author: Thomas Habets <thomas@habets.pp.se> 2002-02-12 18:17:47 +0000
committer: Thomas Habets <thomas@habets.pp.se> 2002-02-12 18:17:47 +0000
commit: f8a6dea1299abf311d9b81434329aec262c53772
tree: 86538fc37dfac1f49f31eb9e37c481d21bd7bf37 /README
parent: 7e52cfc61f4980826aa2ba58888a7f0c5cfdb00b
download: arping-f8a6dea1299abf311d9b81434329aec262c53772.tar.gz
doc updates and arping-scan-net.sh
Diffstat (limited to 'README')
-rw-r--r--  README  71
1 files changed, 69 insertions, 2 deletions
diff --git a/README b/README
index c0587f9..40701cf 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-$Id: README 533 2002-01-20 23:14:08Z marvin $
+$Id: README 546 2002-02-12 18:17:47Z marvin $
ARP Ping
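Review bot: the only change in this hunk is the expanded $Id keyword moving from revision 533 to 546, which has no relation to the documentation change itself and means every commit that touches README will show a spurious first-line diff. If the keyword is not actually used, drop the line; otherwise keep it as the unexpanded `$Id$` so it does not churn with each edit.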
@@ -42,7 +42,7 @@ it belongs.
How it does it
--------------
-Bah, just read the source. Or the help text.
+See 'Technical' at the bottom of this file.
FAQ
---
@@ -184,5 +184,72 @@ License
-------
It's GPL, see the LICENSE file.
+Technical
+---------
+Yes, I've finally bothered to write how it works.
+tcpdumps were taken with "tcpdump -vven 'arp or icmp'".
+
+The source box is 192.168.0.2/0:10:5a:3e:c5:b4 and the target box is
+192.168.0.1/0:60:93:34:91:99.
+
+For pinging IP addresses:
+ When a host wants to send an IP packet to another host, it sends out an ARP
+ packet asking what MAC the destination IP addr has, a so-called 'who-has'
+ packet. This is then answered by another ARP packet, the 'is-at' packet.
+
+ 18:16:07.179699 0:10:5a:3e:c5:b4 ff:ff:ff:ff:ff:ff 0806 42:
+ arp who-has 192.168.0.1 tell 192.168.0.2
+
+ This is the packet generated by arping.
+ An ethernet frame from my 3com card to the broadcast address carrying an arp
+ packet asking what MAC 192.168.0.1 has (who-has).
+
+ 18:16:07.180221 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0806 60:
+ arp reply 192.168.0.1 is-at 0:60:93:34:91:99
+
+ The answer, that 192.168.0.1 has MAC 0:60:93:34:91:99 (is-at).
+
+For pinging MAC addresses:
+ A broadcast ping (255.255.255.255, or any address supplied with -T, see below)
+ is sent out on the ethernet, but in an ethernet frame addressed to the target
+ MAC only.
+
+ 18:20:09.627321 0:10:5a:3e:c5:b4 0:60:93:34:91:99 0800 42:
+ 192.168.0.2 > 255.255.255.255: icmp: echo request
+ (ttl 48, id 17767, len 28)
+
+ This is the packet generated by arping.
+ Ethernet frame from my 3com nic to the destination MAC, carrying a broadcast
+ ping.
+
+ 18:20:09.628432 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0800 60:
+ 192.168.0.1 > 192.168.0.2: icmp: echo reply
+ (ttl 255, id 7593, len 28)
+
+ The answer, including the source address of the target host. Note that this
+ is not how every OS responds to a broadcast ping (if at all). Some answer with
+ a source address equal to the broadcast address, and others dont' answer at
+ all.
+ This is why pinging a raw MAC doesn't always work, and you may need to play
+ with -T to get it to answer correctly (or at all). You can always brute-force
+ if you can't even find a broadcast that the box will answer correctly to.
+ -------
+ for d in $(seq 0 255); do
+ sudo arping -q -c 1 -T $a.$b.$c.$d 0:60:93:34:91:99
+ if [ $? == 0 ]; then
+ echo "Got answer with address: 192.168.0.$d"
+ fi
+ done
+ --------
+ Note that this script will take 1 second per IP since that is how long arping
+ waits, so scanning a C-class net will take 256 seconds. If you have a bigger
+ net, then write a program that will run several arpings at the same time to
+ go through more in less time.
+ arping-scan-net.sh is a more capable script for scanning, but you need to
+ edit it since the address range it searches is hard-coded.
+ If you like this feature, mail me and I may put it into the main arping.
+ But no need wasting my time if no-one wants it.
+ (I'll probably add it anyway some day, but not soon)
+
----------------------------------------------------------------------------
Send questions/suggestions/patches/rants/money/sparcs to thomas@habets.pp.se
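Review bot: the brute-force loop under "For pinging MAC addresses" never assigns $a, $b or $c, so `sudo arping -q -c 1 -T $a.$b.$c.$d 0:60:93:34:91:99` expands to `-T ...$d`, which is not a valid address, while the echo on the next lines reports `192.168.0.$d`; either set `a=192; b=168; c=0` before the loop or use the literal prefix in both places. Two smaller points in the same block: `if [ $? == 0 ]` relies on bash's non-POSIX `==` inside test, and the exit status is simpler to check directly, i.e. `if sudo arping -q -c 1 -T 192.168.0.$d 0:60:93:34:91:99; then`; and in the prose just above it "others dont' answer at all" should read "others don't answer at all", and "a C-class net" is clearer as "a /24".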