Address Resolution Protocol (ARP)

The Address Resolution Protocol (ARP) maps Layer 3 IP addresses to Layer 2 MAC addresses. Understanding when and how ARP is used is important to fully utilize the arp command. Whenever a node wishes to send traffic to a particular IP address, it will use its own IP address and netmask to determine if the destination is on a directly connected network. If the destination address is not directly connected, the routing table is consulted. Assuming a route for the destination network exists (a default route can include the destination network), the host then determines the gateway for the routing entry. After the gateway is determined, an arp who-has request with the gateway’s (router) address can be broadcast on the appropriate network interface, and the gateway will respond with its MAC address. The host will then direct traffic for the destination to the MAC address of the gateway.

Linux’s tool to access the ARP table is the command arp. arp, like the ifconfig command, is provided in the net-tools distribution available at http://www.tazenda.demon.co.uk/phil/net-tools/.

arp, like ifconfig, is very useful without any parameters:

[root@lefty /root]# arp 
Address                 HWtype  HWaddress         Flags Mask Iface 
192.168.1.1             ether   00:20:78:CF:3D:66 C          eth0 
speedy                  ether   00:40:D0:08:6A:72 C          eth0 

The output includes the Layer 3 (IP) address, the type of network interface (HWtype), the MAC address (HWaddress), and the interface where the MAC address was learned. The Mask column was used with early versions of Linux but is no longer used. The Flags entry C reports that the entry is completed, that is, that the IP address was learned. The output of arp is not completely consistent: an incomplete entry is marked with (incomplete) in the HWaddress column rather than with any entry in the Flags column of the arp table:

[root@lefty /root]# arp 
Address                 HWtype   HWaddress         Flags Mask Iface 
192.168.1.5                      (incomplete)                 eth0 
192.168.1.1             ether    00:20:78:CF:3D:66 C          eth0 
speedy                  ether    00:40:D0:08:6A:72 C          eth0 

arp supports many parameters to assist in network troubleshooting.

-a Host

The -a host parameter filters the arp command output to the specific host involved. The host can be either the host name of the particular node or the node’s IP address. The following shows the MAC address assigned to 192.168.1.100:

[root@lefty /root]# arp -a 192.168.1.100 
Address                 HWtype  HWaddress          Flags Mask Iface 
192.168.1.100           ether   00:20:58:CC:66:3D  C          eth0 

Running arp with -a host, combined with the -d option discussed in a following section, on several Linux nodes on the same network can help to quickly identify two hosts configured with the same IP address: the IP address will be the same, but the MAC addresses will be different.

-H hwtype

The -H parameter specifies that only arp entries for the particular interface type should be printed. For example, to print all Ethernet entries, use

[root@lefty /root]# arp -H ether 
Address                 HWtype  HWaddress          Flags Mask Iface 
192.168.1.1             ether   00:20:78:CF:3D:66  C          eth0 
speedy                  ether   00:40:D0:08:6A:72  C          eth0 

Or to see any Token Ring entries:

[root@lefty net]# arp -H tr 
arp: in 2 entries no match found. 

The media (hardware) types supported by the arp command are shown in Table 9.6.

Table 9.6. Network Media Types Supported by Linux arp Command

Media Hardware Types                  Abbreviations
Adaptive Serial Line IP               adaptive
Amateur NET/ROM                       netrom
Amateur ROSE                          rose
Amateur X.25                          ax25
ARCnet                                arcnet
Ash                                   ash
Cisco HDLC                            hdlc
Compressed Serial Line IP             cslip
Compressed Serial Line IP 6 bit       cslip6
Econet                                ec
Ethernet                              ether
Fiber Distributed Data Interface      fddi
Frame Relay Access Device             frad
Frame Relay DLCI                      dlci
High-Performance Parallel Interface   hippi
IP in IP Tunneling                    tunnel
IPv6 in IPv4 Tunneling                sit
IrLAP                                 irda
LAPB                                  lapb
Local Loopback                        loop
Point-to-Point Protocol               ppp
Serial Line IP                        slip
Serial Line IP 6 bit                  slip6
Token Ring                            tr

-i Interface

arp also can display all the entries for a particular interface with the -i parameter. To view all the ARP entries learned on righty’s second interface card, the following arp command would be used:

[root@righty /root]# arp -i eth1 
Address                 HWtype  HWaddress          Flags Mask Iface 
10.1.1.4                 ether   00:40:68:CF:33:22  C         eth1 
blue                     ether   00:40:D7:08:6A:52  C         eth1 

-n

-n turns off name resolution for the arp command so that IP addresses are not resolved to host names. Notice the arp command without the -n:

[root@lefty /root]# arp 
Address                HWtype  HWaddress          Flags Mask Iface 
192.168.1.1            ether   00:20:78:CF:3D:66  C          eth0 
speedy                 ether   00:40:D0:08:6A:72  C          eth0 

The IP address for speedy is being resolved, and arp prints speedy as opposed to the IP address. Here is the same ARP table without name resolution:

[root@lefty /root]# arp -n 
Address                 HWtype  HWaddress          Flags Mask Iface 
192.168.1.1             ether   00:20:78:CF:3D:66  C          eth0 
192.168.1.101           ether   00:40:D0:08:6A:72  C          eth0 

-d Host

Sometimes it is necessary to delete the arp entry of a host to troubleshoot networking problems where address resolution is not working correctly, such as when two nodes are misconfigured with the same IP address or where a network interface card might seem to be misbehaving. The -d entry can be used to remove specific entries. The -d is followed by the host, which can be the IP address or the hostname of the node. To remove speedy’s MAC address from the arp cache, the following is typed:

[root@lefty /root]# arp -d speedy 

And to see that it has been removed:

[root@lefty /root]# arp 
Address                 HWtype  HWaddress          Flags Mask Iface 
192.168.1.1             ether   00:20:78:CF:3D:66  C          eth0 

Oftentimes when troubleshooting ARP-related problems, there is a need to clear the complete ARP cache. The following script, darpcache, uses the -d parameter to parse through the cache and remove all entries:

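#!/bin/bash 
# darpcache 
# This script deletes all arp entries from the arp cache 

# Skip the header line and take the Address column of every entry
for host in $(arp -n | awk 'NR > 1 {print $1}') 
        do 
               # Delete first, then report the entry that was removed
               arp -d "$host" 
               echo "Deleted entry for host: $host" 
        done 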

Its output looks similar to this:

[root@lefty /root]# ./darpcache 
Deleted entry for host:  192.168.1.1 
Deleted entry for host:  192.168.1.101 
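
The duplicate-address check described under -a Host and -d Host can be automated by comparing arp -n listings gathered from several nodes. The following is an added example, not code from the original text; the "## node" marker line and the sample listings are constructed assumptions.

```shell
#!/bin/bash
# find_dup_ips: added example, not from the original text.
# Reads labelled ARP listings on stdin. A line "## <node>" (a convention
# assumed here) names the node whose `arp -n` output follows.
find_dup_ips() {
    awk '
        /^## /            { node = $2; next }   # start of one node listing
        $1 == "Address"   { next }              # header row
        /\(incomplete\)/  { next }              # unresolved entry: no MAC to compare
        NF < 3            { next }              # blank or malformed line
        {
            ip = $1; mac = toupper($3)
            if (!((ip, mac) in seen)) {         # count each IP/MAC pair once
                seen[ip, mac] = 1
                count[ip]++
                macs[ip] = macs[ip] (macs[ip] ? " " : "") mac "@" node
            }
        }
        END {
            # An IP seen with more than one MAC is a duplicate-address suspect
            for (ip in count)
                if (count[ip] > 1)
                    print ip ": " macs[ip]
        }
    ' | sort
}

# Constructed sample: listings gathered from two nodes, lefty and righty.
sample_listings() {
    cat <<'EOF'
## lefty
Address                 HWtype  HWaddress          Flags Mask Iface
192.168.1.1             ether   00:20:78:CF:3D:66  C          eth0
192.168.1.5                     (incomplete)                  eth0
192.168.1.100           ether   00:20:58:CC:66:3D  C          eth0
## righty
Address                 HWtype  HWaddress          Flags Mask Iface
192.168.1.1             ether   00:20:78:CF:3D:66  C          eth0
192.168.1.100           ether   00:40:D0:08:6A:72  C          eth0
EOF
}

sample_listings | find_dup_ips
```

Each reported line gives the IP address followed by every MAC address seen for it and the node that first reported that MAC; an entry with the same MAC on every node is not reported.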

A related protocol, RARP, works similarly to ARP; however, its purpose is to allow a host to determine its IP address by broadcasting its MAC address as a RARP request. A node then responds with the mapped IP address. RARP has all but been replaced with the Dynamic Host Configuration Protocol (DHCP) for several reasons, including RARP’s tendency to be statically mapped on a particular node and DHCP’s ability to provide additional information beyond the IP address (including DNS configuration like name servers and domain suffixes). DHCP is also widely supported on non-UNIX systems.

RARP support must be configured in the Linux kernel, and the RARP table is managed using the rarp command.
