XX:YY:ZZ
ARPING 00:E0:29:XX:YY:ZZ
60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=0 time=47.922 usec
60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=1 time=44.823 usec
60 bytes from 192.168.0.AAA (00:e0:29:XX:YY:ZZ): icmp_seq=2 time=84.877 usec
Another Way
Set up a tcpdump with the "ether host aa:bb:cc:dd:ee:ff" option.
It's easier to ping the subnet's broadcast address with "ping -b", then ^C, and then look at "arp -a".
Rather than ^C it, just do 'ping -b -c1 192.168.1.0', but replace the IP with that of your network.