On 6/16/2010 at 3:57 PM, Chris Woodfield <rekoil@semihuman.com> wrote: OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...
Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?
Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?
Unicast ARP requests are considered normal. See Section 2.3.2.1 of RFC1122, "ARP Cache Validation." Specifically, IMPLEMENTATION: Four mechanisms have been used, sometimes in combination, to flush out-of-date cache entries. [snip] (2) Unicast Poll -- Actively poll the remote host by periodically sending a point-to-point ARP Request to it, and delete the entry if no ARP Reply is received from N successive polls. Again, the timeout should be on the order of a minute, and typically N is 2.