ARP operations in Linux
1. Basic Principles
Address Resolution Protocol (ARP) is a TCP/IP protocol for obtaining a physical (MAC) address from an IP address. When a host sends data, it broadcasts an ARP request containing the target IP address to all hosts on the network and uses the returned message to determine the target's physical address. After the reply is received, the IP address and physical address are stored in the local ARP cache and kept for a certain period of time, so the next request queries the ARP cache directly to save resources.

ARP is based on mutual trust among the hosts on the network. Any host can send ARP reply messages on its own initiative, and a host that receives a reply does not check its authenticity before recording it in its local ARP cache. An attacker can therefore send a forged ARP reply to a host so that the messages it sends cannot reach the expected host or reach the wrong host, which constitutes ARP spoofing.

The arp command can be used to query the correspondence between IP addresses and MAC addresses in the local ARP cache, and to add or delete static mappings. Related protocols include RARP and proxy ARP. In IPv6, NDP replaces ARP.
2. arp command
The arp command is used to manage the ARP cache.
arp -v: verbose mode
$ arp -v
Address        HWtype  HWaddress          Flags Mask  Iface
Xxxxx          ether   00:12:da:46:34:00  C           eth0
10.1.1.17      ether   00:16:3e:f2:38:33  C           eth1
10.1.1.12      ether   00:16:3e:f2:37:6b  C           eth1
Entries: 3 Skipped: 0 Found: 3
arp -n: display numeric addresses
$ arp -n
Address        HWtype  HWaddress          Flags Mask  Iface
Xxxxxxxx       ether   00:12:da:46:34:00  C           eth0
10.1.1.13      ether   00:16:3e:f2:37:7d  C           eth1
10.1.1.18      ether   00:16:3e:f2:38:35  C           eth1
arp -a: show the IP-to-MAC mapping of the specified host. With no host given, all entries are displayed.
$ arp -a
? (Xxxxxxxxx) at 00:12:da:46:34:00 [ether] on eth0
? (10.1.1.13) at 00:16:3e:f2:37:7d [ether] on eth1
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
[Gintama@gintama-taiwan-lb1 ~]$ arp -a 10.1.1.18
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
arp -d: delete the IP-to-MAC mapping of the specified host
$ sudo arp -d 10.1.1.18
arp -i: display only the IP-to-MAC mappings on the specified NIC
$ arp -i eth0
Address        HWtype  HWaddress          Flags Mask  Iface
Xxxxxxxxxxxxx  ether   00:12:da:46:34:00  C           eth0
$ arp -i eth1
Address        HWtype  HWaddress          Flags Mask  Iface
10.1.1.13      ether   00:16:3e:f2:37:7d  C           eth1
10.1.1.18      ether   00:16:3e:f2:38:35  C
arp -s hostname hw_addr, --set hostname: manually set the correspondence between an IP address and a MAC address
$ sudo arp -s 10.1.1.18 00:16:3e:f2:38:35
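The spoofing described in section 1 shows up in the cache as one MAC address claimed by several IP addresses. The following is an added example, not part of the original article: it reads `arp -n` output and lists such MAC addresses. The function names and the sample table are constructed for illustration, and a multi-homed host can produce the same pattern legitimately.

```shell
#!/bin/sh
# Added example: flag MAC addresses that the ARP cache maps to more than one IP.
# Input format: `arp -n` output (Address HWtype HWaddress Flags Mask Iface).

# Constructed sample cache: 10.1.1.1 and 10.1.1.18 resolve to the same MAC.
sample_arp_table() {
cat <<'EOF'
Address        HWtype  HWaddress          Flags Mask  Iface
10.1.1.1       ether   00:16:3e:f2:38:35  C           eth1
10.1.1.13      ether   00:16:3e:f2:37:7d  C           eth1
10.1.1.18      ether   00:16:3E:F2:38:35  C           eth1
10.1.1.20              (incomplete)                   eth1
EOF
}

# Reads `arp -n` text on stdin and prints "<mac> <ip>,<ip>,..." for every MAC
# address that two or more distinct IP addresses resolve to.
shared_macs() {
    awk '
        $2 != "ether" { next }            # skips the header and incomplete entries
        {
            mac = tolower($3)             # compare MAC addresses case-insensitively
            if (seen[mac, $1]++) next     # same IP listed again on another interface
            if (!(mac in ips)) { order[++n] = mac; ips[mac] = $1 }
            else               { ips[mac] = ips[mac] "," $1; multi[mac] = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in multi) print order[i], ips[order[i]]
        }
    '
}

# Live use: arp -n | shared_macs
sample_arp_table | shared_macs
```

A static entry set with arp -s for the affected address keeps later replies from overwriting that mapping.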
3. arping command
arping [-AbDfhqUV] [-c count] [-w deadline] [-s source] -I interface destination
Sends ARP requests to the target host.
-A: use ARP REPLY packets instead of ARP REQUEST packets
$ sudo arping -A -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 627.781 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 988.125 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 827.356 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 837.510 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 303.940 ms
-b: send only MAC-level ARP broadcast packets. Normally, arping starts by sending ARP broadcast packets and switches to unicast after it receives an ARP REPLY packet.
$ sudo arping -b -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.764 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.843 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.744 ms
-c count: the number of ARP request packets to send. If the -w parameter is also specified, arping waits for ARP reply packets until the timeout period ends.
$ sudo arping -c 5 -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.771 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.744 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.741 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.806 ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.731 ms
Sent 5 probes (1 broadcast(s))
Received 5 response(s)
-w deadline: the timeout in seconds
-D: duplicate address detection (DAD) mode
$ sudo arping -D 10.1.1.200
ARPING 10.1.1.200 from 0.0.0.0 eth0
Unicast reply from 10.1.1.200 [00:16:3E:F2:37:6B] 0.692 ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
-I: the NIC that sends the ARP REQUEST
-s: specifies the source address
In DAD mode, it is set to 0.0.0.0.
In Unsolicited ARP mode, it is set to the destination address.
In other cases, it is calculated from the route table.
4. Stop ARP flux
ARP is used to convert an IP address to a physical address. By default, a Linux host with multiple NICs responds to ARP requests for the IP addresses bound to any NIC on the host.
Assume that a Linux host has two NICs, A and B, with the following IP and MAC addresses:
NIC A
IP 10.10.41.102
MAC 08:00:27:4B:63:93
NIC B
IP 10.10.41.142
MAC 08:00:27:47:78:55
Now, use the arping command to send ARP requests to each of the two IP addresses.
$ sudo arping 10.10.41.142
ARPING 10.10.41.142 from 10.10.41.17 eth0
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.721 ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.774 ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 2.626 ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.174 ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.164 ms
^CSent 5 probes (1 broadcast(s))
Received 5 response(s)
$ sudo arping 10.10.41.102
ARPING 10.10.41.102 from 10.10.41.17 eth0
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.988 ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.266 ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.478 ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.243 ms
^CSent 4 probes (1 broadcast(s))
Received 4 response(s)
The reply for 10.10.41.142 does not carry that NIC's own MAC address (08:00:27:47:78:55); both IP addresses are answered with 08:00:27:4B:63:93.
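An added example, not from the original article: the check below reports which interfaces can still answer ARP for an address bound to another NIC, based on the kernel's arp_ignore setting. The function names and the sample directory are hypothetical; arp_ignore and arp_announce are the standard net.ipv4.conf sysctl keys, which the article itself does not mention.

```shell
#!/bin/sh
# Added example: list interfaces that still answer ARP for addresses bound to
# other NICs. Per interface the kernel uses the larger of conf/all/arp_ignore
# and conf/<iface>/arp_ignore; 0 (the default) answers for any local address,
# 1 answers only for addresses configured on the receiving interface.

# arp_flux_audit [CONF_DIR]  (default: /proc/sys/net/ipv4/conf)
# Prints "<iface> arp_ignore=<effective> ok|flux"; returns 1 if any is "flux".
arp_flux_audit() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$conf/all/arp_ignore" 2>/dev/null || echo 0)
    exposed=0
    for dir in "$conf"/*; do
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        case $iface in all|default|lo) continue ;; esac
        eff=$(cat "$dir/arp_ignore" 2>/dev/null || echo 0)
        if [ "$all" -gt "$eff" ]; then eff=$all; fi
        if [ "$eff" -ge 1 ]; then
            echo "$iface arp_ignore=$eff ok"
        else
            echo "$iface arp_ignore=$eff flux"
            exposed=1
        fi
    done
    return "$exposed"
}

# Constructed stand-in for /proc/sys/net/ipv4/conf: eth0 hardened, eth1 default.
make_sample_conf() {
    d=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir "$d/$i" && echo 0 > "$d/$i/arp_ignore"
    done
    echo 1 > "$d/eth0/arp_ignore"
    echo "$d"
}

sample=$(make_sample_conf)
arp_flux_audit "$sample" || echo "ARP flux possible on the interfaces marked flux"
rm -rf "$sample"

# Live check: arp_flux_audit
# Commonly used fix (as root; persist the keys in /etc/sysctl.conf):
#   sysctl -w net.ipv4.conf.all.arp_ignore=1
#   sysctl -w net.ipv4.conf.all.arp_announce=2
```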