测试ARP/ND双发效果的小工具
2025年8月14日 20:30
在上一篇Blog里说了一下关于ARP/ND双发的实现,但是还遗留了一个小问题,就是如何测试最终的效果,毕竟正常情况下,ARP还有ND相关的报文,都是由内核协议栈根据需要发出的,不太稳定,总不能一直抓包等着内核发包吧?所以还是需要借助一些工具来实现。
ARP双发检测
ARP双发的测试还是比较简单的,毕竟大家都知道arping这个工具,可以用来发送ARP请求并接收ARP应答。使用起来也是非常顺畅的:
# arping 192.68.100.1 -c 2ARPING 192.68.100.1 from 192.68.100.21 eth0Unicast reply from 192.68.100.1 [00:11:22:33:44:01] 1.315msUnicast reply from 192.68.100.1 [00:11:22:33:44:01] 1.355msUnicast reply from 192.68.100.1 [00:11:22:33:44:01] 1.112msUnicast reply from 192.68.100.1 [00:11:22:33:44:01] 1.233msSent 2 probes (1 broadcast(s))Received 4 response(s)可以发现,arping工具发送了2个ARP请求,成功地收到了4次ARP应答,这表明ARP双发功能正常。两次请求中,第一次是广播请求,可以模拟第一次学习MAC地址时的场景,第二次是单播请求,可以模拟已有MAC后的确认场景,尝试抓包,也是可以看到结果是符合预期的:
# sudo tcpdump -i eth0 arp -nnndropped privs to tcpdumptcpdump: verbose output suppressed, use -v[v]... for full protocol decodelistening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes20:16:03.982709 ARP, Request who-has 192.68.100.1 (ff:ff:ff:ff:ff:ff) tell 192.68.100.21, length 2820:16:03.983231 ARP, Reply 192.68.100.1 is-at 00:11:22:33:44:01, length 4620:16:03.983298 ARP, Reply 192.68.100.1 is-at 00:11:22:33:44:01, length 4620:16:04.982738 ARP, Request who-has 192.68.100.1 (00:11:22:33:44:01) tell 192.68.100.21, length 2820:16:04.983343 ARP, Reply 192.68.100.1 is-at 00:11:22:33:44:01, length 4620:16:04.983412 ARP, Reply 192.68.100.1 is-at 00:11:22:33:44:01, length 466 packets captured6 packets received by filter0 packets dropped by kernelND双发检测
接下来轮到IPv6的ND报文了,这里介绍一个工具包NDisc6,可以部分替代arping的功能,为什么是部分替代呢?因为和arping不同,...
剩余内容已隐藏
查看完整文章以阅读更多