Annotation of embedaddon/arping/README, revision 1.1.1.3

1.1       misho       1: arping/README
                      2: 
                      3:  ARP Ping
                      4: 
1.1.1.2   misho       5:     By Thomas Habets <thomas@habets.se>
1.1       misho       6: 
                      7:  http://www.habets.pp.se/synscan/
                      8:  http://github.com/ThomasHabets/arping
                      9:  git clone git://github.com/ThomasHabets/arping.git
                     10: 
                     11: Introduction
                     12: ------------
                     13: Arping is a util to find out if a specific IP address on the LAN is 'taken'
                     14: and what MAC address owns it. Sure, you *could* just use 'ping' to find out if
                     15: it's taken and even if the computer blocks ping (and everything else) you still
                     16: get an entry in your ARP cache. But what if you aren't on a routable net? Or
                     17: the host blocks ping (all ICMP even)? Then you're screwed. Or you use arping.
                     18: 
                     19: Why it's not stupid
                     20: -------------------
                     21: Say you have a block of N real IANA-assigned IP-addresses. You want to debug
                     22: the net and you don't know which IP addresses are taken. You can't ping anyone
                     23: before you take the IP, and you can't pick an IP before you know which are
                     24: already taken. Catch 22. But with arping you can 'ping' the IP and if you get
                     25: no response, the IP is available.
                     26: 
                     27: Example uses
                     28: ------------
                     29: If some box is dumping non-IP (like IPX) garbage and you don't know which box
                     30: it is, you can ping by MAC to get the IP and fix the problem.
                     31: 
                     32: If you are on someone else's net and want to 'borrow' a real IP address instead
                     33: of using one of those 10.x.x.x-addresses the DHCP hands out you probably want
                     34: to know which ones are taken, or people will get mad (a friend of mine got a
                     35: call on his cellphone about 15 seconds after he accidentally 'stole' an IP,
                     36: oops).
                     37: 
                     38: Compiling / installing
                     39: ----------------------
                     40: See INSTALL file.
                     41: 
                     42: I try to test arping on these platforms before any release:
                     43: * Latest Debian stable x86 and amd64
                     44: * Linux (Debian or Ubuntu) on arm
                     45: * Latest OpenBSD x86 or amd64
                     46: * FreeBSD x86
                     47: * Solaris 10 sparc
                     48: 
                     49: I don't have these systems up and running 24/7, but I try to get them tested
                     50: every now and then:
                     51: * MacOS X
                     52: * Debian alpha
                     53: * OpenBSD sparc64 (last test: 2009-10-02)
                     54: * IRIX 6.5 mips (last test 2009-09-27)
                     55: 
                     56: Mailing list
                     57: ------------
                     58: Check out http://www.habets.pp.se/synscan/mailinglists.php for information
                     59: on how to subscribe to help- and announce-lists.
                     60: 
                     61: How it does it
                     62: --------------
                     63: See 'Technical' at the bottom of this file.
                     64: 
                     65: FAQ
                     66: ---
                     67: Q: Where is Arping 1.x? I use libnet 1.0.x so I need that!
                     68: 
                     69: A: Arping 1 has finally been removed from the Arping 2.x tarball in 2.09.
                     70:    Arping 1.x currently only lives in the Arping packages 2.08 and lower. If
                     71:    features are to be added or bugs fixed it will show up again as a separate
                     72:    package forked from Arping 2.08.
                     73: 
                     74:    For now just get arping-2.08.tar.gz and use that.
                     75: ---
                     76: Q: Where's the Windows version? A compiled .exe would be nice.
                     77: 
                     78: A: I don't have a windows box, so the .exe I'm providing was NOT compiled
                     79:    by me. If something is strange about it tell me, but there won't be much
                     80:    I can do about it.
                     81:    That being said:
                     82: http://www.habets.pp.se/synscan/files/arping-for-windows-not-compiled-by-me.exe
                     83: ---
                     84: Q: After compiling arping without any problem, i test it first with
                     85:    localhost... but it doesn't respond. Isn't that strange?
                     86: 
                     87: A: Not really, as you can see by typing 'ifconfig' the lo (local) interface
                     88:    does not have a MAC address. It's not a physical device! MAC addresses are
                     89:    there to differentiate computers on a shared medium (the aether, or ether)
                     90:    and since packets to localhost do not go over any wire there is no need
                     91:    to identify which box is talking to which. There is only one.
                     92: ---
                     93: Q: Arping can't ping anything!
                     94: 
                     95: A: Check which interface is active with -v. If it's the wrong one, use -i
                     96:    to set it right.
                     97: ---
                      98: Q: Arping finds some hosts, but not others. Why? BTW, I have several NICs.
                     99: 
                    100: A: You have to choose interface with the -i switch if the default is wrong for
                    101:    you.
                    102: ---
                    103: Q: I tried to ping my own MAC address, but it doesn't work.
                    104: 
                    105: A: A sane OS will think it's suspicious if you send packets to yourself over
                    106:    the wire and will ignore them.
                    107: 
                    108:    And why would you want to lookup the IP or MAC of yourself? ifconfig
                    109:    can tell you that.
                    110: ---
                    111: Q: I can't ping any/some MAC address on my LAN.
                    112: 
                    113: A: Arping when pinging a MAC relies on the host to answer a broadcast ping
                    114:    (icmp echo request) properly (IIRC: not the windows way). If you want a
                    115:    host to pop up on MAC ping, you have to config it to respond to broadcast
                    116:    pings.
                    117:    (for linux, make sure /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts is 0)
                    118: A: -T <IP/host> allows you to restrict the arping to a limited subnet, which
                    119:    may or may not work for you. For example if the box 00:01:02:03:04:05 is on
                    120:    192.168.0.0/24 then the broadcast probably is 192.168.0.255, so try:
                    121:    # arping -T 192.168.0.255 00:01:02:03:04:05
                    122: ---
                    123: Q: ./configure says I need libnet and/or libpcap
                    124: 
                    125: A: Arping depends on libnet 1.1.x and libpcap, get libnet at:
                    126:    http://www.packetfactory.net/libnet and libpcap from http://www.tcpdump.org.
                    127: 
                    128:    Lately www.packetfactory.net seems to be down, so you can get the original
                    129:    tarball from the Debian archives:
                    130:    http://ftp.debian.org/debian/pool/main/libn/libnet/libnet_1.1.4.orig.tar.gz
                    131:    If that exact file doesn't exist there probably is one with a higher
                    132:    version number.
                    133: 
                    134:    Or github.com:
                    135:    http://github.com/sam-github/libnet
                    136:    http://github.com/ThomasHabets/libnet
                    137: ---
                    138: Q: I get bus error on my non-x86 box
                    139: 
                    140: A: Damn, I thought I fixed those. Tell me how you got it and I'll try to fix
                    141:    it. Attaching config.log always helps.
                    142: ---
                    143: Q: I get "libnet_get_ipaddr(): no error" when I run arping with IP (src or dst)
                    144:    255.255.255.255.
                    145: 
                    146: A: Use the -b/-B switches. Libnet sucks (ha ha only serious) and returns -1 for
                    147:    error == int32 encoded 255.255.255.255.
                    148: ---
                    149: Q: I used to be able to use -S 255.255.255.255, now it fails. What's going on?
                    150: Q: Why can't I arping 255.255.255.255?
                    151: 
                     152: A: Argh! Why would you want to? Anyway, this one is due to libnet's resolving,
                    153:    and my unwillingness to reimplement it (in a portable manner, ugh).
                    154: 
                    155:    -S 255.255.255.255 can be replaced with -b, and pinging broadcast (why you
                    156:    would do that eludes me) -B.
                    157: 
                    158:    To be extra perverted, try:
                    159:    # ./arping -b -B
                    160:    (yes, I added -b and -B just so that version 1.0 should be complete)
                    161: ---
                    162: Q: 1.01 is out, didn't you just say 1.0 was supposed to be the last one?
                    163: 
                    164: A: Shut up.
                    165: ---
                    166: Q: The roundtrip times are off, sometimes by milliseconds!
                    167: 
                    168: A: I know.
                    169:    Short answer:
                    170:      'ping' does the same thing. (ping from iputils-ss010824 anyway)
                    171: 
                    172:    Long answer:
                    173:      I can't (portably anyway) do anything other than queue a packet
                    174:      to the network. That means I don't know exactly when it arrived. Also,
                    175:      I can't tell when a packet arrives on the wire, only when arping gets
                    176:      it from the kernel. Just make sure neither the network (whole segment
                    177:      if you are hubbed, just your NIC if you are switched) nor your box is
                    178:      loaded when you care about timing, and/or run arping with higher
                    179:      priority.
                    180: 
                    181:      # nice -n -15 arping foobar
                    182: 
                     183:      But if you find a way to get more exact timing portably (or just for one
                    184:      OS really), let me know.
                    185: ---
                    186: Q: Is it OK to make arping suid root?
                    187: 
                     188: A: Be my guest, but if you care about security *at all* you will have to restrict
                    189:    execution of arping to trusted users. I could remove "dangerous" features
                    190:    from the code when it's running suid, but I honestly don't want to. This is
                    191:    a network debugging tool, which generates low-level network packets that
                    192:    ordinary users have absolutely no business generating.
                    193: 
                    194:    If you are honestly debugging the network then I don't see why you aren't
                    195:    root already.
                    196: 
1.1.1.2   misho     197:    That being said, on Linux you can add the CAP_NET_RAW capability to arping
                    198:    limiting the damage if arping were to be compromised:
                    199:      sudo setcap cap_net_raw+ep  /usr/local/sbin/arping
1.1.1.3 ! misho     200:    This requires libnet 1.1.5 or higher, which does not explicitly check for
        !           201:    uid 0.
1.1.1.2   misho     202: 
1.1.1.3 ! misho     203:    For older versions of Libnet:
1.1.1.2   misho     204:      http://github.com/ThomasHabets/libnet/commit/aaa383b5c816107082508b7646929a9479b81645
1.1       misho     205: ---
                    206: Q: What's this -A switch all about, I don't understand it.
                    207: 
                    208: A: Normally arping packets are sent out to some kind of broadcast (MAC or IPv4
                    209:    broadcast) and hosts reply with source address == their address.
                    210: 
                     211:    If -A is given, only packets coming in with a *source* address equal
                     212:    to the *destination* address in the query are accepted.
                    213: 
                    214:    If you don't understand, don't worry. You won't need it. But for an
                    215:    example use, see the arping-scan-net.sh script.
                    216: ---
                    217: 
                    218: License
                    219: -------
                    220: It's GPLv2, see the LICENSE file.
                    221: 
                    222: Technical
                    223: ---------
                    224: Yes, I've finally bothered to write how it works.
                    225: tcpdumps were taken with "tcpdump -vven 'arp or icmp'".
                    226: 
                    227: The source box is 192.168.0.2/0:10:5a:3e:c5:b4 and the target box is
                    228: 192.168.0.1/0:60:93:34:91:99.
                    229: 
                    230: For pinging IP addresses:
                    231:  When a host wants to send an IP packet to another host, it sends out an ARP
                    232:  packet asking what MAC the destination IP address has, a so-called 'who-has'
                    233:  packet. This is then answered by another ARP packet, the 'is-at' packet.
                    234: 
                    235:  18:16:07.179699 0:10:5a:3e:c5:b4 ff:ff:ff:ff:ff:ff 0806 42:
                    236:                  arp who-has 192.168.0.1 tell 192.168.0.2
                    237: 
                    238:  This is the packet generated by arping.
                    239:  An Ethernet frame from my 3com card to the broadcast address carrying an arp
                    240:  packet asking what MAC 192.168.0.1 has (who-has).
                    241: 
                    242:  18:16:07.180221 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0806 60:
                    243:                  arp reply 192.168.0.1 is-at 0:60:93:34:91:99
                    244: 
                    245:  The answer, that 192.168.0.1 has MAC 0:60:93:34:91:99 (is-at).
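 An added example, not code from arping or this README: it builds the same 42-byte
 who-has frame shown in the dump above, decodes the is-at reply, and applies the
 filter the -A switch is described as doing (accept a reply only when its source IP
 is the IP that was queried). The helper names and the constructed frames are mine.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    # accepts tcpdump's unpadded form ("0:10:5a:3e:c5:b4") as well as "00:10:..."
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    # render like tcpdump -e does: hex octets without zero padding
    return ":".join("%x" % x for x in b)


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip):
    """Ethernet frame carrying an ARP packet (14 + 28 bytes = the 42 in the dump).
    A request goes to the broadcast MAC with an all-zero target MAC; a reply
    is unicast back to the asking host."""
    eth_dst = BROADCAST if op == ARP_REQUEST else dst_mac
    tha = b"\x00" * 6 if op == ARP_REQUEST else mac_bytes(dst_mac)
    eth = mac_bytes(eth_dst) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(src_mac) + IPv4Address(src_ip).packed
    arp += tha + IPv4Address(dst_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    (op,) = struct.unpack("!H", frame[20:22])
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": str(IPv4Address(frame[28:32])),
            "tha": mac_str(frame[32:38]), "tpa": str(IPv4Address(frame[38:42]))}


def describe(frame):
    """One-line summary in the style of the tcpdump output quoted in the README."""
    p = parse_arp(frame)
    if p is None:
        return "not arp"
    if p["op"] == ARP_REQUEST:
        return "arp who-has %s tell %s" % (p["tpa"], p["spa"])
    return "arp reply %s is-at %s" % (p["spa"], p["sha"])


def accept_reply(frame, queried_ip, strict=False):
    """Return (ip, mac) for an is-at reply, else None. With strict=True (the
    behaviour the README describes for -A) the reply's *source* IP must equal
    the IP that was asked about; otherwise any is-at reply is taken."""
    p = parse_arp(frame)
    if p is None or p["op"] != ARP_REPLY:
        return None
    if strict and p["spa"] != queried_ip:
        return None
    return p["spa"], p["sha"]
```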
                    246: 
                    247: For pinging MAC addresses:
                    248:  A broadcast ping (255.255.255.255, or any address supplied with -T, see below)
                    249:  is sent out on the Ethernet, but in an Ethernet frame addressed to the target
                    250:  MAC only.
                    251: 
                    252:  18:20:09.627321 0:10:5a:3e:c5:b4 0:60:93:34:91:99 0800 42:
                    253:                  192.168.0.2 > 255.255.255.255: icmp: echo request
                    254:                  (ttl 48, id 17767, len 28)
                    255: 
                    256:  This is the packet generated by arping.
                    257:  Ethernet frame from my 3com NIC to the destination MAC, carrying a broadcast
                    258:  ping.
                    259: 
                    260:  18:20:09.628432 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0800 60:
                    261:                  192.168.0.1 > 192.168.0.2: icmp: echo reply
                    262:                  (ttl 255, id 7593, len 28)
                    263: 
                    264:  The answer, including the source address of the target host. Note that this
                    265:  is not how every OS responds to a broadcast ping (if at all). Some answer with
                     266:  a source address equal to the broadcast address, and others don't answer at
                    267:  all.
                    268:  This is why pinging a raw MAC doesn't always work, and you may need to play
                    269:  with -T to get it to answer correctly (or at all). You can always brute-force
                    270:  if you can't even find a broadcast that the box will answer correctly to.
                    271:  -------
                     272:  for d in $(seq 0 255); do
                     273:      # exit status 0 means the box answered when pinged via this broadcast
                     274:      if sudo arping -q -c 1 -T 192.168.0.$d 0:60:93:34:91:99; then
                     275:        echo "Got answer with address: 192.168.0.$d"
                     276:      fi
                     277:  done
                    278:  --------
                    279:  Note that this script will take 1 second per IP since that is how long arping
                     280:  waits, so scanning a class C net will take 256 seconds. If you have a bigger
                    281:  net, then write a program that will run several arpings at the same time to
                    282:  go through more in less time, or check out arping-scan-net.sh, which is a
                    283:  more capable script for scanning, but you need to edit it since the address
                    284:  range it searches is hard-coded.
                    285:  I may add this to arping some day, but don't hold your breath.
                    286: 
1.1.1.2   misho     287: -----------------------------------------------------------------------
                    288: Send questions/suggestions/patches/rants/money/envy to thomas@habets.se
