arp notes

From Noah.org
Revision as of 19:38, 18 June 2011 by Root



disable ARP

Turning off ARP is useful for debugging and packet sniffing. It helps ensure that your own machine does not add ARP traffic.

You can turn ARP off and on using `ifconfig`. This works on a running interface:

ifconfig eth0 -arp
ifconfig eth0 arp

ARP can also be disabled via `sysctl`.

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

You can make this setting permanent by adding the following line to /etc/sysctl.conf:

net.ipv4.conf.eth0.arp_ignore = 1

ping sweep

When you ping a machine, some ARP traffic is generated in addition to the ICMP traffic. Linux caches this information for a short period of time, during which you can inspect the cached ARP table for useful information (mostly the MAC address of the machine you pinged).

The following is a fast, trivial scanner that shows the machines in a given subnet range. It runs the pings in parallel and then waits for all of them to finish. Once the responses are in, it prints a report of the IP address and MAC address of each machine that responded to a ping.

#!/bin/sh

SUBNET="192.168.0"
unset VERBOSE

fourth_octet=1
while [ $fourth_octet -lt 255 ]; do
        # Note that this if statement is run in the background.
        if ping -c 1 -q "$SUBNET.$fourth_octet" >/dev/null 2>&1; then
                if [ -n "${VERBOSE}" ]; then
                        echo "${SUBNET}.${fourth_octet}"
                fi
        fi &
        fourth_octet=$(($fourth_octet + 1))
done
# Wait for all the `ping` processes to finish.
wait
sleep 1
grep -v 00:00:00:00:00:00 /proc/net/arp
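
The final `grep` step of the script above, expanded into a report as an added example that is not part of the original page: it parses text in the `/proc/net/arp` format, drops incomplete entries, sorts by address, and lists MACs cached for more than one IP. The function names and the sample table are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: turn ARP-cache text (/proc/net/arp format) into a sorted report.

# Constructed sample table; the addresses and MACs are made up for illustration.
sample_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.10     0x1         0x2         02:00:00:aa:bb:10     *        eth0
192.168.0.7      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.0.1      0x1         0x2         02:00:00:aa:bb:01     *        eth0
192.168.0.2      0x1         0x2         02:00:00:aa:bb:10     *        eth0
EOF
}

# arp_report: read the table on stdin, print "IP MAC DEVICE" per resolved entry.
# Skips the header and incomplete entries (Flags 0x0, all-zero MAC), then sorts
# the addresses octet by octet so 192.168.0.10 comes after 192.168.0.2.
arp_report() {
    awk 'NR > 1 && $3 != "0x0" && $4 != "00:00:00:00:00:00" { print $1, $4, $6 }' |
        LC_ALL=C sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# shared_macs: read the table on stdin, print each MAC that is cached for more
# than one IP address, followed by those addresses (multi-address host, proxy ARP).
shared_macs() {
    arp_report | awk '
        { count[$2]++; ips[$2] = ips[$2] " " $1 }
        END { for (mac in count) if (count[mac] > 1) print mac ips[mac] }' |
        LC_ALL=C sort
}

# Demonstration on the constructed sample.
sample_table | arp_report
sample_table | shared_macs
```

On a live host, run the sweep first and then `arp_report < /proc/net/arp`.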