arptcpdump
I'm trying to set up tcpdump to filter only gratuitous ARP's. I know that I need to search for packets with a host set to ff:ff:ff:ff:ff:ff. And I found the arp.opcode parameter, but I can't seem to get it to work. For example, this:
tcpdump -i wm0 arp and arp.opcode == 2
returns a syntax error.
Can anyone shed some light on this?
Thanks,
Jason M.
I guess what I'm asking for is, does a solution exist where a single host can cause an unknown NIC MAC Address to respond so as to populate the switch MAC Table? Or another solution that could get this data?
Let's step back for a moment and think about how switches work.
If a switch doesn't know the destination mac-address in a frame, the switch floods the frame with the unknown destination mac out all ports in that vlan; thus you do not need the switch to know the mac-address of the hosts while the host is powered down.
However, you do need to know the mac-address of all PCs in question; that mac-address is embedded in the WOL frame. Quite honestly, knowing the list of macs is pretty simple... just poll your edge router for arp entries for the Vlan(s) in question every five minutes, and store the results somewhere.
Now when you're ready to wake computers up, build a unique list of macs from your archived ARP tables and send a WOL frame to each unique mac; and if you send a WOL frame to a printer that's already up, who cares?
FYI, I built a python WOL packet crafter if it's at all helpful... you'll need linux or another *nix to use it though. Run in cygwin or a VM if you like...
If you really hate the idea of scraping and archiving your ARP table, another option is HP Port-Security with Static mac-learning... that makes the switch remember the mac it learned on a port and then it saves the mac in the running / startup configurations.
The issue has been resolved! I have tried to analyze non-working hosts ARP tables and found ASA's MAC address change. Decreased ASA's log verbosity to Warning level, rebooted it and got a message during boot
IP address collision detected between host 192.168.0.1 at f80f.4197.a18d and interface inside
So found host with the MAC noted. Despite it has different IP address and it is separate point to investigate, host's disconnection immediately resolves the issue.
Best Answer
In the usual tcpdump for Unix systems, only some fields are known by their name.
Try specifying the opcode field by offset and size, and comparing with 2 ("reply")
For broadcasts with opcode "reply", which should be just the gratuitous ARPs: