Introduction to ARP tools: arptables and arpwatch

Source: Internet
Author: User

I. Introduction to ARP
When a host needs to send data to a destination IP address, the device driver cannot work with that IP address directly: the system must first resolve the IP address to a network (hardware) address and then hand the frame to the device driver for sending. ARP (Address Resolution Protocol) is the network protocol that maps higher-level protocol addresses (IP addresses) to physical network addresses.
The Linux kernel keeps an ARP table that records the correspondence between IP addresses and MAC addresses. The arp command displays the host's ARP table:

# arp -a
M1 (192.168.0.1) at 00:E0:4C:FF:D7:31 [ether] on eth0

II. ARP tools
1. arptables
A) Introduction to arptables
arptables is a user-space tool for managing the ARP rule table in the Linux kernel, which inspects ARP frames. arptables resembles iptables but is much simpler: iptables works at the IP layer and manages IP packets, while arptables works at the ARP protocol layer and manages ARP frames. Like iptables, arptables lets you set rules for ARP frames, with targets such as ACCEPT and DROP.

B) Installation of arptables
In Turbolinux 10.5 and 11, the arptables command is already included.
You can also install it from source:

# wget -c http://jaist.dl.sourceforge.net/sourceforge/ebtables/arptables-v0.0.3-3.tar.gz
# tar zxvf arptables-v0.0.3-3.tar.gz
# cd arptables-v0.0.3-3
# make
# make install
C) Syntax of the arptables command
arptables [-t table] -[AD] chain rule-specification [options]
arptables [-t table] -[RI] chain rulenum rule-specification [options]
arptables [-t table] -D chain rulenum [options]
arptables [-t table] -[LFZ] [chain] [options]
arptables [-t table] -[NX] chain
arptables [-t table] -E old-chain-name new-chain-name
arptables [-t table] -P chain target [options]
<Chain>
The kernel table is divided into sets of rules according to function; each set of rules is called a "chain". A chain is an ordered list of rules that ARP frames are matched against. If a rule matches an ARP frame, an "action description" specifies what is to be done with it; this action description is called the "target". If the frame does not match the current rule in the chain, it is checked against the next rule in the chain. Users can create new chains and use them as the target of a rule.

<Target>
The part of a firewall rule that describes what is to be done with a matching ARP frame is called the "target". When a frame matches a rule, the kernel acts according to the definition of the target, which can be ACCEPT, DROP, CONTINUE, RETURN, an extension target or a user-defined chain. ACCEPT lets the frame through. DROP discards the frame. CONTINUE lets the frame continue with the next rule, which is convenient for counting the frames that pass a given rule. RETURN stops matching in the current chain and resumes at the next rule of the chain that jumped to it.

<Table>
There is only one ARP table in the kernel, the filter table; it is selected with the -t option of the arptables command. The -t option must be the first option on the arptables command line.
-t, --table
The filter table is the only table in the kernel. It contains two (2.4.x kernels) or three (2.6.x kernels) built-in chains: INPUT (for frames received by the local host), OUTPUT (for locally generated frames) and FORWARD (for frames forwarded by the bridge code). 2.4.x kernels have no FORWARD chain.

arptables command parameters
The command line options fall into several groups: commands, miscellaneous options, rule specification, match extensions and target extensions.

<Commands>
The command options specify the action to perform on the table selected with -t. If no table is given with -t, the command applies to the default filter table. Only one command may be used per command line, except that -Z can be combined with -L.
-A, --append
Append a rule to the end of the specified chain.
-D, --delete
Delete a rule from the specified chain. There are two ways to use this command:
1. Specify the number of the rule to delete, in the form start_nr[:end_nr]; the numbers can be negative.
2. Specify the rule itself.
-I, --insert
Insert a rule into the specified chain at the given rule number. If the chain currently contains N rules, the rule number can be from -N to N+1. Rule number 0 inserts the new rule after the last rule, which is equivalent to -A.
-R, --replace
Replace a rule in the specified chain. If the chain currently contains N rules, the rule number can be from 1 to N.
-P, --policy
Set the policy of the chain to the given target, which can be ACCEPT, DROP or RETURN.
-F, --flush
Flush the specified chain. If no chain is specified, all chains are flushed. Flushing a chain does not change its policy.
-Z, --zero
Reset the counters of the specified chain to zero. If no chain is specified, all counters are reset. -Z can be combined with -L: when -Z and -L are used together, the counter values are printed first and then reset to zero.
-L, --list
List the rules in the specified chain. If no chain is specified, the rules of all chains are listed.
-N, --new-chain
Create a new user-defined chain. There is no limit on the number of user-defined chains, but a chain name may contain at most 31 characters.
-X, --delete-chain
Delete the specified user-defined chain, which must be empty. If no chain is specified, all user-defined chains are deleted.
-E, --rename-chain
Rename the specified chain. Both user-defined chains and the standard chains can be renamed.

<Other options>
-V, --version
Show the version of the arptables program.
-h, --help
Show syntax help.
-j, --jump target
The target of the rule: ACCEPT, DROP, CONTINUE, RETURN, a target extension or a user-defined chain name.

<Rule description>
-s, --source-ip [!] address[/mask]
Source IP address.

-d, --destination-ip [!] address[/mask]
Destination IP address.

--source-mac [!] address[/mask]
Source MAC address.

--destination-mac [!] address[/mask]
Destination MAC address.

-i, --in-interface [!] name
The interface on which the frame was received (INPUT and FORWARD chains only). --in-if is an alias of this option.

-o, --out-interface [!] name
The interface on which the frame will be sent (OUTPUT and FORWARD chains only). --out-if is an alias of this option.

-l, --h-length length[/mask]
Hardware address length, in bytes.

--opcode code[/mask]
Operation code (2 bytes). Possible values: 1 = request, 2 = reply, 3 = reverse request, 4 = reverse reply, 5 = dynamic reverse request, 6 = dynamic reverse reply, 7 = dynamic reverse error, 8 = inverse ARP request, 9 = ARP NAK.

--h-type type[/mask]
Hardware type (2 bytes, hexadecimal). Possible value: 1 = Ethernet.

--proto-type type[/mask]
Protocol type (2 bytes). Possible value: 0x800 = IPv4.

D) arptables usage example
# arp -a
M1 (192.168.0.1) at 00:E0:4C:FF:D7:31 [ether] on eth0
Display the current ARP table. It contains the ARP entry of one host, M1, with IP address 192.168.0.1.

# arptables -A INPUT -s 192.168.0.1 -j DROP
Add an ARP rule that discards all ARP frames from 192.168.0.1.

# arp -d 192.168.0.1 -i eth0
Use the arp command to delete the entry for 192.168.0.1 from the ARP table.

# arp -a
M1 (192.168.0.1) at <incomplete> on eth0
The ARP table no longer holds the MAC address of M1.

# ping 192.168.0.1
PING M1 (192.168.0.1) 56(84) bytes of data.
From m2 (192.168.0.2) icmp_seq=2 Destination Host Unreachable
From m2 (192.168.0.2) icmp_seq=3 Destination Host Unreachable
From m2 (192.168.0.2) icmp_seq=4 Destination Host Unreachable
Because the MAC address of M1 cannot be obtained (its ARP replies are dropped by the rule), this host cannot communicate with M1.

# arptables -D INPUT -s 192.168.0.1 -j DROP
Delete the arptables rule.

# arp -a
M1 (192.168.0.1) at 00:E0:4C:FF:D7:31 [ether] on eth0
The MAC address of M1 is recorded in the ARP table again.

# ping 192.168.0.1
PING M1 (192.168.0.1) 56(84) bytes of data.
64 bytes from M1 (192.168.0.1): icmp_seq=1 ttl=64 time=0.315 ms
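
As an added example (not part of the original article), the following Python script shows a defensive use of the rule syntax above: it parses arp -a output in the format shown and, for each trusted host such as the gateway, emits an arptables rule that drops ARP frames claiming that host's IP address from any other MAC address. The sample ARP output is constructed; the INPUT chain name and the "--source-mac ! MAC" negation follow the option descriptions above, and actually running the rules requires root and the arptables binary.

```python
import re
import subprocess
from typing import Dict, List

# One line of `arp -a` output in the format the article shows, e.g.
#   M1 (192.168.0.1) at 00:E0:4C:FF:D7:31 [ether] on eth0
# Incomplete entries ("at <incomplete> on eth0") deliberately do not match.
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \[ether\] on (?P<iface>\S+)$"
)

# Constructed sample snapshot; not captured from a real host.
SAMPLE_ARP_OUTPUT = """\
M1 (192.168.0.1) at 00:E0:4C:FF:D7:31 [ether] on eth0
M3 (192.168.0.3) at <incomplete> on eth0
printer (192.168.0.20) at 00:11:22:33:44:55 [ether] on eth0
"""

def parse_arp_table(text: str) -> Dict[str, dict]:
    """Map each resolved IP to its MAC (upper-cased), interface and host name."""
    table: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = {"mac": m["mac"].upper(), "iface": m["iface"], "host": m["host"]}
    return table

def pin_rules(table: Dict[str, dict], trusted_ips: List[str]) -> List[List[str]]:
    """Build one arptables rule per trusted IP: drop any ARP frame received on the
    recorded interface whose sender IP is the trusted IP but whose sender MAC is
    not the recorded one (the `--source-mac ! MAC` form negates the match)."""
    rules = []
    for ip in trusted_ips:
        if ip not in table:
            raise ValueError(f"no resolved ARP entry for {ip}; cannot pin it")
        entry = table[ip]
        rules.append(["arptables", "-A", "INPUT", "-i", entry["iface"],
                      "--source-ip", ip, "--source-mac", "!", entry["mac"],
                      "-j", "DROP"])
    return rules

def apply_rules(rules: List[List[str]], dry_run: bool = True) -> None:
    """Print the rules, or run them (requires root and the arptables binary)."""
    for rule in rules:
        if dry_run:
            print(" ".join(rule))
        else:
            subprocess.run(rule, check=True)
```

Take the snapshot while the network is known to be clean; a pinned entry that is already poisoned would lock in the wrong MAC.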


2. arpwatch
A) Introduction to arpwatch
arpwatch listens for ARP packets on the network and records the IP address to MAC address pairings it sees; changes are reported to the system administrator by e-mail. arpwatch uses pcap(3) to listen for ARP packets on the local Ethernet interface.

B) Installation of arpwatch
In Turbolinux 10.5 and 11, arpwatch is already included.
You can also install it from source:

# wget -c ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
# cd arpwatch-2.1a15
# ./configure
# make
# make install
C) Syntax of the arpwatch command
arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file] [-s sendmail_path] [-p] [-a] [-m addr] [-u username] [-R seconds] [-Q] [-z ignorenet/ignoremask]
-d enables debugging mode.
-f sets the name of the database file. The default is arp.dat.
-i specifies the network interface to listen on.
-n describes the local network.
-r reads from a file generated by tcpdump or pcapture instead of listening on the network interface.
-s specifies the path of the sendmail program.
-p disables promiscuous mode. ARP broadcasts are still received when the interface is not in promiscuous mode.
-a: by default arpwatch records ARP information only for the first IP subnet on the default network interface. With -a it records ARP information for all IP subnets on the interface.
-m specifies an e-mail address that receives the change reports.

D) arpwatch usage example
# arpwatch -i eth0 -m root@localhost.localdomain
Listen on the eth0 interface and send ARP change reports to the local root user's mailbox.
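
As an added example, and not arpwatch's own code, the following Python script models the core of what arpwatch reports: it keeps a per-IP record of the current and previous MAC address, classifies each observed ARP reply as a new station, a changed ethernet address, or a flip flop (a change back to the previously recorded MAC, the pattern produced when a spoofer and the real host alternate replies), and writes the records in the tab-separated layout of arp.dat. The observation sequence is constructed; real arpwatch has further report types and the e-mail path, which this model omits.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sequence of observed ARP replies as (sender IP, sender MAC, unix time).
# Record 3 moves 192.168.0.1 to another MAC; record 4 moves it back to the original.
OBSERVED = [
    ("192.168.0.1", "00:e0:4c:ff:d7:31", 1000),
    ("192.168.0.20", "00:11:22:33:44:55", 1010),
    ("192.168.0.1", "de:ad:be:ef:00:01", 1020),
    ("192.168.0.1", "00:e0:4c:ff:d7:31", 1030),
    ("192.168.0.1", "00:e0:4c:ff:d7:31", 1040),
]

class ArpDb:
    """Per-IP state: current (mac, last_seen) and the previously seen MAC."""

    def __init__(self) -> None:
        self.cur: Dict[str, Tuple[str, int]] = {}
        self.old: Dict[str, str] = {}

    def observe(self, ip: str, mac: str, ts: int) -> Optional[str]:
        """Update state for one ARP reply and return the report type, if any."""
        mac = mac.lower()
        if ip not in self.cur:
            self.cur[ip] = (mac, ts)
            return "new station"
        cur_mac, _ = self.cur[ip]
        if mac == cur_mac:
            self.cur[ip] = (mac, ts)       # same pairing: just refresh last-seen
            return None
        # MAC changed. A change back to the previous MAC is a "flip flop";
        # any other change is reported as a changed ethernet address.
        event = "flip flop" if self.old.get(ip) == mac else "changed ethernet address"
        self.old[ip] = cur_mac
        self.cur[ip] = (mac, ts)
        return event

    def dump(self) -> List[str]:
        """Records in arp.dat's tab-separated layout: mac, ip, timestamp."""
        return [f"{mac}\t{ip}\t{ts}" for ip, (mac, ts) in sorted(self.cur.items())]

def run(observed) -> Tuple[ArpDb, List[Tuple[str, str, str]]]:
    """Feed observations through the database; collect (report, ip, mac) events."""
    db = ArpDb()
    events = []
    for ip, mac, ts in observed:
        report = db.observe(ip, mac, ts)
        if report:
            events.append((report, ip, mac.lower()))
    return db, events
```

A "changed ethernet address" followed shortly by a "flip flop" for the same IP is the signature worth alerting on, since a legitimate NIC replacement changes the address once and stays there.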
