"The Ping Torture of Tantalus" - A Greek tragedy exposing the treacherous roles of ARP and Oracle of Names in the suffering of Tantalus
The three leading actors (addresses as they appear in the capture and ARP table below):

zeno        192.168.222.44   00:08:c7:ca:ba:ad   the host that runs ping and tcpdump
parmenides  192.168.222.10   00:08:c7:72:40:d5   the Oracle of Names, i.e. the nameserver for utp.xnet
tantalus    192.168.222.210  00:08:c7:72:45:55   the host being pinged

The actors are prepared and ready ......
Act I - Erasure of the Table of ARP and Placing the Tap

In one xterm on host 'zeno', delete the ARP (Address Resolution Protocol) table and run tcpdump to spy on the TCP/IP traffic. The reason for this deletion will become clear at the end of this 'tragedy'.
Code:
# arp -dna
192.168.222.10 (192.168.222.10) deleted
# tcpdump -s 512 -eni fxp0
tcpdump: listening on fxp0

The arp options:
Code:
-d : delete
-n : show the numerical IP addresses, don't use DNS to resolve to symbolic names
-a : all entries

The tcpdump options:
Code:
-s 512 : capture 512 bytes of each packet instead of the old default of 68, so the DNS messages are not truncated and can be decoded
-e : show the MAC, or link-level, addresses
-n : show the numerical IP addresses, don't use DNS to resolve to symbolic names
-i fxp0 : specify the interface 'fxp0'

On host 'zeno' run 'ping -c2 tantalus.utp.xnet'
Code:
# ping -c2 tantalus
PING tantalus.utp.xnet (192.168.222.210): 56 data bytes
64 bytes from 192.168.222.210: icmp_seq=0 ttl=255 time=0.387 ms
64 bytes from 192.168.222.210: icmp_seq=1 ttl=255 time=0.261 ms

--- tantalus.utp.xnet ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.261/0.324/0.387/0.063 ms

The complete wiretap/dump
Code:
root@zeno[/root] tcpdump -s 512 -eni fxp0
tcpdump: listening on fxp0
17:37:16.978337 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.10 tell 192.168.222.44
17:37:16.978501 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0806 60: arp reply 192.168.222.10 is-at 0:8:c7:72:40:d5
17:37:16.978517 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77: 192.168.222.44.4331 > 192.168.222.10.53: 44527+ A? tantalus.utp.xnet. (35)
17:37:16.979954 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93: 192.168.222.10.53 > 192.168.222.44.4331: 44527 1/0/0 A 192.168.222.210 (51)
17:37:16.980405 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.210 tell 192.168.222.44
17:37:16.980514 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0806 60: arp reply 192.168.222.210 is-at 0:8:c7:72:45:55
17:37:16.980528 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98: 192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:16.980722 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98: 192.168.222.210 > 192.168.222.44: icmp: echo reply
17:37:17.988741 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98: 192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:17.988922 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98: 192.168.222.210 > 192.168.222.44: icmp: echo reply
^C
10 packets received by filter
0 packets dropped by kernel

Now packet by packet. Each line shows the timestamp, the source MAC, the destination MAC, the Ethernet type (0806 = ARP, 0800 = IP) and the frame length, followed by the decoded contents.

'zeno' has no entry for its nameserver in the ARP table, so it broadcasts (destination ff:ff:ff:ff:ff:ff) an ARP request for 192.168.222.10:
Code:
17:37:16.978337 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.10 tell 192.168.222.44

The reply:
Code:
17:37:16.978501 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0806 60: arp reply 192.168.222.10 is-at 0:8:c7:72:40:d5

With this information 'zeno' at 192.168.222.44 (0:8:c7:ca:ba:ad) is able to ask the Oracle or nameserver 192.168.222.10 (0:8:c7:72:40:d5) for the DNS A record of 'tantalus.utp.xnet'. The query goes from UDP port 4331 on zeno to port 53 on the nameserver and carries transaction id 44527:
Code:
17:37:16.978517 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77: 192.168.222.44.4331 > 192.168.222.10.53: 44527+ A? tantalus.utp.xnet. (35)

The answer comes back to port 4331 with the same id 44527; '1/0/0' means one answer record, no authority and no additional records, and the answer is the A record 192.168.222.210:
Code:
17:37:16.979954 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93: 192.168.222.10.53 > 192.168.222.44.4331: 44527 1/0/0 A 192.168.222.210 (51)

'zeno' now knows the IP address of 'tantalus' but not its MAC address, so a second ARP request and reply follow:
Code:
17:37:16.980405 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.210 tell 192.168.222.44
17:37:16.980514 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0806 60: arp reply 192.168.222.210 is-at 0:8:c7:72:45:55

Only now can the two ICMP echo requests and their replies be exchanged, addressed directly to the MAC address of 'tantalus' (0:8:c7:72:45:55):
Code:
17:37:16.980528 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98: 192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:16.980722 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98: 192.168.222.210 > 192.168.222.44: icmp: echo reply
17:37:17.988741 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98: 192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:17.988922 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98: 192.168.222.210 > 192.168.222.44: icmp: echo reply

After ^C tcpdump reports how many packets it saw and whether the kernel dropped any:
Code:
^C
10 packets received by filter
0 packets dropped by kernel

The ARP table of 'zeno' is filled again with the two mappings learned from the ARP replies:
Code:
# arp -an
? (192.168.222.10) at 00:08:c7:72:40:d5 on fxp0
? (192.168.222.210) at 00:08:c7:72:45:55 on fxp0

The same table with the addresses resolved to names (without -n, which itself causes DNS lookups):
Code:
# arp -a
parmenides.utp.xnet (192.168.222.10) at 00:08:c7:72:40:d5 on fxp0
tantalus.utp.xnet (192.168.222.210) at 00:08:c7:72:45:55 on fxp0

We have seen the ARP traffic. Only if a host cannot find an IP<->MAC address mapping in its ARP table does it have to send an ARP request. A tcpdump of another ping from zeno to tantalus, with a filled ARP table, shows no ARP traffic at all; only the DNS lookup and the ICMP packets remain:
Code:
19:10:29.695485 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77: 192.168.222.44.17885 > 192.168.222.10.53: 49880+ A? tantalus.utp.xnet. (35)
19:10:29.697044 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93: 192.168.222.10.53 > 192.168.222.44.17885: 49880 1/0/0 A 192.168.222.210 (51)
19:10:29.697480 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98: 192.168.222.44 > 192.168.222.210: icmp: echo request
19:10:29.697688 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98: 192.168.222.210 > 192.168.222.44: icmp: echo reply
19:10:30.702854 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98: 192.168.222.44 > 192.168.222.210: icmp: echo request
19:10:30.703030 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98: 192.168.222.210 > 192.168.222.44: icmp: echo reply

Each BSD OS is equipped with all the tools to diagnose a TCP/IP problem. A program like 'ifconfig' allows you to check the configuration of your NIC, and 'tcpdump' shows exactly the exchange of packets. We have seen what should happen in a well configured network during a 'ping -c2 hostname'. Note that neither exchange is authenticated: zeno trusts the first 'is-at' reply it hears for an IP address, and it accepts any DNS answer that arrives on the right port with the right transaction id, which is what makes these two roles treacherous.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
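The three acts above, replayed by a program: an added example, not code from the original post. It parses the 'tcpdump -eni' lines shown on this page (the TRACE string is copied from the capture above), rebuilds the IP-to-MAC bindings from the ARP replies, pairs the DNS answer with its query by client port and transaction id, and checks that each echo request really went to the MAC that ARP bound to tantalus. On top of that it adds the two checks a defender wants on such a trace: an ARP reply that claims an IP already bound to another MAC, and a DNS answer that matches no outstanding query. SPOOFED appends one constructed 'is-at' line to show the first check firing; that line and the MAC 0:8:c7:de:ad:00 are invented for the example.

```python
"""Added example: parse tcpdump -eni output and replay ARP -> DNS -> ICMP.
TRACE is copied from the capture on this page; SPOOFED adds one constructed
line with an invented MAC (0:8:c7:de:ad:00) to demonstrate the ARP check."""
import re

TRACE = """\
17:37:16.978337 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.10 tell 192.168.222.44
17:37:16.978501 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0806 60: arp reply 192.168.222.10 is-at 0:8:c7:72:40:d5
17:37:16.978517 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77: 192.168.222.44.4331 > 192.168.222.10.53: 44527+ A? tantalus.utp.xnet. (35)
17:37:16.979954 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93: 192.168.222.10.53 > 192.168.222.44.4331: 44527 1/0/0 A 192.168.222.210 (51)
17:37:16.980405 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.210 tell 192.168.222.44
17:37:16.980514 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0806 60: arp reply 192.168.222.210 is-at 0:8:c7:72:45:55
17:37:16.980528 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98: 192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:16.980722 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98: 192.168.222.210 > 192.168.222.44: icmp: echo reply
"""

# Constructed line, not from the capture: a second 'is-at' for tantalus.
SPOOFED = TRACE + (
    "17:37:18.000000 0:8:c7:de:ad:00 0:8:c7:ca:ba:ad 0806 60: "
    "arp reply 192.168.222.210 is-at 0:8:c7:de:ad:00\n"
)

# tcpdump -e prefix: timestamp, src MAC, dst MAC, ethertype, frame length
FRAME = re.compile(r"^(\S+) (\S+) (\S+) ([0-9a-f]{4}) (\d+): (.*)$")
ARP_REPLY = re.compile(r"^arp reply (\S+) is-at (\S+)$")
DNS_QUERY = re.compile(r"^(\S+)\.(\d+) > (\S+)\.53: (\d+)\+ A\? (\S+) \(\d+\)$")
DNS_ANSWER = re.compile(r"^(\S+)\.53 > (\S+)\.(\d+): (\d+) \d+/\d+/\d+ A (\S+) \(\d+\)$")
ICMP_ECHO = re.compile(r"^(\S+) > (\S+): icmp: echo (request|reply)$")


def parse_frames(text):
    """Split each tcpdump line into its link-layer fields and payload text."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            ts, src, dst, etype, length, payload = m.groups()
            frames.append({"ts": ts, "src_mac": src, "dst_mac": dst,
                           "ethertype": etype, "len": int(length),
                           "payload": payload})
    return frames


def learn_arp(frames):
    """ip -> mac from ARP replies; the first binding wins.  A later reply that
    names another MAC for a bound IP, or whose 'is-at' MAC differs from the
    frame's own source MAC, is reported as (ip, bound, claimed, timestamp)."""
    bindings, conflicts = {}, []
    for f in frames:
        m = ARP_REPLY.match(f["payload"]) if f["ethertype"] == "0806" else None
        if not m:
            continue
        ip, mac = m.groups()
        if mac != f["src_mac"]:
            conflicts.append((ip, f["src_mac"], mac, f["ts"]))
        if ip in bindings and bindings[ip] != mac:
            conflicts.append((ip, bindings[ip], mac, f["ts"]))
        else:
            bindings[ip] = mac
    return bindings, conflicts


def pair_dns(frames):
    """Match each A answer to a pending query by (client, port, server, id).
    Returns (answers name -> ip, answers that matched no outstanding query)."""
    pending, answers, unsolicited = {}, {}, []
    for f in frames:
        if f["ethertype"] != "0800":
            continue
        q = DNS_QUERY.match(f["payload"])
        if q:
            client, port, server, txid, name = q.groups()
            pending[(client, port, server, txid)] = name.rstrip(".")
            continue
        a = DNS_ANSWER.match(f["payload"])
        if a:
            server, client, port, txid, ip = a.groups()
            name = pending.pop((client, port, server, txid), None)
            if name is None:
                unsolicited.append((f["ts"], ip))
            else:
                answers[name] = ip
    return answers, unsolicited


def echo_requests(frames, bindings):
    """For each ICMP echo request, check the frame went to the MAC that ARP
    bound to the destination IP.  Returns [(dst_ip, ok), ...]."""
    out = []
    for f in frames:
        m = ICMP_ECHO.match(f["payload"]) if f["ethertype"] == "0800" else None
        if m and m.group(3) == "request":
            dst_ip = m.group(2)
            out.append((dst_ip, bindings.get(dst_ip) == f["dst_mac"]))
    return out


def analyse(text):
    frames = parse_frames(text)
    bindings, conflicts = learn_arp(frames)
    answers, unsolicited = pair_dns(frames)
    return {"frames": len(frames), "arp": bindings, "arp_conflicts": conflicts,
            "dns": answers, "dns_unsolicited": unsolicited,
            "echo": echo_requests(frames, bindings)}


if __name__ == "__main__":
    for label, text in (("page capture", TRACE), ("constructed spoof", SPOOFED)):
        r = analyse(text)
        print(label, r["frames"], "frames; arp", r["arp"], "; conflicts",
              r["arp_conflicts"], "; dns", r["dns"], "; echo", r["echo"])
```

Run it as a script, or feed it a real capture with `analyse(open("dump.txt").read())` where dump.txt holds the output of `tcpdump -eni fxp0` (the regexes match the decoding style shown on this page; newer tcpdump prints slightly different text). Keeping the first ARP binding and reporting later disagreements, rather than overwriting, mirrors what a static ARP entry would do and is why the post deletes the table first: with an empty table the first 'is-at' to arrive, legitimate or not, becomes the mapping.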
Tags: arp, dns, tcpdump