What arp -s is good for


Login or Register to Reply

 
Thread Tools Search this Thread
# 1  
Old 10-22-2012
What arp -s is good for

A customer appears to have drastically misunderstood our instructions for connecting to our WAN. He set his PC IP address to the same as one of the bridges. Smilie Smilie This caused much confusion on the network, to put it mildly. He called to complain about the poor performance of the network he ruined, then made himself unavailable for phone calls so it couldn't be fixed.

Even blocking his MAC address didn't help. The bridging problem happens in midair, nowhere the server can control. If I could at least get into the bridge, I could reconfigure it to a different IP and allow traffic again...

So, on the server, I tried this:

Code:
arp -d 192.168.6.101 ; arp -s 192.168.6.101 00:60:b3:07:0e:8e

This succeeded in forcing the server to talk to the bridge, not to him. I was then able to get into the bridge's web interface and change its IP from there. From there it was easy.
These 4 Users Gave Thanks to Corona688 For This Post:
bakunin (10-24-2012) fpmurphy (10-26-2012) jim mcnamara (10-24-2012) radoulov (10-24-2012)
# 2  
Old 10-23-2012
Best put him on his own firewall! Smilie

You can do neat things with arp. You can set a host to be arp server and have it direct packets to a host that actually knows how to get to the IP, sort of like a local routing table addition for the collision domain.
# 3  
Old 10-23-2012
Often you can ping the broadcast address and the duplicate IP addresses will show up in the reply.
These 2 Users Gave Thanks to Neo For This Post:
Corona688 (10-23-2012) jim mcnamara (10-24-2012)
# 4  
Old 10-24-2012
Modifying the arp cache was a clever trick. I wouldn't have thought of that.

(Now, of course, should this problem arise, i will gladly pull it out of my memory with a grin and a bored "well, that was obvious, wasn't it" to my colleagues ...) ;-)

bakunin
# 5  
Old 10-24-2012
For monitoring and notification of arp events, arpwatch can be useful.

Quote:
Originally Posted by bakunin
Modifying the arp cache was a clever trick. I wouldn't have thought of that.

(Now, of course, should this problem arise, i will gladly pull it out of my memory with a grin and a bored "well, that was obvious, wasn't it" to my colleagues ...) ;-)
If you're interested in reading more about this scenario, "arp poisoning" and "arp spoofing" would be the most relevant search terms.

Regards,
Alister
# 6  
Old 10-24-2012
Quote:
Originally Posted by Neo
Often you can ping the broadcast address and the duplicate IP addresses will show up in the reply.
There's absolutely nothing on my network that answers a ping broadcast -- perhaps because of the wireless bridge -- and increasingly many things these days never bother answering ping at all. Smilie Engineers seem to be forgetting why ICMP exists. I don't like it, but if the equipment isn't my own, I have to live with it.

Equipment can't block or ignore ARP and still function on a local network though, so I've got the arping tool installed standard everywhere. That's how I tracked down the dup. arping2 -d -i lan 192.168.6.101 Note that without the -d, it won't show dups.

Last edited by Corona688; 10-24-2012 at 12:38 PM..
# 7  
Old 10-24-2012
Well, a ping to broadcast (allowing a large number of responses) might at least generate some additional arp cache entries, which you can peruse.
Login or Register to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

More UNIX and Linux Forum Topics You Might Find Helpful
[RedHat] ARP issue Wanou85 Red Hat 0 04-12-2013 07:11 AM
necessary ARP request? daWonderer IP Networking 2 03-04-2012 06:11 AM
Protection against arp spoofing chrisperry IP Networking 2 01-02-2012 08:05 PM
arp questions cokedude UNIX for Advanced & Expert Users 4 09-06-2011 08:56 PM
Monitoring the arp table xyzt UNIX for Advanced & Expert Users 1 02-09-2010 05:47 AM
Stuck ARP entries Corona688 IP Networking 1 11-17-2009 02:11 PM
Arp Problem surfer24 Red Hat 2 09-02-2009 01:02 AM
arp output (flags) BOFH IP Networking 1 11-16-2008 06:03 PM
Modifying ARP frames lagigliaivan IP Networking 2 11-06-2008 12:24 PM
HW Address and arp xramm HP-UX 4 07-26-2008 12:45 PM
ARP Req Pkt ashokmeti IP Networking 1 01-30-2008 09:00 AM
ARP Cache earlysame55 Solaris 7 06-30-2007 11:35 PM
Proxy ARP Difficulties TheMaskedMan IP Networking 7 11-02-2005 10:14 AM
multiple arp replies Rakesh Ranjan IP Networking 2 08-30-2005 01:28 PM
ARP address resoluton ManishSaxena Cybersecurity 1 05-06-2002 08:56 AM