Sending ARP request to unicast MAC instead of broadcast MAC address?

Crist Clark Crist.Clark at globalstar.com
Thu Jun 17 12:57:46 CDT 2010


>>> On 6/16/2010 at  3:57 PM, Chris Woodfield <rekoil at semihuman.com> wrote:
> OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but 
> there's a reason for it, I swear...
> 
> Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted 
> ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC 
> address, is instead sent to the already-known unicast MAC address of the host? 
> 
> 
> Next, what would be your utility of choice for crafting such a packet? Or is 
> this something one would need to code up by hand in a lower-level language?

Unicast ARP requests are considered normal. See Section 2.3.2.1 of
RFC1122, "ARP Cache Validation." Specifically,

            IMPLEMENTATION:
                 Four mechanisms have been used, sometimes in
                 combination, to flush out-of-date cache entries.

                 [snip]

                 (2)  Unicast Poll -- Actively poll the remote host by
                      periodically sending a point-to-point ARP Request
                      to it, and delete the entry if no ARP Reply is
                      received from N successive polls.  Again, the
                      timeout should be on the order of a minute, and
                      typically N is 2.







More information about the NANOG mailing list