How to manually send an ARP request

macos mac bash tcp arp

11,899

Solution 1

nmap is a general purpose tool for scanning networks, and can be used to do an arp scan only:

nmap -PR 10.0.1.0/24 -sn

The -sn disables port scanning so it only does arp requests, and -PR is the arp scan.

Solution 2

There's an open source tool called arping that lets you send custom ARP requests. You can get it from your favorite OS X open source package manager, such as Homebrew or MacPorts.

ARP requests are usually broadcast (because you don't know which MAC address to send them to, otherwise you wouldn't need to send one). However, they're not wildcarded; that is, you can't send a single request that asks all hosts on the network to send ARP responses to you. The protocol does not provide a way to specify a wildcard in place of the target IP address.

Solution 3

ARP packets are sent by the OS on demand -- essentially, when it needs to talk to another IP address on the same subnet and it doesn't already know that host's MAC address, it sends an ARP request. This means that rebuilding the table isn't really a well-defined process, since you don't actually know what other hosts are out there until the first time your computer tries to talk to them.

Refreshing the entries for the IP addresses that're currently in the table isn't too hard. Just make a list of the current entries, use sudo arp -da to delete all current entries, then use something like ping to force the OS to re-ARP each of the deleted entries:

ip_addresses=$(arp -an | grep -Ev '\(incomplete\)|ff:ff:ff:ff:ff:ff'| sed -n 's/? (\([0-9.]*\)) at .*$/\1/p')
sudo arp -da
for ip in $ip_addresses; do ping -c1 -t1 $ip & disown; done &>/dev/null

Note that the last command fires off all of the pings in the background, so they pretty much all run at once and the table should get rebuilt quite quickly.

If you want to delete & re-ARP just a single entry, do this instead:

sudo arp -d 10.0.0.1
ping -c1 -t1 10.0.0.1

11,899

phenetas

A vaincre sans péril on triomphe sans gloire.

Updated on September 18, 2022

Comments

phenetas over 1 year

I recently sniffed with Tcpdump a packet "ARP, Request who-has 192.168.2.3 tell 192.168.2.2, length 28".

I would like to reproduce this message, and to send an ARP request from my laptop to any IP I would decide. How can I do this ?

I would be interested as well in forcing refreshing the whole ARP table. I know that deleting the table will renew it but only laptop this operation is really slow and it can take up to 1/2/5 minutes to rebuild the complete ARP table. Is there a way to force rebuilding the table, by sending a broadcasted ARP request ?

I am using a Mac with the latest OS Yosemite 10.10.4

Thank you.