pileofrogs has asked for the wisdom of the Perl Monks concerning the following question:

I have two redundant servers. One will be in an active state at any time and the other will be in a backup or reserve state at any time. The backup server will use fake to take over the IP address of the active server when it needs to become active. Fake works by sending gratuitous ARP messages, basically convincing any local hosts or switches that it owns that IP address even though the originally active host is still claiming to own that IP address. Basically, it shouts louder than the other host.

Interestingly, it's very difficult for one of the two hosts to determine its own state. If a server does not have that main IP address, we know it's not active. If it does and it's running fake, we can say it is active. If, however, it has the main IP and is not running fake, we don't know. I.e., the original main server doesn't know whether the backup server has taken over or not.

Unless! We can analyse the flow of ARP messages. If a machine has the main IP and it can see a ton of gratuitous ARP claiming someone else has that main IP, I can be pretty sure the backup machine has taken over.

So, does anyone have advice for how I could watch the flow of ARP packets?

Thanks!

--Pileofrogs

Update

I found Net::Pcap and NetPacket::ARP, and I'm a happy guy.
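The check described in the question (a host that holds the main IP sees gratuitous ARP for that IP from another MAC), as an added example that is not part of the original post. It parses raw Ethernet frames with core `unpack`; the IP, MAC addresses, window and threshold are constructed values, and on a live host the frames would come from a capture library such as the Net::Pcap mentioned in the update.

```perl
use strict; use warnings;
# Assumed values for illustration: main IP, this host's MAC, window (s), threshold.
my ($MAIN_IP, $MY_MAC, $WINDOW, $THRESHOLD) = ('192.0.2.10', '02:00:00:00:00:01', 10, 3);

# Parse an Ethernet frame; return sender MAC/IP and target IP for IPv4 ARP, else nothing.
sub parse_arp {
    my ($frame) = @_;
    return if length($frame) < 42;                 # 14 Ethernet + 28 ARP bytes
    my ($etype, $htype, $ptype, $hlen, $plen, $op, $sha, $spa, $tha, $tpa)
        = unpack('x12 n n n C C n a6 a4 a6 a4', $frame);
    return unless $etype == 0x0806 && $htype == 1 && $ptype == 0x0800 && $hlen == 6 && $plen == 4;
    return { sha => join(':', map { sprintf '%02x', $_ } unpack('C6', $sha)),
             spa => join('.', unpack('C4', $spa)),
             tpa => join('.', unpack('C4', $tpa)) };
}

# Gratuitous ARP (sender IP == target IP) for the main IP from a MAC that is not ours.
sub is_foreign_claim {
    my ($arp) = @_;
    return $arp && $arp->{spa} eq $arp->{tpa} && $arp->{spa} eq $MAIN_IP
        && lc($arp->{sha}) ne lc($MY_MAC);
}

# True once $THRESHOLD foreign claims fall inside a sliding $WINDOW-second window.
sub displaced {
    my @hits;
    for my $event (@_) {                           # each event: [timestamp, frame]
        next unless is_foreign_claim(parse_arp($event->[1]));
        push @hits, $event->[0];
        shift @hits while $hits[0] < $hits[-1] - $WINDOW;
        return 1 if @hits >= $THRESHOLD;
    }
    return 0;
}

# Build a constructed gratuitous ARP request frame (test data only).
sub garp {
    my ($mac, $ip) = @_;
    my $m = pack('C6', map { hex($_) } split /:/, $mac);
    my $i = pack('C4', split /\./, $ip);
    return pack('a6 a6 n n n C C n a6 a4 a6 a4',
                "\xff" x 6, $m, 0x0806, 1, 0x0800, 6, 4, 1, $m, $i, '', $i);
}

# Constructed capture: our own announcement, then the backup's MAC claiming the IP.
my $backup = '02:00:00:00:00:02';
my @capture = ([0, garp($MY_MAC, $MAIN_IP)], [1, garp($backup, $MAIN_IP)],
               [2, garp($backup, '192.0.2.99')], [3, garp($backup, $MAIN_IP)],
               [4, garp($backup, $MAIN_IP)]);
printf "%s\n", displaced(@capture) ? "another host is claiming $MAIN_IP" : 'no takeover seen';
```

The same signal is what ARP spoofing looks like on the wire, so a claim from a MAC that is not the known backup is worth alerting on rather than treating as a failover.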

Re: Arp Anyone?
by jethro (Monsignor) on Jul 17, 2008 at 18:45 UTC
    Couldn't the backup server just send UDP packets at a special port of the main server while he takes over? Since UDP is stateless, it is fire and forget for the backup server and a simple listen on port x for the main server.

      That's not a bad idea. Have the process that launches fake also send these alert packets.

      I'll keep that in mind as a backup, but I don't want to rely on the other server and I don't want to add the complexity. I'd rather just figure it out from the information that's already out there.

Re: Arp Anyone?
by Bloodnok (Vicar) on Jul 18, 2008 at 10:24 UTC
    Hi,

    You don't identify the OS on which you're running ... but I won't let that stop me posting my thoughts:-))

    Have you tried ethereal (with a filter) or even snoop(1M)?

    HTH,

    At last, a user level that overstates my experience :-))

      ...or tcpdump? Why, yes, and it works, but for some reason I wanted to wrangle bits in hex rather than parse simple text output... I think I are dumb now...

Re: Arp Anyone?
by Anonymous Monk on Jul 18, 2008 at 08:08 UTC

      Oh, yeah, I've heard of this thing called the interweb and the google... I should try them out some day...