Friday, September 26, 2008

ARP Ping

Here is a topic ripped from our September 2008 newletter.

The most popular search term bringing people to our website is ARP Ping. What does ARP Ping do?

If you have the purchased or even the demo version of NetScanTools Pro, you can access the tool by selecting Tools/ARP Ping. Once there, you can see that it has three options or modes. The first two are for sending an ARP Ping and the third is for searching for duplicate IP addresses. Let’s concentrate on ARP Ping first and learn what ARP Ping does and does not do.

ARP request packets are fairly simple in construction. In Ethernet networks, ARP is used to obtain the MAC address of the target given the target IP address. Our ARP packets contain the required target IP address. The broadcast MAC address is placed in the target MAC field. The Interface IP and MAC address are used in the packet to identify to the target device the sender of the ARP packet. When the target device with the IP address identified in the ARP request packet sees the ARP request packet, it fills in the target interface MAC address and sends an ARP reply packet back to the sender. The target IP is a requirement because the receiver will not reply unless it sees its own IP address in the packet. In our implementation, the act of sending an ARP request and receiving a reply is known as an ARP Ping and the timing of the packets gives us the Response Time. The timing is similar to what you would see with a command line PING, ie. packet round-trip-time milliseconds.

What about the broadcast and unicast options? The broadcast option means all ARP request packets we send are to the broadcast MAC address. The unicast option means the first packet uses the broadcast MAC address and all subsequent packets use the discovered MAC address of the target.

Can you input a target MAC address with the IP address blank in order to find the target’s IP address? No, because the ARP protocol does not work that way. If you were to send such a packet, it will not be responded to by any device because the IP address in the packet does not match the IP address of any receiving device.

Can you use this tool to get the MAC address of a device NOT on the same subnet as the computer running NetScanTools Pro? No, because none of the devices on the subnet will not recognize the target IP address and they will not respond. EXCEPT if the router that accepts packets destined for locations outside the subnet is set up to do proxy ARP. If so, it will see that the target IP is not within the subnet and respond to you with the MAC address of the router interface on your side of the subnet.

For more information on how ARP works, see RFC 826.

How to use the ARP Ping tool to search for duplicate IP addresses. A variation on ARP is to use it to detect duplicate IP addresses by the method outlined in RFC 5227. To do this you first select Search for Duplicate IP Addresses, then you select the source IP address to place in the ARP request packet (0.0.0.0 is preferred in the RFC, but we also provide an option for placing the Interface IP in there instead), then you enter the target IP address and press Send ARP. The target IP address is the one you want to find duplicates for. All devices using that IP address will respond to your request along with their MAC address and they will be shown in the results grid.

That's a taste of some of the tips and explanations you will be seeing in this blog. It might bore you if you haven't got the faintest idea what I'm talking about...but enough people have wanted to know about ARP Ping for us to talk about it in more detail.

By the way, did you know I own four miniature herefords?

No comments: