
[kali-linux-2020.1-vmware] The arping Command Explained

Date: 04-15

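1 What the arping command is

  • arping sends ARP request packets and can check for duplicate IP addresses.
  • arping shows which MAC address answers for an IP on the local LAN, and whether a MAC address is in use.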

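2 arping versions

  • Thomas Habets version: the one used on Debian Linux
  • Linux iputils suite version: the one used on CentOS Linux

The two versions take different command-line options.

Installing arping on Debian Linux

Method 1: install from the downloaded tarball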

wget https://github.com/ThomasHabets/arping/archive/arping-2.20.tar.gz
tar -xvf arping-2.20.tar.gz 
cd arping-arping-2.20/
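# Why is there no ./configure file? The GitHub archive is a source snapshot, so the script has to be generated with autotools first (for example with autoreconf -i).

Method 2: install directly with apt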

sudo apt install iputils-arping
sudo apt install arping 

Installing arping on CentOS Linux

On CentOS, arping is installed through the iputils package, a collection of useful network tools for Linux.

sudo yum install iputils 

3 Lab environment

  • Virtualization software: VMware® Workstation 15 Pro
  • node1 is a home PC running Windows 10
  • node2 is a server running CentOS 8
  • master is Kali Linux

   +------- node1 --------+      +------- node2 --------+
   |                      |      |                      |
   |      Windows 10      |      |      CentOS 8        |
   |                      |      |                      |
   |     192.168.83.28    |      |     192.168.83.9     |
   +-------- eth0 --------+      +-------ens160 --------+
      (00:0c:29:46:0a:f1)           (00:0c:29:2c:fc:cf)
               |                             |
               |                             |
   +-----------------------------------------------------+
   |             VMware Workstation 15 Pro               |
   |                Gateway: 192.168.83.2                |
   +---------------------------+-------------------------+
                               |
                               |
                      (00:0c:29:21:fa:bd)
                  +---------------------------+
                  |       192.168.83.26       |
                  |        KALI-Linux         |
                  +---------------------------+

4 Command options

4.1 Overview

English version

root@kali:~# arping --help
ARPing 2.20, by Thomas Habets <thomas@habets.se>
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w <sec> ] [ -W <sec> ] [ -S <host/ip> ]
              [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
              [ -C <count> ] [ -i <interface> ] [ -m <type> ] [ -g <group> ]
              [ -V <vlan> ] [ -Q <priority> ] <host/ip/MAC | -B>
​
Options:
​
    -0     Use this option to ping with source IP address 0.0.0.0. Use this
           when you haven't configured your interface yet.  Note that  this
           may  get  the  MAC-ping  unanswered. This is an alias for -S
           0.0.0.0.
    -a     Audiable ping.
    -A     Only count addresses matching  requested  address  (This  *WILL*
           break  most things you do. Only useful if you are arpinging many
           hosts at once. See arping-scan-net.sh for an example).
    -b     Like -0 but source broadcast source  address  (255.255.255.255).
           Note that this may get the arping unanswered since it's not nor-
           mal behavior for a host.
    -B     Use instead of host if you want to address 255.255.255.255.
    -c count
           Only send count requests.
    -C count
           Only wait for this many replies, regardless of -c and -w.
    -d     Find duplicate replies. Exit with 1 if there are answers from
           two different MAC addresses.
    -D     Display answers as exclamation points and missing packets as dots.
    -e     Like -a but beep when there is no reply.
    -F     Don't try to be smart about the interface name.  (even  if  this
           switch is not given, -i overrides smartness)
    -g group
           setgid() to this group instead of the nobody group.
    -h     Displays a help message and exits.
    -i interface
           Use the specified interface.
    -m type
           Type of timestamp to use for incoming packets. Use -vv when
           pinging to list available ones.
    -q     Does not display messages, except error messages.
    -Q pri 802.1p priority to set. Should be used with 802.1Q (-V).
           Defaults to 0.
    -r     Raw output: only the MAC/IP address is displayed for each reply.
    -R     Raw output: Like -r but shows "the other one", can  be  combined
           with -r.
    -s MAC Set source MAC address. You may need to use -p with this.
    -S IP  Like  -b and -0 but with set source address.  Note that this may
           get the arping unanswered if the target does not have routing to
           the  IP.  If you don't own the IP you are using, you may need to
           turn on promiscious mode on the interface (with -p).  With  this
           switch  you can find out what IP-address a host has without tak-
           ing an IP-address yourself.
    -t MAC Set target MAC address to use when pinging IP address.
    -T IP  Use -T as target address when pinging MACs that won't respond to
           a broadcast ping but perhaps to a directed broadcast.
           Example:
           To check the address of MAC-A, use knowledge of MAC-B and  IP-B.
           $ arping -S <IP-B> -s <MAC-B> -p <MAC-A>
    -p     Turn  on  promiscious  mode  on interface, use this if you don't
           "own" the MAC address you are using.
    -P     Send ARP replies instead of requests. Useful with -U.
    -u     Show index=received/sent instead  of  just  index=received  when
           pinging MACs.
    -U     Send unsolicited ARP.
    -v     Verbose output. Use twice for more messages.
    -V num 802.1Q tag to add. Defaults to no VLAN tag.
    -w sec Specify a timeout before ping exits regardless of how many
           packets have been sent or received.
    -W sec Time to wait between pings.
Report bugs to: thomas@habets.se
Arping home page: <http://www.habets.pp.se/synscan/>
Development repo: http://github.com/ThomasHabets/arping
​

Annotated version (the same help text with the author's notes)

root@kali:~# arping --help
ARPing 2.20, by Thomas Habets <thomas@habets.se>
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w <sec> ] [ -W <sec> ] [ -S <host/ip> ]
              [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
              [ -C <count> ] [ -i <interface> ] [ -m <type> ] [ -g <group> ]
              [ -V <vlan> ] [ -Q <priority> ] <host/ip/MAC | -B>
​
Options:
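-0     Use 0.0.0.0 as the source address. Typically used on a freshly installed system whose interface has no IP configured yet. The MAC-ping may go unanswered. This is an alias for -S 0.0.0.0.
-a     Audible ping: when a reply is received and the PC has a speaker, it beeps.
-A     Only count addresses matching the requested address. (This will break most things you do. It is only useful when you are arpinging many hosts at once. See arping-scan-net.sh for an example.)
-b     Like -0, but the source address is the broadcast address 255.255.255.255. (Note that the arping may go unanswered, since this is not normal behavior for a host.)
-B     Use instead of a host; equivalent to arping 255.255.255.255.
-c count
       Stop after sending the given number of ARP requests. If -w is also given, arping waits for the same number of ARP replies until the timeout expires.
-C count
       Only wait for this many replies, regardless of -c and -w.
-d     Duplicate address detection mode. Checks whether there is an IP address conflict on the LAN. Returns 0 if there is no conflict; if replies arrive from two different MAC addresses, arping exits and returns 1.
-D     Shows packet loss: prints a dot for each missing packet and an exclamation point for each answer.
-e     The opposite of -a: beeps when there is no reply.
-F     Don't try to be smart about the interface name. (Even if this switch is not given, -i overrides smartness.)
-g group
       setgid() to this group instead of the nobody group.
-h     Display a help message and exit.
-i interface
       Interface to send the ARP packets from. Defaults to the system's first network interface.
-m type
       Type of timestamp to use for incoming packets. Use -vv when pinging to list the available ones.
-q     Display no messages except error messages.
-Q pri Set the 802.1p priority. Should be used with 802.1Q (-V). Defaults to 0.
-r     Raw output: only the MAC address is displayed for each reply.
-R     Raw output: like -r but only the IP address is displayed; can be combined with -r.
-s MAC Set the source MAC address. You may need to use -p with this.
-S IP  Like -b and -0 but with a specified source IP address. Note that the arping may go unanswered if the target has no route to the source IP. If you don't own the IP you are using, you may need to turn on promiscuous mode on the interface (with -p). With this switch you can find out what IP address a host has without taking an IP address yourself.
-t MAC Set the target MAC address to use when pinging an IP address.
-T IP  Use -T as the target address when pinging MACs that won't respond to a broadcast ping but perhaps to a directed broadcast.
       Example:
       To check the address of MAC-A, use the MAC and IP address of B.
       $ arping -S <IP-B> -s <MAC-B> -p <MAC-A>
-p     Turn on promiscuous mode on the interface. Use this if you don't own the MAC address you are using.
-P     Send ARP replies instead of requests. Used together with -U.
-u     When pinging MACs, show index=received/sent instead of just index=received.
-U     Send unsolicited ARP.
       (Gratuitous ARP mode: updates this host's entry in the ARP caches of other hosts; no reply is expected.)
-v     Verbose output. Use twice for more messages.
-V num Add an 802.1Q tag. Defaults to no VLAN tag.
-w sec Timeout, in seconds, after which arping exits regardless of how many packets have been sent or received.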

4.2 Using the options

  • Look up node1's MAC address by sending ARP requests to the given IP (open question: why can't it look up its own MAC address?)
root@kali:~# arping 192.168.83.28
ARPING 192.168.83.28
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=0 time=337.244 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=1 time=407.114 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=2 time=501.603 usec
^C
--- 192.168.83.28 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.337/0.415/0.502/0.067 ms
​
  • Option -c: look up node1's MAC address and limit the number of ARP requests sent
root@kali:~# arping -c 5 192.168.83.28
ARPING 192.168.83.28
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=0 time=265.863 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=1 time=237.013 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=2 time=260.477 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=3 time=280.114 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=4 time=163.672 usec
​
--- 192.168.83.28 statistics ---
5 packets transmitted, 5 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.164/0.241/0.280/0.041 ms
​
  • Option -i: look up node1's MAC address, sending the requests from the given interface
root@kali:~# arping -i eth0 -c 1 192.168.83.28
ARPING 192.168.83.28
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=0 time=307.184 usec
​
--- 192.168.83.28 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.307/0.307/0.307/0.000 ms
​
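  • Option -d: check whether node1's IP is claimed by different MAC addresses
    Case where different MACs are detected (the behaviour of -d here differs from the official option description: the returned addresses show two MACs answering for 192.168.83.28, and the final summary shows 3 packets sent but 6 replies received)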
root@kali:~# arping -d  192.168.83.28
ARPING 192.168.83.28
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=0 time=385.133 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.28): index=1 time=446.840 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=2 time=417.637 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.28): index=3 time=487.916 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=4 time=457.327 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.28): index=5 time=527.890 usec
​
--- 192.168.83.28 statistics ---
3 packets transmitted, 6 packets received,   0% unanswered (3 extra)
rtt min/avg/max/std-dev = 0.385/0.454/0.528/0.046 ms
​

When node1's IP is not claimed by another host, three requests are sent and three replies are received

root@kali:~# arping -d  192.168.83.28
ARPING 192.168.83.28
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=0 time=308.701 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=1 time=605.084 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=2 time=430.440 usec
​
--- 192.168.83.28 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.309/0.448/0.605/0.122 ms
  • Option -T: confirm that a MAC and an IP belong together, here that the given IP on node2 is bound to the given MAC address
root@kali:~# arping -c 1 -T 192.168.83.9  00:0c:29:2c:fc:cf
ARPING 00:0c:29:2c:fc:cf
60 bytes from 192.168.83.9 (00:0c:29:2c:fc:cf): icmp_seq=0 time=411.627 usec
​
--- 00:0c:29:2c:fc:cf statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.412/0.412/0.412/0.000 ms
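  • Options -p, -S, -s: sometimes a host cannot be found from the local machine; it can then be queried through the gateway or another PC. Any of the following three modes works.
    master queries node2's MAC address using the gateway's IP and MAC address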
root@kali:~# arping -c 3 -p -S 192.168.83.2 -s 00:50:56:f3:e6:48 192.168.83.9
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0 time=283.399 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=1 time=372.354 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=2 time=400.790 usec
​
--- 192.168.83.9 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.283/0.352/0.401/0.050 ms

master queries node1's MAC address using the gateway's IP address

root@kali:~# arping -c 3 -p -S 192.168.83.2 192.168.83.28
ARPING 192.168.83.28
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=0 time=419.736 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=1 time=1.100 msec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=2 time=1.004 msec
​
--- 192.168.83.28 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.420/0.841/1.100/0.300 ms

master queries node2's MAC address using the gateway's MAC address

root@kali:~# arping -c 3 -p -s 00:50:56:f3:e6:48 192.168.83.9
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0 time=343.132 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=1 time=407.524 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=2 time=478.397 usec
​
--- 192.168.83.9 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.343/0.410/0.478/0.055 ms
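  • When the local machine is offline or has no IP address, use -0 (the digit zero) to look up the MAC of a host IP on the LAN (the gateway's MAC could not be obtained this way)
    • Precondition: Kali Linux is offline; the IP addresses of node1 and node2 are known.
    • Task: find the MAC addresses of node1 and node2.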
root@kali:~# ping www.google.com
ping: www.google.com: 域名解析暂时失败
root@kali:~# ping 8.8.8.8
ping: connect: 网络不可达
root@kali:~# arping -c 3 -0 192.168.83.2
arping: lookup dev: No matching interface found using getifaddrs().
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
ARPING 192.168.83.2
Timeout
Timeout
Timeout
​
--- 192.168.83.2 statistics ---
3 packets transmitted, 0 packets received, 100% unanswered (0 extra)
​
root@kali:~# arping -c 3 -0 192.168.83.9
arping: lookup dev: No matching interface found using getifaddrs().
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0 time=425.912 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=1 time=422.571 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=2 time=493.292 usec
​
--- 192.168.83.9 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.423/0.447/0.493/0.033 ms
root@kali:~# arping -c 3 -0 192.168.83.28
arping: lookup dev: No matching interface found using getifaddrs().
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
ARPING 192.168.83.28
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=0 time=373.017 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=1 time=468.643 usec
60 bytes from 00:0c:29:46:0a:f1 (192.168.83.28): index=2 time=501.261 usec
​
--- 192.168.83.28 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.373/0.448/0.501/0.054 ms
  • Option -D: prints ! for each reply and . when there is no reply (the IP address may not exist)
root@kali:~# arping -c 3 -D 192.168.83.28
!!!       0% packet loss (0 extra)
root@kali:~# arping -c 3 -D 192.168.83.29
...     100% packet loss (0 extra)
  • Option -h: show the help message, including the ARPing version and usage
root@kali:~# arping -h
ARPing 2.20, by Thomas Habets <thomas@habets.se>
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w <sec> ] [ -W <sec> ] [ -S <host/ip> ]
              [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
              [ -C <count> ] [ -i <interface> ] [ -m <type> ] [ -g <group> ]
              [ -V <vlan> ] [ -Q <priority> ] <host/ip/MAC | -B>
For complete usage info, use --help or check the manpage.
  • Option -q: show nothing except error messages. Useful in scripts
root@kali:~# arping -c 3 -q 192.168.83.9
root@kali:~# 
  • Option -r: print only the MAC address for each reply
root@kali:~# arping -c 3 -r 192.168.83.9
00:0c:29:2c:fc:cf
00:0c:29:2c:fc:cf
00:0c:29:2c:fc:cf
  • Option -R: print only the IP address for each reply. -r and -R can be combined.
root@kali:~# arping -c 3 -R 192.168.83.9
192.168.83.9
192.168.83.9
192.168.83.9
root@kali:~# arping -c 3 -R -r 192.168.83.9
00:0c:29:2c:fc:cf 192.168.83.9
00:0c:29:2c:fc:cf 192.168.83.9
00:0c:29:2c:fc:cf 192.168.83.9
  • Option -u: show index=received/sent instead of index=received (compare the two runs)
root@kali:~# arping -c 3 192.168.83.9
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0 time=319.456 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=1 time=470.305 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=2 time=401.861 usec
​
--- 192.168.83.9 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.319/0.397/0.470/0.062 ms
root@kali:~# arping -c 3 -u 192.168.83.9
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0/0 time=334.204 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=1/1 time=328.951 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=2/2 time=322.750 usec
​
--- 192.168.83.9 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.323/0.329/0.334/0.005 ms
  • Option -v: print verbose output.
root@kali:~# arping -c 3 192.168.83.9
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0 time=344.339 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=1 time=441.532 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=2 time=406.311 usec
​
--- 192.168.83.9 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.344/0.397/0.442/0.040 ms
root@kali:~# arping -c 3 -v 192.168.83.9
arping: Autodetected interface eth0
arping: chdir(/run/sshd): No such file or directory
This box:   Interface: eth0  IP: 192.168.83.26   MAC address: 00:0c:29:21:fa:bd
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0 time=408.139 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=1 time=389.324 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=2 time=367.311 usec
​
--- 192.168.83.9 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.367/0.388/0.408/0.017 ms
  • Option -w: timeout before arping exits
root@kali:~# arping -c 3 192.168.83.9 -w 1
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0 time=258.187 usec
​
--- 192.168.83.9 statistics ---
2 packets transmitted, 1 packets received,  50% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.258/0.258/0.258/0.000 ms
root@kali:~# arping -c 3 192.168.83.9 -w 10
ARPING 192.168.83.9
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=0 time=306.346 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=1 time=290.021 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.83.9): index=2 time=312.706 usec
​
--- 192.168.83.9 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.290/0.303/0.313/0.010 ms

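5 Capturing and analysing ARP request/reply packets

5.1 Lab environment

  • The virtual machine uses bridged networking, so kali and the host machine are on the same LAN.
  • On kali, use the arping command to send ARP request packets to the host machine.
  • On the host machine, open wireshark and capture the ARP packets.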
   +----------------------+      +----------------------+
   |                      |      |                      |
   |      KALI-Linux      |      | Host physical machine|
   |                      |      |                      |
   |     192.168.11.13    |      |     192.168.11.3     |
   +-------- eth0 --------+      +-------eth0 ----------+
               |                             | 
               |                             |
               |                             |
   +---------------------------------------------------------+----------------------+
                                                             |                      |
                                                             |       router         |
                                                             |    192.168.11.254    |
                                                             |                      |
                                                             +----------------------+

5.2 ARP packet analysis

  • ARP request packet

Send one ARP request packet from kali to the host machine

root@kali:~# arping -c 1 192.168.11.3
ARPING 192.168.11.3
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=0 time=81.352 usec
​
--- 192.168.11.3 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.081/0.081/0.081/0.000 ms

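ARP packets captured on the host machine

  • Packet No. 46 is the ARP request, i.e. the ARP packet kali-linux sent to the host machine.
  • Packet No. 47 is the ARP reply, i.e. the ARP packet the host machine sent back to kali-linux.
  • ARP request analysis:

Whenever PC1 needs to find the MAC address of another machine, PC2, on the LAN, it can send an ARP request packet. This packet contains the sender's (PC1's) MAC address and IP address and the receiver's (PC2's) IP address. Because the sender (PC1) does not know the receiver's (PC2's) physical address, the query is broadcast on the network.

  • ARP reply analysis:

Every PC on the LAN receives and processes the ARP request and checks whether the receiver IP address in it is its own. Only the host for which this check succeeds returns an ARP reply, which contains the receiver's IP address and physical address. The reply is sent by unicast directly to the requester, using the requester's physical address taken from the received ARP request.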

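6 Duplicate IP address detection

  • The virtual machine uses bridged networking, so kali and the host machine are on the same LAN. The IP of CentOS 8 is manually changed to the same IP as the host machine.
  • On kali, use the arping command to send ARP request packets to 192.168.11.3.
  • On the host machine, open wireshark and capture the ARP packets.
  • On kali, open wireshark and capture the ARP packets.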
   +----------------------+      +----------------------+    +----------------------+
   |                      |      |                      |    |                      |
   |      KALI-Linux      |      | Host physical machine|    |      Centos 8        | 
   |                      |      |                      |    |                      |
   |     192.168.11.13    |      |     192.168.11.3     |    |     192.168.11.3     |
   +-------- eth0 --------+      +-------eth0 ----------+    +-------ens160 --------+
               |                             |                          |
               |                             |                          |
               |                             |                          |
   +------------------------------+----------------------+---------------------------
                                  |                      |
                                  |       router         |
                                  |    192.168.11.254    |
                                  |                      |
                                  +----------------------+

6.1 Probing from kali whether IP 192.168.11.3 appears more than once on the LAN

While kali keeps sending ARP request packets to 192.168.11.3 on the LAN, the terminal shows two MAC addresses

root@kali:~# arping -d -c 15 192.168.11.3
ARPING 192.168.11.3
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=0 time=8.347 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=1 time=203.351 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=2 time=7.886 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=3 time=428.213 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=4 time=5.729 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=5 time=215.430 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=6 time=173.842 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=7 time=422.812 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=8 time=6.234 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=9 time=310.950 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=10 time=96.923 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=11 time=160.731 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=12 time=5.516 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=13 time=219.487 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=14 time=5.692 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=15 time=260.721 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=16 time=6.118 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=17 time=204.691 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=18 time=6.276 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=19 time=277.305 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=20 time=7.290 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=21 time=285.352 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=22 time=5.759 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=23 time=254.430 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=24 time=8.942 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=25 time=320.285 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=26 time=6.739 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=27 time=233.847 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=28 time=25.854 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=29 time=149.777 usec
​
--- 192.168.11.3 statistics ---
15 packets transmitted, 30 packets received,   0% unanswered (15 extra)
rtt min/avg/max/std-dev = 0.006/0.144/0.428/0.135 ms
​

Looking at the ARP packets captured by wireshark on kali at this point, two reply packets were received for 192.168.11.3. The second reply is marked as a duplicate address.
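The check done by eye on the arping output above can be automated. This is an added example, not part of the original article: the helper names are hypothetical and the sample text is constructed in the output format shown on this page. It also accepts the MAC-ping line format from the -T example, where IP and MAC appear in the opposite order.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"(?:\d{1,3}\.){3}\d{1,3}"
# "60 bytes from <MAC> (<IP>): ..." for IP pings, "<IP> (<MAC>)" for MAC pings.
REPLY = re.compile(rf"^\d+ bytes from ({MAC}|{IP}) \(({MAC}|{IP})\):", re.I)
STATS = re.compile(
    r"^(\d+) packets transmitted, (\d+) packets received,.*\((\d+) extra\)")

# Constructed sample in the format of the `arping -d` run above.
SAMPLE = """\
ARPING 192.168.11.3
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=0 time=8.347 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=1 time=203.351 usec
60 bytes from c8:d3:ff:e3:c1:e3 (192.168.11.3): index=2 time=7.886 usec
60 bytes from 00:0c:29:2c:fc:cf (192.168.11.3): index=3 time=428.213 usec

--- 192.168.11.3 statistics ---
2 packets transmitted, 4 packets received,   0% unanswered (2 extra)
"""

def parse_replies(text):
    """Return {ip: [mac, ...]} with MACs in first-seen order."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue
        a, b = m.group(1).lower(), m.group(2).lower()
        if (":" in a) == (":" in b):        # need exactly one MAC and one IP
            continue
        mac, ip = (a, b) if ":" in a else (b, a)
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return dict(seen)

def conflicts(text):
    """IPs that were answered by more than one MAC address."""
    return {ip: macs for ip, macs in parse_replies(text).items() if len(macs) > 1}

def extra_replies(text):
    """The '(N extra)' counter from the statistics line, or None if absent."""
    for line in text.splitlines():
        m = STATS.match(line.strip())
        if m:
            return int(m.group(3))
    return None

if __name__ == "__main__":
    for ip, macs in conflicts(SAMPLE).items():
        print(f"{ip} is answered by {len(macs)} MACs: {', '.join(macs)}")
    print("extra replies:", extra_replies(SAMPLE))
```

More than one MAC for an IP is not always a misconfigured host; a device doing proxy ARP also produces it, so the MACs should be checked against the known inventory.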

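6.2 Capturing the GARP request packet

In wireshark on the host machine, a Gratuitous ARP request packet from CentOS 8 can be captured

(For Gratuitous ARP, see section 7, Gratuitous ARP)

Shortly after CentOS 8 was changed to the same IP as the physical host, CentOS 8 discovered through the ARP protocol that the physical host has the same IP as itself. CentOS therefore sent a GARP request packet into the broadcast domain, telling the physical host that it is 192.168.11.3 as well, and the capture flags the duplicate IP address.

6.3 Capturing ARP packets

After CentOS 8 was switched back to obtaining its IP via DHCP and its network was restarted, wireshark on kali again captured ARP request and reply packets. Both packets show the duplicate address 192.168.11.3

At the moment CentOS 8 switched back to its original IP, wireshark on the host machine also captured packets flagged as duplicate address. The MAC address of CentOS 8 can be seen in these packets.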

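7 GARP (Gratuitous ARP)

GARP is a kind of ARP packet and serves the following two purposes:

  1. Detecting IP address conflicts: checking whether the IP address configured on this PC duplicates that of another PC on the LAN
  2. Updating the ARP caches of network devices on the same segment.

Besides detecting duplicate addresses, GARP is also used to update the ARP caches of network devices on the same segment, so that they can immediately communicate with devices that have switched over under VRRP, HSRP and similar protocols.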
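The packets described in sections 5.2 and 7 can be laid out byte by byte. This is an added example, not part of the original article: it builds a broadcast request, a unicast reply, a gratuitous ARP and a 0.0.0.0 probe (as sent with -0) from the lab addresses on this page, parses them back, and tracks IP-to-MAC bindings the way a monitoring tool would. All function names are hypothetical, and kali's MAC in the bridged lab is assumed to be the one shown in section 3.

```python
import struct

BROADCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_b(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_s(raw): return ":".join(f"{x:02x}" for x in raw)
def ip_b(ip): return bytes(int(p) for p in ip.split("."))
def ip_s(raw): return ".".join(str(x) for x in raw)

def build(dst, src, op, sha, spa, tha, tpa):
    """Ethernet II header + 28-byte ARP body, padded to the 60-byte minimum
    frame size (consistent with the '60 bytes from' in the arping output)."""
    eth = mac_b(dst) + mac_b(src) + struct.pack("!H", 0x0806)   # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)            # Ethernet/IPv4
    arp += mac_b(sha) + ip_b(spa) + mac_b(tha) + ip_b(tpa)
    return (eth + arp).ljust(60, b"\x00")

def parse(frame):
    """Decode one Ethernet frame carrying ARP for IPv4; ValueError otherwise."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"dst": mac_s(frame[0:6]), "src": mac_s(frame[6:12]), "op": op,
            "sha": mac_s(frame[22:28]), "spa": ip_s(frame[28:32]),
            "tha": mac_s(frame[32:38]), "tpa": ip_s(frame[38:42])}

def classify(p):
    """probe: sender IP 0.0.0.0; gratuitous: sender announces its own IP."""
    if p["spa"] == "0.0.0.0":
        return "probe"
    if p["spa"] == p["tpa"]:
        return "gratuitous"
    return {1: "request", 2: "reply"}.get(p["op"], "other")

class ArpWatch:
    """Remember the first MAC seen for each sender IP and report any change."""
    def __init__(self):
        self.table = {}

    def observe(self, frame):
        p = parse(frame)
        kind = classify(p)
        if kind == "probe":                  # 0.0.0.0 claims nothing: not learned
            return None
        old = self.table.setdefault(p["spa"], p["sha"])
        if old != p["sha"]:
            return f"{kind} from {p['sha']} claims {p['spa']}, already bound to {old}"
        return None

# Constructed frames using the addresses of the labs above.
KALI = ("00:0c:29:21:fa:bd", "192.168.11.13")   # MAC assumed, taken from section 3
HOST = ("c8:d3:ff:e3:c1:e3", "192.168.11.3")
CENTOS = ("00:0c:29:2c:fc:cf", "192.168.11.3")
REQUEST = build(BROADCAST, KALI[0], 1, KALI[0], KALI[1], ZERO, HOST[1])
REPLY = build(KALI[0], HOST[0], 2, HOST[0], HOST[1], KALI[0], KALI[1])
GARP = build(BROADCAST, CENTOS[0], 1, CENTOS[0], CENTOS[1], ZERO, CENTOS[1])
PROBE = build(BROADCAST, KALI[0], 1, KALI[0], "0.0.0.0", ZERO, HOST[1])

def demo():
    watch = ArpWatch()
    return [(classify(parse(f)), watch.observe(f))
            for f in (REQUEST, REPLY, GARP, PROBE)]

if __name__ == "__main__":
    for kind, alert in demo():
        print(f"{kind:10} {alert or 'ok'}")
```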
