Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
1
votes
1
answers
3847
views
Refresh arp entries in FreeBSD
In Linux, an ARP entry's age gets reset/refreshed if a packet comes by. However, it seems that FreeBSD simply sets a timer, and unconditionally evicts the ARP entry even if packets with that MAC-address/IP came by. Is there a way to get Linux's behaviour of updating the age if traffic is seen?
I am experiencing large bursts of ARP broadcast traffic every 20 minutes on my LAN because of this. I know that one can change the age in FreeBSD's cache, but that just changes the intervals between bursts. I want to stop the bursts in the first place.
hbogert
(759 rep)
Jan 8, 2019, 03:46 PM
• Last activity: Jul 26, 2025, 09:05 AM
0
votes
0
answers
130
views
could bonding mode 6 receive traffic load balancing to the slaves
Will the mode 6 receive traffic be load balanced relatively according to the slave interfaces?
OS: ubuntu 18.04.6 LTS; bonding driver: v3.7.1; kernel: 4.15.0-213-generic
In mode 6, I had set the parameters `bond_arp_interval 100`, `arp_validate 3` and `bond_arp_ip_target ip1,ip2` and restarted the interface, then only got *ip1* from file */sys/class/net/bond6/bonding/arp_ip_target*, but got *0* from both file */sys/class/net/bond6/bonding/arp_interval* and */sys/class/net/bond6/bonding/arp_validate*, and pushed the traffic to the dest host by `iperf3`, all traffic from different src hosts with different arp records (same dest ip with different mac addresses which belong to the dest host mode 6 bonding slaves) always received by the same slave interface in dest host. Maybe the ARP record does not update properly in the subnet, so it can't receive traffic load balancing.
And I tested `bond_arp_interval 100`, `arp_validate 3` and `bond_arp_ip_target ip1` in mode 1, it works, reference to this redhat solution. Maybe arp probes are not suitable for mode 6? Why does mode 6 say it could achieve that receive traffic balancing?
How does the bonding driver initiate an ARP reply to the peer for updating the ARP record? I can't find any other parameter to work for it.
Linux Ethernet Bonding Driver HOWTO :
> Receive load balancing is handled by Address Resolution Protocol (ARP) negotiation and table mapping to the relevant group interface.
> Hence, peers learn the hardware address of the bond and the balancing of receive traffic collapses to the current slave. This is handled by sending updates (ARP Replies) to all the peers with their individually assigned hardware address such that the traffic is redistributed.
Questions:
1. how bonding achieve that the mode 6 **receive traffic load balancing** to the slaves?
2. why it doesn't work with **arp monitor** in mode 6?
3. could it work in **Distributed VXLAN Gateway** with dynamically learns ARP entries and ARP broadcast suppression?
4. when two Distributed VXLAN Gateway (Q3) leaves learned the **same host IP ARP entry but with different mac addresses** from local network (switch port), what would they do?
VictorLee
(37 rep)
Sep 29, 2024, 03:04 PM
• Last activity: May 23, 2025, 05:05 AM
0
votes
1
answers
2227
views
ARP table shows incomplete entry and connectivity lost
I have Linux device running 4.14.7 kernel. My device-A is directly connected to third-party device(Device-B) over 1Gig port. A UDHCPD server runs on dev-A which always assigns single IP address as per DHCP config.
Dev-A is in 172.16.x.x with mask 255.255.0.0.
Dev-B is assigned with 172.16.100.1 with 255.255.255.0 from UDHCPD running on Dev-A.
Occasionally I see that "arp" table is showing "incomplete" for Dev-B and communication fails. At this time I can see that Dev-B has valid lease from UDHCPD server.
```
$ arp
? (172.16.100.1) at <incomplete> on br0
```
A ping will restore the connection to Dev-B.
How do I overcome this issue without issuing a "ping"?
Thanks in advance.
Ashoka
(111 rep)
Jan 24, 2024, 05:23 AM
• Last activity: May 21, 2025, 01:04 AM
0
votes
1
answers
3310
views
How set MAC address filtering on linux?
I need to block any incoming connection from a MAC address different from a specific one (which is static and well known).
This MAC address should generate only non-IP connection: this is the reason why I don't know if ARPtables could be the best solution.
Any suggestion?
Vilos
(51 rep)
Sep 21, 2020, 11:04 AM
• Last activity: Apr 28, 2025, 11:08 AM
2
votes
2
answers
7989
views
Why does an IPv6 neighbour router status become STALE? How can I avoid it?
I have a VM on a host with bridged networking (hence, with its own MAC address). Both host and VM run CentOS. Their network is managed by simple `/etc/sysconfig/network-scripts/ifcfg-enpXsY` files. IPv4 works just fine.
I have assigned an IPv6 address to the VM (the host also has one) which is routed correctly in the data centre. Most connections use IPv4, however (no DNS AAAA entry for the machine yet, still testing IPv6).
When I boot up the VM it has full IPv6 connectivity. However, **after a while IPv6 connectivity stops working** (IPv6 magic?). I have narrowed the problem down to neighbour (ARP/NDISC cache) data:
Not working, cannot ping or connect by IPv6 in or out:
```
# ip -6 neighbour
fe80::1 dev enp1s2 lladdr 0c:86:72:2e:04:28 router STALE
```
Fix/workaround to refresh the cache:
```
# ip -6 neighbour flush dev enp1s2
# ip -6 neighbour
(empty, as expected)
```
Then `ping6` the host from within the VM to fill the cache:
```
# ping6 2912:1375:23:9a6c::2
PING 2912:1375:23:9a6c::2(2912:1375:23:9a6c::2) 56 data bytes
64 bytes from 2912:1375:23:9a6c::2: icmp_seq=1 ttl=64 time=2.35 ms
64 bytes from 2912:1375:23:9a6c::2: icmp_seq=2 ttl=64 time=0.468 ms
^C
# ip -6 neighbour
fe80::1 dev enp1s2 lladdr 0c:86:72:2e:04:28 router REACHABLE
2912:1375:23:9a6c::2 dev enp1s2 lladdr 08:21:4b:b7:f8:31 DELAY
```
IPv6 neighbour/ARP table restored to validity and connectivity is working in and out!
**So my questions are:**
1. Why does the cache become stale?
2. What can I do to avoid it?
Of course I could run those commands in a `cron` job (how often?) but I suppose that cannot really be needed for IPv6 to work in general?
PS: I used a script for tests: **The IPv6 stack breaks down about every 20 minutes**. Can that be explained by RFCs?
Ned64
(9256 rep)
Sep 20, 2021, 01:41 PM
• Last activity: Apr 14, 2025, 10:52 AM
1
votes
0
answers
17
views
Why does including --opcode command in arptables work on wifi router 1 but not on wifi router 2
I have a shell script on my linux computer that has these arptables commands:
```
$ cat arptables.sh
mac_address="AA:BB:CC:DD:EE:FF"
arptables -P INPUT DROP
arptables -P OUTPUT DROP
arptables -A INPUT --opcode Request -d 0.0.0.0 -j DROP
arptables -A INPUT --opcode Reply -d 0.0.0.0 -j DROP
arptables -A INPUT --opcode Request -j DROP
arptables -A INPUT -s 192.168.3.1 --source-mac "$mac_address" -j ACCEPT
arptables -A OUTPUT -d 192.168.3.1 -j ACCEPT
```
Then I added this script at system startup of my PC and it works fine with my previous wifi router. Now, I recently bought a new wifi router and changed the mac_address part of the code to match my new router and it fails to connect to the internet. All my other devices can connect to the internet, since this script isn't running on those devices. Then I removed the opcode portions from the script above and everything worked fine for the new wifi router. However, on the previous router, this entire script works just fine. Would anyone explain what is this opcode part. I read on an article couple years back that opcode could prevent spoofing mac addresses so they suggested this code. So I added the opcode portion to my script.
learningregularexpressions
(53 rep)
Mar 19, 2025, 04:53 PM
• Last activity: Mar 19, 2025, 10:46 PM
0
votes
2
answers
55
views
ubuntu arp problem with who-has x.x.x.x tell y.y.y.y
I have a single server which two VM(ubuntu) configured as ubuntu-edge(with frr module for routing - wan side) and ubuntu-fw(for lan side), between these machines there is a virtual internal interface. all the traffic from lan toward fw, and from ubuntu-fw with default route forward to ubuntu-edge.
when someone try to reach from behind wan side of the ubuntu-edge to lan side(for example icmp or ssh) can't connect,
the tcpdump output is here:
```
ubuntu@ubuntu-fw:~$ sudo tcpdump -n -i lan host 18.x.x.201
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:22:43.742256 IP 172.25.4.96 > 18.x.x.201: ICMP echo request, id 60418, seq 4404, length 40
13:22:43.743299 ARP, Request who-has 172.25.4.96 tell 18.x.x.201, length 46
13:22:48.861752 ARP, Request who-has 18.x.x.201 tell 18.x.x.1, length 28
13:22:48.863665 ARP, Reply 18.x.x.201 is-at 74:86:0b:19:fe:c1, length 46
13:25:42.226903 IP 172.25.4.96 > 18.x.x.201: ICMP echo request, id 60418, seq 4458, length 40
13:25:42.231842 ARP, Request who-has 172.25.4.96 tell 18.x.x.201, length 46
13:25:47.236840 IP 172.25.4.96 > 18.x.x.201: ICMP echo request, id 60418, seq 4459, length 40
13:25:47.237899 ARP, Request who-has 172.25.4.96 tell 18.x.x.201, length 46
13:25:47.549749 ARP, Request who-has 18.x.x.201 tell 18.x.x.1, length 28
```
and here is the local route table:
```
ubuntu@ubuntu-fw:~$ ip route show
default via 172.24.8.9 dev internal proto static
18.x.x.0/24 dev lan proto kernel scope link src 18.x.x.1
172.24.8.8/30 dev internal proto kernel scope link src 172.24.8.10
```
the ubuntu-edge, has the route of 172.25.4.96 via bgp dynamic route.
what is the problem not forward packet ?
by the way packet forwarding is enabled on the both machines.
Thanks
Ahmad-R
(1 rep)
Feb 19, 2025, 02:19 PM
• Last activity: Feb 21, 2025, 08:16 PM
0
votes
1
answers
67
views
How to get router to respond to ARP requests from switch so i can manage it
I have a web managed switch on my network. It is connected to a router, along with the host PC i am on. I cannot ping it through the router.
Router is Fedora server.
the router's applicable interfaces are:
```
enp3s0 wan interface
enp4s0 with static IP 192.168.2.2/24
enp6s0 with static IP 10.2.4.1/24
```
routing table on the router has applicable entries:
```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.2     0.0.0.0         UG    100    0        0 enp4s0
0.0.0.0         10.2.4.1        0.0.0.0         UG    103    0        0 enp6s0
10.2.4.0        0.0.0.0         255.255.255.0   U     103    0        0 enp6s0
192.168.2.0     0.0.0.0         255.255.255.0   U     100    0        0 enp4s0
```
the hosts are directly attached to these interfaces with these ips:
```
        IP                     MAC                attached if
switch  192.168.2.1 (static)   60:be:b4:13:28:e1  enp4s0
pc      10.2.4.5 (dhcp)        1c:2a:a3:1e:74:df  enp6s0
```
when i ping from the host pc, i get timeouts. so i ran tcpdump from the router on enp4s0
```
sudo tcpdump -i enp4s0 -n
16:18:06.345052 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 430, length 64
16:18:07.334961 ARP, Request who-has 192.168.2.2 tell 192.168.2.2, length 28
16:18:07.369062 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 431, length 64
16:18:08.361151 ARP, Request who-has 192.168.2.2 tell 192.168.2.2, length 28
16:18:08.393080 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 432, length 64
16:18:09.385150 ARP, Request who-has 192.168.2.2 tell 192.168.2.2, length 28
16:18:09.417072 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 433, length 64
[ ... ]
16:18:17.609124 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 441, length 64
16:18:18.601152 ARP, Request who-has 192.168.2.1 tell 192.168.2.2, length 28
16:18:18.601366 ARP, Reply 192.168.2.1 is-at 1c:2a:a3:1e:74:df, length 46
16:18:18.633088 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 442, length 64
```
discernible facts:
* the packets travel the router's nftables forward chain from enp6s0 to enp4s0
* the switch then asks who has 192.168.2.2, the gateway. it gets no response.
* the router later asks who has 192.168.2.1. the switch responds with its mac.
* the router's arp table records it.
* the switch still does not know who has 192.168.2.2
routers applicable arp entries
```
Address       HWtype  HWaddress           Flags Mask  Iface
192.168.2.1   ether   1c:2a:a3:1e:74:df   C           enp4s0
10.2.4.5      ether   04:7c:16:4d:0a:84   C           enp6s0
```
the switch is not responding to pings, and furthermore, to my web requests to manage it. when i send a web request from the browser, i immediately get a bunch more "Request who-has 192.168.2.2", which reveals that the http request reached the switch and knows to reply to that IP, but it still doesn't know who has that IP. it keeps asking.
here is the host pc applicable arp table entries, showing the router responded to the PC's arp request, so why not then to the switch?
```
Address       HWtype  HWaddress           Flags Mask  Iface
10.2.4.1      ether   60:be:b4:13:28:e3   C           enp12s0
```
This is the only 192.168. network. all other interfaces start with 10.
what would cause the router not to reply to the switch's arp request so i can eventually ping and manage it.
FigureOfCode
(3 rep)
Jan 27, 2025, 04:55 AM
• Last activity: Jan 28, 2025, 10:57 PM
0
votes
0
answers
25
views
get connected lan hosts via arp and output on single line
I'm using the following nmap command
```
nmap -sP 192.168.1.0/24 | awk '{print $1}' | awk '/Nmap scan report for/{print " "$5,$6;}/MAC Address:/{print $3;}'
```
which outputs
```
box1.lan (192.168.1.119)
00:0E:C7:82:48:10
box2.lan (192.168.1.189)
00:E0:4F:68:01:14
```
how do i get it to output as
```
00:0E:C7:82:48:10 box1.lan 192.168.1.119
00:E0:4F:68:01:14 box2.lan 192.168.1.189
```
Lurch
(125 rep)
Dec 11, 2024, 02:03 PM
0
votes
2
answers
124
views
Why does a network interface need to have a routing table entry configured to answer ARP requests?
I'm using a fresh minimal Ubuntu server 24.04.1 LTS install. I run these commands as root to set up networking and do some experiments:
```sh
apt install -y netcat-traditional tcpdump inetutils-ping
ip netns add ns1
ip netns add ns2
ip link add my_veth1 type veth peer name my_veth2
ip link set my_veth1 up netns ns1
ip link set my_veth2 up netns ns2
ip -n ns1 address add 1.2.3.4 dev my_veth1
ip -n ns1 route add 2.3.4.0/24 dev my_veth1
ip -n ns2 address add 2.3.4.5 dev my_veth2
```
Then I run these commands in different terminals:
```sh
# Terminal 1
ip netns exec ns1 tcpdump -l -i my_veth1
# Terminal 2
ip netns exec ns2 tcpdump -l -i my_veth2
# Terminal 3
ip netns exec ns1 ping 2.3.4.5
```
I get the same output in terminals 1 and 2:
```
02:40:27.511438 ARP, Request who-has 2.3.4.5 tell 1.2.3.4, length 28
02:40:27.511438 ARP, Request who-has 2.3.4.5 tell 1.2.3.4, length 28
02:40:27.511438 ARP, Request who-has 2.3.4.5 tell 1.2.3.4, length 28
...
```
`veth2` has the IP address 2.3.4.5 and is receiving the ARP request. Why doesn't it send an answer? It only answers when I configure a routing table entry:
```sh
ip -n ns2 route add 1.2.3.0/24 dev my_veth2
```
But it shouldn't be necessary since the MAC address of the network interface that `veth2` should respond to is already encoded in the request it is responding to.
Adrian
(249 rep)
Nov 25, 2024, 03:25 AM
• Last activity: Nov 25, 2024, 04:20 PM
0
votes
2
answers
628
views
Clients cannot connect to each other on WLAN. No reply on ARP requests
I have install a WLAN with an access point which connects the clients to the internet.
At first all seemed to work correctly until I noticed that the clients
can not communicate with each other.
Here are the details: One machine is connected to the internet via eth0, and acts as an access point via wlan1. It is running `hostapd` and `dnsmasq` and it's using NAT to connect the other clients to the internet.
```
Client A              Client B
192.168.1.143         192.168.1.235
        \             /
         \           /
          \         /
       Access Point, AP
       wlan1: 192.168.1.1
       eth0:  192.168.0.xxx
```
So far, the clients can connect successfully to the internet. They can connect
(eg. via ssh) to the access point. And the access point can ssh to the
clients.
Now the problem is that client A cannot connect to client B and vice versa. Using `tcpdump` on the access point I see that client A is sending ARP requests for client B. But client B never receives these requests and thus cannot reply. Therefore the arp table entry for client B is incomplete (and vice versa).
For testing purpose I set the arp table entries manually for both clients with `arp -s`. And now everything is working successfully. The clients can connect to each other and they can connect to the internet. But actually I don't want to set arp table entries manually for all client machines.
Now, my question is: Where's the problem here? How are arp tables
supposed to be updated automatically? Where should I look into?
Is it a problem on the access point (routing table, hostapd, dnsmasq, ...)?
Or is it a problem on the client machines?
ps: There are no arptables rules installed on any machine:
```
$ arptables -L
Chain INPUT (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
```
**Edit:**
Finally I found the problem:
After rechecking the configuration I eventually tested it with another USB Wifi
adapter. And I was really surprised to see that everything was working then. ARP
requests were being received and answered by the clients. Ping and ssh between
arbitrary clients was working, too.
Just to be certain, I changed back to the first USB Wifi adapter. And
again ARP requests were not received (and answered) by the clients. Thus
I can confirm that it was not an issue with configuration of hostapd
or with kernel arp tables. The problem was the driver for the Wifi
adapter.
Here are the details:
1) **ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter**
   - Not working correctly.
   - ARP requests are received by the access point, but they are not received by the clients.
2) **ID 0bda:b812 Realtek Semiconductor Corp.**
   - Working satisfactorily.
   - ARP requests and ARP replies between arbitrary clients are working correctly.
Andreas Matthias
(241 rep)
Apr 17, 2021, 02:17 AM
• Last activity: Oct 8, 2024, 04:42 PM
0
votes
1
answers
765
views
How to Get All Network Interface IP Address using BMC/IPMI
I have Many server booted up to Debian 12 connected to a common switch.
All I know is their BMC Macs and bmc passwords for each unit(all of them not from same manufacturer).
Is there a standard way to find out all Eth Interfaces IP address of the corresponding BMC Mac (Unit)?
Is there any ipmitool command to get IP Addresses of all the NICs?
Hint:
1. I Only have IP address of one of those units and I can ssh into it(This is my DHCP server).
2. On the machine mentioned above, I can run arp-scan and get all the ip addresses of those other machines which are connected to the same switch but how do I tell which ip belongs to what corresponding BMC Mac address.
Kaleem Khattak
(3 rep)
Sep 26, 2024, 06:40 PM
• Last activity: Sep 27, 2024, 06:12 AM
0
votes
1
answers
366
views
Why is 00:00:00:00:00:00 address used instead of broadcast address ff:ff:ff:ff:ff:ff in ARP?
The following is my stripped down `ARP` ruleset, only broadcast rules are shown, other rules (not shown here) are not relevant.
Please see code comments that are questions (?)
```sh
#!/usr/sbin/nft -f
add chain arp arp_table input {
	# filter = 0
	# Packets delivered to the local system
	type filter hook input priority filter; policy drop;
}
add chain arp arp_table output {
	# filter = 0
	# Packets send by the local system
	type filter hook output priority filter; policy drop;
}
# ARP Broadcast address
define broadcast_ether = { ff:ff:ff:ff:ff:ff }
# IPv4 network address
define network_addr_4 = { 192.168.1.0/24 }
# NIC ether address
define physical_ether = { bb:c9:51:d4:4a:b6 }
# Why input to broadcast address never hits?
# This rule should handle broadcast input
add rule arp arp_table input arp daddr ether $broadcast_ether log prefix "ACCEPT input broadcast: " accept
# Why input to 00:00:00:00:00:00 hits instead?
# This rule handles input toward 00:00:00:00:00:00 from LAN
add rule arp arp_table input arp saddr ip $network_addr_4 arp daddr ether 00:00:00:00:00:00 accept
# Why output to broadcast never hits?
# This rule should handle output toward ff:ff:ff:ff:ff:ff to LAN
add rule arp arp_table output arp daddr ether $broadcast_ether log prefix "ACCEPT output broadcast: " accept
# Why output to 00:00:00:00:00:00 hits instead?
# This rule handles output toward 00:00:00:00:00:00 to LAN
add rule arp arp_table output arp saddr ether $physical_ether arp daddr ether 00:00:00:00:00:00 accept
```
There are several questions here, the main one being that `ARP` broadcast traffic `ff:ff:ff:ff:ff:ff` is nonexistent, that's why I added log statement to hopefully catch such traffic but it never appears, for both `input` and `output` traffic.
What happens instead is I see a lot of input/output directed toward `00:00:00:00:00:00` address, which suggests that `00:00:00:00:00:00` is broadcast address somehow.
So the main question is why don't I see `ARP` traffic directed toward broadcast address and why is `00:00:00:00:00:00` address used instead?
2nd question is, what is `00:00:00:00:00:00` address? why it is needed and what does it mean?
If I block traffic to/from `00:00:00:00:00:00` (ex. by removing those rules) then networking will stop to function due to a such `ARP` packets being dropped.
metablaster
(776 rep)
Sep 17, 2024, 09:33 PM
• Last activity: Sep 21, 2024, 04:34 PM
0
votes
1
answers
359
views
Setting up network manually, no dhcp, IPV4 only
I’m trying to configure ip (static, so without dhcp), there are some problems that I can't resolve by my self, because I do not understand it in a whole. Sorry if it is already answered, but as I said, I can't find any topic explaining it in a whole.
I'm using wpa_supplicant to connect, on a system with openRC as service manager.
Here are what I did yet :
DNS resolution : /etc/resolve.conf
```
172.20.10.1
```
Host name : /etc/hosts
```
.168.1.150 myname.name.net
```
Interfaces : /etc/network/interfaces
```
lo
iface lo inet loopback
auto eth0
auto wlan0
iface wlan0 inet static
address 192.168.1.150
netmask 255.255.255.0
gateway 192.168.1.1
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
```
- ip a(ddress) : gives me an ip for the interface wlan0, but no netmask, not gateway.
- arp : `? (192.168.1.1) at <incomplete> on wlan0`
- ip r(oute) :
```
192.168.1.1 dev wlan0 metric 1 onlink
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.150
```
With this, I can't connect to a router, but looks like I can only send packets, `stackoverflow.com` returns error.
My questions are :
1. Why arp is incomplete, and how to fix it ?
2. Why a doesn't print netmask and gateway for device wlan0 ?
Thanks to anyone who takes time to answer to an apprentice.
anothereality444
(1 rep)
Jul 13, 2024, 04:48 PM
• Last activity: Jul 13, 2024, 07:34 PM
2
votes
1
answers
200
views
arptables not working with nmap
I'm trying to implement a way to prevent network scans from my notebook. One of the things I want is to allow arp request to specific hosts, like my gateway.
I added some rules using arptables and they seem to work (at first)
```
arptables -A OUTPUT -d 192.168.1.30 -j DROP
arptables -A INPUT -s 192.168.1.30 -j DROP
```
This is actually blocking arp requests to this host. If I run (target host):
```
tcpdump -n port not 22 and host 192.168.1.38
```
and run (notebook):
```
arp -d 192.168.1.30; ping -c 1 192.168.1.30; arp -n
```
tcpdump shows no incoming packets on the target and `arp -n` on the notebook shows (incomplete)
But if I run `nmap -sS 192.168.1.30` on my notebook I get on the target host:
```
22:21:12.548519 ARP, Request who-has 192.168.1.30 tell 192.168.1.38, length 46
22:21:12.548655 ARP, Reply 192.168.1.30 is-at xx:xx:xx:xx:xx:xx, length 28
22:21:12.728499 ARP, Request who-has 192.168.1.30 tell 192.168.1.38, length 46
22:21:12.728538 ARP, Reply 192.168.1.30 is-at xx:xx:xx:xx:xx:xx, length 28
```
but an arp -n on the notebook still shows incomplete, but the nmap detects the host.
I also tried using **nftables** and **ebtables** with no success.
How can I prevent nmap to send arp request and finding the host?
Alberto Pires
(253 rep)
Feb 29, 2024, 01:30 AM
• Last activity: Apr 19, 2024, 10:46 PM
0
votes
1
answers
543
views
What's the difference between "Connection timed out" v/s "No route to host" for ncat command?
I tried to use ncat command to 2 diff unknown IPs from a CENTOS 7 (linux) terminal.
```
[abc@localhost ~]$ ncat -zv 10.11.78.5 22
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: No route to host.
[abc@localhost ~]$ ncat -zv 10.11.215.243 22
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection timed out.
```
In case 1, when I use tcpdump I see:
```
10.11.77.147.22 > 10.11.236.41.55722: Flags [P.], cksum 0x4ef1 (incorrect -> 0xcc2c), seq 2565:2601, ack 1124, win 318, options [nop,nop,TS val 523166642 ecr 4195774342], length 36
13:57:39.271990 [SOURCE_MAC] > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.11.78.5 tell 10.11.77.147, length 28
13:57:39.272428 [SOURCE_MAC] > [DEST_MAC], ethertype IPv4 (0x0800), length 150: (tos 0x12,ECT(0), ttl 64, id 2262, offset 0, flags [DF], proto TCP (6), length 136)
10.11.77.147.22 > 10.11.236.41.55722: Flags [P.], cksum 0x4f21 (incorrect -> 0x12b6), seq 2601:2685, ack 1124, win 318, options [nop,nop,TS val 523166656 ecr 4195774342], length 84
13:57:39.641351 [SRC_MAC] > [DEST_MAC], ethertype IPv4 (0x0800), length 66: (tos 0x48, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 52)
10.11.236.41.55722 > 10.11.77.147.22: Flags [.], cksum 0x580f (correct), ack 2601, win 2047, options [nop,nop,TS val 4195774724 ecr 523166642], length 0
13:57:39.641351 [SRC_MAC] > [DEST_MAC], ethertype IPv4 (0x0800), length 66: (tos 0x48, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 52)
10.11.236.41.55722 > 10.11.77.147.22: Flags [.], cksum 0x57ae (correct), ack 2685, win 2046, options [nop,nop,TS val 4195774724 ecr 523166656], length 0
13:57:40.272221 [SOURCE_MAC] > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.11.78.5 tell 10.11.77.147, length 28
```
In case 2, when I use tcpdump I see:
```
15:27:20.847566 SRC_MAC > DEST_MAC, ethertype IPv4 (0x0800), length 102: (tos 0x4a,ECT(0), ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 88)
10.11.236.41.56347 > 10.11.77.147.22: Flags [P.], cksum 0x3679 (correct), seq 3046:3082, ack 2950, win 2048, options [nop,nop,TS val 3721004625 ecr 528532842], length 36
15:27:20.860097 DEST_MAC > SRC_MAC, ethertype IPv4 (0x0800), length 102: (tos 0x12,ECT(0), ttl 64, id 35536, offset 0, flags [DF], proto TCP (6), length 88)
10.11.77.147.22 > 10.11.236.41.56347: Flags [P.], cksum 0x0cb5 (correct), seq 2950:2986, ack 3082, win 318, options [nop,nop,TS val 528548224 ecr 3721004625], length 36
15:27:20.860124 DEST_MAC > SRC_MAC, ethertype IPv4 (0x0800), length 150: (tos 0x12,ECT(0), ttl 64, id 35537, offset 0, flags [DF], proto TCP (6), length 136)
10.11.77.147.22 > 10.11.236.41.56347: Flags [P.], cksum 0xfd88 (correct), seq 2986:3070, ack 3082, win 318, options [nop,nop,TS val 528548231 ecr 3721004625], length 84
15:27:20.865395 DEST_MAC > SRC_MAC, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 15451, offset 0, flags [DF], proto TCP (6), length 60)
10.11.77.147.58106 > 10.11.215.243.22: Flags [S], cksum 0xcab1 (correct), seq 2395880917, win 29200, options [mss 1460,sackOK,TS val 528548238 ecr 0,nop,wscale 7], length 0
15:27:21.178240 SRC_MAC > DEST_MAC, ethertype IPv4 (0x0800), length 66: (tos 0x48, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 52)
10.11.236.41.56347 > 10.11.77.147.22: Flags [.], cksum 0x990d (correct), ack 2986, win 2047, options [nop,nop,TS val 3721004956 ecr 528548224], length 0
15:27:21.178240 SRC_MAC > DEST_MAC, ethertype IPv4 (0x0800), length 66: (tos 0x48, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 52)
10.11.236.41.56347 > 10.11.77.147.22: Flags [.], cksum 0x98b3 (correct), ack 3070, win 2046, options [nop,nop,TS val 3721004956 ecr 528548231], length 0
15:27:21.867037 DEST_MAC > SRC_MAC, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 15452, offset 0, flags [DF], proto TCP (6), length 60)
10.11.77.147.58106 > 10.11.215.243.22: Flags [S], cksum 0xc6c7 (correct), seq 2395880917, win 29200, options [mss 1460,sackOK,TS val 528549240 ecr 0,nop,wscale 7], length 0
15:27:23.870566 DEST_MAC > SRC_MAC, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 15453, offset 0, flags [DF], proto TCP (6), length 60)
10.11.77.147.58106 > 10.11.215.243.22: Flags [S], cksum 0x3aa9 (incorrect -> 0xbef3), seq 2395880917, win 29200, options [mss 1460,sackOK,TS val 528551244 ecr 0,nop,wscale 7], length 0
15:27:23.996114 SRC_MAC > DEST_MAC, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 58, id 50466, offset 0, flags [none], proto ICMP (1), length 88)
10.11.26.4 > 10.11.77.147: ICMP host 10.11.215.243 unreachable, length 68
(tos 0x0, ttl 57, id 15451, offset 0, flags [DF], proto TCP (6), length 60)
10.11.77.147.58106 > 10.11.215.243.22: Flags [S], cksum 0xcaf6 (correct), seq 2395880917, win 29200, options [mss 1391,sackOK,TS val 528548238 ecr 0,nop,wscale 7], length 0
15:27:23.996114 SRC_MAC > DEST_MAC, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 58, id 50467, offset 0, flags [none], proto ICMP (1), length 88)
10.11.26.4 > 10.11.77.147: ICMP host 10.11.215.243 unreachable, length 68
(tos 0x0, ttl 57, id 15452, offset 0, flags [DF], proto TCP (6), length 60)
10.11.77.147.58106 > 10.11.215.243.22: Flags [S], cksum 0xc70c (correct), seq 2395880917, win 29200, options [mss 1391,sackOK,TS val 528549240 ecr 0,nop,wscale 7], length 0
```
15:27:26.999948 SRC_MAC > DEST_MAC, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 58, id 50468, offset 0, flags [none], proto ICMP (1), length 88)
10.11.26.4 > 10.11.77.147: ICMP host 10.11.215.243 unreachable, length 68
It starts from 10.xx so Private IPs. Also I've sanitised MAC addresses for obv reasons.
1. Both IPs seem unreachable, but we have diff in output?
2. In one case we get ICMP packet while that is absent in other?
3. "Connection timed out" v/s "No route to host"
4. What more to search for the real cause?
local host : 10.11.77.147
Ayush Raj
(101 rep)
Jan 9, 2024, 04:30 PM
• Last activity: Jan 9, 2024, 04:51 PM
0
votes
2
answers
106
views
Determine users of nearby machine from CLI
Ok, so at my house I have three computers, and I frequently enjoy using `ssh` and `scp` to run commands that allow me to do wonderful things. Primarily transferring downloaded files, and running media remotely (music, video etc.). Usually I use the `arp -a` command to determine which other computers are on my network, but this only shows the local IPs. I often forget the **users** that exist on my other machines, and I would like to be able to:
**have a command that shows me the users of a remote computer either by network or IP address**
OneChillDude
(617 rep)
Jun 29, 2013, 09:11 PM
• Last activity: Dec 16, 2023, 11:02 AM
0
votes
1
answers
125
views
How do I get all MAC addresses of all devices on my LAN that have an IP address (equivalent of doas nmap -sn but for IPv6)?
```
#!/usr/bin/bash
echo "Give me your private IP and its mask";read given
if [[ "$given" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/{0,1}[0-9]{1,3} ]]; then
    echo "version 4"
    doas nmap -sn "$given"
    arp
else
    echo "version 6"
    prefix=${given::6}
    mask=$(echo "$given"|sed -E 's|.*(/[0-9]{1,3})|\1|')
    echo "$mask"
    echo "$prefix"
    doas nmap -6 -sn "$given" #halts, I have to press Ctrl-C
    doas nmap -6 --script=neighbors "$given" #does not work
    doas nmap -6 --script=neighbors "$prefix$mask" #does not work
    doas ip -6 neighbour #empty line, no results
fi
```
```
Give me your private IP and its mask
fe80::xxxx:xxxx:xxxx:xxxx/64
version 6
/64
fe80::
doas (j@j-AERO-17-KC) password:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-26 12:55 CET
Interrupt
doas (j@j-AERO-17-KC) password:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-26 12:59 CET
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:818: 'neighbors' did not match a category, filename, or directory
stack traceback:
/usr/bin/../share/nmap/nse_main.lua:818: in local 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1310: in main chunk
QUITTING!
doas (j@j-AERO-17-KC) password:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-26 12:59 CET
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:818: 'neighbors' did not match a category, filename, or directory
stack traceback:
/usr/bin/../share/nmap/nse_main.lua:818: in local 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1310: in main chunk
QUITTING!
```
I replaced with `x` some of the digits of my address - for the sake of preserving my privacy.
**1.** Why does my script halt on `doas nmap -6 -sn "$given"` when an IPv6 address is given?
**2.** `doas nmap -6 --script=neighbors "$prefix$mask"` was suggested by ChatGPT to me - why doesn't it work?
**3.** Why doesn't `doas ip -6 neighbour` work?
John Smith
(827 rep)
Nov 26, 2023, 12:29 PM
• Last activity: Dec 12, 2023, 10:16 AM
0
votes
1
answers
396
views
Linux and KVM Qemu VM - "Couldn't ARP for host" despite that host and VM are both bridged and in the same subnet
I am using KVM Qemu in Kali linux host, and trying to practice ARP spoofing. In the Kali linux (which is connected to wired ethernet network), I have set up the following configuration (from tutorials I followed) in **`/etc/network/interfaces`** to configure my KVM VMs to use bridged mode of networking.
```
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
    address 192.168.10.12
    broadcast 192.168.10.255
    netmask 255.255.255.0
    gateway 192.168.10.1
    bridge_ports eth0
    bridge_stp off
    bridge_waitport 0
    bridge fd 0
```
To provide further information, following is the result of running `ip a` in my host machine:
```
└─$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 10:7b:44:35:45:29 brd ff:ff:ff:ff:ff:ff
3: wlan0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 56:1b:f4:e4:1e:67 brd ff:ff:ff:ff:ff:ff permaddr 34:f6:4b:ff:c2:01
4: br0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:7b:44:35:45:29 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.12/24 brd 192.168.10.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::127b:44ff:fe35:4529/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
5: virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:07:00:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
6: vnet0: mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:d6:07:c1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fed6:7c1/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
7: vnet1: mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:f4:dd:55 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fef4:dd55/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
```
Now, when creating my KVM VM, I set it up to use **bridged** networking mode, as can be seen in the following screenshot.

Then inside the VM, I gave it the static IP of `192.168.10.30` by doing the following configuration in `/etc/network/interfaces` file:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
#The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet static
address 192.168.10.30
netmask 255.255.255.0
gateway 192.168.10.1
Both the host and the VM *can ping each other*. However, when I try to run **`arpspoof`** by executing **`sudo arpspoof -i eth0 -t 192.168.10.30 192.168.10.1`** on the host machine, I get **`arpspoof: couldn't arp for host 192.168.10.30`**. **The question is why and what do I do to fix it?**
____________________________
***WHAT I TRIED:***
Of course I tried to search it before posting here, and I found a ton of results, including those on this forum, but they were for VMWare or Virtual Box, and the OP would either try it across different subnets or would not be bridged mode of networking etc. I took care of all those things.
Shy
(649 rep)
Nov 9, 2023, 12:24 PM
• Last activity: Nov 9, 2023, 01:18 PM
5
votes
2
answers
14790
views
How can I find out the hostnames of other computers in the same local network?
In my local wifi, I can find out the IP and MAC of another computer which also runs Lubuntu, and whose hostname is known to me.
```
$ sudo arp-scan olive
[sudo] password for t:
Interface: wlx801f02b5c389, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.198 aa:bb:cc:dd:ee:ff Liteon Technology Corporation
1 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 1 hosts scanned in 1.449 seconds (0.69 hosts/sec). 1 responded
```
There are other computers in the same local wifi network, which most likely run Windows and whose hostnames I don't know.
Can I find out their hostnames from my computer?
`arp-scan -l` doesn't show that information.
Thanks.
Tim
(106420 rep)
Feb 24, 2019, 02:19 AM
• Last activity: Jul 20, 2023, 01:15 PM