ARP monitoring tools (useful ARP monitoring tools)
Author: Chief Administrator | Date: 2010-10-14 (Thu) 16:01 | Views: 9850

Source: http://www.mynitor.com/2010/02/13/14-useful-arp-monitoring-tools/


By understanding ARP and knowing how to use the arp utility, one can troubleshoot network-related issues faster. In this article, we've put together 14 tools specifically used to deal with ARP-related monitoring and troubleshooting.

1) Arping

- an ARP level ping utility. It's good for finding out if an IP is taken before you have routing to that subnet. It can also ping MAC addresses directly.

2) arp-scan

- sends ARP (Address Resolution Protocol) queries to the specified targets, and displays any responses that are received. It allows any part of the outgoing ARP packets to be changed, allowing the behavior of targets to non-standard ARP packets to be examined. The IP address and hardware address of received packets are displayed, together with the vendor details. These details are obtained from the IEEE OUI and IAB listings, plus a few manual entries. It includes arp-fingerprint, which allows a system to be fingerprinted based on how it responds to non-standard ARP packets.

3)  arpalert

- uses ARP address monitoring to help prevent unauthorized connections on the local network. If an illegal connection is detected, a program or script is launched, which could be used to send an alert message, for example.

4)  parprouted

- a daemon for transparent IP (Layer 3) proxy ARP bridging. This is useful for creating transparent firewalls and bridging networks with different MAC protocols. Also, unlike standard bridging, proxy ARP bridging allows bridging Ethernet networks behind wireless nodes without using WDS or layer 2 bridging.

5)  ARPSpoofDetector

- performs active and passive detection of ARP spoofing and IP (IPv4) address collision. The program can send healing packets with regular ARP information.

6)  Local IP Takeover

- provides network link redundancy within a single server that has multiple network interface cards (NICs) with each NIC connected to separate network switches. If the primary NIC fails (i.e. it cannot ping its default gateway), the "service" IP (the IP that the outside world connects to) will automatically float to the secondary NIC and a specially crafted ARP (utilizing send_arp) will be broadcast on the local network, thereby instructing all other hosts to update their local ARP cache. The result is minimal service downtime. Plus, no manual intervention is required in the event that a network card, cable, or switch breaks.

7) ARP Tools

- Collection of libnet and libpcap based ARP utilities. It currently contains ARP Discover (arpdiscover), an Ethernet scanner based on ARP protocol; ARP Flood (arpflood), an ARP request flooder; and ARP Poison (arppoison), for poisoning switches' MAC address tables.

8) Gnome ARP

- an ARP monitoring program written for GNOME with the GTK toolkit and Ruby. It takes ARP tables and some system variables via SNMP and ARP protocols and determines whether any machines have changed their IP address. It is useful for detecting new machines on the network and detecting which machines have changed addresses. It is intended especially for network admins.

9) Arphound

- a tool that listens to all traffic on an Ethernet network interface. It reports IP/MAC address pairs as well as events such as IP conflicts, IP changes, IP addresses with no RDNS, various kinds of ARP spoofing, and packets not using the expected gateway. Reporting is done to stdout, to a specified file, or to syslog in a format that can be easily parsed by scripts.

10)  wakearp

- a small utility to induce ARP resolution for any listening IP address in the local /24 subnet.

11)  MasarLabs NoArp

- a Linux kernel module that filters and drops unwanted ARP requests. It is useful when you need to add an alias to the loopback interface to use a load balancer.

12)  Antidote

- a detector for ARP poisoning on a switched network.

13)  arprelease

- a small libnet-based tool to flush ARP cache entries from devices like Cisco routers to move an IP from one Linux box to another.

14)  ARPoison

- a network analysis tool that sends ARP packets to/from specified hardware and protocol addresses.
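
The IP/MAC pair reporting that the Arphound entry describes, and the passive detection mentioned for ARPSpoofDetector, rest on tracking which hardware address last claimed each IP. The sketch below is an added example, not code from the article or from any listed tool; the names `parse_arp`, `ArpWatcher`, `make_arp` and the sample packets are constructed for illustration, and a real monitor would feed it ARP payloads captured from the interface.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload into (oper, sender_mac, sender_ip)."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None  # truncated packet
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = struct.unpack_from(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return oper, sha.hex(":"), socket.inet_ntoa(spa)

class ArpWatcher:
    """Tracks IP-to-MAC bindings learned passively from ARP sender fields."""
    def __init__(self):
        self.bindings = {}  # ip -> MAC last seen for that ip

    def observe(self, payload):
        """Return (event, ip, mac); event is new, known, changed or ignored."""
        parsed = parse_arp(payload)
        if parsed is None or parsed[2] == "0.0.0.0":  # malformed, or an ARP probe
            return ("ignored", None, None)
        _, mac, ip = parsed
        old = self.bindings.get(ip)
        self.bindings[ip] = mac
        if old is None:
            return ("new", ip, mac)
        # "changed" = known IP, different MAC: address conflict or possible spoofing
        return ("changed" if old != mac else "known", ip, mac)

def make_arp(oper, mac, ip, target_ip):
    """Build a constructed sample payload (oper 1 = request, 2 = reply)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, bytes.fromhex(mac.replace(":", "")),
                       socket.inet_aton(ip), bytes(6), socket.inet_aton(target_ip))

# Constructed sample traffic: documentation IPs, locally administered MACs.
SAMPLE = [
    make_arp(2, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),
    make_arp(1, "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),
    make_arp(2, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),
    make_arp(2, "02:00:00:00:00:66", "192.0.2.1", "192.0.2.10"),  # binding changes
    make_arp(1, "02:00:00:00:00:0b", "0.0.0.0", "192.0.2.11"),    # ARP probe
    b"\x00\x01",                                                   # truncated
]

def run_demo():
    return list(map(ArpWatcher().observe, SAMPLE))
if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

A "changed" event alone does not prove spoofing; DHCP reassignment and NIC replacement produce the same signal, so alerting usually weighs it against how recently the old binding was seen.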

