1. Fundamentals
The Address Resolution Protocol (ARP) is a TCP/IP protocol that obtains a physical address from an IP address. When a host sends a message, it broadcasts an ARP request containing the destination IP address to all hosts on the network and receives a reply that determines the physical address of the target. When the reply is received, the IP address and physical address are stored in the local ARP cache for a certain amount of time, and the cache is queried directly on the next request to conserve resources.

ARP is built on mutual trust among the hosts on a network: any host can send an ARP reply on its own initiative, and a host that receives a reply does not check its authenticity before recording it in its local ARP cache. An attacker can therefore send a forged ARP reply to a host, so that the information that host sends cannot reach the intended host or reaches the wrong host. This constitutes ARP spoofing.

The arp command can be used to query the local ARP cache for the mapping between IP addresses and MAC addresses, to add or remove static mappings, and so on. Related protocols are RARP and Proxy ARP. In IPv6, NDP is used in place of the Address Resolution Protocol.
2. arp command
The arp command is used to manage the ARP cache.
arp -v: verbose mode
$ arp -v
Address                  HWtype  HWaddress           Flags Mask            Iface
xxxxx                    ether   00:12:da:46:34:00   C                     eth0
10.1.1.17                ether   00:16:3e:f2:38:33   C                     eth1
10.1.1.12                ether   00:16:3e:f2:37:6b   C                     eth1
Entries: 3      Skipped: 0      Found: 3
arp -n: display numeric addresses
$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
xxxxxxxx                 ether   00:12:da:46:34:00   C                     eth0
10.1.1.13                ether   00:16:3e:f2:37:7d   C                     eth1
10.1.1.18                ether   00:16:3e:f2:38:35   C                     eth1
arp -a: show the IP-to-MAC mapping for the specified host; all entries by default
$ arp -a
? (xxxxxxxxx) at 00:12:da:46:34:00 [ether] on eth0
? (10.1.1.13) at 00:16:3e:f2:37:7d [ether] on eth1
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
$ arp -a 10.1.1.18
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
arp -d: delete the IP-to-MAC mapping for the specified host
$ sudo arp -d 10.1.1.18
arp -i: display only the IP-to-MAC mappings for the specified NIC
$ arp -i eth0
Address                  HWtype  HWaddress           Flags Mask            Iface
xxxxxxxxxxxxx            ether   00:12:da:46:34:00   C                     eth0
$ arp -i eth1
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.13                ether   00:16:3e:f2:37:7d   C                     eth1
10.1.1.18                ether   00:16:3e:f2:38:35   C
arp -s hostname hw_addr, --set hostname: manually set the IP-to-MAC mapping
$ sudo arp -s 10.1.1.18 00:16:3e:f2:38:35
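The unverified-reply weakness described in section 1 shows up on a defender's host as a cache entry whose MAC changes, or as one MAC answering for several IPs. The following is an added example, not part of the original article, that parses arp -n output in the layout shown above and compares it with a known-good baseline; the gateway 10.1.1.1, its MAC address and both tables are constructed sample data.

```python
import re
from collections import defaultdict

MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

# Constructed sample data in the `arp -n` layout (not captured from a real host).
BASELINE_OUT = """\
Address      HWtype  HWaddress           Flags Mask  Iface
10.1.1.1     ether   00:16:3e:aa:00:01   C           eth1
10.1.1.13    ether   00:16:3e:f2:37:7d   C           eth1
10.1.1.18    ether   00:16:3e:f2:38:35   C           eth1
"""
OBSERVED_OUT = """\
Address      HWtype  HWaddress           Flags Mask  Iface
10.1.1.1     ether   00:16:3e:f2:38:35   C           eth1
10.1.1.13    ether   00:16:3e:f2:37:7d   C           eth1
10.1.1.18    ether   00:16:3e:f2:38:35   C           eth1
10.1.1.20            (incomplete)                    eth1
"""

def parse_arp_n(text):
    """Return {(iface, ip): mac} from `arp -n` output; unresolved rows are skipped."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[1] != "ether" or not MAC.fullmatch(f[2]):
            continue  # header, blank line, or "(incomplete)" entry
        table[(f[-1], f[0])] = f[2].lower()
    return table

def find_anomalies(baseline, observed):
    """Compare two parsed tables; return (kind, subject, detail) findings."""
    findings = []
    # 1. An IP whose MAC differs from the trusted baseline.
    for (iface, ip), mac in sorted(observed.items()):
        old = baseline.get((iface, ip))
        if old and old != mac:
            findings.append(("mac_changed", ip, f"{old} -> {mac}"))
    # 2. One MAC answering for several IPs on the same interface.
    owners = defaultdict(list)
    for (iface, ip), mac in observed.items():
        owners[(iface, mac)].append(ip)
    for (iface, mac), ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("mac_shared", mac, ", ".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse_arp_n(BASELINE_OUT), parse_arp_n(OBSERVED_OUT)):
        print(*finding, sep=" | ")
```

A shared MAC is a lead to investigate rather than proof of spoofing, since Proxy ARP and hosts with several addresses produce it legitimately. For hosts whose mapping must not change, such as the gateway, a static entry set with arp -s is not replaced by incoming replies.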
3. arping command
arping [-AbDfhqUV] [-c count] [-w deadline] [-s source] -I interface destination
Sends ARP requests to the target host.
-A: use ARP reply messages in place of ARP request messages
$ sudo arping -A -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  627.781ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  988.125ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  827.356ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  837.510ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  303.940ms
-b: send only MAC-level ARP broadcast messages. Normally, arping starts by sending an ARP broadcast message and then switches to unicast once an ARP reply message is received.
$ sudo arping -b -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  0.764ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  0.843ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  0.744ms
-c: specifies the number of ARP request messages to send. If the -w parameter is also specified, arping waits for ARP reply messages until the timeout expires.
$ sudo arping -c 5 -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  0.771ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  0.744ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  0.741ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  0.806ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B]  0.731ms
Sent 5 probes (1 broadcast(s))
Received 5 response(s)
-w deadline: specifies the timeout in seconds.
This article is from the Linux SA John blog, so be sure to keep this source http://john88wang.blog.51cto.com/2165294/1618047
ARP-related operations under Linux