23

Some clients in the subnet have cached the IP with the old MAC address. I want them to update to the new value by doing an ARP broadcast. Is it possible in Linux?

Howard

4 Answers

30

Yes, it's called "Unsolicited ARP" or "Gratuitous ARP". Check the manpage for arping for more details, but the syntax looks something like this:

    arping -U 192.168.1.101

If you're spoofing an address, you may need to run this first:

    echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind

Finally, because of its spoofing ability, sending Unsolicited ARP packets is sometimes considered a "hostile" activity, and may be ignored, or might lead to being blocked by some third-party firewalls.

tylerl
  • 10
    Under debian, the command for me was `arping -S ip.to.update -i ethX destination.host`. Example: `arping -S 10.0.0.2 -i eth0 10.0.0.1` – radicand Apr 01 '13 at 16:39
  • 3
    I found it necessary to do an arping to a router as described above in Linux when the IP is an alias on the device (i.e. either a secondary NIC is using the IP or if it's an alias on an existing NIC which was set up using an `ifconfig ethx:x` type of alias). If it's the primary, it never seems to be necessary. –  Apr 10 '13 at 14:05
10

What you are looking for is called "Gratuitous ARP" and can be done using "arping". If your IP address is 10.0.0.1 on eth0, you would use this command:

    arping -A -i eth0 10.0.0.1

You can verify the ARP is being sent using "tcpdump" while the "arping" is running, in this case I am watching "wlan0":

    laptop:~$ sudo tcpdump -lni wlan0 arp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:14:11.219936 ARP, Reply 172.16.42.161 is-at a4:77:03:d2:9b:c4, length 28
    12:14:12.220119 ARP, Reply 172.16.42.161 is-at a4:77:03:d2:9b:c4, length 28
    12:14:13.220288 ARP, Reply 172.16.42.161 is-at a4:77:03:d2:9b:c4, length 28
    12:14:13.220397 ARP, Reply 172.16.42.161 is-at a4:77:03:d2:9b:c4, length 28
    ^C
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
    laptop:~$

frankhommers
Sean Reifschneider
2

What you need is a gratuitous ARP request. As told by Sebastian Wiesinger on NetworkEngineering, the packet has the following characteristics:

  • Both source and destination IP in the packet are the IP of the host issuing the gratuitous ARP
  • The destination MAC address is the broadcast MAC address (ff:ff:ff:ff:ff:ff)
  • It's an ARP request, not a reply

Therefore, the command to send a gratuitous ARP request for my virtual (additional) IP 192.168.178.55 was:

    arping -i ens192 -U -S 192.168.178.55 192.168.178.55

The "-U" creates an unsolicited ARP request. The "-S <ip>" assures that the IP address is set as source. The final "<ip>" contains the IP address we ask for (without expecting an answer).

Enno Gröper
  • +1 this is the only form I have seen that works on cloud providers like Linode. Simply doing `arping -U 192.168.1.101` like the accepted answer shows, did NOT work for me. – Eric Mutta Dec 15 '21 at 19:41
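
The three packet characteristics listed in this answer, and the reply form seen in the tcpdump output of the earlier answer, can be checked on captured frames. The following is an added example, not part of any answer on this page: it classifies raw Ethernet frames as gratuitous ARP requests or replies and reports when such an announcement moves an IP to a different MAC. The function names and the MAC addresses in the sample frames are made up for illustration.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def build_frame(op, sender_mac, sender_ip, target_ip, dst_mac=BROADCAST):
    """Build an Ethernet/ARP frame to use as constructed sample input."""
    raw_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    raw_ip = lambda i: bytes(int(o) for o in i.split("."))
    eth = raw_mac(dst_mac) + raw_mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, opcode
    return eth + arp + raw_mac(sender_mac) + raw_ip(sender_ip) + bytes(6) + raw_ip(target_ip)

def classify(frame):
    """Return (kind, sender_ip, sender_mac) for one raw Ethernet frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return ("not-arp", None, None)
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return ("not-arp", None, None)
    sha, spa, tpa = _mac(frame[22:28]), _ip(frame[28:32]), _ip(frame[38:42])
    # Gratuitous: sender IP == target IP and the frame is sent to broadcast.
    if spa == tpa and _mac(frame[0:6]) == BROADCAST:
        return ("gratuitous-request" if op == 1 else "gratuitous-reply", spa, sha)
    return ("ordinary", spa, sha)

def binding_changes(frames):
    """List (ip, old_mac, new_mac) each time a gratuitous ARP moves an IP."""
    seen, changes = {}, []
    for frame in frames:
        kind, ip, mac = classify(frame)
        if kind.startswith("gratuitous"):
            if ip in seen and seen[ip] != mac:
                changes.append((ip, seen[ip], mac))
            seen[ip] = mac
    return changes

# Constructed sample frames; the MAC addresses are made up (locally administered).
SAMPLES = [
    build_frame(1, "02:00:00:00:00:01", "192.168.178.55", "192.168.178.55"),
    build_frame(1, "02:00:00:00:00:01", "192.168.178.10", "192.168.178.1"),
    build_frame(2, "02:00:00:00:00:02", "192.168.178.55", "192.168.178.55"),
]
```

Running `binding_changes(SAMPLES)` reports one move of 192.168.178.55 between the two sample MACs, which is the event a failover produces on purpose and a monitor would otherwise want to review.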
-2

It is not necessary. As in: when you changed the IP, the computer should have done so automatically. If the clients are hardcoded, a broadcast will not change the hardcoded override.

I have been doing IT for about 20 years now, and in all this time I have NEVER (!) had this happen without faulty equipment.

TomTom
  • The problem is I accidentally assigned a new machine an already used IP, so they conflict on the IP. I can't access the old machine using SSH. Now I remotely shut down the wrong (new) machine, but I still cannot access the old machine; I suspect the router has cached the MAC address in its ARP table. – Howard Aug 29 '10 at 09:12
  • 1
    This is called ''gratuitous ARP'' - see http://en.wikipedia.org/wiki/Address_Resolution_Protocol#ARP_announcements – Kimvais Aug 29 '10 at 09:14
  • Should work after the arp cache expires. You can also try flushing the arp table on the machine you are trying to access the old machine from – Kimvais Aug 29 '10 at 09:16
  • @Kimvais, but I can't access other hosts in the subnet, so I want to know if there is any method to make the update happen earlier. – Howard Aug 29 '10 at 09:18
  • 4
    @TomTom - perhaps you just haven't been working in the right environment to see it. Sending unsolicited ARP packets is a common way to quickly re-route traffic to a new server in a failover situation. Many high-end switches and routers can take several *minutes* to recognize that an IP address has moved to a different physical port otherwise. Cisco switches are notorious for this. – tylerl Aug 29 '10 at 09:28
  • Yes, but then whatever failover scenario you use automatically sends ARP requests. If you fail over by changing the IP on the server, the server will send an ARP request to the switch. No need to do that manually again. – TomTom Aug 29 '10 at 13:31
  • 5
    @TomTom: Yes, if you are failing over via heartbeat/corosync, whatever. However, if you manually move services from one machine to another, particularly if you are on Cisco gear, manually sending a gratuitous ARP is extremely useful. I agree that it isn't something you do frequently, but as someone who has also been doing IT for 20 years, I have found myself in a number of situations where I needed to do it. – Sean Reifschneider Mar 02 '13 at 19:00
  • We need to use it when a failover happens. – frankhommers Mar 25 '21 at 20:28