Re: Duplicate IP false alerts from arping

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

unni krishnan a écrit :
> 
> I am trying to find a duplicate IP in the network using arping.
> 
>  -------------------------
>  [root@vps1 ~]# ping -c 3 192.168.1.212
>  PING 192.168.1.212 (192.168.1.212) 56(84) bytes of data.
>  64 bytes from 192.168.1.212: icmp_seq=1 ttl=64 time=1.33 ms
>  64 bytes from 192.168.1.212: icmp_seq=2 ttl=64 time=0.280 ms
>  64 bytes from 192.168.1.212: icmp_seq=3 ttl=64 time=0.306 ms
> 
>  --- 192.168.1.212 ping statistics ---
>  3 packets transmitted, 3 received, 0% packet loss, time 1999ms
>  rtt min/avg/max/mdev = 0.280/0.641/1.339/0.494 ms
>  [root@vps1 ~]# arping -D -I eth0 -c 5 192.168.1.212 ; echo $?
>  ARPING 192.168.1.212 from 0.0.0.0 eth0
>  0
>  -------------------------
> 
>  As per arping that IP is duplicate.

I disagree. According to man arping :

    -D  Duplicate  address  detection  mode  (DAD).  See RFC2131, 4.4.1.
        Returns 0, if DAD succeeded i.e. no replies are received
                                         ^^^^^^^^^^^^^^^^^^^^^^^
-D (DAD) is meant for DHCP to find out if the proposed IP address is not
already assigned to another host. Its purpose is not to find out if
multiple hosts have the same IP address. Besides, a return value of 0
means that no ARP replies were received (IOW -D inverts the return value
logic), which is weird since the target IP address replies to ICMP ping
unless that address is assigned to the local host.

Here :

# arping -DI eth0 -c 1 192.168.0.246 ; echo result=$?
ARPING 192.168.0.246 from 0.0.0.0 eth0
Unicast reply from 192.168.0.246 [xx:xx:xx:xx:xx:xx]  0.964ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
result=1

# arping -DI eth0 -c 1 192.168.0.24 ; echo result=$?
ARPING 192.168.0.24 from 0.0.0.0 eth0
Sent 1 probes (1 broadcast(s))
Received 0 response(s)
result=0

> But if I go ahead and ifdown the
>  IP in the known location I cant ping that IP ( That means that IP is
>  not duplicated ? ). This is the result after shutting down the IP.
> 
>  --------------------------
>  [root@vps1 ~]# ping -c 3 192.168.1.212
>  PING 192.168.1.212 (192.168.1.212) 56(84) bytes of data.
>  From 192.168.1.63 icmp_seq=1 Destination Host Unreachable
>  From 192.168.1.63 icmp_seq=2 Destination Host Unreachable
>  From 192.168.1.63 icmp_seq=3 Destination Host Unreachable

Ok, that means no ARP reply.

>  [root@vps1 ~]# arping -D -I eth0 -c 5 192.168.1.212 ; echo $?
>  ARPING 192.168.1.212 from 0.0.0.0 eth0
>  Sent 5 probes (5 broadcast(s))
>  Received 0 response(s)
>  0

Same as above.

>  My question is, in this case IP 192.168.1.212 is not duplicated. But
>  still arping gives duplicate status. Why it is like that ?

A situation of real duplicate ARP replies may occur when the address is
assigned to a host which has multiple interfaces connected to the same
network, so it receives and replies to ARP queries on each interface.
--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netdev]     [Ethernet Bridging]     [Linux 802.1Q VLAN]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Git]     [Bugtraq]     [Yosemite News and Information]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux PCI]     [Linux Admin]     [Samba]

  Powered by Linux