# ARP table

## RangerDude

First, is the ARP table stored in the ethernet adaptor or in the OS?

Second, how do I see the entries of all MAC addresses and corresponding IPs in the ARP table?

----------

## petardi

It's stored in the OS. You can see the table using the arp command.

----------

## RangerDude

That was simple. Thanks.

I still have one question.

Why does the ARP table show up so slowly? It shows one entry per second, very slow. It should just display them all in a flash?

EDIT: Ok, apparently it's only the incomplete entry that shows slowly. Must be because arp refreshes the table when running the command arp.

EDIT2: The slowness is due to arp looking up every entry in the ARP list. arp -n shows the list as it is, exactly what I want. I wonder why incomplete entries are also stored in the table??

----------

## fimblo

One example of when you can have an incomplete entry is if you have a switch which has a MAC address.

Most cheap switches don't have a MAC address, since it's not really necessary, strictly speaking. But more advanced switches do; they have at least 1 MAC address (this to avoid loops; google for STP on the net (spanning tree protocol)).

If their address ends up in your ARP table there won't be an IP number assigned to it, so it will be "incomplete".

I'm sure there are other examples of times when you have an incomplete entry...

EDIT: oh and btw, the arp command does not refresh the ARP table when started; the ARP table is built up over time as it listens to the shared medium (e.g. ethernet). And as you said, arp with no arguments takes time since it tries to find a domain name which corresponds to the IP number. If you're on a private network, there will be a slight delay as your resolver tries to find a domain name for a (say) 192.168.x.y address.

----------

## RangerDude

*fimblo wrote:*

> If their address ends up in your ARP table there won't be an IP number assigned to it, so it will be "incomplete".
>
> tries to find a domain name for a (say) 192.168.x.y address.

Hey fimblo.

I have a specific example:

You ping a local IP that doesn't exist. That IP will then be stored in the ARP table because the host has queried a broadcast ARP request for that IP. Since nobody answers the query, that IP will be stored in the ARP table with no MAC address as incomplete. Now it's just, what possible use could it have to store a non-existing IP with no MAC address in the ARP table?

----------

## fimblo

My only answer to that would be that the ARP table is the storing place of all transactions done to map IP<->MAC addresses.

1) you use a level 5 application (ping) with the argument 192.168.0.5. (assume this address falls in the network range and that no one has been allocated this address)

2) depending on the system you do it on, this creates a UDP packet with src <your ip> dest 192.168.0.5 and dest port 7 on level 4. Or it jumps straight to ICMP, with an echo request flag set.

3) On level 3, the UDP packet or the ICMP is placed in an IP packet, with src and dest set.

4) on level 2, this IP packet will be placed in an ethernet frame. But what's the destination MAC address? Ok, look in the ARP table. Nothing there? Ok, send an ARP request to the LAN, wait for an answer. I also write in the table that I have sent an ARP request; this is where the <incomplete> comes into the picture.

If you never get a reply, like you said, there will be an incomplete tuple in your table. Why is this necessary? Well, if we don't write that we have sent an ARP request, we'll continue sending ARP requests ad infinitum. If there is an incomplete field in the ARP table, we'll wait with sending another request (at least for a while).

hmm is that a satisfactory answer?

----------
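
As an added illustration of the two posts above (not code from the thread or from any of its participants): a small Python parser for /proc/net/arp, the table that the arp command reads. It separates the complete entries from the <incomplete> ones (request sent, no reply yet, zero MAC) and points out MACs that answer for more than one IP, which a survey of the LAN should show rather than hide. The sample table is constructed; the addresses are made up.

```python
"""Classify the entries of a Linux ARP cache.

Added example, not code from the thread.  It parses the /proc/net/arp table
that the `arp` command reads and separates complete entries from the
<incomplete> ones (a request was sent, no reply came back).
The sample table is constructed; the addresses are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flag bits from <net/if_arp.h>; /proc/net/arp prints them in hex.
ATF_COM = 0x02   # lookup complete: the hardware address is valid
ATF_PERM = 0x04  # permanent (static) entry, added with `arp -s`

# Constructed sample in the column layout of /proc/net/arp.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.1     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.10.7     0x1         0x2         00:11:22:33:44:66     *        eth0
192.168.10.99    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.10.12    0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.10.254   0x1         0x6         00:11:22:33:44:77     *        eth0
"""


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    flags: int
    mac: str
    device: str

    @property
    def complete(self) -> bool:
        return bool(self.flags & ATF_COM)

    @property
    def permanent(self) -> bool:
        return bool(self.flags & ATF_PERM)


def parse_proc_net_arp(text: str) -> List[ArpEntry]:
    """Parse the text of /proc/net/arp (header line plus one entry per line)."""
    entries: List[ArpEntry] = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue                            # blank or truncated line
        ip, _hwtype, flags, mac, _mask, device = fields[:6]
        entries.append(ArpEntry(ip, int(flags, 16), mac.lower(), device))
    return entries


def split_complete(entries: List[ArpEntry]) -> Tuple[List[ArpEntry], List[ArpEntry]]:
    """Return (complete, incomplete).  Incomplete entries carry a zero MAC."""
    complete = [e for e in entries if e.complete]
    incomplete = [e for e in entries if not e.complete]
    return complete, incomplete


def ips_per_mac(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """MAC -> IPs it answered for.  Several IPs on one MAC is normal for a
    router or a host with aliases, but it is also what ARP spoofing looks
    like, so a survey should show it rather than silently keep one row."""
    table: Dict[str, List[str]] = {}
    for e in entries:
        if e.complete:
            table.setdefault(e.mac, []).append(e.ip)
    return table


if __name__ == "__main__":
    try:
        with open("/proc/net/arp") as f:       # live table on Linux
            text = f.read()
    except OSError:
        text = SAMPLE_PROC_NET_ARP             # fall back to the sample
    complete, incomplete = split_complete(parse_proc_net_arp(text))
    for e in complete:
        print(f"{e.ip:<16} {e.mac}  {'static' if e.permanent else 'dynamic'}  {e.device}")
    for e in incomplete:
        print(f"{e.ip:<16} <incomplete>  {e.device}")
    for mac, ips in ips_per_mac(complete).items():
        if len(ips) > 1:
            print(f"note: {mac} answers for {', '.join(ips)}")
```

Run as a script on Linux it reads the live table; elsewhere it falls back to the constructed sample. `arp -n` shows the same rows, just without resolving names.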

## RangerDude

Ok, I would have thought that a pending ARP request would have been taken care of in some temporary RAM, not in the actual ARP table. But that's the way it is, apparently.

The entries live only about 2 min or so, for all entries. Seems a bit short a lifetime to me.

----------

## fimblo

The arp command looks into what you call the temporary RAM; in man arp it's called the kernel ARP cache.

2 minutes is quite some time considering how long it takes for a packet to be sent and received on a LAN... I have 0.27 milliseconds pinging my neighbour on the LAN... that's some four million requests we manage to avoid by using the cache

/fimblo

----------

## RangerDude

Yeah, you're right. I was just comparing to DNS lookups, but MAC/ARP communication is done in a flash. So I guess 2 mins are reasonable.

Is there a way to set the 2 mins up to, like, 24 hours? This is because I would like to make a survey of other LAN MAC addresses. For that, I need the records for more than 2 mins.

----------

## fimblo

If you want a survey of all machines on your subnet you could send a broadcast ping and scan the ARP table afterwards, like so:

```
ping -b 192.168.10.n

WARNING: pinging broadcast address
PING 192.168.10.n (192.168.10.n) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=0.128 ms
64 bytes from 192.168.10.12: icmp_seq=1 ttl=64 time=0.210 ms
64 bytes from 192.168.10.7: icmp_seq=1 ttl=64 time=0.225 ms
...
```

then run arp.

You want to set n to the first or last address on your subnet. The RFC states that it should be the last one, but some systems reply on the first as well. So if your network is:

```
ip address eth0: 192.168.10.15, belonging to a network of slash 25 (netmask 255.255.255.128)
```

you would ping either 192.168.10.0 or 192.168.10.127.

cheers

fimblo

----------
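
An added example (not from fimblo's post) for the address arithmetic above: Python's `ipaddress` computes the first (network) and last (broadcast) address for an interface such as 192.168.10.15/25, and a small parser pulls the responding hosts out of `ping -b` output before you look at `arp -n`. The ping transcript is constructed in the format Linux ping prints; the addresses are made up.

```python
"""Work out the broadcast address for a broadcast ping and collect the
responders from the ping output.

Added example, not from the thread.  `ipaddress` gives the network (first)
and broadcast (last) address of the subnet; the ping transcript below is
constructed to match the format of Linux `ping -b` output.
"""
import ipaddress
import re
from typing import Dict, Tuple

# One line per echo reply in Linux ping output, e.g.
# "64 bytes from 192.168.10.7: icmp_seq=1 ttl=64 time=0.225 ms"
REPLY_RE = re.compile(
    r"^\d+ bytes from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): icmp_seq=(?P<seq>\d+)"
)

# Constructed transcript of `ping -b -c 2 192.168.10.127` on a /25.  Extra
# answers to one broadcast echo are marked (DUP!) by ping.
SAMPLE_PING = """\
WARNING: pinging broadcast address
PING 192.168.10.127 (192.168.10.127) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=0.128 ms (DUP!)
64 bytes from 192.168.10.12: icmp_seq=1 ttl=64 time=0.210 ms (DUP!)
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 192.168.10.12: icmp_seq=2 ttl=64 time=0.198 ms (DUP!)

--- 192.168.10.127 ping statistics ---
2 packets transmitted, 2 received, +3 duplicates, 0% packet loss, time 1001ms
"""


def broadcast_targets(interface_cidr: str) -> Tuple[str, str]:
    """Given an interface address with prefix (e.g. "192.168.10.15/25"),
    return (network address, directed broadcast address)."""
    net = ipaddress.ip_interface(interface_cidr).network
    return str(net.network_address), str(net.broadcast_address)


def ping_command(interface_cidr: str, count: int = 3) -> str:
    """Linux ping line for the subnet broadcast; -b is required for broadcast."""
    _, bcast = broadcast_targets(interface_cidr)
    return f"ping -b -c {count} {bcast}"


def responders(ping_output: str) -> Dict[str, int]:
    """IP -> number of echo replies seen.  Every host that answered a
    broadcast echo is now also in the ARP cache, which is what `arp -n`
    shows afterwards."""
    counts: Dict[str, int] = {}
    for line in ping_output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    # Sort numerically rather than as strings so .9 precedes .10.
    return dict(sorted(counts.items(), key=lambda kv: ipaddress.ip_address(kv[0])))


if __name__ == "__main__":
    print(ping_command("192.168.10.15/25"))
    for ip, n in responders(SAMPLE_PING).items():
        print(f"{ip:<16} {n} replies")
```

For the 10.0.x.y campus network later in the thread the same function gives 10.0.255.255 for a /16 and 10.255.255.255 for a /8, so the prefix length is what decides which of the two addresses fimblo and RangerDude each pinged is the real directed broadcast.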

## RangerDude

Hey,

Thanks for the tip, but I can't use it.

The only hosts responding to a broadcast ping are my own Linux machines.

Network is 10.0.X.X

I use

```
ping 10.0.255.255 -b
```

I guess all Windows machines have disabled broadcast ping echoes for security measures.

I've tried to use nmap to ping all IPs, but

1. ARP table will contain millions of incomplete entries.

2. It's slow

3. It doesn't work. Nmap always gets stuck.

----------

## fimblo

You sure it's not a /8 network? In that case it's ping -b 10.255.255.255 or ping -b 10.0.0.0

/M

----------

## RangerDude

Jep.

```
ping -b 10.0.0.0
```

gives the same.

Only my own machine and my server, in another building, respond.

All other use windows, and do not reply.

----------

## fimblo

Doh! Of course. I suppose you have some sort of firewall there. If you're willing to compromise security a teeny weeny bit you could let the Windows boxes reply to ICMP echo requests...

If you want to scan the LAN for functioning NICs you could iterate through the IP range using arping.... but in a /8 it would take some time... with 16777214 possible destinations... well.

One program I use from time to time is arping, which can ping using solely ARP requests.

Another program I use all the time is nmap. If you allow your Windows hosts to reply to ICMP, you could do a

```
nmap -sP 10.0.0.*
```

But of course doing this on a /8 could take some time...

Of course if you know that all your hosts are in a special range, you could adapt your nmap argument to fit your network...

hope this helps!

fimblo

----------

## RangerDude

It's a campus. All computers have IP 10.0.building.apartment.

nmap -sP 10.0.*.* halts at

```
...
Strange read error from 10.0.11.199: Transport endpoint is not connected
Strange read error from 10.0.11.200: Transport endpoint is not connected
Strange read error from 10.0.11.201: Transport endpoint is not connected
Strange read error from 10.0.11.202: Transport endpoint is not connected
....
```

----------

## think4urs11

Hi!

It is perfectly ok nowadays that a machine DOES NOT answer a subnet-broadcast ping.

This behaviour had given a lot of companies big problems due to an attack called 'smurf'.

(Spoofing source IP, pinging to broadcast address; destination has a lot of fun...)

The timeout can (as everything in Linux of course) be adjusted somewhere in the sources, in this case I think somewhere inside the kernel itself, or maybe the NIC drivers, not perfectly sure. But you shouldn't do that; there are reasons for the timings as they are...

OTOH, what's your intention behind wanting to have them all?

Another possibility (might be, depending on local security) is to ask your default gateway via SNMP for its ARP table.

At least the gateway should have a more or less complete list of machines up and running during the last minutes.

And there is of course the way to sniff the traffic. Even when you are on a switched network you should see all ARP broadcast traffic for your VLAN/broadcast domain.

HTH

T.

----------

## RangerDude

First, what does OTOH mean?

The reason I want all local MAC addresses is because we have a crappy gateway here on the campus. My plan is to replace it with a new one serving as gateway and offering DHCP, which the current gateway does not. For a smooth transition to the new gateway, I want it to distribute IPs according to MAC addresses. If I know all current MAC/IP combos, no one will feel the transition, except for switching from manual IP to DHCP. Newcomers can then just give me their MAC and not worry about anything else about the connection to the internet. That's why I need all the MACs; else, I'll have to go ask all about 30-40 people personally for their MAC to proceed. That's stupid, when it's possible to see their MAC over the network.

How do I use SNMP with the present gateway? Well, know that I have neither root nor even user access to that machine.

All machines eventually send ARP queries; if I could let my computer log the ARP table without removing entries somehow, I would be happy.

----------

## SpinDizzy

Not really sure if this will help in your situation, but have you looked at emerging arpwatch?

Also, OTOH is short for On The Other Hand.

----------

## think4urs11

Hi!

The (probably) working way for SNMP would be this:

```
snmpwalk -c public <IP address of gateway>
```

So who at all knows about your efforts to exchange the crappy GW? If you are in charge of doing this you should have access to the old one too, of course (my opinion).

One way or the other you have to talk to all the people to change their settings from static to DHCP (unless you want to configure just the static leases on the DHCP server for their static address and leave their boxes as they are). By this the addresses won't be leased to other machines; to be exact they won't ever be leased until this specific NIC is conf'd to DHCP.

If you have tcpdump installed on your box you can sniff ARP traffic with (eth0 being your interface):

```
tcpdump -i eth0 arp
```

HTH

T.

----------
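
Both suggestions above, sniffing ARP broadcasts (think4urs11's earlier post) and `tcpdump -i eth0 arp`, rely on the fact that every ARP packet, request or reply, announces its sender's own IP/MAC pairing. The following is an added example, not code from the thread: it decodes the Ethernet/ARP wire format by hand and builds the IP -> MAC table passively, reporting when an IP changes MAC, which is what arpwatch calls a flip flop and what ARP spoofing looks like from the wire. The frames are constructed with the block's own build_arp() helper; the addresses are made up.

```python
"""Decode ARP frames and keep the IP -> MAC pairings they announce.

Added example, not from the thread.  This does by hand what `tcpdump -i eth0
arp` and arpwatch do: decodes the Ethernet/ARP wire format and records the
sender mapping carried by every ARP packet, which is enough to build the
MAC/IP survey passively.  The frames are constructed here with build_arp();
addresses are made up.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet header (14 bytes) + ARP packet for Ethernet/IPv4 (28 bytes)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)     # htype, ptype, hlen, plen, op
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not
    Ethernet/IPv4 ARP.  Trailing padding (frames are padded to 60 bytes on
    the wire) is ignored."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": {ARP_REQUEST: "who-has", ARP_REPLY: "is-at"}.get(op, f"op{op}"),
        "eth_src": mac_to_str(frame[6:12]),
        "sender_mac": mac_to_str(body[0:6]),
        "sender_ip": ip_to_str(body[6:10]),
        "target_mac": mac_to_str(body[10:16]),
        "target_ip": ip_to_str(body[16:20]),
    }


def survey(frames: Iterable[bytes]) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """IP -> MAC from the sender fields of every ARP packet seen (requests and
    replies alike, since both carry the sender's own pairing).  Returns the
    table and a list of (ip, old_mac, new_mac) changes; a change is what
    arpwatch reports as a flip flop and is the first sign of ARP spoofing."""
    table: Dict[str, str] = {}
    changes: List[Tuple[str, str, str]] = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None or pkt["sender_ip"] == "0.0.0.0":   # skip non-ARP and probes
            continue
        old = table.get(pkt["sender_ip"])
        if old is not None and old != pkt["sender_mac"]:
            changes.append((pkt["sender_ip"], old, pkt["sender_mac"]))
        table[pkt["sender_ip"]] = pkt["sender_mac"]
    return table, changes


# Constructed capture: .7 asks for .1, .1 answers, later something else
# answers for .1 with a different MAC.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "00:50:fc:00:00:07", "10.0.23.7",
              "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, "00:03:47:00:00:01", "10.0.0.1",
              "00:50:fc:00:00:07", "10.0.23.7"),
    build_arp(ARP_REPLY, "00:0b:db:00:00:99", "10.0.0.1",
              "00:50:fc:00:00:07", "10.0.23.7"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_arp(f)
        subject = p["target_ip"] if p["op"] == "who-has" else p["sender_ip"]
        print(f"{p['op']} {subject} from {p['sender_mac']} ({p['sender_ip']})")
    table, changes = survey(SAMPLE_FRAMES)
    print(table)
    print(changes)
```

The "who-has" / "is-at" labels match what tcpdump prints for requests and replies, so the output of `tcpdump -n -e -i eth0 arp` can be read against this directly. Requests go to the broadcast MAC, which is why a switch delivers them to every port and a passive listener sees the whole broadcast domain, as think4urs11 says.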

## RangerDude

Ok, thanks for the suggestions. I know tcpdump and ethereal also.

I emerged arpwatch, and it seems like it does what I want. I have to learn that program better, though.

For now, arpwatch made me a file with this

```
0:d0:9:XX:XX:XX   10.0.19.2       1066862333
0:3:47:XX:XX:XX   10.0.0.1        1066862310
0:40:c7:XX:XX:XX  10.0.13.1       1066862310
0:5:1c:XX:XX:XX   10.0.13.3       1066861494
0:1:3:XX:XX:XX    10.0.27.5       1066862297
0:50:fc:XX:XX:XX  10.0.27.12      1066862306
0:b:db:XX:XX:XX   10.0.23.12      1066861920
0:50:bf:XX:XX:XX  10.0.13.7       1066861934
0:2:44:XX:XX:XX   10.0.100.100    1066862035      george
0:50:fc:XX:XX:XX  10.0.23.8       1066862338
```

The X's are for privacy. I wonder what that last long number at each entry is all about.

But I got a list of MACs and IPs in an ASCII file. That was my goal. Thanks for all the help.

Now, I'll look into configuring a DHCP server that does what I want.

The thing about the old GW is that the campus bought it, and now it's just there and I have no access to it. For example I want to prevent Kazaa from being used through the new GW. Kazaa is just eating up all upload, and then the connection gets borked really bad.

----------
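
The arp.dat columns RangerDude shows are MAC, IP, Unix timestamp of the last sighting and an optional hostname, and arpwatch writes MAC octets without zero padding (0:d0:9:...). The following added example (not from the thread) turns such a file into ISC dhcpd `host` blocks for the static-lease plan discussed above, normalising the MACs and flagging any MAC that arpwatch has seen with more than one IP, since a `fixed-address` needs exactly one. The sample file, MACs and hostname are constructed.

```python
"""Turn arpwatch's arp.dat into ISC dhcpd static host entries.

Added example, not from the thread.  arpwatch writes one line per MAC/IP
pairing: MAC (hex groups without zero padding), IP, Unix timestamp of the
last sighting, and an optional hostname.  This normalises the MACs, keeps the
most recent IP per MAC and renders `host` blocks for dhcpd.conf.  The sample
file is constructed; MACs and names are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed arp.dat in arpwatch's format (whitespace separated).
SAMPLE_ARP_DAT = """\
0:d0:9:aa:bb:01   10.0.19.2       1066862333
0:3:47:aa:bb:02   10.0.0.1        1066862310
0:40:c7:aa:bb:03  10.0.13.1       1066862310
0:2:44:aa:bb:04   10.0.100.100    1066862035      george
0:50:fc:aa:bb:05  10.0.27.12      1066862306
0:50:fc:aa:bb:05  10.0.23.8       1066862338
"""


@dataclass(frozen=True)
class Sighting:
    mac: str
    ip: str
    last_seen: int
    hostname: Optional[str]


def normalize_mac(mac: str) -> str:
    """'0:d0:9:aa:bb:01' -> '00:d0:09:aa:bb:01' (dhcpd wants two hex digits per octet)."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or not all(0 <= int(o, 16) <= 0xFF for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def parse_arp_dat(text: str) -> List[Sighting]:
    sightings: List[Sighting] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                            # blank or malformed line
        mac, ip, ts = fields[:3]
        hostname = fields[3] if len(fields) > 3 else None
        sightings.append(Sighting(normalize_mac(mac), ip, int(ts), hostname))
    return sightings


def latest_by_mac(sightings: List[Sighting]) -> Tuple[Dict[str, Sighting], List[Tuple[str, str, str]]]:
    """One entry per MAC (the most recent sighting wins) plus a list of
    (mac, older_ip, newer_ip) for MACs seen with more than one IP; those need
    a human decision before they become a fixed-address."""
    latest: Dict[str, Sighting] = {}
    conflicts: List[Tuple[str, str, str]] = []
    for s in sorted(sightings, key=lambda s: s.last_seen):
        prev = latest.get(s.mac)
        if prev is not None and prev.ip != s.ip:
            conflicts.append((s.mac, prev.ip, s.ip))
        latest[s.mac] = s
    return latest, conflicts


def host_label(s: Sighting) -> str:
    """dhcpd host names must be unique; fall back to the IP when arpwatch has none."""
    return s.hostname or "host-" + s.ip.replace(".", "-")


def render_dhcpd_hosts(latest: Dict[str, Sighting]) -> str:
    """dhcpd.conf `host` blocks; the comment records when arpwatch last saw the pair."""
    blocks = []
    for s in sorted(latest.values(), key=lambda s: tuple(int(x) for x in s.ip.split("."))):
        seen = datetime.fromtimestamp(s.last_seen, tz=timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
        blocks.append(
            f"host {host_label(s)} {{\n"
            f"  # last seen by arpwatch {seen}\n"
            f"  hardware ethernet {s.mac};\n"
            f"  fixed-address {s.ip};\n"
            f"}}"
        )
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    latest, conflicts = latest_by_mac(parse_arp_dat(SAMPLE_ARP_DAT))
    for mac, old, new in conflicts:
        print(f"# {mac} moved from {old} to {new}; check before committing")
    print(render_dhcpd_hosts(latest))
```

The generated blocks go inside the subnet declaration of dhcpd.conf; a host that is still on a manual IP keeps working because the lease reserved for its MAC is the address it already uses, which is the point think4urs11 makes about static leases.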

## think4urs11

The third col. is just the unix timestamp

(seconds since 1.1.1970)

----------

## RangerDude

Thanks.

----------

