Sending ARP request to unicast MAC instead of broadcast MAC address?
OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear... Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host? Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language? Thanks, -C
On Wed, Jun 16, 2010 at 5:57 PM, Chris Woodfield <rekoil@semihuman.com> wrote:
OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...
Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?
In general, hosts respond to these in just the same way as they would respond to a broadcast arp request.
Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?
arping from the iputils package will switch to unicast requests after the first unicast ARP response is received, and send the rest of the pings using unicast arp, assuming you don't use the -b option -- -JH
Dear Chris,
OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...
Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host? Try or read kernel source.
Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?
http://www.perihel.at/sec/mz/ should be able todo this. Kind regards, Ingo Flaschberger
On 6/16/2010 at 3:57 PM, Chris Woodfield <rekoil@semihuman.com> wrote: OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...
Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?
Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?
Unicast ARP requests are considered normal. See Section 2.3.2.1 of RFC1122, "ARP Cache Validation." Specifically, IMPLEMENTATION: Four mechanisms have been used, sometimes in combination, to flush out-of-date cache entries. [snip] (2) Unicast Poll -- Actively poll the remote host by periodically sending a point-to-point ARP Request to it, and delete the entry if no ARP Reply is received from N successive polls. Again, the timeout should be on the order of a minute, and typically N is 2.
Looks like all the replies I got were private, so thanks all - to summarize, I got everything from "Read The Fine Kernel Source" to "Read The Fine RFC" to "Read RFC 1122, Section 2.3.2.1, it's quite a Fine read". So for other folks out there like me who obviously can't read RFCs, the answer is "yes". :) -C On Jun 16, 2010, at 3:57 51PM, Chris Woodfield wrote:
OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...
Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?
Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?
Thanks,
-C
I believe they call this a Gratuitous ARP Request. It is used automatically when interfaces are brought up to detect IP conflicts. On 6/17/10 5:45 PM, Chris Woodfield wrote:
Looks like all the replies I got were private, so thanks all - to summarize, I got everything from "Read The Fine Kernel Source" to "Read The Fine RFC" to "Read RFC 1122, Section 2.3.2.1, it's quite a Fine read".
So for other folks out there like me who obviously can't read RFCs, the answer is "yes". :)
-C
On Jun 16, 2010, at 3:57 51PM, Chris Woodfield wrote:
OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...
Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?
Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?
Thanks,
-C
-- Steve King Senior Linux Engineer - Advance Internet, Inc. Cisco Certified Network Associate CompTIA Linux+ Certified Professional CompTIA A+ Certified Professional
participants (5)
-
Chris Woodfield -
Crist Clark -
Ingo Flaschberger -
James Hess -
Steven King