author | Thomas Habets <thomas@habets.pp.se> | 2002-02-12 18:17:47 +0000 |
---|---|---|
committer | Thomas Habets <thomas@habets.pp.se> | 2002-02-12 18:17:47 +0000 |
commit | f8a6dea1299abf311d9b81434329aec262c53772 (patch) | |
tree | 86538fc37dfac1f49f31eb9e37c481d21bd7bf37 | |
parent | 7e52cfc61f4980826aa2ba58888a7f0c5cfdb00b (diff) | |
download | arping-f8a6dea1299abf311d9b81434329aec262c53772.tar.gz |
doc updates and arping-scan-net.sh
mode | file | lines changed |
---|---|---|
-rw-r--r-- | README | 71 |
-rwxr-xr-x | arping-scan-net.sh | 49 |
-rw-r--r-- | arping.8 | 4 |
-rw-r--r-- | arping.c | 4 |
4 files changed, 122 insertions, 6 deletions
@@ -1,4 +1,4 @@ -$Id: README 533 2002-01-20 23:14:08Z marvin $ +$Id: README 546 2002-02-12 18:17:47Z marvin $ ARP Ping @@ -42,7 +42,7 @@ it belongs. How it does it -------------- -Bah, just read the source. Or the help text. +See 'Technical' at the bottom of this file. FAQ --- 
@@ -184,5 +184,72 @@ License ------- It's GPL, see the LICENSE file. +Technical +--------- +Yes, I've finally bothered to write how it works. +tcpdumps were taken with "tcpdump -vven 'arp or icmp'". + +The source box is 192.168.0.2/0:10:5a:3e:c5:b4 and the target box is +192.168.0.1/0:60:93:34:91:99. + +For pinging IP addresses: + When a host wants to send an IP packet to another host, it sends out an ARP + packet asking what MAC the destination IP addr has, a so-called 'who-has' + packet. This is then answered by another ARP packet, the 'is-at' packet. + + 18:16:07.179699 0:10:5a:3e:c5:b4 ff:ff:ff:ff:ff:ff 0806 42: + arp who-has 192.168.0.1 tell 192.168.0.2 + + This is the packet generated by arping. + An ethernet frame from my 3com card to the broadcast address carrying an arp + packet asking what MAC 192.168.0.1 has (who-has). + + 18:16:07.180221 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0806 60: + arp reply 192.168.0.1 is-at 0:60:93:34:91:99 + + The answer, that 192.168.0.1 has MAC 0:60:93:34:91:99 (is-at). + +For pinging MAC addresses: + A broadcast ping (255.255.255.255, or any address supplied with -T, see below) + is sent out on the ethernet, but in an ethernet frame addressed to the target + MAC only. + + 18:20:09.627321 0:10:5a:3e:c5:b4 0:60:93:34:91:99 0800 42: + 192.168.0.2 > 255.255.255.255: icmp: echo request + (ttl 48, id 17767, len 28) + + This is the packet generated by arping. + Ethernet frame from my 3com nic to the destination MAC, carrying a broadcast + ping. + + 18:20:09.628432 0:60:93:34:91:99 0:10:5a:3e:c5:b4 0800 60: + 192.168.0.1 > 192.168.0.2: icmp: echo reply + (ttl 255, id 7593, len 28) + + The answer, including the source address of the target host. Note that this + is not how every OS responds to a broadcast ping (if at all). Some answer with + a source address equal to the broadcast address, and others dont' answer at + all. 
+ This is why pinging a raw MAC doesn't always work, and you may need to play + with -T to get it to answer correctly (or at all). You can always brute-force + if you can't even find a broadcast that the box will answer correctly to. + ------- + for d in $(seq 0 255); do + sudo arping -q -c 1 -T $a.$b.$c.$d 0:60:93:34:91:99 + if [ $? == 0 ]; then + echo "Got answer with address: 192.168.0.$d" + fi + done + -------- + Note that this script will take 1 second per IP since that is how long arping + waits, so scanning a C-class net will take 256 seconds. If you have a bigger + net, then write a program that will run several arpings at the same time to + go through more in less time. + arping-scan-net.sh is a more capable script for scanning, but you need to + edit it since the address range it searches is hard-coded. + If you like this feature, mail me and I may put it into the main arping. + But no need wasting my time if no-one wants it. + (I'll probably add it anyway some day, but not soon) + ---------------------------------------------------------------------------- Send questions/suggestions/patches/rants/money/sparcs to thomas@habets.pp.se diff --git a/arping-scan-net.sh b/arping-scan-net.sh new file mode 100755 index 0000000..e22abe3 --- /dev/null +++ b/arping-scan-net.sh 
@@ -0,0 +1,49 @@ +#!/bin/sh +# $Id: arping-scan-net.sh 546 2002-02-12 18:17:47Z marvin $ +# +# Copyright (C) 2002 Thomas Habets <thomas@habets.pp.se> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public +# License as published by the Free Software Foundation; either +# version 2 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +trap "exit 0" INT + +TARGET_MAC="0:60:93:34:91:99" + +if [ "$1" != "" ]; then + TARGET_MAC="$1" +fi + +# +# first number after 'seq' is range start, second is range end +# +# default is [192-192].[168-168].[0-0].[0-255] +# +# +# If you think this is useful, tell me and I'll incorperate it into arping +# +for a in $(seq 192 192); do + for b in $(seq 168 168); do + for c in $(seq 0 0); do + for d in $(seq 0 255); do + arping -q -c 1 -T $a.$b.$c.$d $TARGET_MAC + if [ $? == 0 ]; then + echo "Got answer with address: $a.$b.$c.$d" + fi + done + done + done +done +exit 1 
@@ -1,10 +1,10 @@ -.TH "arping" "8" "21th Jan, 2002" "arping" "" +.TH "arping" "8" "12th Feb, 2002" "arping" "" .PP .SH "NAME" arping \- sends arp and/or ip pings to a given host .PP .SH "SYNOPSIS" -\fBarping\fP [-hqavrRd0bp] [-S \fIhost/ip\fP] [-S \fIhost/ip\fP] [-s \fIMAC\fP] [-t \fIMAC\fP] [-c \fIcount\fP] [-i \fIinterface\fP] <\fIhost\fP | -B> +\fBarping\fP [-hqavrRd0bp] [-S \fIhost/ip\fP] [-T \fIhost/ip\fP] [-s \fIMAC\fP] [-t \fIMAC\fP] [-c \fIcount\fP] [-i \fIinterface\fP] <\fIhost\fP | -B> .PP .SH "DESCRIPTION" The \fIarping\fP utility sends \fBARP\fP and/or \fBICMP\fP requests to the specified \fIhost\fP and displays the replies\&. The \fIhost\fP may be specified by its \fBhostname\fP, its \fBIP\fP address, or its \fBMAC\fP address\&. @@ -12,7 +12,7 @@ * * Also finds out IP of specified MAC * - * $Id: arping.c 533 2002-01-20 23:14:08Z marvin $ + * $Id: arping.c 546 2002-02-12 18:17:47Z marvin $ */ /* * Copyright (C) 2000-2002 Thomas Habets <thomas@habets.pp.se> @@ -78,7 +78,7 @@ #define DEBUG(a) #endif -const float version = 1.03; +const float version = 1.04; struct ether_addr *mymac; static u_char eth_xmas[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; |
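Review bot: in the README 'Technical' hunk, the inline brute-force loop (`for d in $(seq 0 255)`) passes `-T $a.$b.$c.$d` to arping but never assigns `a`, `b` or `c`, so every iteration expands to `-T ...$d` with empty octets while the echo line reports `192.168.0.$d`; either set `a=192 b=168 c=0` before the loop or write `-T 192.168.0.$d` so the probe and the message agree. `[ $? == 0 ]` is also a bash-ism (POSIX `test` compares with `=`); the exit status can be tested directly with `if sudo arping -q -c 1 -T 192.168.0.$d 0:60:93:34:91:99; then`. Minor: "dont' answer" should be "don't answer".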
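Review bot: in the new arping-scan-net.sh, the script ends with `exit 1` after a complete sweep while `trap "exit 0" INT` makes an interrupted run exit 0, which is the opposite of what a caller would expect; exit 0 when at least one address answered (track it in the inner loop) and non-zero otherwise. Under `#!/bin/sh`, `[ $? == 0 ]` relies on a bash extension and `seq` is not guaranteed to exist; `if arping -q -c 1 -T "$a.$b.$c.$d" "$TARGET_MAC"; then` avoids the first problem, and `"$TARGET_MAC"` should be quoted in any case so an empty or malformed argument is not silently dropped. Since the README already tells users they must edit the hard-coded `seq` bounds, taking the range from positional arguments (e.g. `$2`..`$5` alongside the MAC in `$1`) would remove that step. Style: the licence header says "This library" for a shell script, and "incorperate" should be "incorporate".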
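Review bot: the arping.8 hunk corrects the duplicated `-S` in SYNOPSIS to `-T`, matching the `-T` usage the README now describes, but the change only touches the synopsis and the date; if the man page's option list does not yet have an entry for `-T` (the target IP carried in the broadcast ping when pinging a MAC, per the README text), add one in the same change so the page documents the flag it now advertises.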
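Review bot: the arping.c hunk bumps `const float version = 1.03` to `1.04`; keeping the version as a floating-point constant means the printed value depends on the format precision (1.04 is not exactly representable) and a future 1.10 is indistinguishable from 1.1. A string constant such as `const char *version = "1.04";` sidesteps both issues and is what the man page and `$Id$` lines already treat it as.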