Closed san3Xian closed 2 years ago
I looked at the package data again and I guess the problem is caused by the broadcast address in the target mac address of the arp response packet ? or may be the filter is something wrong, so use "vlan xxx and arp" some time will get not packages https://github.com/ThomasHabets/arping/blob/5efae73f90d79da6723b1f364b4bdee8b121bbe9/src/arping.c#L2279-L2290
[root@test-node:/root/sanXian/arping]
# tcpdump -i eth1 -ennvv arp and vlan 217 and host 10.10.217.1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@test-node:/root/sanXian/arping]
# tcpdump -i eth1 -ennvv arp and host 10.10.217.1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
01:57:29.663125 e4:3e:c6:45:4f:e8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 217, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.10.217.1 is-at e4:3e:c6:45:4f:e8, length 46
01:57:32.674465 e4:3e:c6:45:4f:e8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 217, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.10.217.1 is-at e4:3e:c6:45:4f:e8, length 46
01:57:34.736623 e4:3e:c6:45:4f:e8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 217, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.10.217.1 is-at e4:3e:c6:45:4f:e8, length 46
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Thanks for detailed debug info.
It's odd that the reply is to broadcast, but that should not be it. The output with -vvvvv
for a successful reception should be:
arping: received response for IP ping
arping: ... packet is ARP reply
arping: ... from IPv4 address
arping: ... to Ethernet address
arping: ... sent by acceptable host
arping: ... destination is the source we used
arping: ... for the right IPv4 address!
Either the packet is not getting through the BPF filter, like you said, or it's not identified as an ARP reply, which is odd.
Could you try recompiling with the pcap_compile
lines commented out? (there are two, one for pinging IPs (like you are), and the other for pinging hardware addresses)
I have change the filter rules to
if (vlan_tag >= 0) {
snprintf(bpf_filter, sizeof(bpf_filter),
- "vlan %u and arp", vlan_tag);
+ "arp");
https://github.com/ThomasHabets/arping/blob/5efae73f90d79da6723b1f364b4bdee8b121bbe9/src/arping.c#L2283 recompile and I can get the correct result
[root@test-vm:/root/sanXian/arping-origin]
# ./src/arping -i eth1 -V 217 -0 10.10.217.1 -p -vvvv -c 3
arping: trying libnet_init(LIBNET_LINK, eth1)
arping: clock_getres() = 0s 1ns
arping: trying libnet_init(LIBNET_LINK, eth1)
arping: libnet_getfd(): 3
arping: trying libnet_init(LIBNET_LINK, eth1)
Timestamp types:
Name Description
host Host
adapter Adapter
adapter_unsynced Adapter, not synced with system time
arping: Successfully chrooted to /var/empty/sshd
arping: Successfully dropped uid/gid to 99/99.
arping: pcap_get_selectable_fd(): 4
This box: Interface: eth1 IP: 255.255.255.255 MAC address: c8:1f:66:ed:74:bd
ARPING 10.10.217.1
arping: sending packet at time 1769541.774481800
arping: receiving packets...
arping: listen for replies for 0.999999734 sec
arping: received response for IP ping
arping: ... get a packet, pkt_srcmac is e4:3e:c6:45:4f:e8
arping: ... packet is ARP reply
arping: ... from IPv4 address
arping: ... to Ethernet address
arping: ... sent by acceptable host
arping: ... destination is the source we used
arping: ... for the right IPv4 address!
64 bytes from e4:3e:c6:45:4f:e8 (10.10.217.1): index=0 time=114.667 msec
arping: listen for replies for 0.885256695 sec
arping: sending packet at time 1769542.775495917
arping: receiving packets...
arping: listen for replies for 0.999998973 sec
arping: received response for IP ping
arping: ... get a packet, pkt_srcmac is e4:3e:c6:45:4f:e8
arping: ... packet is ARP reply
arping: ... from IPv4 address
arping: ... to Ethernet address
arping: ... sent by acceptable host
arping: ... destination is the source we used
arping: ... for the right IPv4 address!
64 bytes from e4:3e:c6:45:4f:e8 (10.10.217.1): index=1 time=44.578 msec
arping: listen for replies for 0.955334550 sec
arping: sending packet at time 1769543.776066933
arping: receiving packets...
arping: listen for replies for 0.999999007 sec
arping: received response for IP ping
arping: ... get a packet, pkt_srcmac is e4:3e:c6:45:4f:e8
arping: ... packet is ARP reply
arping: ... from IPv4 address
arping: ... to Ethernet address
arping: ... sent by acceptable host
arping: ... destination is the source we used
arping: ... for the right IPv4 address!
64 bytes from e4:3e:c6:45:4f:e8 (10.10.217.1): index=2 time=79.394 msec
arping: listen for replies for 0.920540912 sec
--- 10.10.217.1 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 44.578/79.546/114.667/28.614 ms
[root@test-vm:/root/sanXian/arping-origin]
# git diff
diff --git a/src/arping.c b/src/arping.c
index 97baca7..ea4ac57 100644
--- a/src/arping.c
+++ b/src/arping.c
@@ -1349,8 +1349,16 @@ pingip_recv(const char *unused, struct pcap_pkthdr *h, const char * const packet
}
}
+ if (verbose > 3) {
+ char pkt_mac_buf[128];
+ printf("arping: ... get a packet, pkt_srcmac is %s\n", format_mac(pkt_srcmac, pkt_mac_buf, sizeof(pkt_mac_buf)));
+ }
+
// ARP reply.
if (htons(harp->ar_op) != ARPOP_REPLY) {
+ if (verbose > 3) {
+ printf("arping: ... not a arp reply packet\n");
+ }
return;
}
if (verbose > 3) {
@@ -2280,7 +2288,7 @@ arping_main(int argc, char **argv)
/* FIXME: better filter with addresses? */
if (vlan_tag >= 0) {
snprintf(bpf_filter, sizeof(bpf_filter),
- "vlan %u and arp", vlan_tag);
+ "arp");
} else {
snprintf(bpf_filter, sizeof(bpf_filter), "arp");
}
[root@test-vm:/root/sanXian/arping-origin]
#
Btw, I looked at the package data found that the the priority value of 802.1q layer is 6 (means Internetwork Control
in Wireshark), not clear if there is a relationship
I would hope that's not a problem. That would mean that bpf doesn't bitwise and
out the non-VLAN-ID parts of the 16 bits that contain both priority and vlan id.
If you tcpdump with filter vlan 217 and arp
on that interface, do you see the traffic? tcpdump should work the same as arping in this regard.
Looks like a bug in libpcap, indeed.
Presumably your libpcap is older than the fix they have there?
That said, arping should work around that, so I'm keeping this bug open for that.
I've added a workaround now, as well as some extra checking. I'll done some more testing, but if you could test it in your environment I would appreciate it.
arping is displaying Timeout on CentOS-7.6.1810, but I can see the arp reply packages (gratuitous) in tcpdump.
Running tcpdump gives the following results
Also here are the current kernel parameters, which may help