Annotation of embedaddon/arping/README, revision 1.1
1.1 ! misho 1: arping/README
! 2:
! 3: ARP Ping
! 4:
! 5: By Thomas Habets <thomas@habets.pp.se>
! 6:
! 7: http://www.habets.pp.se/synscan/
! 8: http://github.com/ThomasHabets/arping
! 9: git clone git://github.com/ThomasHabets/arping.git
! 10:
! 11: Introduction
! 12: ------------
! 13: Arping is a util to find out if a specific IP address on the LAN is 'taken'
! 14: and what MAC address owns it. Sure, you *could* just use 'ping' to find out if
! 15: it's taken and even if the computer blocks ping (and everything else) you still
! 16: get an entry in your ARP cache. But what if you aren't on a routable net? Or
! 17: the host blocks ping (all ICMP even)? Then you're screwed. Or you use arping.
! 18:
! 19: Why it's not stupid
! 20: -------------------
! 21: Say you have a block of N real IANA-assigned IP-addresses. You want to debug
! 22: the net and you don't know which IP addresses are taken. You can't ping anyone
! 23: before you take the IP, and you can't pick an IP before you know which are
! 24: already taken. Catch 22. But with arping you can 'ping' the IP and if you get
! 25: no response, the IP is available.
! 26:
! 27: Example uses
! 28: ------------
! 29: If some box is dumping non-IP (like IPX) garbage and you don't know which box
! 30: it is, you can ping by MAC to get the IP and fix the problem.
! 31:
! 32: If you are on someone else's net and want to 'borrow' a real IP address instead
! 33: of using one of those 10.x.x.x-addresses the DHCP hands out you probably want
! 34: to know which ones are taken, or people will get mad (a friend of mine got a
! 35: call on his cellphone about 15 seconds after he accidentally 'stole' an IP,
! 36: oops).
! 37:
! 38: Compiling / installing
! 39: ----------------------
! 40: See INSTALL file.
! 41:
! 42: I try to test arping on these platforms before any release:
! 43: * Latest Debian stable x86 and amd64
! 44: * Linux (Debian or Ubuntu) on arm
! 45: * Latest OpenBSD x86 or amd64
! 46: * FreeBSD x86
! 47: * Solaris 10 sparc
! 48:
! 49: I don't have these systems up and running 24/7, but I try to get them tested
! 50: every now and then:
! 51: * MacOS X
! 52: * Debian alpha
! 53: * OpenBSD sparc64 (last test: 2009-10-02)
! 54: * IRIX 6.5 mips (last test 2009-09-27)
! 55:
! 56: Mailing list
! 57: ------------
! 58: Check out http://www.habets.pp.se/synscan/mailinglists.php for information
! 59: on how to subscribe to help- and announce-lists.
! 60:
! 61: How it does it
! 62: --------------
! 63: See 'Technical' at the bottom of this file.
! 64:
! 65: FAQ
! 66: ---
! 67: Q: Where is Arping 1.x? I use libnet 1.0.x so I need that!
! 68:
! 69: A: Arping 1 has finally been removed from the Arping 2.x tarball in 2.09.
! 70: Arping 1.x currently only lives in the Arping packages 2.08 and lower. If
! 71: features are to be added or bugs fixed it will show up again as a separate
! 72: package forked from Arping 2.08.
! 73:
! 74: For now just get arping-2.08.tar.gz and use that.
! 75: ---
! 76: Q: Where's the Windows version? A compiled .exe would be nice.
! 77:
! 78: A: I don't have a windows box, so the .exe I'm providing was NOT compiled
! 79: by me. If something is strange about it tell me, but there won't be much
! 80: I can do about it.
! 81: That being said:
! 82: http://www.habets.pp.se/synscan/files/arping-for-windows-not-compiled-by-me.exe
! 83: ---
! 84: Q: After compiling arping without any problem, I test it first with
! 85: localhost... but it doesn't respond. Isn't that strange?
! 86:
! 87: A: Not really, as you can see by typing 'ifconfig' the lo (local) interface
! 88: does not have a MAC address. It's not a physical device! MAC addresses are
! 89: there to differentiate computers on a shared medium (the aether, or ether)
! 90: and since packets to localhost do not go over any wire there is no need
! 91: to identify which box is talking to which. There is only one.
! 92: ---
! 93: Q: Arping can't ping anything!
! 94:
! 95: A: Check which interface is active with -v. If it's the wrong one, use -i
! 96: to set it right.
! 97: ---
! 98: Q: Arping finds some hosts, but not others. Why? BTW, I have several NICs.
! 99:
! 100: A: You have to choose interface with the -i switch if the default is wrong for
! 101: you.
! 102: ---
! 103: Q: I tried to ping my own MAC address, but it doesn't work.
! 104:
! 105: A: A sane OS will think it's suspicious if you send packets to yourself over
! 106: the wire and will ignore them.
! 107:
! 108: And why would you want to lookup the IP or MAC of yourself? ifconfig
! 109: can tell you that.
! 110: ---
! 111: Q: I can't ping any/some MAC address on my LAN.
! 112:
! 113: A: Arping when pinging a MAC relies on the host to answer a broadcast ping
! 114: (icmp echo request) properly (IIRC: not the windows way). If you want a
! 115: host to pop up on MAC ping, you have to config it to respond to broadcast
! 116: pings.
! 117: (for linux, make sure /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts is 0)
! 118: A: -T <IP/host> allows you to restrict the arping to a limited subnet, which
! 119: may or may not work for you. For example if the box 00:01:02:03:04:05 is on
! 120: 192.168.0.0/24 then the broadcast probably is 192.168.0.255, so try:
! 121: # arping -T 192.168.0.255 00:01:02:03:04:05
! 122: ---
! 123: Q: ./configure says I need libnet and/or libpcap
! 124:
! 125: A: Arping depends on libnet 1.1.x and libpcap, get libnet at:
! 126: http://www.packetfactory.net/libnet and libpcap from http://www.tcpdump.org.
! 127:
! 128: Lately www.packetfactory.net seems to be down, so you can get the original
! 129: tarball from the Debian archives:
! 130: http://ftp.debian.org/debian/pool/main/libn/libnet/libnet_1.1.4.orig.tar.gz
! 131: If that exact file doesn't exist there probably is one with a higher
! 132: version number.
! 133:
! 134: Or github.com:
! 135: http://github.com/sam-github/libnet
! 136: http://github.com/ThomasHabets/libnet
! 137: ---
! 138: Q: I get bus error on my non-x86 box
! 139:
! 140: A: Damn, I thought I fixed those. Tell me how you got it and I'll try to fix
! 141: it. Attaching config.log always helps.
! 142: ---
! 143: Q: I get "libnet_get_ipaddr(): no error" when I run arping with IP (src or dst)
! 144: 255.255.255.255.
! 145:
! 146: A: Use the -b/-B switches. Libnet sucks (ha ha only serious) and returns -1 for
! 147: error == int32 encoded 255.255.255.255.
! 148: ---
! 149: Q: I used to be able to use -S 255.255.255.255, now it fails. What's going on?
! 150: Q: Why can't I arping 255.255.255.255?
! 151:
! 152: A: Argh! Why would you want to? Anyway, this one is due to libnet's resolving,
! 153: and my unwillingness to reimplement it (in a portable manner, ugh).
! 154:
! 155: -S 255.255.255.255 can be replaced with -b, and pinging broadcast (why you
! 156: would do that eludes me) -B.
! 157:
! 158: To be extra perverted, try:
! 159: # ./arping -b -B
! 160: (yes, I added -b and -B just so that version 1.0 should be complete)
! 161: ---
! 162: Q: 1.01 is out, didn't you just say 1.0 was supposed to be the last one?
! 163:
! 164: A: Shut up.
! 165: ---
! 166: Q: The roundtrip times are off, sometimes by milliseconds!
! 167:
! 168: A: I know.
! 169: Short answer:
! 170: 'ping' does the same thing. (ping from iputils-ss010824 anyway)
! 171:
! 172: Long answer:
! 173: I can't (portably anyway) do anything other than queue a packet
! 174: to the network. That means I don't know exactly when it arrived. Also,
! 175: I can't tell when a packet arrives on the wire, only when arping gets
! 176: it from the kernel. Just make sure neither the network (whole segment
! 177: if you are hubbed, just your NIC if you are switched) nor your box is
! 178: loaded when you care about timing, and/or run arping with higher
! 179: priority.
! 180:
! 181: # nice -n -15 arping foobar
! 182:
! 183: But if you find a way to get more exact timing portably (or just for one
! 184: OS really), let me know.
! 185: ---
! 186: Q: Is it OK to make arping suid root?
! 187:
! 188: A: Be my guest, but if you care about security *at all* you will have to restrict
! 189: execution of arping to trusted users. I could remove "dangerous" features
! 190: from the code when it's running suid, but I honestly don't want to. This is
! 191: a network debugging tool, which generates low-level network packets that
! 192: ordinary users have absolutely no business generating.
! 193:
! 194: For example, I don't protect against an ALRM signal flood, which will result
! 195: in a packet flood. (arping 2.x doesn't have this issue)
! 196:
! 197: If you are honestly debugging the network then I don't see why you aren't
! 198: root already.
! 199:
! 200: If you think I'm wrong, tell me why.
! 201: ---
! 202: Q: What's this -A switch all about, I don't understand it.
! 203:
! 204: A: Normally arping packets are sent out to some kind of broadcast (MAC or IPv4
! 205: broadcast) and hosts reply with source address == their address.
! 206:
! 207: If -A is given, only packets coming in with a *source* address equal
! 208: to the *destination* address in the query are accepted.
! 209:
! 210: If you don't understand, don't worry. You won't need it. But for an
! 211: example use, see the arping-scan-net.sh script.
! 212: ---
! 213:
! 214: License
! 215: -------
! 216: It's GPLv2, see the LICENSE file.
! 217:
! 218: Technical
! 219: ---------
! 220: Yes, I've finally bothered to write how it works.
! 221: tcpdumps were taken with "tcpdump -vven 'arp or icmp'".
! 222:
! 223: The source box is 192.168.0.2/0:10:5a:3e:c5:b4 and the target box is
! 224: 192.168.0.1/0:60:93:34:91:99.
! 225:
! 226: For pinging IP addresses:
! 227: When a host wants to send an IP packet to another host, it sends out an ARP
! 228: packet asking what MAC the destination IP address has, a so-called 'who-has'
! 229: packet. This is then answered by another ARP packet, the 'is-at' packet.
! 230:
! 231: 18:16:07.179699 0:10:5a:3e:c5:b4 ff:ff:ff:ff:ff:ff 0806 42:
! 232: arp who-has 192.168.0.1 tell 192.168.0.2
! 233:
! 234: This is the packet generated by arping.
! 235: An Ethernet frame from my 3com card to the broadcast address carrying an arp
! 236: packet asking what MAC 192.168.0.1 has (who-has).
! 237:
! 238: 18:16:07.180221 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0806 60:
! 239: arp reply 192.168.0.1 is-at 0:60:93:34:91:99
! 240:
! 241: The answer, that 192.168.0.1 has MAC 0:60:93:34:91:99 (is-at).
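
The who-has/is-at exchange above, laid out byte by byte, as an added example (not code from arping or its author): it shows why the request is 42 bytes and which fields a receiver should check before believing an is-at. The function names are hypothetical, the addresses are the ones in the capture, and the reply frame is constructed, padded to 60 bytes as in the capture (the Ethernet minimum).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 42 /* 14-byte Ethernet header + 28-byte ARP payload */
/* First 8 ARP bytes: htype Ethernet, ptype IPv4, hlen 6, plen 4, opcode. */
static void arp_fixed(uint8_t *p, uint16_t op) {
    static const uint8_t h[6] = {0x00, 0x01, 0x08, 0x00, 6, 4};
    memcpy(p, h, 6);
    p[6] = (uint8_t)(op >> 8); p[7] = (uint8_t)op;
}

/* Build the broadcast who-has frame; returns its length. */
size_t build_who_has(uint8_t *f, const uint8_t smac[6], const uint8_t sip[4], const uint8_t tip[4]) {
    memset(f, 0xff, 6);            /* Ethernet dst: broadcast */
    memcpy(f + 6, smac, 6);        /* Ethernet src */
    f[12] = 0x08; f[13] = 0x06;    /* EtherType 0x0806 = ARP */
    arp_fixed(f + 14, 1);          /* opcode 1 = request */
    memcpy(f + 22, smac, 6);       /* sender MAC */
    memcpy(f + 28, sip, 4);        /* sender IP */
    memset(f + 32, 0, 6);          /* target MAC: not known yet */
    memcpy(f + 38, tip, 4);        /* target IP being asked about */
    return FRAME_LEN;
}

/* Return 0 and fill mac only for a well-formed is-at whose sender IP is want_ip. */
int parse_is_at(const uint8_t *f, size_t len, const uint8_t want_ip[4], uint8_t mac[6]) {
    uint8_t expect[8];
    if (len < FRAME_LEN) return -1;                    /* truncated */
    if (f[12] != 0x08 || f[13] != 0x06) return -1;     /* not ARP */
    arp_fixed(expect, 2);                              /* opcode 2 = reply */
    if (memcmp(f + 14, expect, 8) != 0) return -1;     /* wrong types, sizes or opcode */
    if (memcmp(f + 28, want_ip, 4) != 0) return -1;    /* answer is about another IP */
    memcpy(mac, f + 22, 6);
    return 0;
}

int main(void) {
    /* Addresses from the capture above; the reply frame itself is constructed. */
    const uint8_t smac[6] = {0x00, 0x10, 0x5a, 0x3e, 0xc5, 0xb4}, sip[4] = {192, 168, 0, 2};
    const uint8_t tmac[6] = {0x00, 0x60, 0x93, 0x34, 0x91, 0x99}, tip[4] = {192, 168, 0, 1};
    uint8_t req[FRAME_LEN], rep[60] = {0}, mac[6];
    printf("request: %zu bytes\n", build_who_has(req, smac, sip, tip));
    build_who_has(rep, tmac, tip, sip);  /* mirrored frame, zero-padded to 60 bytes */
    memcpy(rep, smac, 6); rep[21] = 2; memcpy(rep + 32, smac, 6);  /* unicast reply */
    if (parse_is_at(rep, sizeof rep, tip, mac) == 0)
        printf("is-at %02x:%02x:%02x:%02x:%02x:%02x\n", mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return 0;
}
```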
! 242:
! 243: For pinging MAC addresses:
! 244: A broadcast ping (255.255.255.255, or any address supplied with -T, see below)
! 245: is sent out on the Ethernet, but in an Ethernet frame addressed to the target
! 246: MAC only.
! 247:
! 248: 18:20:09.627321 0:10:5a:3e:c5:b4 0:60:93:34:91:99 0800 42:
! 249: 192.168.0.2 > 255.255.255.255: icmp: echo request
! 250: (ttl 48, id 17767, len 28)
! 251:
! 252: This is the packet generated by arping.
! 253: Ethernet frame from my 3com NIC to the destination MAC, carrying a broadcast
! 254: ping.
! 255:
! 256: 18:20:09.628432 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0800 60:
! 257: 192.168.0.1 > 192.168.0.2: icmp: echo reply
! 258: (ttl 255, id 7593, len 28)
! 259:
! 260: The answer, including the source address of the target host. Note that this
! 261: is not how every OS responds to a broadcast ping (if at all). Some answer with
! 262: a source address equal to the broadcast address, and others don't answer at
! 263: all.
! 264: This is why pinging a raw MAC doesn't always work, and you may need to play
! 265: with -T to get it to answer correctly (or at all). You can always brute-force
! 266: if you can't even find a broadcast that the box will answer correctly to.
! 267: -------
! 268: for d in $(seq 0 255); do
! 269:     sudo arping -q -c 1 -T 192.168.0.$d 0:60:93:34:91:99
! 270:     if [ $? = 0 ]; then
! 271:         echo "Got answer with address: 192.168.0.$d"
! 272:     fi
! 273: done
! 274: --------
! 275: Note that this script will take 1 second per IP since that is how long arping
! 276: waits, so scanning a C-class net will take 256 seconds. If you have a bigger
! 277: net, then write a program that will run several arpings at the same time to
! 278: go through more in less time, or check out arping-scan-net.sh, which is a
! 279: more capable script for scanning, but you need to edit it since the address
! 280: range it searches is hard-coded.
! 281: I may add this to arping some day, but don't hold your breath.
! 282:
! 283: ----------------------------------------------------------------------------
! 284: Send questions/suggestions/patches/rants/money/alphas to thomas@habets.pp.se