Exercising the "arp" and "arping" commands

 

arp is a protocol. Its operation is usually implicit in other network activities and transparent to users. Among other things, the arp protocol maintains a table of IP-to-ethernet address mappings derived from its operation. There is a related command that is also named arp. Its focus is the table: it is the tool for maintaining the arp table manually. Another command of interest is arping, which explicitly triggers the arp protocol into action, emitting arp packets.


The assignment for you to perform

Use the arp command to do some of its tricks.

Show the table

To print the arp table:

arp  -n

The table might be empty, especially if you just started your machine or haven't been using it for a little while.

Populate the table

It gets populated with machines' address pairs in the course of machine interaction. So populating the table calls for a little interaction. Pinging nearby machines will do. But you can't ping a machine if you don't already know its address. The nmap utility could automatically ping the entire range of addresses in your subnet for you. But you can't nmap if you don't already know your subnet. A subnet is defined by 1) its own address, called a network address, plus 2) a netmask. Find out:

ifconfig  eth0  |  grep  "inet addr"

The netmask value shown half-identifies your subnet. Convert it from a dotted quad (e.g., 255.255.255.0) into a corresponding CIDR bit count (e.g., 24) using the rules of CIDR. To fully identify your subnet, it remains to determine its network address. Note the IP address for your machine, which was also shown. Determine your subnet's network address:

ipcalc  -n  <your machine's IP address>  <the netmask>
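The same two calculations done by hand in shell arithmetic, as an added example that is not part of the original assignment. The function names and the sample address 192.168.5.77 with netmask 255.255.254.0 are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the CIDR bit count and the network address from an
# IP address and a dotted-quad netmask (sample values are constructed).

# mask_to_cidr 255.255.254.0  prints 23
# Returns 1 if the mask is not a contiguous run of 1 bits followed by 0 bits.
mask_to_cidr() {
    bits=0 seen_short=0
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;;
            240) n=4 ;; 224) n=3 ;; 192) n=2 ;; 128) n=1 ;;
            0)   n=0 ;;
            *)   return 1 ;;      # e.g. 253 has a 0 bit between 1 bits
        esac
        # after the first octet that is not 255, every later octet must be 0
        if [ "$seen_short" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
        if [ "$n" -lt 8 ]; then seen_short=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# network_address 192.168.5.77 255.255.254.0  prints 192.168.4.0
# Each octet of the address is ANDed with the matching octet of the mask.
network_address() {
    old_ifs=$IFS; IFS=.; set -- $1 $2; IFS=$old_ifs
    [ $# -eq 8 ] || return 1
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# subnet_spec <ip> <netmask> prints "<network address>/<CIDR bit count>",
# the form of the argument nmap expects for a whole subnet.
subnet_spec() {
    cidr=$(mask_to_cidr "$2") || return 1
    net=$(network_address "$1" "$2") || return 1
    echo "$net/$cidr"
}

subnet_spec 192.168.5.77 255.255.254.0
```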

Now have nmap ping all the other machines on your subnet (by trying all the addresses in the subnet):

nmap  -sP  -n  --send-ip  <subnet network address>/<CIDR bit count>

When this is done, again view the arp table. It should contain some fresh, further entries:

arp  -n

Delete a table entry

Now that the table has entries, choose one to manually delete. Note its IP address. Delete it:

arp  -d  <IP address>

Re-examine the arp table:

arp  -n

If you don't delete an entry manually (you hardly ever do), it will disappear after a certain timeout period.

Making an entry persistent

If you don't want an entry to disappear, you can immunize it against timeout. Note the matched IP and ethernet hardware addresses of one of the computers on your subnet. Enter that mapping into the table persistently:

arp  -s  <IP address>  <ethernet address>

Re-examine the arp table:

arp  -n

Note the "M" flag. The entry will not time out.

Implicit vs. explicit arp protocol activity

arp packets are usually issued by the network stack during operations, when needed. They can also be issued by explicit use of the arping command. Identify the IP address of a computer on your subnet. Check your arp table and if that computer appears, delete it. Now, in one virtual terminal or terminal window run tcpdump or wireshark, and in the other:

ping  -c 1  <IP address>

Note the arp activity in the dump. Did you ask for it? Why was it performed? Now again, for the arp table entry of the target computer, delete it. In one virtual terminal or terminal window run tcpdump or wireshark, and in the other:

arping  -c 1  <IP address>

Note the arp activity in the dump. Why was it performed?

Avoiding duplicate IPs

The -D option of arping is billed as the "duplicate address detection"  option. Determine an IP within your subnet not in actual use by any computer. In one virtual terminal or terminal window run tcpdump or wireshark, and in the other:

arping  -D  -I eth0  -c 2  <unused IP address>

How many arp replies were received? Check the exit status:

echo  $?

Choose an IP within your subnet that one of the computers is using. In one virtual terminal or terminal window run tcpdump or wireshark, and in the other:

arping  -D  -I eth0  -c 2  <in-use IP address>

How many arp replies were received? Check the exit status:

echo  $?

Arrange with fellow students to give the same IP address within your subnet to both their computers.

In one virtual terminal or terminal window run tcpdump or wireshark, and in the other:

arping  -D  -I eth0  -c 2  <twice-used IP address>

How many arp replies were received? Check the exit status:

echo $?

Read the documentation in the arping man page about its -D option. The exit statuses do not distinguish between single-use and double-use of an IP on your subnet. For that reason I'm not comfortable with the designation "duplicate IP detection." The exit statuses do distinguish between use and non-use of an IP on your subnet. Therefore, in scripts that self-assign an IP this command allows you to avoid producing a duplicate situation by letting you know if the address you propose to give yourself is already somebody else's. I would call the feature "IP usage detection," or possibly "IP duplication avoidance," to accord with what it does.
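A sketch of such a self-assigning script's address check, as an added example that is not part of the original assignment. It assumes the iputils arping, whose -D mode exits 0 when no reply was received and 1 when one was. ARPING_CMD, IFACE, probe_ip and first_free_ip are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: choose the first candidate address that no machine answers
# for, using the exit status of "arping -D".
# Assumption: iputils arping (exit 0 = no reply, 1 = reply seen, other = error).
ARPING_CMD=${ARPING_CMD:-arping}   # hypothetical override, useful for testing
IFACE=${IFACE:-eth0}               # interface name as used in the assignment

# probe_ip <ip>: prints "free", "in-use" or "error".
probe_ip() {
    status=0
    "$ARPING_CMD" -D -I "$IFACE" -c 2 "$1" >/dev/null 2>&1 || status=$?
    case $status in
        0) echo free ;;      # nobody replied: address is not in use
        1) echo in-use ;;    # one or more replies: one owner or several
        *) echo error ;;     # missing tool, no privilege, bad interface...
    esac
}

# first_free_ip <ip>...: prints the first candidate that probes as free.
# A candidate whose probe ends in "error" is skipped, never assumed free,
# so a broken probe cannot lead to a duplicate address.
first_free_ip() {
    for candidate in "$@"; do
        if [ "$(probe_ip "$candidate")" = free ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage (candidate addresses are constructed):
#   ip=$(first_free_ip 192.168.5.200 192.168.5.201) && echo "would assign $ip"
```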

IP spoofing

arping can compose and send an arp request that presents the machine as having an arbitrary (e.g., false) IP address. To allow that in the kernel:

echo  1  >  /proc/sys/net/ipv4/ip_nonlocal_bind

then choose both an IP address within your subnet that is not in actual use by any computer, and one that some other computer uses, and while running tcpdump or wireshark in another terminal:

arping  -c 1  -U  -s <unused IP>  -I eth0  <in-use IP>

Observe the outgoing arp request, and in particular the value in its sender IP field. With cooperation from your fellow student(s), print the arp table on the target machine to which you sent the arp request. Locate your "in-use IP" in that table and note the ethernet address that goes with it. Where/who does that ethernet address come from?