ARP: Why Is the Service Not Available?
Some spooky things happened: I was told the service I was in charge of was not working properly and no one could log in to that service.
The problem was quickly sorted out:
I checked the ARP Table on all the servers, and interestingly found that they were different. For the same IP, the MAC addresses were different on different servers.
1. How does ARP work?
2. How to use the ARP command?
Install the dependencies if they are not there:
`sudo apt-get install net-tools arping`
2.2 List ARP Table
List ARP Table
sudo arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.2               ether   02:42:ac:11:00:02   C                     docker0
172.17.0.3               ether   02:42:ac:11:00:03   C                     docker0
172.17.151.193           ether   00:15:5d:94:fc:5b   C                     eth0
2.3 Send an ARP Request
Let's do an ARP ping, which will request the MAC Address of IP: 172.17.151.193, and let's send two requests.
This will send two arpings.
sudo arping 172.17.151.193 -c 2
ARPING 172.17.151.193
42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=0 time=297.300 usec
42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=1 time=532.100 usec
--- 172.17.151.193 statistics ---
2 packets transmitted, 2 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.297/0.415/0.532/0.117 ms
As you can see here, two responses return with the same
However, in the trouble I described at the start of this post, some of my servers received two responses with one request (one of them was incorrect, and was sent by a device that should not respond), and the later one would overwrite the former one.
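Both symptoms described in this post (the same IP mapped to different MAC addresses on different servers, and two devices answering one ARP request) can be checked mechanically. The following is an added example, not code from the original post; the host names `server-a` and `server-b` and the sample outputs are constructed, modelled on the `arp -n` and `arping` output shown above.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Constructed sample data (not from the original post): `arp -n` output
# from two hypothetical servers, and one arping run with two responders.
ARP_TABLES = {
    "server-a": """\
Address          HWtype  HWaddress           Flags Mask  Iface
172.17.151.193   ether   00:15:5d:94:fc:5b   C           eth0
172.17.151.200   ether   00:15:5d:94:fc:60   C           eth0
""",
    "server-b": """\
Address          HWtype  HWaddress           Flags Mask  Iface
172.17.151.193   ether   00:15:5d:94:fc:5a   C           eth0
172.17.151.200   ether   00:15:5d:94:fc:60   C           eth0
""",
}
ARPING_OUTPUT = """\
ARPING 172.17.151.193
42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=0 time=297.300 usec
42 bytes from 00:15:5d:94:fc:5a (172.17.151.193): index=1 time=310.000 usec
"""


def table_conflicts(tables):
    """Return {ip: {mac: [hosts]}} for IPs that resolve to different MACs."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, text in tables.items():
        for line in text.splitlines():
            m = re.match(rf"(\d+(?:\.\d+){{3}})\s+ether\s+({MAC})\s", line, re.I)
            if m:  # header and "(incomplete)" entries do not match
                seen[m.group(1)][m.group(2).lower()].append(host)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}


def arping_responders(output):
    """Return the sorted distinct MACs that answered in one arping run."""
    pat = rf"bytes from ({MAC}) \("
    return sorted({m.lower() for m in re.findall(pat, output, re.I)})


if __name__ == "__main__":
    for ip, macs in table_conflicts(ARP_TABLES).items():
        print(f"CONFLICT {ip}: {macs}")
    macs = arping_responders(ARPING_OUTPUT)
    if len(macs) > 1:
        print(f"More than one device answers ARP for the target: {macs}")
```

On real hosts, pass in the text of `arp -n` collected from each server and the output of the `arping` command used above.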
2.4 Set the ARP Table Manually
Let's set the MAC Address of the IP (172.17.151.193) to 00:15:5d:94:fc:5a. Do you think we can still ping that IP any more?
First we test if we can ping the IP normally:
ping 172.17.151.193 -c 2
PING 172.17.151.193 (172.17.151.193) 56(84) bytes of data.
64 bytes from 172.17.151.193: icmp_seq=1 ttl=128 time=1.78 ms
64 bytes from 172.17.151.193: icmp_seq=2 ttl=128 time=0.607 ms
--- 172.17.151.193 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.607/1.192/1.777/0.585 ms
As you can see, it is working perfectly.
Then we manually change the MAC Address of the IP to 00:15:5d:94:fc:5a.
Manually Change The Mac Address
sudo arp -s 172.17.151.193 00:15:5d:94:fc:5a
ping 172.17.151.193 -c 2
Now, the IP is unavailable.
PING 172.17.151.193 (172.17.151.193) 56(84) bytes of data.
--- 172.17.151.193 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1051ms
2.5 ARP Scan
Let's do an ARP scan within a range of IPs:
Install nmap if you haven't.
sudo apt-get install nmap
sudo nmap -sn -PR 172.17.151.*