ARP: Why Is the Service Not Available?
Something spooky happened: I was told that the service I was in charge of was not working properly and that no one could log in to it.
The problem was quickly sorted out: I checked the ARP table on all the servers and, interestingly, found that they were different. For the same IP, the MAC addresses were different on different servers.
1. How does ARP work?
2. How to use the arp command
2.1 Prepare
Install the dependencies if they are not there:
Install Dependencies
`sudo apt-get install net-tools arping`
2.2 List ARP Table
List ARP Table
```
sudo arp -n
```
```
Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.2               ether   02:42:ac:11:00:02   C                     docker0
172.17.0.3               ether   02:42:ac:11:00:03   C                     docker0
172.17.151.193           ether   00:15:5d:94:fc:5b   C                     eth0
```
2.3 Send an ARP Request
Let's do an ARP ping, which will request the MAC address of IP 172.17.151.193, and let's send two requests.
ARPing
This will send two arpings.
```
sudo arping 172.17.151.193 -c 2
```
```
ARPING 172.17.151.193
42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=0 time=297.300 usec
42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=1 time=532.100 usec
--- 172.17.151.193 statistics ---
2 packets transmitted, 2 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.297/0.415/0.532/0.117 ms
```
As you can see here, both responses return the same MAC address.
However, in the trouble I described at the start of this post, some of my servers received two responses to one request (one of them was incorrect, and was sent by a device that should not respond), and the later one would overwrite the former one.
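Added example, not part of the original post: a shell function that detects the symptom described above, one IP resolving to more than one MAC. It reads `arp -n` rows (for instance concatenated from several servers) and `arping` reply lines on stdin and checks every IP in the input, not just one; the function names and the sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report every IPv4 address that maps to more than one MAC.
# Input on stdin: `arp -n` rows and/or `arping` reply lines, in any mix.

arp_conflicts() {
    local out
    out=$(awk '
        { ip = ""; mac = "" }
        # arp -n row:   172.17.151.193  ether  00:15:5d:94:fc:5b  C  eth0
        $2 == "ether" && NF >= 3 { ip = $1; mac = tolower($3) }
        # arping reply: 42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=0 ...
        # The fifth field must look like "(IP):" so plain ping output is ignored.
        $2 == "bytes" && $3 == "from" && $5 ~ /^\(.*\):$/ {
            mac = tolower($4); ip = $5
            gsub(/[():]/, "", ip)
        }
        # Record each (ip, mac) pair once, keeping MACs in first-seen order.
        ip != "" && !((ip, mac) in seen) {
            seen[ip, mac] = 1
            if (ip in macs) macs[ip] = macs[ip] " " mac; else macs[ip] = mac
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > 1) print ip ": " macs[ip] }
    ' | sort)
    [ -z "$out" ] && return 0     # every IP has exactly one MAC
    printf '%s\n' "$out"
    return 1                      # at least one IP has several MACs
}

# Constructed sample: arp -n rows as gathered from two servers, plus one arping reply.
sample_input() {
    cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.2               ether   02:42:ac:11:00:02   C                     docker0
172.17.151.193           ether   00:15:5d:94:fc:5b   C                     eth0
172.17.151.193           ether   00:15:5D:94:FC:5A   C                     eth0
42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=0 time=297.300 usec
EOF
}

sample_input | arp_conflicts || echo "conflicting ARP entries found" >&2
```

On a live host the same function can be fed real data, for example `{ sudo arp -n; sudo arping -c 2 172.17.151.193; } | arp_conflicts`.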
2.4 Set the ARP Table Manually
Let's set the MAC address of the IP (172.17.151.193) from 00:15:5d:94:fc:5b to 00:15:5d:94:fc:5a. Do you think we can still ping that IP?
First we test if we can ping the IP normally:
Normal Condition
```
ping 172.17.151.193 -c 2
```
```
PING 172.17.151.193 (172.17.151.193) 56(84) bytes of data.
64 bytes from 172.17.151.193: icmp_seq=1 ttl=128 time=1.78 ms
64 bytes from 172.17.151.193: icmp_seq=2 ttl=128 time=0.607 ms
--- 172.17.151.193 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.607/1.192/1.777/0.585 ms
```
As you can see, it is working perfectly.
Then we manually change the MAC address of the IP to 00:15:5d:94:fc:5a:
Manually Change The MAC Address
```
sudo arp -s 172.17.151.193 00:15:5d:94:fc:5a
```
Abnormal Condition
```
ping 172.17.151.193 -c 2
```
Now, the IP is unavailable.
```
PING 172.17.151.193 (172.17.151.193) 56(84) bytes of data.
--- 172.17.151.193 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1051ms
```
2.5 ARP Scan
Let's do an ARP scan within a range of IPs:
First install nmap if you haven't.
nmap
```
sudo apt-get install nmap
```
Scan
```
nmap -sn -PR 172.17.151.*
```