What arp -s is good for


 
Thread Tools Search this Thread
The Lounge War Stories What arp -s is good for
# 1  
Old 10-22-2012
What arp -s is good for

A customer appears to have drastically misunderstood our instructions for connecting to our WAN. He set his PC IP address to the same as one of the bridges. Smilie Smilie This caused much confusion on the network, to put it mildly. He called to complain about the poor performance of the network he ruined, then made himself unavailable for phone calls so it couldn't be fixed.

Even blocking his MAC address didn't help. The bridging problem happens in midair, nowhere the server can control. If I could at least get into the bridge, I could reconfigure it to a different IP and allow traffic again...

So, on the server, I tried this:

Code:
arp -d 192.168.6.101 ; arp -s 192.168.6.101 00:60:b3:07:0e:8e

This succeeded in forcing the server to talk to the bridge, not to him. I was then able to get into the bridge's web interface and change its IP from there. From there it was easy.
These 5 Users Gave Thanks to Corona688 For This Post:
# 2  
Old 10-23-2012
Best put him on his own firewall! Smilie

You can do neat things with arp. You can set a host to be arp server and have it direct packets to a host that actually knows how to get to the IP, sort of like a local routing table addition for the collision domain.
# 3  
Old 10-23-2012
Often you can ping the broadcast address and the duplicate IP addresses will show up in the reply.
These 2 Users Gave Thanks to Neo For This Post:
# 4  
Old 10-24-2012
Modifying the arp cache was a clever trick. I wouldn't have thought of that.

(Now, of course, should this problem arise, i will gladly pull it out of my memory with a grin and a bored "well, that was obvious, wasn't it" to my colleagues ...) ;-)

bakunin
This User Gave Thanks to bakunin For This Post:
# 5  
Old 10-24-2012
For monitoring and notification of arp events, arpwatch can be useful.

Quote:
Originally Posted by bakunin
Modifying the arp cache was a clever trick. I wouldn't have thought of that.

(Now, of course, should this problem arise, i will gladly pull it out of my memory with a grin and a bored "well, that was obvious, wasn't it" to my colleagues ...) ;-)
If you're interested in reading more about this scenario, "arp poisoning" and "arp spoofing" would be the most relevant search terms.

Regards,
Alister
# 6  
Old 10-24-2012
Quote:
Originally Posted by Neo
Often you can ping the broadcast address and the duplicate IP addresses will show up in the reply.
There's absolutely nothing on my network that answers a ping broadcast -- perhaps because of the wireless bridge -- and increasingly many things these days never bother answering ping at all. Smilie Engineers seem to be forgetting why ICMP exists. I don't like it, but if the equipment isn't my own, I have to live with it.

Equipment can't block or ignore ARP and still function on a local network though, so I've got the arping tool installed standard everywhere. That's how I tracked down the dup. arping2 -d -i lan 192.168.6.101 Note that without the -d, it won't show dups.

Last edited by Corona688; 10-24-2012 at 12:38 PM..
# 7  
Old 10-24-2012
Well, a ping to broadcast (allowing a large number of responses) might at least generate some additional arp cache entries, which you can peruse.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. IP Networking

necessary ARP request?

Hello, I have 2 clients with Unix installed. host1: eth0 (192.168.5.10) & eth1 (192.168.10.10) host2: eth0 (192.168.10.20) I've connected host1-eth1 to host2-eth0. host1-eth0 isn't connected. I started 'tcpdump' on wonder that host2 got ARP requests for 192.168.5.10. Any idea why host1... (2 Replies)
Discussion started by: daWonderer
2 Replies

2. IP Networking

Protection against arp spoofing

Hi, I'm trying to find a way to protect my network against arp spoofing. What it is: An attacker sends fake arp packets in the network, identifying himself as the router. All network traffic is then redirected to this attacker. How to protect myself: In my opinion, the best possible... (2 Replies)
Discussion started by: chrisperry
2 Replies

3. UNIX for Advanced & Expert Users

arp questions

Can someone please explain this output to me. Why doesn't ifconfig show the same info? ~ $ arp -a ? (10.71.0.1) at 00:1b:21:2b:eb:0c on eth0 (4 Replies)
Discussion started by: cokedude
4 Replies

4. IP Networking

Stuck ARP entries

About a week ago a customer hooked up a wireless router backwards to our network, causing it to serve incorrect DHCP addresses to some of them. Our networks are mostly statically assigned so this didn't cause as much damage as it might have, but now, over a week later, I still have incomplete... (1 Reply)
Discussion started by: Corona688
1 Replies

5. Red Hat

Arp Problem

Dear All i have a linux proxy server which has RHEL-5 64 bit, it has two interfaces, it has the following details eth0=10.200.14.42 eth3=10.201.14.42 default gateway=10.201.14.254 one static route=192.168.0.0/24 gw 10.200.14.254 i am facing a problem when i ping 10.201.14.42 from... (2 Replies)
Discussion started by: surfer24
2 Replies

6. IP Networking

arp output (flags)

I'm running an arp -an on a Solaris 10 box. We're using IPMP. One of the systems is not able to see a host on the same network. The only difference between the two systems (one is having a problem, the other isn't) at least so far is the output of arp: # arp -an | grep 224.55 e1000g5... (1 Reply)
Discussion started by: BOFH
1 Replies

7. HP-UX

HW Address and arp

I was checking nettl output for a unstable telnet to my server. this is part of output: ### ***********************************STREAMS/UX*******************************@#% Timestamp : Sun Jun 22 EETDST 2008 22:14:47.492899 Process ID : Subsystem ... (4 Replies)
Discussion started by: xramm
4 Replies

8. IP Networking

ARP Req Pkt

Does ARP Request packet Contains MAC Address of dest during broadcast? I found It So... When i captured ARP Req Pkts on ethereal... Rgds -Meti (1 Reply)
Discussion started by: ashokmeti
1 Replies

9. Solaris

ARP Cache

Dear all, We are testing two of our servers for mq series connectivity. The scenario is, when one machine is shutting down it's services there are some scripts that do a dns update, which removes the ip address and relates it to the ip address of the other node on our dns server, and the update... (7 Replies)
Discussion started by: earlysame55
7 Replies

10. Cybersecurity

ARP address resoluton

How does ARP take care of uniqueness of physical addresses? How does an ISP allocate a MAC address when I do not have an NIC( Network interface Card)? (1 Reply)
Discussion started by: ManishSaxena
1 Replies
Login or Register to Ask a Question