Ping not working? try ARP

I’ll confess to having a lot to learn about IP ethernet networking. I feel pretty comfortable with basic TCP/IP (v4), the concept of UDP vs. TCP ports, ICMP pings, etc… but ARP is something that I haven’t dabbled much with. It is, of course, a layer that TCP depends on. When a machine sends a packet to another machine, it sends an arp packet out to “discover” the hardware (MAC) address of the machine on the other end, so ARP underlies everything. These days ICMP is many times blocked by firewall rules. The default with XP’s software firewall is to block ICMP pings for instance.

This is a good thing, but within a LAN it can make life a bit trickier for someone scanning to see what machines are up. So, when the ping command fails… has an article on arping which is a tool to send an arp ping (makes sense…) These arp requests are non-routable so you can’t do an arp through a router to another network, but an arping will answer with the reply and MAC address of the host being pinged. That’s your ticket to identify if a firewalled host is up on your network.

Given that arp is required for tcp ip address/mac discovery, it can’t be blocked which makes it an excellent ICMP workaround.

So, another neat use of arp is to see what machines your computer has communicated with on the LAN, running arp gives the current IP to MAC address routing table, running this from a router/firewall would likely identify each machine on a network. The command ip neighbours should give a similar result (on one machine that was “ip neigh” instead….) All of the above commands will need to be run with root priviliges.

   Send article as PDF   

Similar Posts