How to test what is alive in the VLAN? arping, arp-scan

Problem: How to test VLAN/subnet without IP address from it. I need to to know if GW (gateway) is present/answering and what else is alive in this subnet.

If you can’t use IP address, you can’t use common test tool PING. You have to use layer-2 (ethernet) based solution – ARP protocol.

First of all, you can try to use arping (common tool in Linux), but it have some limitations – you can’t freely set source IP address (field in ARP protocol header). In our example/problem we are trying to find out, if gateway (should have IP in my examples) is working/exists.

If you try to use arping without any parameters, your IP address (from primary NIC) is used and most/all devices don’t respond to your ARP request where source IP isn’t from their subnet (it has security reasons).

Then you can try to use arp probe – ARP request with address in source-IP-field (parametr -D in arping). Servers will be responding to this request but network devices (routers, firewall) won’t (some of them)! And other source IP addresses will cause a error in arping.

arping (fail)

After some searching on the Internet, I found great tool – arp-scan. This tool can scan all subnet, and you can use any source IP address (you can set every field in ARP). On next picture you can see result of arp-scan with address – servers are responding, but GW don’t.

arpscan (probe)

So if you can use any IP address, try to insert to the source-IP field subnet address and broadast address of test subnet. Network devices are responding to this kind of ARP requests.

arpscan (network address)

arpscan (broadcast address)

As you can see on previous picture, I was using another tool ipcalc to compute these special addresses. This tool is very useful for these situations, when you have to compute eg. broadcast of the subnet in script etc.

ipcalc (with bin. and colors)

ipcalc (without colors)

Napsat komentář