
Layer 2 Ping – Using the arping Tool
Introduction
The arping tool for Linux is the Layer 2 equivalent of the ping command. It is used to send ARP (Address Resolution Protocol) request messages to a destination host in a Local Area Network (LAN). This is useful to test whether a particular IP address is in use and online in the network. The arping tool operates at OSI Layer 2, so it can only be used in local networks: ARP messages cannot be routed across routers or gateways. Many Linux distributions, including Backtrack, include arping by default.
When arping is run without parameters it will not do anything – except display the command line options:
$ arping
ARPing 2.09, by Thomas Habets <thomas@habets.pp.se>
usage: arping [ -0aAbdDeFpqrRuv ] [ -w <us> ] [ -S <host/ip> ]
              [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
              [ -i <interface> ] <host/ip/MAC | -B>
For complete usage info, use --help or check the manpage.
Arping with an IP Address Argument
Now let’s see arping in action by supplying it with an IP address to probe. This is the most common way to use arping. Say we want to send 5 ARP probes to 120.0.2.2:
$ arping -c 5 120.0.2.2
ARPING 120.0.2.
56 bytes from 38:e7:d8:63:5e:a6 (120.0.2.2): index=0 time=62.502 msec
56 bytes from 38:e7:d8:63:5e:a6 (120.0.2.2): index=1 time=63.992 msec
56 bytes from 38:e7:d8:63:5e:a6 (120.0.2.2): index=2 time=37.623 msec
56 bytes from 38:e7:d8:63:5e:a6 (120.0.2.2): index=3 time=37.764 msec
56 bytes from 38:e7:d8:63:5e:a6 (120.0.2.2): index=4 time=10.774 msec
--- 120.0.2.2 statistics ---
5 packets transmitted, 5 packets received, 0% unanswered (0 extra)
From this command we learned:
- The host at IP 120.0.2.2 is online.
- The MAC address of the host is 38:e7:d8:63:5e:a6.
Arping with a MAC Address Argument
If the arping command is used with a MAC address parameter, different behavior occurs. Since it is not possible to send ARP requests to a MAC address, arping will try to find the corresponding IP. Let’s try it with the MAC address we just found:
$ arping -c 5 38:e7:d8:63:5e:a6
ARPING 38:e7:d8:65:5e:a6
--- 38:e7:d8:65:5e:a6 statistics ---
5 packets transmitted, 0 packets received, 100% unanswered (0 extra)
This triggers the sending of ICMP Echo messages (ping requests), instead of ARP requests. Five ICMP Echo messages are transmitted to a broadcast IP, with the following fields:
- Layer 2 source: Sender’s MAC
- Layer 3 source: Sender’s IP
- Layer 2 destination: The argument MAC (38:e7:d8:63:5e:a6)
- Layer 3 destination: Broadcast IP (255.255.255.255)
So although the first three fields are perfectly normal, the Layer 3 destination is set to a broadcast IP in order to reach all hosts on the network. A normal ICMP Echo request is sent to the IP of the intended recipient, not to a broadcast address. Most hosts will not respond to an ICMP Echo request that is embedded in an IP packet with destination 255.255.255.255, so no response will be received (as in the example above).
RFC-1122 Section 3.2.2.6 Echo Request/Reply
“An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.
DISCUSSION:
This neutral provision results from a passionate debate between those who feel that ICMP Echo to a broadcast address provides a valuable diagnostic capability and those who feel that misuse of this feature can too easily create packet storms.”
In summary: used in this way, the arping command has very limited use, but you might get lucky. An alternative way to find out which IP address corresponds to a known MAC address is to send an ARP request to every host on the network.
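One way to do that sweep, as an added example (not code from the original article and not the script shipped in the arping tarball). It assumes the reply format shown earlier on this page; the function names, the sample addresses and the sample MAC 00:11:22:33:44:55 are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which IP in a /24 answers ARP from a known MAC address.
# Assumes the reply format shown above:
#   56 bytes from <MAC> (<IP>): index=N time=T msec

# Read arping output on stdin; print each distinct IP that replied from MAC $1.
# The MAC comparison is case-insensitive.
ips_for_mac() (
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$want" '
        $2 == "bytes" && $3 == "from" {
            ip = $5
            gsub(/[():]/, "", ip)            # "(120.0.2.2):" -> "120.0.2.2"
            if (tolower($4) == want && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
)

# ARP-probe hosts .1 to .254 of the /24 whose first three octets are $1,
# on interface $3, and report the IPs answering from MAC $2.
# Needs raw-socket privileges (root); one probe per host, so it takes minutes.
sweep() (
    for host in $(seq 1 254); do
        arping -c 1 -i "$3" "$1.$host" 2>/dev/null || true   # no reply is not an error
    done | ips_for_mac "$2"
)

# Constructed sample output (two hosts), used when no arguments are given.
SAMPLE='ARPING 192.0.2.7
56 bytes from 00:11:22:33:44:55 (192.0.2.7): index=0 time=1.201 msec
ARPING 192.0.2.9
56 bytes from 38:E7:D8:63:5E:A6 (192.0.2.9): index=0 time=0.874 msec
56 bytes from 38:e7:d8:63:5e:a6 (192.0.2.9): index=1 time=0.910 msec'

# Usage: sh mac2ip.sh <first-three-octets> <MAC> <interface>
if [ "$#" -eq 3 ]; then
    sweep "$1" "$2" "$3"
else
    printf '%s\n' "$SAMPLE" | ips_for_mac 38:e7:d8:63:5e:a6   # prints 192.0.2.9
fi
```

Because this uses real ARP requests rather than broadcast ICMP Echo, a host that silently discards broadcast pings still answers.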
Author of Arping here.
You can try to ping a more narrow broadcast than 255.255.255.255. For example 192.168.0.255.
The other way you can use it is to use the script provided in the arping tarball: loop through all addresses (or a suspected subset) and try to brute force it. Limited use? Absolutely. But when it’s needed it’s there for you.
Great web, keep on rockin’