tcpdump arp

Environment preparation, machine 1: the MAC and IP address of udev
root@udev:/home/tb# ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:63:49:66  
          inet addr:10.70.30.73  Bcast:10.70.31.255  Mask:255.255.254.0
          inet6 addr: fe80::a00:27ff:fe63:4966/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1992020 errors:0 dropped:0 overruns:0 frame:0
          TX packets:569243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:235878919 (235.8 MB)  TX bytes:149889975 (149.8 MB)
Environment preparation, machine 2: the current MAC and IP address of php56, and its ARP cache
tb@php56:~$ ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:c6:68:73:96  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

enp0s3    Link encap:Ethernet  HWaddr 08:00:27:ce:14:39  
          inet addr:10.70.30.60  Bcast:10.70.31.255  Mask:255.255.254.0
          inet6 addr: fe80::a00:27ff:fece:1439/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1636533 errors:0 dropped:0 overruns:0 frame:0
          TX packets:149265 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:219865638 (219.8 MB)  TX bytes:123084741 (123.0 MB)


root@php56:/home/tb# arp -a
? (10.70.30.79) at 08:62:66:4d:f1:09 [ether] on enp0s3
? (10.70.30.32) at 64:00:6a:20:ae:c6 [ether] on enp0s3
? (10.70.30.47) at 8c:ec:4b:5f:e9:49 [ether] on enp0s3
? (10.70.30.73) at 08:00:27:63:49:66 [ether] on enp0s3
? (10.70.30.1) at 84:b2:61:8f:98:00 [ether] on enp0s3
? (10.70.30.72) at 8c:ec:4b:a1:49:3f [ether] on enp0s3
? (10.70.30.40) at 74:ea:c8:e3:17:ab [ether] on enp0s3
? (10.70.31.191) at <incomplete> on enp0s3
root@php56:/home/tb#
Delete the ARP cache entry for 10.70.30.73 on php56
root@php56:/home/tb# arp -d 10.70.30.73

Capture the packets of a telnet from php56 (10.70.30.66) to 10.70.30.73
root@php56:/home/tb# tcpdump -i enp0s3 -ent '(dst 10.70.30.73 and src 10.70.30.60) or (dst 10.70.30.60 and src 10.70.30.73)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes

## The -e option turns on display of the Ethernet frame header information
Open a new window and telnet from php56. It does not matter that the telnet fails: ARP works at the link layer and completes before the TCP connection is set up, so whether the connection succeeds is irrelevant.
root@php56:/home/tb# telnet 10.70.30.73
Trying 10.70.30.73...
telnet: Unable to connect to remote host: Connection refused
Capture result
root@php56:/home/tb# tcpdump -i enp0s3 -ent '(dst 10.70.30.73 and src 10.70.30.60) or (dst 10.70.30.60 and src 10.70.30.73)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
08:00:27:ce:14:39 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.70.30.73 tell 10.70.30.60, length 28
08:00:27:63:49:66 > 08:00:27:ce:14:39, ethertype ARP (0x0806), length 60: Reply 10.70.30.73 is-at 08:00:27:63:49:66, length 46
08:00:27:ce:14:39 > 08:00:27:63:49:66, ethertype IPv4 (0x0800), length 74: 10.70.30.60.42366 > 10.70.30.73.23: Flags [S], seq 803077829, win 29200, options [mss 1460,sackOK,TS val 173958745 ecr 0,nop,wscale 7], length 0
08:00:27:63:49:66 > 08:00:27:ce:14:39, ethertype IPv4 (0x0800), length 60: 10.70.30.73.23 > 10.70.30.60.42366: Flags [R.], seq 0, ack 803077830, win 0, length 0
08:00:27:63:49:66 > 08:00:27:ce:14:39, ethertype ARP (0x0806), length 60: Request who-has 10.70.30.60 tell 10.70.30.73, length 46
08:00:27:ce:14:39 > 08:00:27:63:49:66, ethertype ARP (0x0806), length 42: Reply 10.70.30.60 is-at 08:00:27:ce:14:39, length 28
08:00:27:ce:14:39 > 08:00:27:63:49:66, ethertype IPv4 (0x0800), length 74: 10.70.30.60.42368 > 10.70.30.73.23: Flags [S], seq 3070062063, win 29200, options [mss 1460,sackOK,TS val 173961995 ecr 0,nop,wscale 7], length 0
08:00:27:63:49:66 > 08:00:27:ce:14:39, ethertype IPv4 (0x0800), length 60: 10.70.30.73.23 > 10.70.30.60.42368: Flags [R.], seq 0, ack 3070062064, win 0, length 0
08:00:27:ce:14:39 > 08:00:27:63:49:66, ethertype IPv4 (0x0800), length 74: 10.70.30.60.52718 > 10.70.30.73.7: Flags [S], seq 4237197441, win 29200, options [mss 1460,sackOK,TS val 173965580 ecr 0,nop,wscale 7], length 0
08:00:27:63:49:66 > 08:00:27:ce:14:39, ethertype IPv4 (0x0800), length 60: 10.70.30.73.7 > 10.70.30.60.52718: Flags [R.], seq 0, ack 4237197442, win 0, length 0
08:00:27:ce:14:39 > 08:00:27:63:49:66, ethertype IPv4 (0x0800), length 74: 10.70.30.60.52720 > 10.70.30.73.7: Flags [S], seq 3993979182, win 29200, options [mss 1460,sackOK,TS val 173969570 ecr 0,nop,wscale 7], length 0
08:00:27:63:49:66 > 08:00:27:ce:14:39, ethertype IPv4 (0x0800), length 60: 10.70.30.73.7 > 10.70.30.60.52720: Flags [R.], seq 0, ack 3993979183, win 0, length 0
08:00:27:63:49:66 > 08:00:27:ce:14:39, ethertype ARP (0x0806), length 60: Request who-has 10.70.30.60 tell 10.70.30.73, length 46
08:00:27:ce:14:39 > 08:00:27:63:49:66, ethertype ARP (0x0806), length 42: Reply 10.70.30.60 is-at 08:00:27:ce:14:39, length 28
Brief explanation of the packet contents

ff:ff:ff:ff:ff:ff is the broadcast address within the LAN; every machine receives and processes such a frame. 0x0806 indicates that the Ethernet frame carries ARP (note the demultiplexing idea: the ethertype tells the receiver which upper protocol handles the payload). "length 42" is in bytes; the actual length is 46, because tcpdump does not care about the CRC checksum field at the tail of the Ethernet frame. The trailing "length 28|46" bytes is the data length. Request and Reply are the fixed identifiers for an ARP request and an ARP reply. Finally, the router does not respond to the ARP request.
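To make the numbers in that explanation concrete, here is an added example (not part of the original post) that builds and decodes raw Ethernet/ARP frames using the addresses from the capture above: the 42-byte request is a 14-byte Ethernet header plus the 28-byte ARP body, while the reply, padded on the wire to the 60-byte Ethernet minimum (FCS excluded), carries a 46-byte payload that is the same 28-byte ARP body plus padding. The frame bytes are constructed here, not taken from the capture, and the parser also flags a reply whose ARP sender MAC does not match the frame's source MAC, a mismatch a defender would want to notice.

```python
import struct

ETH_HDR_LEN = 14         # dst MAC (6) + src MAC (6) + ethertype (2)
ARP_LEN = 28             # fixed ARP body size for Ethernet/IPv4
ETHERTYPE_ARP = 0x0806
ETH_MIN_PAYLOAD = 46     # 60-byte minimum frame (FCS excluded) minus the 14-byte header

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(src_mac, dst_mac, op, sha, spa, tha, tpa, pad=False):
    """Build an Ethernet/ARP frame. pad=True pads it to the 60-byte minimum,
    which is how a receiving NIC hands the frame to tcpdump (FCS not included)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    frame = eth + arp
    if pad:
        frame += b"\x00" * (ETH_HDR_LEN + ETH_MIN_PAYLOAD - len(frame))
    return frame

def parse_arp(frame):
    """Demultiplex on the ethertype, then decode the 28-byte ARP body; padding is ignored."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    body = frame[22:22 + ARP_LEN - 8]      # sha(6) spa(4) tha(6) tpa(4)
    sha, spa, tha, tpa = body[:6], body[6:10], body[10:16], body[16:20]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "frame_len": len(frame), "payload_len": len(frame) - ETH_HDR_LEN,
        "eth_src": fmt_mac(src), "eth_dst": fmt_mac(dst),
        "op": {1: "Request", 2: "Reply"}.get(op, str(op)),
        "sha": fmt_mac(sha), "spa": fmt_ip(spa), "tha": fmt_mac(tha), "tpa": fmt_ip(tpa),
        # a reply whose ARP sender MAC differs from the frame's source MAC deserves a closer look
        "sha_matches_eth_src": sha == src,
    }

# Constructed from the addresses in the capture above; these are not captured bytes.
REQUEST = build_arp("08:00:27:ce:14:39", "ff:ff:ff:ff:ff:ff", 1,
                    "08:00:27:ce:14:39", "10.70.30.60", "00:00:00:00:00:00", "10.70.30.73")
REPLY = build_arp("08:00:27:63:49:66", "08:00:27:ce:14:39", 2,
                  "08:00:27:63:49:66", "10.70.30.73", "08:00:27:ce:14:39", "10.70.30.60", pad=True)
```

Running parse_arp on the two frames reproduces tcpdump's "length 42 ... length 28" for the request and "length 60 ... length 46" for the reply.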

Referenced from the figure below

(figure image.png not included)
