ARP: Why the Service is not Available?

Some spooky things happened: I was told that the service I was in charge of was not working properly and no one could log in to that service.

The problem was quickly sorted out:

I checked the ARP Table on all the servers, and interestingly found that they were different. For the same IP, the MAC addresses are different on different servers.

1. How Does ARP Work?

2. How to Use the ARP Command

2.1 Prepare

Install the dependencies if they are not there:

Install Dependencies

`sudo apt-get install net-tools arping`

2.2 List ARP Table

```
sudo arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.2               ether   02:42:ac:11:00:02   C                     docker0
172.17.0.3               ether   02:42:ac:11:00:03   C                     docker0
172.17.151.193           ether   00:15:5d:94:fc:5b   C                     eth0
```

2.3 Send an ARP Request

Let's do an ARP ping, which requests the MAC address that owns the IP 172.17.151.193, and send two requests.

ARPing

This will send two arpings.

```
sudo arping 172.17.151.193 -c 2

ARPING 172.17.151.193
42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=0 time=297.300 usec
42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=1 time=532.100 usec

--- 172.17.151.193 statistics ---
2 packets transmitted, 2 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.297/0.415/0.532/0.117 ms
```

As you can see here, both responses return the same MAC address.

However, in the trouble I described at the start of this post, some of my servers received two responses to one request (one of them was incorrect, and was sent by a device that should not have responded), and the later one would overwrite the former one.
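A check for the two symptoms described above, as an added example that is not part of the original post: it compares `arp -n` tables collected from several servers and flags an IP that more than one MAC answers for in arping output. The server names web-1 and web-2, the second docker0 MAC and the duplicate arping reply are constructed sample data, and the `eth0` default is an assumption.

```python
import re
from collections import defaultdict

IP = r"\d+(?:\.\d+){3}"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# One `arp -n` row: Address, HWtype "ether", HWaddress, Flags, [Mask], Iface.
ARP_ROW = re.compile(rf"^({IP})[ \t]+ether[ \t]+({MAC})[ \t]+.*?(\S+)[ \t]*$", re.I | re.M)
# One arping reply line, in the format shown in section 2.3.
ARPING_REPLY = re.compile(rf"bytes from ({MAC}) \(({IP})\): index=\d+", re.I)

def conflicting_entries(tables, iface="eth0"):
    """tables maps server name -> `arp -n` text. Returns {ip: {mac: [servers]}}
    for every IP on `iface` that servers resolve to more than one MAC.
    Host-local bridges such as docker0 are skipped: they are not one shared segment."""
    seen = defaultdict(lambda: defaultdict(list))
    for server, text in tables.items():
        for ip, mac, row_iface in ARP_ROW.findall(text):
            if row_iface == iface:
                seen[ip][mac.lower()].append(server)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}

def multiple_responders(arping_output):
    """Returns {ip: sorted MACs} for IPs answered by more than one MAC."""
    macs = defaultdict(set)
    for mac, ip in ARPING_REPLY.findall(arping_output):
        macs[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}

# Constructed sample data: web-1 and web-2 are hypothetical server names.
TABLES = {
    "web-1": """Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.2               ether   02:42:ac:11:00:02   C                     docker0
172.17.151.193           ether   00:15:5d:94:fc:5b   C                     eth0
""",
    "web-2": """Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.2               ether   02:42:ac:11:00:99   C                     docker0
172.17.151.193           ether   00:15:5d:94:fc:5a   C                     eth0
""",
}
ARPING = """42 bytes from 00:15:5d:94:fc:5b (172.17.151.193): index=0 time=297.300 usec
42 bytes from 00:15:5d:94:fc:5a (172.17.151.193): index=0 time=412.000 usec
"""

if __name__ == "__main__":
    print(conflicting_entries(TABLES))
    print(multiple_responders(ARPING))
```

An IP reported by either function is worth tracing to the switch port of the unexpected MAC before any server's ARP cache is trusted again.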

2.4 Set the ARP Table Manually

Let's change the MAC address recorded for the IP 172.17.151.193 from 00:15:5d:94:fc:5b to 00:15:5d:94:fc:5a. Do you think we can still ping that IP afterwards?

First we test whether we can ping the IP normally:

Normal Condition

```
ping 172.17.151.193 -c 2
PING 172.17.151.193 (172.17.151.193) 56(84) bytes of data.
64 bytes from 172.17.151.193: icmp_seq=1 ttl=128 time=1.78 ms
64 bytes from 172.17.151.193: icmp_seq=2 ttl=128 time=0.607 ms

--- 172.17.151.193 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.607/1.192/1.777/0.585 ms
```

As you can see, it is working perfectly.

Then we manually change the MAC address recorded for the IP to 00:15:5d:94:fc:5a:

Manually Change The Mac Address

```
sudo arp -s 172.17.151.193 00:15:5d:94:fc:5a
```

Abnormal Condition

```
ping 172.17.151.193 -c 2
PING 172.17.151.193 (172.17.151.193) 56(84) bytes of data.

--- 172.17.151.193 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1051ms
```

Now, the IP is unavailable.

2.5 ARP Scan

Let's do an ARP scan within a range of IPs:

First install nmap if you haven't.

nmap

```
sudo apt-get install nmap
```

Scan

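```
# ARP ping (-PR) needs raw-socket access, so run as root;
# quote the pattern so the shell does not expand the *
sudo nmap -sn -PR '172.17.151.*'
```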