• Stars
    star
    394
  • Rank 106,679 (Top 3 %)
  • Language
    C
  • License
    GNU General Publi...
  • Created over 15 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

ARP Ping
arping/README

 ARP Ping

    By Thomas Habets <[email protected]>

 http://www.habets.pp.se/synscan/
 http://github.com/ThomasHabets/arping
 git clone https://github.com/ThomasHabets/arping.git

Introduction
------------
Arping is a util to find out if a specific IP address on the LAN is 'taken'
and what MAC address owns it. Sure, you *could* just use 'ping' to find out if
it's taken and even if the computer blocks ping (and everything else) you still
get an entry in your ARP cache. But what if you aren't on a routable net? Or
the host blocks ping (all ICMP even)? Then you're screwed. Or you use arping.

Why it's not stupid
-------------------
Say you have a block of N real IANA-assigned IP-addresses. You want to debug
the net and you don't know which IP addresses are taken. You can't ping anyone
before you take the IP, and you can't pick an IP before you know which are
already taken. Catch 22. But with arping you can 'ping' the IP and if you get
no response, the IP is available.

Example uses
------------
If some box is dumping non-IP (like IPX) garbage and you don't know which box
it is, you can ping by MAC to get the IP and fix the problem.

If you are on someone else's net and want to 'borrow' a real IP address instead
of using one of those 10.x.x.x-addresses the DHCP hands out you probably want
to know which ones are taken, or people will get mad (a friend of mine got a
call on his cellphone about 15 seconds after he accidentally 'stole' an IP,
oops).

Compiling / installing
----------------------
See INSTALL file.

I try to test arping on these platforms before any release:
* Latest Debian stable x86 and amd64
* Linux (Debian or Ubuntu) on arm
* Latest OpenBSD x86 or amd64

Systems that it should still work on, but I don't personally regularly test:
* Debian Alpha
* FreeBSD
* IRIX 6.5 mips (last test 2009-09-27)
* MacOS X
* NetBSD
* OpenBSD sparc64 (last test: 2009-10-02)
* Solaris

Mailing list
------------
Check out http://www.habets.pp.se/synscan/mailinglists.php for information
on how to subscribe to help- and announce-lists.

How it does it
--------------
See 'Technical' at the bottom of this file.

FAQ
---
Q: Where is Arping 1.x? I use libnet 1.0.x so I need that!

A: Arping 1 has finally been removed from the Arping 2.x tarball in 2.09.
   Arping 1.x currently only lives in the Arping packages 2.08 and lower. If
   features are to be added or bugs fixed it will show up again as a separate
   package forked from Arping 2.08.

   For now just get arping-2.08.tar.gz and use that.
---
Q: Where's the Windows version? A compiled .exe would be nice.

A: I don't have a windows box, so the .exe I'm providing was NOT compiled
   by me. If something is strange about it tell me, but there won't be much
   I can do about it.
   That being said:
http://www.habets.pp.se/synscan/files/arping-for-windows-not-compiled-by-me.exe
---
Q: After compiling arping without any problem, i test it first with
   localhost... but it doesn't respond. Isn't that strange?

A: Not really, as you can see by typing 'ifconfig' the lo (local) interface
   does not have a MAC address. It's not a physical device! MAC addresses are
   there to differentiate computers on a shared medium (the aether, or ether)
   and since packets to localhost does not go over any wire there is no need
   to identify which box is talking to which. There is only one.
---
Q: Arping can't ping anything!

A: Check which interface is active with -v. If it's the wrong one, use -i
   to set it right.
---
Q: Arping finds some hosts, but not others. why?   BTW, I have several NICs.

A: You have to choose interface with the -i switch if the default is wrong for
   you.
---
Q: I tried to ping my own MAC address, but it doesn't work.

A: A sane OS will think it's suspicious if you send packets to yourself over
   the wire and will ignore them.

   And why would you want to lookup the IP or MAC of yourself? ifconfig
   can tell you that.
---
Q: I can't ping any/some MAC address on my LAN.

A: Arping when pinging a MAC relies on the host to answer a broadcast ping
   (icmp echo request) properly (IIRC: not the windows way). If you want a
   host to pop up on MAC ping, you have to config it to respond to broadcast
   pings.
   (for linux, make sure /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts is 0)
A: -T <IP/host> allows you to restrict the arping to a limited subnet, which
   may or may not work for you. For example if the box 00:01:02:03:04:05 is on
   192.168.0.0/24 then the broadcast probably is 192.168.0.255, so try:
   # arping -T 192.168.0.255 00:01:02:03:04:05
---
Q: ./configure says I need libnet and/or libpcap

A: Arping depends on libnet 1.1 or newer, and libpcap. Get libnet from
   https://github.com/libnet/libnet and libpcap from http://www.tcpdump.org.
   Or more likely they were both included in your Linux distribution.

   The original libnet site
   was http://packetfactory.openwall.net/projects/libnet/, but is not updated.
---
Q: I get bus error on my non-x86 box

A: Damn, I thought I fixed those. Tell me how you got it and I'll try to fix
   it. Attaching config.log always helps.
---
Q: I get "libnet_get_ipaddr(): no error" when I run arping with IP (src or dst)
   255.255.255.255.

A: Use the -b/-B switches. Libnet sucks (ha ha only serious) and returns -1 for
   error == int32 encoded 255.255.255.255.
---
Q: I used to be able to use -S 255.255.255.255, now it fails. What's going on?
Q: Why can't I arping 255.255.255.255?

A: Argh! Why would you want to? Anyway, this one is due to libnets resolving,
   and my unwillingness to reimplement it (in a portable manner, ugh).

   -S 255.255.255.255 can be replaced with -b, and pinging broadcast (why you
   would do that eludes me) -B.

   To be extra perverted, try:
   # ./arping -b -B
   (yes, I added -b and -B just so that version 1.0 should be complete)
---
Q: 1.01 is out, didn't you just say 1.0 was supposed to be the last one?

A: Shut up.
---
Q: The roundtrip times are off, sometimes by milliseconds!

A: I know.
   Short answer:
     'ping' does the same thing. (ping from iputils-ss010824 anyway)

   Long answer:
     I can't (portably anyway) do anything other than queue a packet
     to the network. That means I don't know exactly when it arrived. Also,
     I can't tell when a packet arrives on the wire, only when arping gets
     it from the kernel. Just make sure neither the network (whole segment
     if you are hubbed, just your NIC if you are switched) nor your box is
     loaded when you care about timing, and/or run arping with higher
     priority.

     # nice -n -15 arping foobar

     But if you find way to get more exact timing portably (or just for one
     OS really), let me know.
---
Q: Is it OK to make arping suid root?

A: Be my guest, but if care about security *at all* you will have to restrict
   execution of arping to trusted users. I could remove "dangerous" features
   from the code when it's running suid, but I honestly don't want to. This is
   a network debugging tool, which generates low-level network packets that
   ordinary users have absolutely no business generating.

   If you are honestly debugging the network then I don't see why you aren't
   root already.

   That being said, on Linux you can add the CAP_NET_RAW capability to arping
   limiting the damage if arping were to be compromised:
     sudo setcap cap_net_raw+ep  /usr/local/sbin/arping
   This requires a libnet 1.1.5 or higher, which does not explicitly check for
   uid 0.

   For older versions of Libnet:
     http://github.com/ThomasHabets/libnet/commit/aaa383b5c816107082508b7646929a9479b81645
---
Q: What's this -A switch all about, I don't understand it.

A: Normally arping packets are sent out to some kind of broadcast (MAC or IPv4
   broadcast) and hosts reply with source address == their address.

   If -A is given, only packets coming in with a *source* address equal
   to the *destination* address in the query is accepted.

   If you don't understand, don't worry. You won't need it. But for an
   example use, see the arping-scan-net.sh script.
---

License
-------
It's GPLv2, see the LICENSE file.

Technical
---------
Yes, I've finally bothered to write how it works.
tcpdumps were taken with "tcpdump -vven 'arp or icmp'".

The source box is 192.168.0.2/0:10:5a:3e:c5:b4 and the target box is
192.168.0.1/0:60:93:34:91:99.

For pinging IP addresses:
 When a host wants to send an IP packet to another host, it sends out an ARP
 packet asking what MAC the destination IP address has, a so-called 'who-has'
 packet. This is then answered by another ARP packet, the 'is-at' packet.

 18:16:07.179699 0:10:5a:3e:c5:b4 ff:ff:ff:ff:ff:ff 0806 42:
                 arp who-has 192.168.0.1 tell 192.168.0.2

 This is the packet generated by arping.
 An Ethernet frame from my 3com card to the broadcast address carrying an arp
 packet asking what MAC 192.168.0.1 has (who-has).

 18:16:07.180221 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0806 60:
                 arp reply 192.168.0.1 is-at 0:60:93:34:91:99

 The answer, that 192.168.0.1 has MAC 0:60:93:34:91:99 (is-at).

For pinging MAC addresses:
 A broadcast ping (255.255.255.255, or any address supplied with -T, see below)
 is sent out on the Ethernet, but in an Ethernet frame addressed to the target
 MAC only.

 18:20:09.627321 0:10:5a:3e:c5:b4 0:60:93:34:91:99 0800 42:
                 192.168.0.2 > 255.255.255.255: icmp: echo request
                 (ttl 48, id 17767, len 28)

 This is the packet generated by arping.
 Ethernet frame from my 3com NIC to the destination MAC, carrying a broadcast
 ping.

 18:20:09.628432 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0800 60:
                 192.168.0.1 > 192.168.0.2: icmp: echo reply
                 (ttl 255, id 7593, len 28)

 The answer, including the source address of the target host. Note that this
 is not how every OS responds to a broadcast ping (if at all). Some answer with
 a source address equal to the broadcast address, and others don't' answer at
 all.
 This is why pinging a raw MAC doesn't always work, and you may need to play
 with -T to get it to answer correctly (or at all). You can always brute-force
 if you can't even find a broadcast that the box will answer correctly to.
 -------
 for d in $(seq 0 255); do
     sudo arping -q -c 1 -T $a.$b.$c.$d 0:60:93:34:91:99
     if [ $? = 0 ]; then
       echo "Got answer with address: 192.168.0.$d"
     fi
 done
 --------
 Note that this script will take 1 second per IP since that is how long arping
 waits, so scanning a C-class net will take 256 seconds. If you have a bigger
 net, then write a program that will run several arpings at the same time to
 go through more in less time, or check out arping-scan-net.sh, which is a
 more capable script for scanning, but you need to edit it since the address
 range it searches is hard-coded.
 I may add this to arping some day, but don't hold your breath.

-----------------------------------------------------------------------
Send questions/suggestions/patches/rants/money/envy to [email protected]

More Repositories

1

simple-tpm-pk11

Simple PKCS11 provider for TPM chips
C++
249
star
2

cmdg

Command line Gmail client
Go
184
star
3

injcode

Inject code into a running process
C++
113
star
4

ssh-scripts

Some SSH-related scripts
Python
105
star
5

monotonic_clock

Portable C library for getting monotonic time
C
70
star
6

xor-analyze

Program for cryptanalyzing xor "encryption" with variable key length
C
42
star
7

ax25ms

This project is a set of AX.25 microservices, to be pluggable for any implementation.
C++
31
star
8

tlssh

TLS Shell
C++
25
star
9

eggpd

Erlang BGP daemon
Erlang
25
star
10

sshproxy

SSH Proxy / Load balancer
Go
22
star
11

bthelper

Bluetooth helper tools for setting up serial ports for e.g. SSH
C++
22
star
12

openssl-tpm-engine

TPM engine module for OpenSSL (this is not upstream)
Shell
20
star
13

radiostuff

My collection of gnuradio stuff
Python
20
star
14

rslurp

slurp down a whole HTTP directory, with parallel goodness
Go
19
star
15

sim

Multi Party Authorization version of sudo/doas
C++
16
star
16

gtping

GTP Ping
C
16
star
17

weberl

Like web.py, but for Erlang
Erlang
11
star
18

ind

Indent output from subprocess
C
11
star
19

clipsniff

Sniff the clipboard of a Unix X server.
C++
10
star
20

goircd

Minimalistic simple Internet Relay Chat (IRC) server
Go
10
star
21

pipebench

Measures the speed of stdin/stdout communication. I would actually recommend 'pv' over this program. I put it on github in order to collect everything in one place.
C
9
star
22

dejitun

De-jitter tunnel
C++
8
star
23

yhsmpam

YubiHSM PAM module backend
Python
8
star
24

hamtransfer

Tool for transferring files over amateur radio using modern techniques
Rust
7
star
25

goodpipe

Rust
7
star
26

qpov

Tool for converting Quake demo files to POV-Ray
Go
6
star
27

dotfiles

My dotfiles
C++
6
star
28

tlscheck

Quickly check TLS certificates of frontends and backends
Go
6
star
29

libopenpty

openpty() for platforms that don't have it
C
6
star
30

diamond_linking_example

Example of a diamond linking thingy with version problems. See http://blog.habets.pp.se/2012/05/Shared-libraries-diamond-problem
C
6
star
31

multitraceroute

Fast traceroute that does TCP, UDP and ICMP traceroute in parallel and shows the results in one big table.
Python
5
star
32

tcpstats

Collect stats on TCP connections on close()
Python
5
star
33

wifispace

GNURadio program for measuring how busy wifi channels are
C++
5
star
34

lightwave

Like google wave, but much dumber and written in erlang
Erlang
5
star
35

zipbrute

Old project for brute forcing zip file passwords I found in an old backup from 2001.
C
4
star
36

tarweb

Serve a static website from a tar file
C++
4
star
37

hamwebby

Web interface for remote rig control of ham radios
JavaScript
4
star
38

opwgen

Generate passwords like OPIE generates OTPs: readably
C
4
star
39

fluxbox

Fluxbox window manager
4
star
40

netmap

Make and organize network maps from data directly out of your routers
Go
4
star
41

gopload

Self-contained simple HTTP upload handler using websockets to show progress
Go
4
star
42

openvpn

OpenVPN, with SSL Engine (TPM) support
C
3
star
43

cert-sig-pin

Extract a certificate signature suitable for Chrome public key pinning.
Go
3
star
44

pam_externalpass

Spawn external program from PAM to do authentication
Shell
3
star
45

yurate

Curate Youtube videos so that you don't miss any subscribed content.
JavaScript
3
star
46

temp-to-cloud

Upload temperature measurements to Stackdriver
Go
3
star
47

go-uuid

Local mirror of deleted codesite project
Python
2
star
48

firewalls-at-the-source

Go
2
star
49

x11type

Simulate keypresses in X
Shell
2
star
50

travelling-amateur

Tool for finding rules for operating amateur radio while visiting another country.
JavaScript
2
star
51

autoscan

Web and LCD/button UI for scanning from a USB scanner directly into Google Drive
Go
2
star
52

udportknock

UDP portknock script
Shell
2
star
53

pgsql

Postgresql useful commands, to be run with psql [databasename] -f <filename>
2
star
54

brain

My brain
POV-Ray SDL
2
star
55

ychares

Yubikey challenge-response script
Python
2
star
56

netcat

netcat-openbsd with fixed TCP_MD5SIG for Linux
C
2
star
57

yoracle

Yubikey oracle
Python
2
star
58

3ggraph

Graph live information from a 3G dongle
Python
2
star
59

rustradio

Like GNURadio, but in Rust
Rust
2
star
60

irssi

irssi with TPM support
C
2
star
61

kybertest

CLI to encrypt files using quantum-resistant cryptography
C++
2
star
62

livecount

A widget for a web page (e.g. a blog post) that shows how many people (browsers) currently have the page open
Rust
2
star
63

airthingy

Tools for airthings API and bluetooth
Go
2
star
64

roodit

My reddit scripts
Python
2
star
65

drive-du

Cmdline and cloud tool for listing folder sizes in Google Drive
Go
2
star
66

mdsort

Maildir sorter
Python
1
star
67

closite

Redirect user to the closest site using javascript
JavaScript
1
star
68

smoog

My smugmug scripts
Python
1
star
69

openvpn-debian

OpenVPN, with SSL Engine (TPM) support
C
1
star
70

ndping

Like ARPing, but for IPv6
1
star
71

profy

Always-on VPN client scripts intended for Raspberry Pi or other small computers
Shell
1
star
72

libdropprivs

Example code (will be library) for dropping privileges
C
1
star
73

gr-habets38

My gnuradio components for gnuradio 3.8+
C++
1
star
74

doublecross-cpp

Experiments in making C++11 versions of things that exist in other languages. Such as the Maybe Monad from Haskell.
C++
1
star
75

tleservice

TLEService is a microservice for calculating satellite orbits.
Go
1
star
76

flight-radiation

Radiation data from a recent flight between LHR and SFO
Shell
1
star
77

sparslog

My implementation of an IKEA sparsnΓ€s SDR receiver
Rust
1
star
78

keffos

Silly OS I wrote as a teenager
C
1
star