Difference between revisions of "arp notes"

From Noah.org
Latest revision as of 20:38, 18 June 2011


disable ARP

Turning off ARP is useful for debugging and packet sniffing. This helps ensure that your own machine does not add ARP traffic.

You can turn ARP off and on using `ifconfig`. This works on a running interface:

ifconfig eth0 -arp
ifconfig eth0 arp

ARP can also be disabled via `sysctl`.

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

You can permanently set this by editing /etc/sysctl.conf:

net.ipv4.conf.eth0.arp_ignore = 1

ping sweep

When you ping a machine, some ARP traffic is generated in addition to the ICMP traffic. Linux caches this information for a short period of time, during which you can inspect the cached ARP table for useful information (mostly the MAC address of the machine you pinged).

The following is a fast, trivial scanner that shows machines in a given subnet range. It runs the pings in parallel and then waits for all of them to finish. Once the responses are in, it prints a report of the IP addresses and the MAC address of each machine that responded to a ping.

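#!/bin/sh

# First three octets of the subnet to sweep.
SUBNET="192.168.0"
# Set VERBOSE to any non-empty value to echo each address that answers.
unset VERBOSE

fourth_octet=1
while [ "$fourth_octet" -lt 255 ]; do
        # Note that this if statement is run in the background.
        if ping -c 1 -q "${SUBNET}.${fourth_octet}" >/dev/null 2>&1; then
                if [ -n "${VERBOSE}" ]; then
                        echo "${SUBNET}.${fourth_octet}"
                fi
        fi &
        fourth_octet=$((fourth_octet + 1))
done
# Wait for all the `ping` processes to finish.
wait
# Give the kernel a moment to finish updating the ARP cache.
sleep 1
# Print the ARP table, skipping incomplete entries (all-zero MAC address).
grep -v 00:00:00:00:00:00 /proc/net/arp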
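
The final `grep` prints the raw ARP table. The following added example (not part of the original notes) goes one step further: it parses the `/proc/net/arp` layout into `ip mac device` lines for the swept subnet and lists any MAC address that answers for more than one IP. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize an ARP table in /proc/net/arp format.

# Constructed sample in the /proc/net/arp layout (not captured from a real host).
sample_arp_table() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.0.7      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.0.23     0x1         0x2         00:11:22:33:44:66     *        eth0
192.168.0.42     0x1         0x6         00:11:22:33:44:55     *        eth0
10.0.0.5         0x1         0x2         00:11:22:33:44:77     *        eth1
EOF
}

# arp_report SUBNET [FILE]
# Print "ip mac device" for every resolved entry whose address starts with
# SUBNET (first three octets). FILE defaults to /proc/net/arp; "-" reads stdin.
arp_report() {
    subnet=$1
    awk -v subnet="$subnet" '
        NR == 1 { next }                      # skip the column header
        index($1, subnet ".") != 1 { next }   # keep only the swept subnet
        $4 == "00:00:00:00:00:00" { next }    # incomplete entry: no reply seen
        { print $1, $4, $6 }
    ' "${2:-/proc/net/arp}"
}

# arp_shared_macs SUBNET [FILE]
# Print "mac ip1,ip2,..." for each MAC address seen for more than one IP,
# e.g. one host with several addresses or a device doing proxy ARP.
arp_shared_macs() {
    arp_report "$@" | awk '
        { n[$2]++; ips[$2] = (ips[$2] == "" ? $1 : ips[$2] "," $1) }
        END { for (m in n) if (n[m] > 1) print m, ips[m] }
    ' | sort
}

# Demonstration on the constructed sample; on a live host, run
# "arp_report 192.168.0" after the sweep to read /proc/net/arp instead.
sample_arp_table | arp_report 192.168.0 -
sample_arp_table | arp_shared_macs 192.168.0 -
```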