arping/README
ARP Ping
By Thomas Habets <thomas@habets.se>
http://www.habets.pp.se/synscan/ http://github.com/ThomasHabets/arping git clone https://github.com/ThomasHabets/arping.git
Arping is a util to find out if a specific IP address on the LAN is 'taken' and what MAC address owns it. Sure, you could just use 'ping' to find out if it's taken and even if the computer blocks ping (and everything else) you still get an entry in your ARP cache. But what if you aren't on a routable net? Or the host blocks ping (all ICMP even)? Then you're screwed. Or you use arping.
Say you have a block of N real IANA-assigned IP-addresses. You want to debug the net and you don't know which IP addresses are taken. You can't ping anyone before you take the IP, and you can't pick an IP before you know which are already taken. Catch 22. But with arping you can 'ping' the IP and if you get no response, the IP is available.
If some box is dumping non-IP (like IPX) garbage and you don't know which box it is, you can ping by MAC to get the IP and fix the problem.
If you are on someone else's net and want to 'borrow' a real IP address instead of using one of those 10.x.x.x-addresses the DHCP hands out you probably want to know which ones are taken, or people will get mad (a friend of mine got a call on his cellphone about 15 seconds after he accidentally 'stole' an IP, oops).
See INSTALL file.
I try to test arping on these platforms before any release:
Systems that it should still work on, but I don't personally regularly test:
Please run make check
and sudo ./tests/run
before creating a PR.
Check out http://www.habets.pp.se/synscan/mailinglists.php for information on how to subscribe to help- and announce-lists.
See 'Technical' at the bottom of this file.
Q: Where is Arping 1.x? I use libnet 1.0.x so I need that!
A: Arping 1 has finally been removed from the Arping 2.x tarball in 2.09. Arping 1.x currently only lives in the Arping packages 2.08 and lower. If features are to be added or bugs fixed it will show up again as a separate package forked from Arping 2.08.
Q: Where's the Windows version? A compiled .exe would be nice.
Q: After compiling arping without any problem, i test it first with localhost... but it doesn't respond. Isn't that strange?
Q: Arping can't ping anything!
Q: Arping finds some hosts, but not others. why? BTW, I have several NICs.
Q: I tried to ping my own MAC address, but it doesn't work.
A: A sane OS will think it's suspicious if you send packets to yourself over the wire and will ignore them.
Q: I can't ping any/some MAC address on my LAN.
A: Arping when pinging a MAC relies on the host to answer a broadcast ping (icmp echo request) properly (IIRC: not the windows way). If you want a host to pop up on MAC ping, you have to config it to respond to broadcast pings. (for linux, make sure /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts is 0) A: -T <IP/host> allows you to restrict the arping to a limited subnet, which may or may not work for you. For example if the box 00:01:02:03:04:05 is on 192.168.0.0/24 then the broadcast probably is 192.168.0.255, so try:
Q: ./configure says I need libnet and/or libpcap
A: Arping depends on libnet 1.1 or newer, and libpcap. Get libnet from https://github.com/libnet/libnet and libpcap from http://www.tcpdump.org. Or more likely they were both included in your Linux distribution.
Q: I get bus error on my non-x86 box
Q: I get "libnet_get_ipaddr(): no error" when I run arping with IP (src or dst) 255.255.255.255.
Q: I used to be able to use -S 255.255.255.255, now it fails. What's going on? Q: Why can't I arping 255.255.255.255?
A: Argh! Why would you want to? Anyway, this one is due to libnets resolving, and my unwillingness to reimplement it (in a portable manner, ugh).
-S 255.255.255.255 can be replaced with -b, and pinging broadcast (why you would do that eludes me) -B.
To be extra perverted, try:
Q: 1.01 is out, didn't you just say 1.0 was supposed to be the last one?
Q: The roundtrip times are off, sometimes by milliseconds!
A: I know. Short answer: 'ping' does the same thing. (ping from iputils-ss010824 anyway)
Long answer: I can't (portably anyway) do anything other than queue a packet to the network. That means I don't know exactly when it arrived. Also, I can't tell when a packet arrives on the wire, only when arping gets it from the kernel. Just make sure neither the network (whole segment if you are hubbed, just your NIC if you are switched) nor your box is loaded when you care about timing, and/or run arping with higher priority.
# nice -n -15 arping foobar
But if you find way to get more exact timing portably (or just for one
OS really), let me know.
Q: Is it OK to make arping suid root?
A: Be my guest, but if care about security at all you will have to restrict execution of arping to trusted users. I could remove "dangerous" features from the code when it's running suid, but I honestly don't want to. This is a network debugging tool, which generates low-level network packets that ordinary users have absolutely no business generating.
If you are honestly debugging the network then I don't see why you aren't root already.
That being said, on Linux you can add the CAP_NET_RAW capability to arping limiting the damage if arping were to be compromised: sudo setcap cap_net_raw+ep /usr/local/sbin/arping This requires a libnet 1.1.5 or higher, which does not explicitly check for uid 0.
Q: What's this -A switch all about, I don't understand it.
A: Normally arping packets are sent out to some kind of broadcast (MAC or IPv4 broadcast) and hosts reply with source address == their address.
If -A is given, only packets coming in with a source address equal to the destination address in the query is accepted.
It's GPLv2, see the LICENSE file.
Yes, I've finally bothered to write how it works. tcpdumps were taken with "tcpdump -vven 'arp or icmp'".
The source box is 192.168.0.2/0:10:5a:3e:c5:b4 and the target box is 192.168.0.1/0:60:93:34:91:99.
For pinging IP addresses: When a host wants to send an IP packet to another host, it sends out an ARP packet asking what MAC the destination IP address has, a so-called 'who-has' packet. This is then answered by another ARP packet, the 'is-at' packet.
18:16:07.179699 0:10:5a:3e:c5:b4 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.0.1 tell 192.168.0.2
This is the packet generated by arping. An Ethernet frame from my 3com card to the broadcast address carrying an arp packet asking what MAC 192.168.0.1 has (who-has).
18:16:07.180221 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0806 60: arp reply 192.168.0.1 is-at 0:60:93:34:91:99
The answer, that 192.168.0.1 has MAC 0:60:93:34:91:99 (is-at).
For pinging MAC addresses: A broadcast ping (255.255.255.255, or any address supplied with -T, see below) is sent out on the Ethernet, but in an Ethernet frame addressed to the target MAC only.
18:20:09.627321 0:10:5a:3e:c5:b4 0:60:93:34:91:99 0800 42: 192.168.0.2 > 255.255.255.255: icmp: echo request (ttl 48, id 17767, len 28)
This is the packet generated by arping. Ethernet frame from my 3com NIC to the destination MAC, carrying a broadcast ping.
18:20:09.628432 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0800 60: 192.168.0.1 > 192.168.0.2: icmp: echo reply (ttl 255, id 7593, len 28)
Note that this script will take 1 second per IP since that is how long arping waits, so scanning a C-class net will take 256 seconds. If you have a bigger net, then write a program that will run several arpings at the same time to go through more in less time, or check out arping-scan-net.sh, which is a more capable script for scanning, but you need to edit it since the address range it searches is hard-coded. I may add this to arping some day, but don't hold your breath.
Send questions/suggestions/patches/rants/money/envy to thomas@habets.se