Unix/Linux Go Back    


War Stories Tell your work related tech stories and share experiences here. Share your successes and failures and other "war stories" in this forum.

What arp -s is good for

War Stories


Closed    
 
Thread Tools Search this Thread Display Modes
    #1  
Old Unix and Linux 10-22-2012   -   Original Discussion by Corona688
Corona688's Unix or Linux Image
Corona688 Corona688 is offline Forum Staff  
Mead Rotor
 
Join Date: Aug 2005
Last Activity: 25 May 2018, 3:04 PM EDT
Location: Saskatchewan
Posts: 22,680
Thanks: 1,179
Thanked 4,324 Times in 3,987 Posts
What arp -s is good for

A customer appears to have drastically misunderstood our instructions for connecting to our WAN. He set his PC IP address to the same as one of the bridges. Linux Linux This caused much confusion on the network, to put it mildly. He called to complain about the poor performance of the network he ruined, then made himself unavailable for phone calls so it couldn't be fixed.

Even blocking his MAC address didn't help. The bridging problem happens in midair, nowhere the server can control. If I could at least get into the bridge, I could reconfigure it to a different IP and allow traffic again...

So, on the server, I tried this:



Code:
arp -d 192.168.6.101 ; arp -s 192.168.6.101 00:60:b3:07:0e:8e

This succeeded in forcing the server to talk to the bridge, not to him. I was then able to get into the bridge's web interface and change its IP from there. From there it was easy.
The Following 4 Users Say Thank You to Corona688 For This Useful Post:
bakunin (10-24-2012), fpmurphy (10-26-2012), jim mcnamara (10-24-2012), radoulov (10-24-2012)
Sponsored Links
    #2  
Old Unix and Linux 10-23-2012   -   Original Discussion by Corona688
DGPickett's Unix or Linux Image
DGPickett DGPickett is offline Forum Advisor  
Registered User
 
Join Date: Oct 2010
Last Activity: 1 February 2016, 3:35 PM EST
Location: Southern NJ, USA (Nord)
Posts: 4,673
Thanks: 8
Thanked 588 Times in 561 Posts
Best put him on his own firewall! Linux

You can do neat things with arp. You can set a host to be arp server and have it direct packets to a host that actually knows how to get to the IP, sort of like a local routing table addition for the collision domain.
Sponsored Links
    #3  
Old Unix and Linux 10-23-2012   -   Original Discussion by Corona688
Neo's Unix or Linux Image
Neo Neo is offline Forum Staff  
Administrator
 
Join Date: Sep 2000
Last Activity: 26 May 2018, 7:01 PM EDT
Location: Asia pacific region
Posts: 14,382
Thanks: 994
Thanked 1,370 Times in 653 Posts
Often you can ping the broadcast address and the duplicate IP addresses will show up in the reply.
The Following 2 Users Say Thank You to Neo For This Useful Post:
Corona688 (10-23-2012), jim mcnamara (10-24-2012)
    #4  
Old Unix and Linux 10-24-2012   -   Original Discussion by Corona688
bakunin's Unix or Linux Image
bakunin bakunin is offline Forum Staff  
Bughunter Extraordinaire
 
Join Date: May 2005
Last Activity: 26 May 2018, 1:43 PM EDT
Location: In the leftmost byte of /dev/kmem
Posts: 5,767
Thanks: 112
Thanked 1,687 Times in 1,239 Posts
Modifying the arp cache was a clever trick. I wouldn't have thought of that.

(Now, of course, should this problem arise, i will gladly pull it out of my memory with a grin and a bored "well, that was obvious, wasn't it" to my colleagues ...) ;-)

bakunin
Sponsored Links
    #5  
Old Unix and Linux 10-24-2012   -   Original Discussion by Corona688
alister's Unix or Linux Image
alister alister is offline
Registered User
 
Join Date: Dec 2009
Last Activity: 11 June 2014, 8:40 PM EDT
Posts: 3,231
Thanks: 179
Thanked 978 Times in 791 Posts
For monitoring and notification of arp events, arpwatch can be useful.

Quote:
Originally Posted by bakunin View Post
Modifying the arp cache was a clever trick. I wouldn't have thought of that.

(Now, of course, should this problem arise, i will gladly pull it out of my memory with a grin and a bored "well, that was obvious, wasn't it" to my colleagues ...) ;-)
If you're interested in reading more about this scenario, "arp poisoning" and "arp spoofing" would be the most relevant search terms.

Regards,
Alister
Sponsored Links
    #6  
Old Unix and Linux 10-24-2012   -   Original Discussion by Corona688
Corona688's Unix or Linux Image
Corona688 Corona688 is offline Forum Staff  
Mead Rotor
 
Join Date: Aug 2005
Last Activity: 25 May 2018, 3:04 PM EDT
Location: Saskatchewan
Posts: 22,680
Thanks: 1,179
Thanked 4,324 Times in 3,987 Posts
Quote:
Originally Posted by Neo View Post
Often you can ping the broadcast address and the duplicate IP addresses will show up in the reply.
There's absolutely nothing on my network that answers a ping broadcast -- perhaps because of the wireless bridge -- and increasingly many things these days never bother answering ping at all. Linux Engineers seem to be forgetting why ICMP exists. I don't like it, but if the equipment isn't my own, I have to live with it.

Equipment can't block or ignore ARP and still function on a local network though, so I've got the arping tool installed standard everywhere. That's how I tracked down the dup. arping2 -d -i lan 192.168.6.101 Note that without the -d, it won't show dups.

Last edited by Corona688; 10-24-2012 at 11:38 AM..
Sponsored Links
    #7  
Old Unix and Linux 10-24-2012   -   Original Discussion by Corona688
DGPickett's Unix or Linux Image
DGPickett DGPickett is offline Forum Advisor  
Registered User
 
Join Date: Oct 2010
Last Activity: 1 February 2016, 3:35 PM EST
Location: Southern NJ, USA (Nord)
Posts: 4,673
Thanks: 8
Thanked 588 Times in 561 Posts
Well, a ping to broadcast (allowing a large number of responses) might at least generate some additional arp cache entries, which you can peruse.
Sponsored Links
Closed

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Linux More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
If there is anyone who is very good at AIX 5.1.. dilshik AIX 7 12-26-2003 11:40 PM



All times are GMT -4. The time now is 09:18 PM.