Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides


Topic review - How to generate GRATUITOUS ARP REQUEST on FreeBSD using nemesis packet crafting tool
Post subject: How to generate GRATUITOUS ARP REQUEST on FreeBSD using nemesis packet crafting tool  |  Posted: Thu Feb 23, 2012 4:49 am
Before going deeper into gratuitous arp, I will introduce "nemesis".

NEMESIS is a command line packet crafting tool able to generate l2 frames / ip packets giving one the possibility to manipulate the arp/ip/tcp/icmp headers.

The one and only disadvantage I see is that it cannot close tcp handshakes (as far as I can see), but that is not the purpose of this article.

Gratuitous arp is a simple mechanism used for different reasons, but the most important one is High Availability Active-Passive(backup) clusters (firewalls or Unix) when failover needs to be performed.

Both cluster nodes share a virtual IP (VIP). When one node goes down for whatever reason, the backup node needs to become active and take assignment of the VIP. But the peering devices still have in their arp table an entry for the VIP and the mac address of the failed node.

Enter gratuitous arp request: It is sent by the failover node and it notifies peered (l3) devices that the VIP sits on the mac address of the node in question.

Besides nemesis, there is another utility, "arping" that allows gratuitous arp (requests and replies), but beware: There is arping from "iputils" package available only for Linux (wasn't able to compile it on FreeBSD) that allows you to use the mac of the interface where you are sending the gratuitous arp. It does not allow you to specify the mac address.

Arping from FreeBSD ports does not know gratuitous arp (when I last played with it).

Before I begin the test, here is the entry in the target host's arp table:
# arp -an | grep
? ( at 00:11:2f:8d:05:fa on em0 [ethernet]

Now, I will use nemesis to change the target host's arp entry to '00:11:2f:8d:05:fb' instead of '00:11:2f:8d:05:fa':
nemesis arp -S -D -s -H 00:11:2f:8d:05:fb

Checking if the arp table was updated:
# arp -an | grep
? ( at 00:11:2f:8d:05:fb on em0 [ethernet]

And the tcpdump of the gratuitous arp request:
# tcpdump -nteli em0 arp
00:11:2f:8d:05:fb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has (ff:ff:ff:ff:ff:ff) tell

The source mac address of the gratuitous arp request is '00:11:2f:8d:05:fb' and the destination is the broadcast. Generally only one packet is necessary to update a host's arp table.

If this doesn't work, check for l2 filters on your switch or static arp entries.
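
Added example, not part of the original post: a small parser that reads captured Ethernet frames, recognises gratuitous ARP (sender IP equal to target IP) and reports when the announced MAC differs from the one already recorded, which is the table change shown above. The function names and the address 192.0.2.10 are assumptions (the post's own IP addresses are not shown), and the sample frames are constructed.

```python
import struct

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # ethertype ARP (0x0806)
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = ":".join(f"{b:02x}" for b in sha)
    return op, mac, ".".join(map(str, spa)), ".".join(map(str, tpa))

def watch(frames, table=None):
    """Update an IP->MAC table from frames; report each gratuitous ARP seen."""
    table = {} if table is None else table
    events = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":     # skip non-ARP and ARP probes
            continue
        op, mac, spa, tpa = parsed
        if spa == tpa:                                   # sender announces its own IP
            old = table.get(spa)
            status = "new" if old is None else ("unchanged" if old == mac else "moved")
            events.append((spa, old, mac, status))
        table[spa] = mac
    return events

def sample_frame(mac, ip, op=1):
    """Constructed 60-byte broadcast frame shaped like the tcpdump line above."""
    hw = bytes.fromhex(mac.replace(":", ""))
    addr = bytes(int(p) for p in ip.split("."))
    eth = b"\xff" * 6 + hw + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + hw + addr + b"\xff" * 6 + addr
    return (eth + arp).ljust(60, b"\x00")

if __name__ == "__main__":
    ip = "192.0.2.10"  # placeholder VIP (assumption; the post's addresses are not shown)
    capture = [sample_frame("00:11:2f:8d:05:fa", ip),
               sample_frame("00:11:2f:8d:05:fb", ip)]
    for event in watch(capture):
        print(event)
```

A "moved" event during a planned failover is expected; at any other time it is a binding change worth comparing against the switch's MAC table or any static arp entries.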