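Start
I rarely pay attention to the Ethernet layer. The last time I did was when I was trying to understand LVS. Recently I have been reading "Guide to IP Layer Network Administration with Linux", so I am taking some notes and doing a little hands-on work to reinforce my memory.
The machine being used has only the gateway's hardware (MAC) address in its ARP table: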
$ arp -n
Address HWtype HWaddress Flags Mask Iface
10.20.129.1 ether 00:0F:E2:D3:BE:B8 C eth0
Run the following:
$ ping 10.20.129.32
Capture the packets produced by the ping:
$ sudo tcpdump -ent -i eth0 arp or icmp
....(truncated).....
00:23:ae:93:d9:26 > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 10.20.129.32 tell 10.20.129.19
00:1e:4f:ad:41:58 > 00:23:ae:93:d9:26, ethertype ARP (0x0806), length 60: arp reply 10.20.129.32 is-at 00:1e:4f:ad:41:58
00:23:ae:93:d9:26 > 00:1e:4f:ad:41:58, ethertype IPv4 (0x0800), length 98: 10.20.129.19 > 10.20.129.32: ICMP echo request, id 26119, seq 1, length 64
00:1e:4f:ad:41:58 > 00:23:ae:93:d9:26, ethertype IPv4 (0x0800), length 98: 10.20.129.32 > 10.20.129.19: ICMP echo reply, id 26119, seq 1, length 64
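....(truncated).....
ICMP packets sit above the Ethernet layer. They are sent in Ethernet frames, and that requires a hardware address. ARP is used to obtain that hardware address.
The ARP exchange is the same as what the following command does:
$ sudo arping -I eth0 10.20.129.32
This command asks the network segment for the MAC address that corresponds to a given IP.
Check the ARP table: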
$ arp -n
Address HWtype HWaddress Flags Mask Iface
10.20.129.1 ether 00:0F:E2:D3:BE:B8 C eth0
10.20.129.32 ether 00:1E:4F:AD:41:58 C eth0
One entry has been added.
arping -A option: ARP announcement, also known as gratuitous ARP
$ sudo arping -A -c 3 -I eth0 10.20.129.19
tcpdump capture:
00:23:ae:93:d9:26 > Broadcast, ethertype ARP (0x0806), length 42: arp reply 10.20.129.19 is-at 00:23:ae:93:d9:26
00:23:ae:93:d9:26 > Broadcast, ethertype ARP (0x0806), length 42: arp reply 10.20.129.19 is-at 00:23:ae:93:d9:26
00:23:ae:93:d9:26 > Broadcast, ethertype ARP (0x0806), length 42: arp reply 10.20.129.19 is-at 00:23:ae:93:d9:26
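As the capture above shows, -A announces the host's own IP to the whole segment. By default, Linux does not accept such packets.
This is controlled by the arp_accept option, documented as follows: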
arp_accept - BOOLEAN
Define behavior for gratuitous ARP frames who's IP is not
already present in the ARP table:
0 - don't create new entries in the ARP table
1 - create new entries in the ARP table
For the specific uses of gratuitous ARP packets, see: http://wiki.wireshark.org/Gratuitous_ARP
arping -D option: Duplicate address detection mode (DAD)
This option is quite useful: it is used to check for IP conflicts on the segment. An example:
root@jessinio-laptop:~# ifconfig wlan0 |head -n 2
wlan0 Link encap:Ethernet HWaddr 00:16:cf:68:5b:a7
inet addr:192.168.0.106 Bcast:192.168.0.255 Mask:255.255.255.0
root@jessinio-laptop:~# arping -D -I wlan0 192.168.0.106
ARPING 192.168.0.106 from 0.0.0.0 wlan0
Unicast reply from 192.168.0.106 [00:18:41:FE:26:5F] 90.390ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
As shown, 192.168.0.106 is in use by two machines: one is the local machine, 00:16:cf:68:5b:a7, and the other is 00:18:41:FE:26:5F.
Capture:
00:16:cf:68:5b:a7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.106 (ff:ff:ff:ff:ff:ff) tell 0.0.0.0, length 28
00:18:41:fe:26:5f > 00:16:cf:68:5b:a7, ethertype ARP (0x0806), length 42: Reply 192.168.0.106 is-at 00:18:41:fe:26:5f, length 28
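An added example (not part of the original post): a small Python parser for tcpdump -ent ARP lines like the ones captured above. It classifies each frame as a request, reply, gratuitous announcement or DAD probe, and reports every IP associated with more than one MAC. The names analyze, ARP_LINE and SAMPLE and the classification labels are chosen here for illustration; the sample lines are copied from the captures in this post.

```python
import re
from collections import defaultdict

# tcpdump -e line: "<src> > <dst>, ethertype ARP (0x0806), length N: <ARP body>"
ARP_LINE = re.compile(
    r"^(?P<src>[0-9a-f:]{17}) > (?P<dst>[^,]+), ethertype ARP \(0x0806\), "
    r"length \d+: (?:arp )?(?:Request )?(?P<op>who-has|reply) (?P<ip>[\d.]+)"
    r"(?:.*? tell (?P<tell>[\d.]+)| is-at (?P<mac>[0-9a-f:]{17}))",
    re.IGNORECASE,
)
BROADCAST = {"broadcast", "ff:ff:ff:ff:ff:ff"}

def analyze(lines):
    """Return (events, conflicts): events are (kind, ip, mac); conflicts is {ip: [macs]}."""
    events, owners = [], defaultdict(set)
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # not an ARP line (e.g. ICMP) or an unrecognised format
        src, dst = m["src"].lower(), m["dst"].lower()
        if m["op"].lower() == "who-has":
            if m["tell"] == "0.0.0.0":
                # DAD probe (arping -D): the sender wants to use the target IP
                kind, ip, mac = "probe", m["ip"], src
            else:
                # Ordinary request: the "tell" field is the sender's own IP
                kind, ip, mac = "request", m["tell"], src
        else:
            # A reply addressed to broadcast is an announcement (arping -A)
            kind = "gratuitous" if dst in BROADCAST else "reply"
            ip, mac = m["ip"], m["mac"].lower()
        events.append((kind, ip, mac))
        owners[ip].add(mac)
    conflicts = {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}
    return events, conflicts

# Sample input: lines copied from the tcpdump captures in this post
SAMPLE = [
    "00:23:ae:93:d9:26 > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 10.20.129.32 tell 10.20.129.19",
    "00:1e:4f:ad:41:58 > 00:23:ae:93:d9:26, ethertype ARP (0x0806), length 60: arp reply 10.20.129.32 is-at 00:1e:4f:ad:41:58",
    "00:23:ae:93:d9:26 > 00:1e:4f:ad:41:58, ethertype IPv4 (0x0800), length 98: 10.20.129.19 > 10.20.129.32: ICMP echo request, id 26119, seq 1, length 64",
    "00:23:ae:93:d9:26 > Broadcast, ethertype ARP (0x0806), length 42: arp reply 10.20.129.19 is-at 00:23:ae:93:d9:26",
    "00:16:cf:68:5b:a7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.106 (ff:ff:ff:ff:ff:ff) tell 0.0.0.0, length 28",
    "00:18:41:fe:26:5f > 00:16:cf:68:5b:a7, ethertype ARP (0x0806), length 42: Reply 192.168.0.106 is-at 00:18:41:fe:26:5f, length 28",
]

if __name__ == "__main__":
    print(analyze(SAMPLE)[1])
```

The probe is counted as the prober's intent to use the address, so a reply from any other MAC for that IP is reported, which is the same conclusion arping -D reaches.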
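End
To close with a question: can ICMP tell you whether another machine on the segment is using your own IP? For example, by pinging your own IP.
The answer is no, because the ICMP packet essentially never leaves the machine; it is looped back. For example:
The generated packets do not pass through the Ethernet card, as the routing table shows: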
$ ip route list table local
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.20.129.0 dev eth0 proto kernel scope link src 10.20.129.19
local 10.20.129.19 dev eth0 proto kernel scope host src 10.20.129.19
broadcast 10.20.129.127 dev eth0 proto kernel scope link src 10.20.129.19
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1