arp notes
disable ARP
Turning off ARP is useful for debugging and packet sniffing. It helps ensure that your own machine does not add ARP traffic.
You can turn ARP off and on using `ifconfig`. This works on a running interface:
ifconfig eth0 -arp
ifconfig eth0 arp
ARP can also be disabled via `sysctl`.
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
You can permanently set this by editing /etc/sysctl.conf:
net.ipv4.conf.eth0.arp_ignore = 1
ping sweep
When you ping a machine, some ARP traffic is generated in addition to ICMP. Linux caches this information for a short period of time, during which you can inspect the cached ARP table for useful information (mostly the MAC address of the machine you pinged).
The following is a fast, trivial scanner that shows machines in a given subnet range. This runs the pings in parallel and then waits for the results of all the pings. Once the responses are found it will print a report of all the IP addresses and the MAC address of the machine that responded to a given ping.
#!/bin/sh

SUBNET="192.168.0"
unset VERBOSE

fourth_octet=1
while [ "$fourth_octet" -lt 255 ]; do
    # Note that this if statement is run in the background.
    if ping -c 1 -q "$SUBNET.$fourth_octet" 2>/dev/null >/dev/null; then
        if [ -n "${VERBOSE}" ]; then
            echo "${SUBNET}.${fourth_octet}"
        fi
    fi &
    fourth_octet=$((fourth_octet + 1))
done

# Wait for all the `ping` processes to finish.
wait
sleep 1
# Print the ARP table, leaving out unresolved (all-zero MAC) entries.
grep -v 00:00:00:00:00:00 /proc/net/arp
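The report step above prints raw `/proc/net/arp` lines. The following added example (not part of the original notes) parses that table into an IP/MAC/interface inventory and lists any MAC address that answered for more than one IP, which is worth a second look when auditing a subnet. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example. sample_arp prints a constructed table in /proc/net/arp
# format (not captured from a real host) so the functions can be run offline.
sample_arp() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         02:00:00:aa:bb:01     *        eth0
192.168.0.7      0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.0.12     0x1         0x2         02:00:00:aa:bb:0c     *        eth0
192.168.0.30     0x1         0x2         02:00:00:aa:bb:0c     *        eth0
EOF
}

# arp_report: read an ARP table on stdin and print "ip mac device" for every
# resolved entry. The header line and unresolved entries (all-zero MAC, left
# behind by pings that got no ARP reply) are skipped.
arp_report() {
    awk 'NR > 1 && $4 != "00:00:00:00:00:00" { print $1, tolower($4), $6 }'
}

# arp_shared_macs: read an ARP table on stdin and print "mac ip1,ip2,..." for
# each MAC that is cached for more than one IP. This can be a multi-homed
# host or proxy ARP, but it is also what a poisoned ARP cache looks like.
arp_shared_macs() {
    arp_report | awk '
        {
            if ($2 in ips) ips[$2] = ips[$2] "," $1
            else           ips[$2] = $1
            count[$2]++
        }
        END { for (mac in count) if (count[mac] > 1) print mac, ips[mac] }
    ' | sort
}

# Demonstration on the constructed sample.
echo "Resolved hosts:"
sample_arp | arp_report
echo "MACs seen on more than one IP:"
sample_arp | arp_shared_macs
```

After a sweep on a live machine, feed the functions the real table instead: `arp_report < /proc/net/arp` and `arp_shared_macs < /proc/net/arp`.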