ARP Analysis Program - Copyright 2000 - Mike Heffner

- I N T R O D U C T I O N -

This is a simple program that listens for ARP requests and replies on a LAN.
It records which hosts are communicating with each other, the average time
between updates, the response time for replies, and some other data.

- I N S T A L L -

Just run:

    make

and you'll end up with an executable named 'arp'.

Known supported OS's: FreeBSD 4.0

- U S E -

The basic syntax for calling arp is the following:

    arp [-d dev] [-v] [-V] [-t] [-h]

Where 'dev' is the network device you would like to listen on, -v selects
verbose mode, -V selects very verbose mode (which implies -v), -t turns off
timeout expiration for hosts in the hosts table, and finally -h prints a
short list of options and their meaning.

On small networks there probably won't be much ARP traffic, so you might
have to wait a while before you can get much data.

There are two methods of dumping data from the program once it's started.
To display host information, send a SIGHUP to the program; to show the list
of expected replies (often empty), send a SIGABRT to the program. For
example, with pid 123:

    $ kill -HUP 123
    $ kill -ABRT 123

- L O G S -

Below I will explain some of what the logs mean. Some of these might only
show when running in full verbose mode.

    ARP: ar_hrd:1 ar_pro:2048 ar_hln:6 ar_pln:4
    REQUEST 00:40:05:60:9c:aa ( 10.0.0.2 ) -> 00:00:00:00:00:00 ( 10.0.0.5 )
    MAC: 00:40:05:60:9c:aa -> ff:ff:ff:ff:ff:ff

    ARP: ar_hrd:1 ar_pro:2048 ar_hln:6 ar_pln:4
    REPLY 00:00:c0:3d:96:4a ( 10.0.0.5 ) -> 00:40:05:60:9c:aa ( 10.0.0.2 )
    (10.0.0.5) replied to (10.0.0.2) in 15679 usecs
    MAC: 00:00:c0:3d:96:4a -> 00:40:05:60:9c:aa

This is a basic request/reply sequence. 10.0.0.2 requested 10.0.0.5's
address and 10.0.0.5 gave it. Notice that the time between request and
reply is also printed in the reply section.
    ** (10.0.0.8) did not reply to (10.0.0.2) after 60 secs -- timed out...removing **

This is a request timing out after not being replied to within 60 secs.
This is _not_ what -t overrides.

    =============================================================
    = Dumping host data...                                      =
    =============================================================
    00:40:05:60:9c:aa - (10.0.0.2) - Last activity: Fri Jan 21 00:10:38 2000
      Host looked up these addresses:
        00:00:c0:3d:96:4a - (10.0.0.5)
          Time of last update: Fri Jan 21 00:09:51 2000
        00:00:00:00:00:00 - (10.0.0.8)
          Time of last update: Fri Jan 21 00:10:05 2000
          Update time (minutes): Average: 0 / Long: 0 / Short: 0 / Number: 3
          Operating System guess(of local host): Unknown
        00:00:c0:4b:cf:70 - (10.0.0.1)
          Time of last update: Fri Jan 21 00:10:38 2000
    00:00:c0:3d:96:4a - (10.0.0.5) - Last activity: Fri Jan 21 00:09:51 2000
      Reply time (usecs) - Avg: 15679 / Long: 15679 / Short: 0 / Number: 1
    00:00:00:00:00:00 - (10.0.0.8)
    00:00:c0:4b:cf:70 - (10.0.0.1) - Last activity: Fri Jan 21 00:10:38 2000
      Reply time (usecs) - Avg: 544 / Long: 544 / Short: 0 / Number: 1
    =============================================================

This is the basic table of hosts which is printed when you send the program
a SIGHUP. It lists the hosts at the first indentation level. Along with each
host it also prints the reply time: average (mean), longest, shortest and
the number of replies. You might also see a line referring to bogus replies;
these are replies the host sent that didn't follow a request from anyone.

Under each host (at the second indentation level) may be the hosts it has
requested an address from (i.e. is communicating with). For example,
10.0.0.2 has requested an address from 10.0.0.5, .8, and .1, and the others
haven't requested an address from anyone. Notice that under 10.0.0.2 it
gives a 'time of last update' for each host; this is the last time it,
10.0.0.2, requested an address from that host.
It will also show the average, longest, shortest, and number of updates
sent from 10.0.0.2 (e.g. 10.0.0.2 sent 3 requests for 10.0.0.8 and they
were very close together, avg 0 secs).

Also included is an operating system 'guess'. From the average update
times we can roughly infer which OS the host is running, since the update
interval reflects the OS's ARP cache expire time. Notice that the OS guess
is given for the host _sending_ the requests, so the OS guess shown above
is for 10.0.0.2, _not_ 10.0.0.8. Unfortunately, the OS guess can easily be
thrown off by long delays or a flurry of requests, so it isn't the most
accurate guess. Running arp for a longer time will produce a better, closer
guess. (Right now I only know the default ARP expire times for Windows and
UNIX (FreeBSD).)

    ** No activity from (10.0.0.8) for 5 minutes -- removing **
    ** No activity from (10.0.0.2) for 45 minutes -- removing **

These are the two different timeout messages displayed. As seen above, the
hosts timed out in the hosts table. 10.0.0.8 had never been active, so it
timed out faster than a host that showed real activity. (10.0.0.8 was added
to the host list only because someone sent a request for it while it was
offline.) To prevent removal from the host table, use the -t option.

    =============================================================
    = Hosts waiting for replies:                                =
    =============================================================
    (10.0.0.2) is waiting for (10.0.0.9) to reply from the request sent at Fri Jan 21 00:32:49 2000
    (10.0.0.2) is waiting for (10.0.0.9) to reply from the request sent at Fri Jan 21 00:32:50 2000
    =============================================================

Finally, this is the 'waiting for reply' list that is displayed by sending
SIGABRT to the process. It shows that two requests were sent for 10.0.0.9's
address, but 10.0.0.9 has not replied yet. This usually means the host is
offline or is having trouble. These time out rather quickly (60 seconds)
and are removed from the list.
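The request/reply matching, reply-time measurement, bogus-reply counting and 60-second pending timeout described above, as an added example in Python. This is not the arp tool's own C code; the event feed, the field names and the MAC address used for 10.0.0.9 are assumptions, and the reply-time figures are constructed to match the sample logs.

```python
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2      # ARP opcodes (ar_op)
PENDING_TIMEOUT = 60.0     # seconds before an unanswered request is dropped (as in the logs)

@dataclass
class HostStats:
    mac: str
    reply_usecs: list = field(default_factory=list)  # measured request->reply latencies
    bogus_replies: int = 0                           # replies that followed no request
    looked_up: dict = field(default_factory=dict)    # target ip -> time of last request

class ArpTracker:
    """Keeps a host table like the tool's SIGHUP dump and a pending list like its SIGABRT dump."""
    def __init__(self):
        self.hosts = {}        # ip -> HostStats
        self.pending = {}      # (requester_ip, target_ip) -> time request was seen
        self.timed_out = []    # (requester_ip, target_ip) pairs that never got a reply

    def _host(self, ip, mac):
        if ip not in self.hosts:
            self.hosts[ip] = HostStats(mac)
        return self.hosts[ip]

    def feed(self, t, op, sender_mac, sender_ip, target_ip):
        """t is the capture time in seconds. Returns the reply time in usecs for a matched reply."""
        self.expire(t)
        if op == REQUEST:
            self._host(sender_ip, sender_mac).looked_up[target_ip] = t
            self.pending[(sender_ip, target_ip)] = t
            return None
        replier = self._host(sender_ip, sender_mac)
        sent = self.pending.pop((target_ip, sender_ip), None)   # reply's target is the requester
        if sent is None:
            # An unsolicited reply: the tool reports these as bogus; it is also what an
            # attempt to poison a neighbour's ARP cache looks like on the wire.
            replier.bogus_replies += 1
            return None
        usecs = int(round((t - sent) * 1_000_000))
        replier.reply_usecs.append(usecs)
        return usecs

    def expire(self, now):
        """Drop requests still unanswered after PENDING_TIMEOUT, as the '-- timed out' log does."""
        for key, sent in list(self.pending.items()):
            if now - sent >= PENDING_TIMEOUT:
                self.timed_out.append(key)
                del self.pending[key]

def reply_summary(tracker, ip):
    """Avg / Long / Short / Number of reply times for one host, as in the host dump."""
    r = tracker.hosts[ip].reply_usecs
    if not r:
        return None
    return {"avg": sum(r) // len(r), "long": max(r), "short": min(r), "number": len(r)}
```

Unlike the tool's dump, the shortest reply time here is the real minimum rather than 0 when only one reply has been seen.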
There are a few logs I left in the dir for examples, etc.

Well, that's about it. If you have questions, bugs, or features you think
this program could use, send them to me.

-Mike Heffner [ where USERNAME=spock ]