----- Original Message -----
From: "Holden Hao" <[EMAIL PROTECTED]>
To: "Philippine Linux Users Group Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, October 01, 2003 10:53 PM
Subject: Re: [plug] eth0 on promiscuous mode


> > arp request is using a broadcast message which will be sent to all ports of
> > a hub or a switch... now everybody connected to it receives that arp
> > request broadcast message... the one who owns that ip address will reply to
> > it using the arp reply message which is computer B... arp reply is a
> > unicast message...
>
> Very interesting.  Which program does arp? route? kernel?

the arp cache is stored in the system routing table as dynamically-created
host routes... for linux it is called *neighbour cache or table entry*...
remember the email about the *neighbour table overflow* problem last time?...
it is part of the route, which is handled by the kernel...

> What is its
> purpose?

when an ethernet frame is sent from one host on a lan to another, it is the
48-bit ethernet address that determines for which interface the frame is
destined... the device driver software never looks at the destination ip
address in the ip datagram...

the purpose is, arp provides a dynamic mapping from an ip address to the
corresponding hardware address...


> To make the communication between PCs on the same subnet
> faster?

yes, in the sense of faster lookup of the mapping of an ip address (32-bit
for ipv4 and 128-bit for ipv6) to a hardware address (48-bit for ethernet,
48-bit also for token ring and others) without broadcasting an arp request
message again to flood your network... that is what the arp cache table is
for...

the arp table aging or timeout value for bsd-derived implementations is 20
minutes for a completed entry and 3 minutes for an incomplete entry


> Does arp send requests on a regular interval such that you can
> have the opportunity to poison other PCs arp cache?

when there is no entry in the arp cache table for a particular ip address
(either because it is the first request for the mapping or because the entry
has already timed out) and the application sends data, the kernel at the
route section is triggered to make an arp request... if there is no entry and
no application is using the wire, no arp request is made...

there are two techniques that i know of to poison the arp cache:

1. after receiving an arp request, then make a false reply...

2. gratuitous arp

    gratuitous arp is when a host sends an arp request looking for its own
    ip address...

    gratuitous arp provides two features:

        a) it lets a host determine if another host is already configured
           with the same ip address...

        b) if the host sending the gratuitous arp has just changed its
           hardware address (e.g. the host was shut down and its network
           card replaced), this gratuitous arp causes any other host on the
           cable that has an entry in its cache for the old hardware address
           to update its arp cache entry accordingly...

for more information about arp protocol, see rfc 826...

again, this information is for educational purposes and is to be used with
good intentions and not for bad things...

fooler.








--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
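
The cache updates described in the message above (gratuitous arp, replies nobody asked for, an ip address suddenly mapped to a different hardware address) can be watched for passively. The following is an added example, not part of the original post: it decodes the RFC 826 payload and reports those three events. The names `ArpWatch`, `parse_arp`, `make_arp` and `demo` are hypothetical, and the frames are constructed sample data, not captured traffic.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 fields for Ethernet/IPv4: 28 bytes

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload (the bytes after the Ethernet header)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

class ArpWatch:
    """Passive monitor: learns ip -> mac bindings and reports suspicious ARP traffic."""
    def __init__(self):
        self.bindings = {}    # ip -> hardware address last claimed for it
        self.pending = set()  # (requester ip, wanted ip) still waiting for a reply

    def observe(self, payload):
        op, sha, spa, tpa = parse_arp(payload)
        alerts = []
        if spa == tpa:                       # host asking for its own ip address
            alerts.append("gratuitous")
        elif op == 1:                        # ordinary broadcast request
            self.pending.add((spa, tpa))
        elif op == 2:                        # reply: was anyone asking?
            if (tpa, spa) in self.pending:
                self.pending.discard((tpa, spa))
            else:
                alerts.append("unsolicited-reply")
        old = self.bindings.get(spa)
        if old is not None and old != sha:   # same ip now claimed by another mac
            alerts.append(f"binding-changed {spa} {old} -> {sha}")
        self.bindings[spa] = sha
        return alerts

def make_arp(op, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Build a constructed sample payload for the demo (not captured traffic)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

def demo():
    w, a, b, x = ArpWatch(), "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    frames = [make_arp(1, a, "192.0.2.1", "192.0.2.2"),     # A asks for B
              make_arp(2, b, "192.0.2.2", "192.0.2.1", a),  # B answers A
              make_arp(1, x, "192.0.2.2", "192.0.2.2"),     # gratuitous, new mac for B's ip
              make_arp(2, x, "192.0.2.1", "192.0.2.2", b)]  # reply nobody requested
    return [w.observe(f) for f in frames]
```

A changed binding is not proof of poisoning on its own, since a replaced network card produces the same event, so the alert is a prompt to check the hardware address against inventory.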
