ARP related operations under Linux

1. Basic Principles
The Address Resolution Protocol (ARP) is a TCP/IP protocol that obtains a physical address from an IP address. When a host sends information, it broadcasts an ARP request containing the target IP address to all hosts on the network and uses the returned message to determine the target's physical address. After receiving the reply, it stores the IP address and physical address in the local ARP cache for a certain period of time, and later requests query the ARP cache directly to save resources. ARP is built on mutual trust between the hosts on the network: any host can send ARP reply messages on its own initiative, and a host that receives a reply does not check its authenticity before recording it in its local ARP cache. An attacker can therefore send a fake ARP reply to a host so that the information it sends cannot reach the expected host or reaches the wrong host, which constitutes ARP spoofing. The arp command can be used to query the correspondence between IP addresses and MAC addresses in the local ARP cache and to add or delete static correspondences. Related protocols are RARP and proxy ARP. In IPv6, NDP replaces the Address Resolution Protocol.
2. arp command
The arp command is used to manage the ARP cache
arp -v verbose mode
$ arp -v
Address HWtype HWaddress Flags Mask Iface
xxxxx ether 00:12:da:46:34:00 C eth0
10.1.1.17 ether 00:16:3e:f2:38:33 C eth1
10.1.1.12 ether 00:16:3e:f2:37:6b C eth1
Entries: 3 Skipped: 0 Found: 3
arp -n show numeric address
$ arp -n
Address HWtype HWaddress Flags Mask Iface
xxxxxxxx ether 00:12:da:46:34:00 C eth0
10.1.1.13 ether 00:16:3e:f2:37:7d C eth1
10.1.1.18 ether 00:16:3e:f2:38:35 C eth1
arp -a View the IP and MAC correspondence; all entries are shown by default
$ arp -a
? (xxxxxxxxx) at 00:12:da:46:34:00 [ether] on eth0
? (10.1.1.13) at 00:16:3e:f2:37:7d [ether] on eth1
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
[gintama@gintama-taiwan-lb1 ~]$ arp -a 10.1.1.18
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
arp -d Delete the IP and MAC correspondence of the specified host
$ sudo arp -d 10.1.1.18
arp -i Only display the IP and MAC correspondence of the specified network card
$ arp -i eth0
Address HWtype HWaddress Flags Mask Iface
xxxxxxxxxxxxx ether 00:12:da:46:34:00 C eth0
$ arp -i eth1
Address HWtype HWaddress Flags Mask Iface
10.1.1.13 ether 00:16:3e:f2:37:7d C eth1
10.1.1.18 ether 00:16:3e:f2:38:35 C
arp -s hostname hw_addr, --set hostname Manually set the correspondence between IP and MAC
$ sudo arp -s 10.1.1.18 00:16:3e:f2:38:35
3. arping command
arping [-AbDfhqUV] [-c count] [-w deadline] [-s source] -I interface destination
Sends an ARP request to the target host
-A Use ARP REPLY instead of ARP REQUEST messages
$ sudo arping -A -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 627.781ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 988.125ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 827.356ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 837.510ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 303.940ms
-b Send only MAC-level ARP broadcast packets. Normally arping starts by sending ARP broadcast packets and switches to unicast once an ARP REPLY message is received
$ sudo arping -b -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.764ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.843ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.744ms
-c Specifies the number of ARP REQUEST packets to send. If the -w parameter is also specified, arping waits for ARP REPLY packets until the timeout expires
$ sudo arping -c 5 -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.771ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.744ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.741ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.806ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.731ms
Sent 5 probes (1 broadcast(s))
Received 5 response(s)
-w deadline
Specifies the timeout in seconds.
-D Duplicate address check mode
$ sudo arping -D 10.1.1.200
ARPING 10.1.1.200 from 0.0.0.0 eth0
Unicast reply from 10.1.1.200 [00:16:3E:F2:37:6B] 0.692ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
-I Specifies the network card that sends the ARP REQUEST
-s Specifies the source address.
 If DAD mode is used, it is set to 0.0.0.0
 If Unsolicited ARP mode is used, it is set to the destination address.
 In other cases, it is calculated from the routing table
4. Block ARP flux
The ARP protocol is used to convert IP addresses into physical addresses. By default, a Linux host with multiple network cards will answer an ARP request received on any of its network cards for an IP address bound to any of its network cards.
Suppose a Linux host has two network cards, A and B, with the following IP and MAC addresses:
Network card A
IP 10.10.41.102
MAC 08:00:27:4B:63:93
Network card B
IP 10.10.41.142
MAC 08:00:27:47:78:55
Now use the arping command to send an ARP REQUEST to each of the two IPs
$ sudo arping 10.10.41.142
ARPING 10.10.41.142 from 10.10.41.17 eth0
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93]  1.721ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93]  1.774ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93]  2.626ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93]  1.174ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93]  1.164ms
^CSent 5 probes (1 broadcast(s))
Received 5 response(s)
$ sudo arping 10.10.41.102
ARPING 10.10.41.102 from 10.10.41.17 eth0
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93]  1.988ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93]  1.266ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.478ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.243ms
^CSent 4 probes (1 broadcast(s))
Received 4 response(s)
You can see that the MAC address returned for IP 10.10.41.142 is not the one it should have: the replies carry 08:00:27:4B:63:93, the MAC address of network card A.
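Added example (not part of the original article): the Linux kernel settings that govern this behaviour are the arp_ignore and arp_announce sysctls, and the kernel applies the larger of the conf/all and per-interface values. The script below reads `sysctl -a` style lines and reports whether an interface will still answer for addresses on other cards; the function names, the verdict labels and the SAMPLE data are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from sysctl output whether an interface will show
# the ARP flux behaviour above. SAMPLE is constructed, not from a real host.

SAMPLE='net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth1.arp_announce = 2
net.ipv4.conf.eth1.arp_ignore = 1'

# arp_flux_check IFACE   (reads `sysctl -a` style lines on stdin)
# Effective value = max(conf/all, conf/IFACE) for both settings.
# arp_ignore=0 replies for any local IP on any card (the behaviour above);
# arp_ignore>=1 replies only for IPs configured on the receiving card.
# Prints: IFACE arp_ignore=N arp_announce=M VERDICT  (verdict is a heuristic)
arp_flux_check() {
    awk -v ifc="$1" '
        function max(a, b) { return a > b ? a : b }
        {
            n = split($1, k, ".")       # net.ipv4.conf.<scope>.<name>
            if (n != 5 || k[3] != "conf") next
            if (k[4] != "all" && k[4] != ifc) next
            if (k[5] == "arp_ignore")   ign = max(ign + 0, $3 + 0)
            if (k[5] == "arp_announce") ann = max(ann + 0, $3 + 0)
        }
        END {
            verdict = (ign + 0 == 0) ? "flux-prone" : (ann + 0 < 2 ? "partial" : "ok")
            printf "%s arp_ignore=%d arp_announce=%d %s\n", ifc, ign, ann, verdict
        }'
}

# arp_flux_fix: print (do not run) the settings that stop the behaviour.
arp_flux_fix() {
    for key in arp_ignore=1 arp_announce=2; do
        printf 'sysctl -w net.ipv4.conf.all.%s\n' "$key"
    done
}

printf '%s\n' "$SAMPLE" | arp_flux_check eth0
printf '%s\n' "$SAMPLE" | arp_flux_check eth1
arp_flux_fix
```

On a live host, run `sysctl -a 2>/dev/null | arp_flux_check eth0`, apply the printed settings as root, and repeat the two arping probes above to confirm that each IP now answers with its own card's MAC address.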
