I have a computer with 2 NICs that are bridged and I need a means of distinguishing machines connected to eth0 from machines connected to eth1.

I was hoping to use something like the "arp -a" command. However, when the NICs are bridged, the arp table is always empty. I believe this is correct since section 2.1.1, Overview of Address Resolution Protocol [http://linux-ip.net/html/ether-arp.html], mentions that "Since networking hardware such as switches, hubs, and bridges operate on Ethernet frames, they are unaware of the higher layer data carried by these frames".

Is anyone aware of other tools that I could use which will maintain an arp table on a particular NIC even when the NIC has been bridged?

user975326
  • Perhaps try '$ sudo tcpdump -i [brX|ethX] "arp"' first to see what ARP traffic you can see and on what interface. – ab77 Oct 08 '13 at 09:15
  • The bridge can be used as an (L3-) interface in the bridged network. Assign an IP address and there you go. – Michuelnik Oct 08 '13 at 09:43
  • I had a similar idea, however the problem is the packets appear on both NICs (they are bridged). So for this to work you'd need to compare the packets arrival time - the inbound port seems to arrive slightly earlier than on the other port, but this is a bit dirty. – user975326 Oct 08 '13 at 09:47
  • I assigned the bridge an IP address but "arp -a" still comes up empty. Is "ifconfig br0 X.X.X.X netmask Y.Y.Y.0 up" sufficient? – user975326 Oct 08 '13 at 09:50
  • No, it's the same with 'arp -a' - machines have to actually exchange traffic to initiate arp resolution. So a ping sweep should do the trick. – Michuelnik Oct 08 '13 at 09:52

2 Answers

1

You won't get the IP address this way, but you can see which MACs the bridge has learned:

# brctl showmacs br0
port no mac addr                is local?       ageing timer
  1     00:16:3e:aa:bb:cc       no                 3.02
  1     00:16:3e:ab:bb:cc       no                30.37
  1     00:16:3e:ac:bb:cc       no                90.66
  2     fe:ff:ff:ff:ff:ff       yes                0.00

Note the port column: it tells you on which interface (port) the packet entered the bridge. If unclear which one is which, run brctl show.

If you need the IP address too, you'd have to assign a network address to the bridge and initiate a ping scan:

ip addr add X.X.X.X/yy dev br0      # give the bridge an address in the bridged subnet
nmap -T5 -sP X.X.X.Z/yy             # ping sweep: forces ARP resolution of every host that answers
arp -a                              # now lists IP -> MAC for the hosts that replied
ip addr del X.X.X.X/yy dev br0      # remove the temporary address again
fuero
  • Yes, I found this command as well (I'd up-vote if I had the rep). I just need a nice way of translating the mac into an ip address and I'd have all the information required! – user975326 Oct 08 '13 at 09:54
0

Although the answers above are correct and will work, I wanted something a little more silent than having to make ping scans.

I'm still slightly confused as to why the standard arp command doesn't work. I'm sure there's probably some configuration I've missed.

My current solution however, is to use arpwatch [http://en.wikipedia.org/wiki/Arpwatch] in conjunction with "brctl showmacs".

Arpwatch generates different output files mapping IP addresses to MAC addresses. "brctl showmacs" provides the MAC address to physical port mapping. With these two tools I have everything I need.

[Edit] Also, arpalert has very similar functionality and is a bit simpler to get working.

Thanks to everyone that commented.

user975326
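Putting the two halves together, as an added example that is not part of either answer: the shell function below joins the brctl showmacs output (MAC to bridge port, in the format shown in the first answer) with the host's neighbour table (IP to MAC, here in the iproute2 `ip -4 neigh show dev br0` form of `arp -a`, which is also the pairing arpwatch logs) and prints one `ip mac port` line per host. All input is constructed sample data (RFC 5737 192.0.2.0/24 addresses and made-up MACs), not captured from a real bridge. The optional third argument that labels port numbers with interface names is an assumption for the example; on a real host that number comes from /sys/class/net/<iface>/brport/port_no. The output makes two caveats visible: the neighbour table only holds hosts br0 has actually exchanged traffic with (hence the ping sweep or arpwatch), so an entry without an lladdr is reported as unresolved, and learned MACs age out of the bridge's table (the ageing timer column), so a MAC the host still knows but the bridge has forgotten is reported as unknown.

```shell
#!/bin/sh
# Join "MAC -> bridge port" (brctl showmacs) with "IP -> MAC" (ip neigh)
# to answer "which physical port is this IP address behind?".
# Both inputs below are constructed sample data, not real captures.

# Constructed sample of `brctl showmacs br0` (ageing timer is seconds since last seen).
SAMPLE_SHOWMACS='port no mac addr                is local?       ageing timer
  1     00:16:3e:aa:bb:cc       no                 3.02
  1     00:16:3e:ab:bb:cc       no                30.37
  2     00:16:3e:ac:bb:cc       no                90.66
  2     fe:ff:ff:ff:ff:ff       yes                0.00'

# Constructed sample of `ip -4 neigh show dev br0` after a ping sweep.
# 192.0.2.30 never answered; 192.0.2.40 answered once but has since aged out of the FDB.
SAMPLE_NEIGH='192.0.2.10 lladdr 00:16:3e:aa:bb:cc REACHABLE
192.0.2.11 lladdr 00:16:3e:ab:bb:cc STALE
192.0.2.20 lladdr 00:16:3e:ac:bb:cc DELAY
192.0.2.30  FAILED
192.0.2.40 lladdr 00:16:3e:AD:BB:CC STALE'

# map_hosts_to_ports SHOWMACS_TEXT NEIGH_TEXT ["portno=ifname ..."]
# Prints "ip mac port" per neighbour. The third argument is an assumed
# convenience for labelling ports; on a real host read
# /sys/class/net/<iface>/brport/port_no for each bridge member instead.
map_hosts_to_ports() {
    names=${3:-}
    macs_file=$(mktemp); neigh_file=$(mktemp)
    printf '%s\n' "$1" > "$macs_file"
    printf '%s\n' "$2" > "$neigh_file"
    awk -v names="$names" '
        BEGIN {
            # Optional "portno=ifname" pairs, space separated.
            n = split(names, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); ifname[kv[1]] = kv[2] }
        }
        # First file: brctl showmacs. Skip the header; keep learned (non-local) MACs only.
        FNR == NR { if (FNR > 1 && $3 == "no") port[tolower($2)] = $1; next }
        # Second file: ip neigh. The token after "lladdr" is the MAC; FAILED/INCOMPLETE
        # entries carry none, which means the host never answered.
        {
            mac = ""
            for (i = 1; i <= NF; i++) if ($i == "lladdr") { mac = tolower($(i + 1)); break }
            if (mac == "") { print $1, "-", "unresolved"; next }
            if (mac in port) {
                p = port[mac]
                print $1, mac, ((p in ifname) ? ifname[p] : p)
            } else {
                # Host resolved, but the bridge has no (or no longer any) FDB entry for it.
                print $1, mac, "unknown"
            }
        }' "$macs_file" "$neigh_file"
    rm -f "$macs_file" "$neigh_file"
}

# Stand-alone run over the constructed samples.
map_hosts_to_ports "$SAMPLE_SHOWMACS" "$SAMPLE_NEIGH" "1=eth0 2=eth1"
```

On a live host, replace the two sample variables with `brctl showmacs br0` and `ip -4 neigh show dev br0` (after the ping sweep from the first answer, or from arpwatch's log), and run it promptly: an "unknown" result usually just means the bridge's ageing timer expired between the sweep and the lookup, so re-run the sweep rather than trusting a stale join.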