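Inside an Ethernet network, frames are delivered by MAC address; ARP is the mapping from IP address to MAC address.
The local machine's IP and MAC information: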
[winlin@dev6 ~]$ ifconfig
eth1 Link encap:Ethernet HWaddr 08:00:27:55:0F:09
Add an address record to /etc/hosts:
vi /etc/hosts
192.168.20.190 winlin002
The details of winlin002:
[winlin@localhost ~]$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:A4:C1:93
Then capture packets with tcpdump:
sudo tcpdump -i eth1 -e|grep winlin002
Log in to winlin002 over ssh:
ssh winlin002
At this point, tcpdump prints the following messages:
22:01:35.109166 08:00:27:55:0f:09 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Request who-has winlin002 tell dev6, length 28
22:01:35.110199 08:00:27:a4:c1:93 (oui Unknown) > 08:00:27:55:0f:09 (oui Unknown), ethertype ARP (0x0806), length 60: Reply winlin002 is-at 08:00:27:a4:c1:93 (oui Unknown), length 46
22:01:35.110204 08:00:27:55:0f:09 (oui Unknown) > 08:00:27:a4:c1:93 (oui Unknown), ethertype IPv4 (0x0800), length 74: dev6.46897 > winlin002.ssh: Flags [S], seq 2614233586, win 5840, options [mss 1460,sackOK,TS val 130855853 ecr 0,nop,wscale 5], length 0
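The first line is the local machine (08:00:27:55:0f:09) broadcasting an ARP message on the Ethernet, asking "who-has winlin002 tell dev6".
The second line is winlin002 (08:00:27:a4:c1:93) replying to the local machine: "Reply winlin002 is-at 08:00:27:a4:c1:93".
The third line is the IP packet itself:
08:00:27:55:0f:09 > 08:00:27:a4:c1:93, ethertype IPv4 (0x0800), length 74: dev6.46897 > winlin002.ssh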
Looking at the ARP table with arp, there is one new cache entry:
[winlin@dev6 ~]$ arp -a
winlin002 (192.168.20.190) at 08:00:27:a4:c1:93 [ether] on eth1
It can be deleted:
[winlin@dev6 ~]$ sudo arp -d winlin002
[winlin@dev6 ~]$ arp -a
winlin002 (192.168.20.190) at <incomplete> on eth1
localhost (192.168.20.1) at 28:94:0f:ed:a9:3f [ether] on eth1
localhost (192.168.20.26) at d4:be:d9:a3:51:14 [ether] on eth1
[winlin@dev6 ~]$
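In the capture above, dev6 caches whatever MAC the ARP reply claims, since ARP replies carry no authentication. As an added example (not part of the original post), the Python script below parses `tcpdump -e` lines in the format shown above and flags replies where a host is claimed by a second MAC or where the frame's source MAC differs from the advertised one; the third sample line and its 02:00:00:00:00:01 address are constructed, and the alert names are this example's own.

```python
import re

# ARP reply as printed by `tcpdump -e`:
# timestamp, frame source MAC, ..., "Reply <host> is-at <mac>"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) .*?ethertype ARP .*?"
    r"Reply (?P<host>\S+) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

def check_arp_replies(lines):
    """Return (bindings, alerts) for the ARP replies found in tcpdump -e output."""
    bindings = {}  # host -> first MAC seen for it
    alerts = []    # (timestamp, host, kind, detail)
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue  # ARP requests, IPv4 frames, anything else
        ts, host = m["ts"], m["host"]
        src, mac = m["src"].lower(), m["mac"].lower()
        # Heuristic: the NIC sending a reply normally advertises its own address.
        if src != mac:
            alerts.append((ts, host, "sender-mismatch", f"frame from {src} claims {mac}"))
        # Keep the first binding; a later reply with another MAC is reported.
        known = bindings.setdefault(host, mac)
        if known != mac:
            alerts.append((ts, host, "binding-changed", f"{known} -> {mac}"))
    return bindings, alerts

# The first two lines are from the capture above; the third is constructed for this example.
SAMPLE = [
    "22:01:35.109166 08:00:27:55:0f:09 (oui Unknown) > Broadcast, ethertype ARP (0x0806), "
    "length 42: Request who-has winlin002 tell dev6, length 28",
    "22:01:35.110199 08:00:27:a4:c1:93 (oui Unknown) > 08:00:27:55:0f:09 (oui Unknown), "
    "ethertype ARP (0x0806), length 60: Reply winlin002 is-at 08:00:27:a4:c1:93 "
    "(oui Unknown), length 46",
    "22:01:40.000000 02:00:00:00:00:01 (oui Unknown) > 08:00:27:55:0f:09 (oui Unknown), "
    "ethertype ARP (0x0806), length 60: Reply winlin002 is-at 02:00:00:00:00:01 "
    "(oui Unknown), length 46",
]

if __name__ == "__main__":
    table, found = check_arp_replies(SAMPLE)
    for host, mac in table.items():
        print(f"{host} is-at {mac}")
    for alert in found:
        print("ALERT", *alert)
```

For live use, the function accepts any iterable of lines, such as the output of the tcpdump command shown earlier.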