summaryrefslogtreecommitdiff
path: root/README
blob: 7a9432fd95d635c0cecb4abf73437e45b873b6c4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
$Id: README 529 2002-01-20 19:19:45Z marvin $

 ARP Ping

    By Thomas Habets <thomas@habets.pp.se>


Introduction
------------
Arping is a util to find out it a specific IP address on the LAN is 'taken'
and what MAC address owns it. Sure, you *could* just use 'ping' to find out if
it's taken and even if the computer blocks ping (and everything else) you still
get an entry in your arp cache. But what if you aren't on a routable net? Or
the host blocks ping (all ICMP even)? Then you're screwed. Or you use arping.

Why it's not stupid
-------------------
Say you have a block of N real ARIN-assigned IP-addresses. You want to debug
the net and you don't know which IP addresses are taken. You can't ping anyone
before you take the IP, and you can't pick an IP before you know which are
already taken. Catch 22. But with arping you can 'ping' the IP and if you get
no responce, the IP is availible.

Example uses
------------
If some box is dumping non-IP (like IPX) garbage and you don't know which box
it is, you can ping by MAC to get the IP and fix the problem.

If you are on someone else's net and want to 'borrow' a real IP address instead
of using one of those 10.x.x.x-addresses the dhcp hands out you probably want
to know which ones are taken, or people will get mad (a friend of mine got a
call on his cellphone about 15 secs after he accidentally 'stole' an IP, oops).

Compiling
---------
Type 'make linux' to compile under linux and 'make openbsd' to compile under
openbsd. Follow this pattern for compilation under solaris and freebsd.
If you have some other OS, try all before mailing me.

'make install' will copy arping to /usr/local/bin, and put the manpage where
it belongs.
 
How it does it
--------------
Bah, just read the source. Or the help text.

FAQ
---
Q: After compiling arping without any problem, i test it first with
   localhost... but it doesn't respond. Isn't that strange?

A: Not really, as you can see by typing 'ifconfig' the lo (local) interface
   does not have a MAC address. It's not a physical device! MAC addresses are
   there to differentiate computers on a shared medium (the aether, or ether)
   and since packets to localhost does not go over any wire there is no need
   to identify which box is talking to which. There is only one.
---
Q: Arping finds some hosts, but not others. why?   btw, I have several NICs.

A: You have to choose interface with the -i switch if the default is wrong for
   you.
---
Q: I tried to ping my own MAC addr, but it doesn't work.

A: A sane OS will think it's suspicios if you send packets to yourself over
   the wire and will ignore them.

   And why would you want to lookup the IP or MAC of yourself? ifconfig
   can tell you that.
---
Q: I can't ping any/some MAC address on my LAN.

A: Arping when pinging a MAC relies on the host to answer a broadcast ping
   (icmp echo request) properly (IIRC: not the windows way). If you want a
   host to pop up on MAC ping, you have to config it to respond to broadcast
   pings.
   (for linux, make sure /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts is 0)
A: -T <ip/host> allows you to restrict the arping to a limited subnet, which
   may or may not work for you. For example if the box 00:01:02:03:04:05 is on
   192.168.0.0/24 then the broadcast probably is 192.168.0.255, so try:
   # arping -T 192.168.0.255 00:01:02:03:04:05
---
Q: It doesn't compile, I get some error message about libnet and/or libpcap

A: Arping depends on libnet and libpcap, get libnet at:
   http://www.packetfactory.net/libnet and libpcap from your distribution.
   (alt. you can search for libpcap on freshmeat.net)
---
Q: I get this when I compile: "/bin/sh: libnet-config: command not found"

A: You didn't really read the last question, did you? Go back up 6 lines.
---
Q: I get bus error on my bigendian box

A: Damn, I thought I fixed those. Tell me how you got it and I'll try to fix
   it.
---
Q: I get "libnet_get_ipaddr(): no error" when I run arping with ip (src or dst)
   255.255.255.255.

A: Use the -b/-B switches. Libnet sucks (haha only serious) and returns -1 for
   error == int32 encoded 255.255.255.255.
---
Q: I used to be able to use -S 255.255.255.255, now it fails. What's going on?
Q: Why can't I arping 255.255.255.255?

A: Argh! Why would you want to? Anyway, this one is due to libnets resolving,
   and my unwillingness to reimplement it (in a portable manner, ugh).

   -S 255.255.255.255 can be replaced with -b, and pinging broadcast (why you
   would eludes me) -B.

   To be extra perverted, try:
   # ./arping -b -B
   (yes, I added -b and -B just so that version 1.0 should be complete)
---
Q: 1.01 is out, didn't you just say 1.0 was supposed to be the last one?

A: Shut up.
---
Q: The roundtrip times are off, sometimes by milliseconds!

A: I know.
   Short answer:
     'ping' does the same thing. (ping from iputils-ss010824 anyway)

   Long answer:
     I can't (portably anyway) do anything other than queue a packet
     to the network. That means I don't know exactly when it arrived. Also,
     I can't tell when a packet arrives on the wire, only when arping gets
     it from the kernel. Just make sure neither the network (whole segment
     if you are hubbed, just your NIC if you are switched) nor your box is
     loaded when you care about timing.
---
Q: Is it OK to make arping suid root?

A: Be my guest, but if care about security *at all* you will have to restrict
   execution of arping to trusted users. I could remove "dangerous" features
   from the code when it's running suid, but I honestly don't want to. This is
   a network debugging tool, which generates low-level network packets that
   ordinary users have absolutely no business generating.

   For example, I don't protect against an ALRM signal flood, which will result
   in a packet flood.

   If you are honestly debugging the network then I don't see why you aren't
   root already.

   If you think I'm wrong, tell me why.
---
Q: Arping used to work (0.97 and down) for pinging MACs, but not with 0.98 and
   up. What did you screw up?

A: Ah, I see. A broadcast was changed to unicast, I don't know why I set it to
   be broadcast in the first place, and even wrote a comment justifying it.
   It still worked for me when I tested it now (with unicast) but if it
   doesn't for you, search the source for KEYWORD and you'll find
   instructions on how to change it back.
   ... Or you can run arping -s ff:ff:ff:ff:ff:ff <host>.
   If this fixes it please LET ME KNOW.
---
Q: Hey! Wasn't this Marvins program? (marvin@rootbusters.net, that is)
   You thief!

A: We are the same person.
---
Q: Say hi to Psychad for me.

A: Will do.
---

Misc
----
There, I added the stupid roundtrip time feature. Now I dare you to think of
any other applicable features. (IPv4 only, for now)

License
-------
It's GPL, see the LICENSE file.

----------------------------------------------------------------------------
Send questions/suggestions/patches/rants/money/sparcs to thomas@habets.pp.se