Talk:Arp-scan Desired New Features

From NTA-Wiki

Token Ring Support

Token ring adapter is pcmcia on Debian sarge:

$ ifconfig tr0
tr0       Link encap:16/4 Mbps Token Ring (New)  HWaddr 00:A0:24:F9:D5:06
          inet addr:192.168.99.102  Bcast:192.168.99.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:2000  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:990 (990.0 b)  TX bytes:844 (844.0 b)
          Interrupt:3 Base address:0xa20 Memory:d4000-d7fff

There are three systems on the ring:

IP Address	MAC Address	System
192.168.99.100	00:00:F6:C8:B2:A1	Windows XP
192.168.99.101	00:00:83:2A:CB:A3	Windows XP
192.168.99.102	00:A0:24:F9:D5:06	Debian Sarge

tcpdump output showing a normal ARP request and response:

# tcpdump -n -i tr0 -s 0 -e -xx -v -v
tcpdump: listening on tr0, link-type IEEE802 (Token ring), capture size 65535 bytes
10:49:28.401482 10 40 00:a0:24:f9:d5:06 ff:ff:ff:ff:ff:ff 52: Single-route Forwa
rd (2052) LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, arp who-has 192.168
.99.101 tell 192.168.99.102 hardware #6
        0x0000:  1040 ffff ffff ffff 80a0 24f9 d506 c220  .@........$.....
        0x0010:  aaaa 0300 0000 0806 0006 0800 0604 0001  ................
        0x0020:  00a0 24f9 d506 c0a8 6366 0000 0000 0000  ..$.....cf......
        0x0030:  c0a8 6365                                ..ce
10:49:28.402105 18 40 00:a0:24:f9:d5:06 ff:ff:ff:ff:ff:ff 52: Single-route Forwa
rd (2052) LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, arp who-has 192.168
.99.101 tell 192.168.99.102 hardware #6
        0x0000:  1840 ffff ffff ffff 80a0 24f9 d506 c220  .@........$.....
        0x0010:  aaaa 0300 0000 0806 0006 0800 0604 0001  ................
        0x0020:  00a0 24f9 d506 c0a8 6366 0000 0000 0000  ..$.....cf......
        0x0030:  c0a8 6365                                ..ce
10:49:28.402386 18 40 00:00:83:2a:cb:a3 00:a0:24:f9:d5:06 50: LLC, dsap SNAP (0x
aa), ssap SNAP (0xaa), cmd 0x03, arp reply 192.168.99.101 is-at 00:00:83:2a:cb:a
3 hardware #6
        0x0000:  1840 00a0 24f9 d506 0000 832a cba3 aaaa  .@..$......*....
        0x0010:  0300 0000 0806 0006 0800 0604 0002 0000  ................
        0x0020:  832a cba3 c0a8 6365 00a0 24f9 d506 c0a8  .*....ce..$.....
        0x0030:  6366                                     cf

Another tcpdump example.

# tcpdump -n -i tr0 -s 256 -xx -v -v -e arp
tcpdump: listening on tr0, link-type IEEE802 (Token ring), capture size 256 bytes
16:45:30.883338 10 40 00:00:f6:c8:b2:a1 ff:ff:ff:ff:ff:ff 50: LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, arp who-has 192.168.99.101 tell 192.168.99.100 hardware #6
        0x0000:  1040 ffff ffff ffff 0000 f6c8 b2a1 aaaa  .@..............
        0x0010:  0300 0000 0806 0006 0800 0604 0001 0000  ................
        0x0020:  f6c8 b2a1 c0a8 6364 0000 0000 0000 c0a8  ......cd........
        0x0030:  6365                                     ce
16:45:41.133093 10 40 00:00:f6:c8:b2:a1 ff:ff:ff:ff:ff:ff 50: LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, arp who-has 192.168.99.102 tell 192.168.99.100 hardware #6
        0x0000:  1040 ffff ffff ffff 0000 f6c8 b2a1 aaaa  .@..............
        0x0010:  0300 0000 0806 0006 0800 0604 0001 0000  ................
        0x0020:  f6c8 b2a1 c0a8 6364 0000 0000 0000 c0a8  ......cd........
        0x0030:  6366                                     cf
16:45:46.131337 10 40 00:a0:24:f9:d5:06 00:00:f6:c8:b2:a1 50: LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, arp who-has 192.168.99.100 tell 192.168.99.102 hardware #6
        0x0000:  1040 0000 f6c8 b2a1 00a0 24f9 d506 aaaa  .@........$.....
        0x0010:  0300 0000 0806 0006 0800 0604 0001 00a0  ................
        0x0020:  24f9 d506 c0a8 6366 0000 0000 0000 c0a8  $.....cf........
        0x0030:  6364                                     cd
16:45:46.132019 10 40 00:00:f6:c8:b2:a1 00:a0:24:f9:d5:06 50: LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, arp reply 192.168.99.100 is-at 00:00:f6:c8:b2:a1 hardware #6
        0x0000:  1040 00a0 24f9 d506 0000 f6c8 b2a1 aaaa  .@..$...........
        0x0010:  0300 0000 0806 0006 0800 0604 0002 0000  ................
        0x0020:  f6c8 b2a1 c0a8 6364 00a0 24f9 d506 c0a8  ......cd..$.....
        0x0030:  6366                                     cf

arp-scan fails:

# arp-scan --interface=tr0 192.168.99.0/24
Interface: tr0, datalink type: IEEE802 (Token ring)
WARNING: Unsupported datalink type
Starting arp-scan 1.5.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
ERROR: failed to send packet: No buffer space available

ARP on Token Ring uses SNAP encoding:

Header	Field	Size
802.5	AC	1 octet
802.5	FC	1 octet
802.5	destination address	6 octets
802.5	source address	6 octets
802.5	routing information	0-18 octets
802.2	0xaa	1 octet
802.2	0xaa	1 octet
802.2	UI	1 octet
SNAP	protocol ID	1 octet
SNAP	type	1 octet
N/A	data	Varies

RFC 1042 details IP over SNAP.

Retrieved from "http://www.nta-monitor.com/wiki/index.php/Talk:Arp-scan_Desired_New_Features"

Talk:Arp-scan Desired New Features

From NTA-Wiki

Token Ring Support

Views

Personal tools

Navigation

Search

Toolbox