How to generate GRATUITOUS ARP REQUEST on FreeBSD using nemesis packet crafting tool

Before going deeper into gratuitous arp, I will introduce "nemesis".

NEMESIS is a command line packet crafting tool able to generate l2 frames / ip packets giving one the possibility to manipulate the arp/ip/tcp/icmp headers.

One and the only disadvantage I see is that it cannot close tcp handshakes (as far as I can see), but it is not the purpose of this article.

Gratuitous arp is a simple mechanism used for different reasons, but the most important one is High Availability Active-Passive(backup) clusters (firewalls or Unix) when failover needs to be performed.

Both cluster nodes share a virtual IP (VIP). When one node goes down for whatever reason, the backup node needs to become active and take assignment of the VIP. But the peering devices still have in their arp table an entry for the VIP and the mac address of the failed node.

Enter gratuitous arp request: It is sent by the failover node and it notifies peered (l3) devices that the VIP sits on the mac address of the node in question.

Besides nemesis, there is another utility, "arping" that allows gratuitous arp (requests and replies), but beware: There is arping from "iputils" package available only for Linux (wasn't able to compile it on FreeBSD) that allows you to use the mac of the interface where you are sending the gratuitous arp. It does not allow you to specify the mac address.

Arping from FreeBSD ports does not know gratuitous arp (when I last played with it).

Before I begin the test, here is the entry in the target host's arp table:

Code:

# arp -an | grep 192.168.0.1
? (192.168.0.1) at 00:11:2f:8d:05:fa on em0 [ethernet]

Now, I will use nemesis to change the target host's arp entry to '00:11:2f:8d:05:fb' instead of '00:11:2f:8d:05:fa':

Code:

nemesis arp -S 192.168.0.1 -D 192.168.0.1 -s -H 00:11:2f:8d:05:fb

Checking if the arp table was updated:

Code:

# arp -an | grep 192.168.0.1
? (192.168.0.1) at 00:11:2f:8d:05:fb on em0 [ethernet]

And the tcpdump of the gratuitous arp request:

Code:

# tcpdump -nteli em0 arp
00:11:2f:8d:05:fb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.0.1 (ff:ff:ff:ff:ff:ff) tell 192.168.0.1

The source mac address of the gratuitous arp request is '00:11:2f:8d:05:fb' and the destination is the broadcast. It is generaly only one packet necessary to update a host's arp table.

If this doesn't work, check for l2 filters on your switch or static arp entries.