Friday, 24 August 2012

Can an ARP Request be unicast?

Yes? Don't make that funny face :-). I know that in normal scenarios it is always broadcast. It has to be broadcast, as it is used to get the MAC address of the destination or target. If you already know the MAC address, why would you send an ARP request in the first place?

All of that is correct, but read this, from RFC 1122:

(2)  Unicast Poll -- Actively poll the remote host by
                      periodically sending a point-to-point ARP Request
                      to it, and delete the entry if no ARP Reply is
                      received from N successive polls.  Again, the
                      timeout should be on the order of a minute, and
                      typically N is 2.
This is one of four mechanisms to time out stale ARP entries.

So if you are seeing unicast ARP requests in your network, check whether this is the case.

I am not aware of any other case; let me know if you know of any ...

There is also a Linux tool, "arping", which generates unicast ping requests.
But it first sends a broadcast, gets the MAC address and changes subsequent requests to
unicast; it is just a tool.

How does ARP flush entries?

It's given in RFC 1122:


Four mechanisms have been used, sometimes in
                 combination, to flush out-of-date cache entries.

                 (1)  Timeout -- Periodically time out cache entries,
                      even if they are in use.  Note that this timeout
                      should be restarted when the cache entry is
                      "refreshed" (by observing the source fields,
                      regardless of target address, of an ARP broadcast
                      from the system in question).  For proxy ARP
                      situations, the timeout needs to be on the order
                      of a minute.

                 (2)  Unicast Poll -- Actively poll the remote host by
                      periodically sending a point-to-point ARP Request
                      to it, and delete the entry if no ARP Reply is
                      received from N successive polls.  Again, the
                      timeout should be on the order of a minute, and
                      typically N is 2.

                 (3)  Link-Layer Advice -- If the link-layer driver
                      detects a delivery problem, flush the
                      corresponding ARP cache entry.

                 (4)  Higher-layer Advice -- Provide a call from the
                      Internet layer to the link layer to indicate a
                      delivery problem.  The effect of this call would
                      be to invalidate the corresponding cache entry.
                      This call would be analogous to the
                      "ADVISE_DELIVPROB()" call from the transport layer
                      to the Internet layer (see Section 3.4), and in
                      fact the ADVISE_DELIVPROB routine might in turn
                      call the link-layer advice routine to invalidate


What is the Hardware type in the ARP header?

If you look at an ARP frame in Wireshark, you will notice "Hardware type", a two-byte field with the value 0x0001 (Ethernet). What other hardware types are defined for ARP? Did you ever take the time to think about it?

There are a few more hardware types defined for ARP, and here Ethernet refers to 10 Mb Ethernet. If you go through RFC 826, the ARP RFC, it always talks about 10 Mb Ethernet, so for the Ethernet protocol the hardware type is fixed as 1 (Ethernet 10 Mb).

Why did we not change the hardware type when Fast Ethernet or Gig Ethernet came along? Not sure. Let me know if you know the answer.

What about the "Hardware type" for wireless ARP packets between an 802.11 a/b/g/n AP and a station?

Well, the hardware type is 1 (wrong, or is it a bug?!). I don't have enough expertise to comment on this, so no comments on this either... Let me know if you know any reason for it. Check wireless packets in Wireshark/OmniPeek if you don't trust me.

Anyway, you should never trust anyone if you are a tester; test it, verify it and then give your comments!!!

Back to the main topic: what are the different hardware types defined for ARP? Here is the list, as defined in RFC 1060.


Hardware Type (hrd)

      Type   Description                                 
      ----   -----------                                 
        1    Ethernet (10Mb)                                  
        2    Experimental Ethernet (3Mb)                      
        3    Amateur Radio AX.25                             
        4    Proteon ProNET Token Ring                        
        5    Chaos                                            
        6    IEEE 802 Networks                                
        7    ARCNET                                           
        8    Hyperchannel                                     
        9    Lanstar                                           
       10    Autonet Short Address                          
       11    LocalTalk                                       
       12    LocalNet (IBM PCNet or SYTEK LocalNET)           


Does the ARP RFC require validation of the source IP address?

ARP is defined in RFC 826. The ARP packet size is 28 bytes. The EtherType for ARP is 0x806. The packet format for IPv4 is:

ARP header:

Hardware type (HTYPE) : 2 byte
    This field specifies the network protocol type. Example: Ethernet is 1.

Protocol type (PTYPE) : 2 byte
    For IPv4, this has the value 0x0800.

Hardware length (HLEN) : 1 byte
    Length (in octets) of a hardware address. The Ethernet address size is 6.

Protocol length (PLEN) : 1 byte
    The IPv4 address size is 4.

Operation : 2 byte
    1 for request, 2 for reply.

Sender hardware address (SHA) : 4 byte
    Source MAC address

Sender protocol address (SPA) : 6 byte
    Source IP address

Target hardware address (THA) : 4 byte
    0.0.0.0 for a request; in a reply, the destination MAC of the target

Target protocol address (TPA) : 6 byte
    Destination IP address


Did you know that RFC 826 does not talk about source MAC validation? So if you send an ARP request with the ARP header source MAC address as , Windows and Linux PCs will accept it as it is and update the ARP table. Don't trust me, test it.

How do you send these packets? Use Colasoft Packet Builder.

Windows :

Linux :

So why is this not done? Well, if you check routers/switches such as Cisco or Juniper, they have separate commands to handle this. Something called "arpspoof"; using this you can enable the validations.

Why is it not done in Linux? Well, it's open source... and Windows? Well, they do what they think is correct!!!

Please check whether it is done on your company's routers/switches.
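To spot both cases discussed above on the wire (a unicast ARP request, and an ARP header sender MAC that nobody validated), here is a small added example; it is not code from RFC 826 or from any vendor. It assumes Ethernet II frames, and the function names, finding labels and sample addresses are made up for illustration.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying ARP (EtherType 0x0806)."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an Ethernet ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:22 + 2 * (hlen + plen)]
    if len(body) < 2 * (hlen + plen):
        raise ValueError("truncated ARP body")
    # Address fields are sized by HLEN/PLEN, in the order SHA, SPA, THA, TPA.
    sha, spa = body[:hlen], body[hlen:hlen + plen]
    tha, tpa = body[hlen + plen:2 * hlen + plen], body[2 * hlen + plen:]
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "htype": htype,
            "ptype": ptype, "oper": oper, "sha": sha, "spa": spa,
            "tha": tha, "tpa": tpa}

def check_arp(frame: bytes) -> list:
    """Return findings a monitoring point could raise for one frame."""
    p, findings = parse_arp_frame(frame), []
    if p["oper"] == 1 and p["eth_dst"] != BROADCAST:
        findings.append("unicast-request")      # e.g. an RFC 1122 unicast poll
    if p["sha"] != p["eth_src"]:
        findings.append("sha-differs-from-frame-source")
    if not any(p["sha"]) or p["sha"][0] & 1:
        findings.append("sha-zero-or-group-address")
    return findings

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a constructed sample frame (HTYPE 1, PTYPE 0x0800, HLEN 6, PLEN 4)."""
    return (eth_dst + eth_src
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))

# Constructed sample addresses (locally administered MACs, documentation IPs).
A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLES = {
    "broadcast request": build(BROADCAST, A, 1, A, "192.0.2.1", bytes(6), "192.0.2.2"),
    "unicast poll": build(B, A, 1, A, "192.0.2.1", B, "192.0.2.2"),
    "forged sender": build(BROADCAST, A, 1, BROADCAST, "192.0.2.1", bytes(6), "192.0.2.2"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {check_arp(frame) or 'ok'}")
```

A "unicast-request" finding on its own matches the RFC 1122 unicast poll; the two sender findings are the ones that point at a frame whose ARP header does not match the station that sent it.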

Keep Learning, Keep Breaking !!!

Thursday, 16 August 2012

Why is IP (Internet Protocol) considered a connectionless protocol?

The Internet Protocol is defined in RFC 791. This protocol works at the network layer. The network layer is also called the Internet Protocol layer or IP layer. Someone recently asked me why the Internet Protocol is described as a connectionless protocol. We all know that connection-oriented and connectionless protocols come in at the transport layer, so why is IP called a connectionless protocol? Was it required to be specific about this?

I did some study and came across this information. A connectionless protocol can be anything which does not require prior establishment of channels or links to transfer data. Some examples of connectionless protocols are HTTP, UDP, IP, ICMP, Ethernet, IPX, NetBEUI etc.

Why is HTTP 1.0 considered a connectionless protocol even though it uses TCP? Well, it did not keep track of earlier requests, and every request is a new request for it. HTTPS is a connection-oriented protocol.

Now IP: why is IP a connectionless protocol? It is mentioned in RFC 1122:


Internet Layer

              All Internet transport protocols use the Internet Protocol (IP) to carry data from source host to destination host. IP is a connectionless or datagram internetwork service, providing no end-to-end delivery guarantees. Thus, IP datagrams may arrive at the destination host damaged, duplicated, out of order, or not at all.  The layers above IP are responsible for reliable delivery service when it is required.  The IP protocol includes provision for addressing, type-of-service specification, fragmentation and reassembly, and security information. The datagram or connectionless nature of the IP protocol is a fundamental and characteristic feature of the Internet architecture.  Internet IP was the model for the OSI Connectionless Network Protocol [INTRO:12].


Keep learning, keep sharing!!!

Sunday, 5 August 2012

How to enable email/notification settings in OpenKM (document management system)

We are using OpenKM as our knowledge management system. To enable notification/email generation, we need to make only one change in an XML file. We are using an SMTP server as the mail server.

1) go to


2) Change only the highlighted portion with your mail server.

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: mail-service.xml 62349 2007-04-15 16:48:15Z $ -->

  <!-- ==================================================================== -->
  <!-- Mail Connection Factory                                              -->
  <!-- ==================================================================== -->

  <mbean code="org.jboss.mail.MailService"
    <attribute name="JNDIName">java:/Mail</attribute>
    <attribute name="User">nobody</attribute>
    <attribute name="Password">password</attribute>
    <attribute name="Configuration">
      <!-- A test configuration -->
        <!-- Change to your mail server protocol -->
        <property name="" value="pop3"/>
        <property name="mail.transport.protocol" value="smtp"/>

        <!-- Change to the user who will receive mail  -->
        <property name="mail.user" value="nobody"/>

        <!-- Change to the mail server  -->
        <property name="" value=""/>

        <!-- Change to the SMTP gateway server -->
        <property name="" value=""/>

        <!-- The mail server port -->
        <property name="mail.smtp.port" value="25"/>

        <!-- Change to the address mail will be from  -->
        <property name="mail.from" value=""/>

        <!-- Enable debugging output from the javamail classes -->
        <property name="mail.debug" value="false"/>

  <!-- OpenKM -->
  <mbean code="org.jboss.mail.MailService" name="jboss:service=OpenKM">
    <attribute name="JNDIName">java:/mail/OpenKM</attribute>
    <attribute name="User">nobody</attribute>
    <attribute name="Password">password</attribute>
    <attribute name="Configuration">
        <property name="mail.transport.protocol" value="smtp"/>
        <property name="" value=""/>
        <property name="mail.smtp.port" value="25"/>
        <property name="mail.from" value=""/>
        <property name="mail.debug" value="true"/>

Thursday, 2 August 2012

Issue in Windows or issue in media file players?

Well, if you have used VLC, you must have noticed this issue.

If you open VLC -> Media -> "Open Folder" and select a folder, it plays the files in random order.

It will always play in the same order, but the file selection is random. I have been observing this issue for some time, but as I do not maintain a playlist and any order is fine with me, I never cared about the order.

Today I tried to investigate the issue: on what basis is it playing the files?

I opened the folder and tried to analyze the files. The track number for the first song and the second song displays the same "1 only". The name of the first file started with "D" and the second with "B", so it was not playing in alphabetical order.

FYI, in VLC -> Tools -> Preferences -> "Advanced Setting" -> Playlist -> "Play files randomly forever" is not checked. So it is not playing in random order; some order is there, but which order does it follow?

I could not get anything from comparing these two files, so I went on to play the third and fourth files. Again everything was so random, no relation with track, file names, album, artist?

OK, so next I asked my friend "Google".

And see what: it seems that "it all depends on the creation date of the file". Voilà!!!

I checked all four files again and YES! All have a proper order, with seconds of difference in creation date, and they were being played accordingly.

Well! So now the issue is found, but the solution, alas!!! Not yet fixed, it seems!!

This issue exists because it seems Windows gives the files to media players in this order and they play them. The issue still exists in WINAMP and VLC players as of August 02, 2012.

So if you are a developer, try to fix it, and if you are a tester, help me in finding the workarounds.


Wednesday, 1 August 2012

Different Types of Networks and Their Standards!

We have many types of networks:

1) LAN : Local Area Network (Family of IEEE 802 standards)

  •  HAN : Home Area Network (ITU-T G.9951–3, G.9954, G.9954, G.9960–1, G.9963, G.9970, G.9972)
  •  SAN : Storage Area Network (Internet Small Computer Systems Interface (iSCSI) : RFC 3720)

2) CAN : Campus Area Network

3) MAN : Metropolitan Area Network (IEEE Std 802-2002)

4) WAN : Wide Area Network

  •  Leased Line [PPP (RFC 1661), HDLC (RFC 2687, RFC 1662), SDLC (RFC 1747), HNAS]
  •  Circuit Switching (PPP, ISDN)
  •  Packet Switching (X.25, Frame-Relay)
  •  Cell Relay (ATM)

5) PAN : Personal Area Network

6) WPAN : Wireless Personal Area Network (Family of IEEE 802.15 Standards)

7) BAN : Body Area Network (IEEE 802.15.6)

8) VPN : Virtual Private Network (RFC 4026)