Sending ARP request to unicast MAC instead of broadcast MAC address?

OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...

Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?

Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?

Thanks,

-C

> OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...

> Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?

In general, hosts respond to these in just the same way as they would
respond to a broadcast ARP request.

> Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?

arping from the iputils package will switch to unicast requests
after the first unicast ARP response is received, and send the rest
of the pings using unicast ARP, assuming you don't use the -b
option.

Dear Chris,

> OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's a reason for it, I swear...

> Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC address, is instead sent to the already-known unicast MAC address of the host?

Try or read kernel source.

> Next, what would be your utility of choice for crafting such a packet? Or is this something one would need to code up by hand in a lower-level language?

http://www.perihel.at/sec/mz/
should be able to do this.

Kind regards,
   Ingo Flaschberger

Unicast ARP requests are considered normal. See Section 2.3.2.1 of
RFC 1122, "ARP Cache Validation." Specifically,

            IMPLEMENTATION:
                 Four mechanisms have been used, sometimes in
                 combination, to flush out-of-date cache entries.

                 [snip]

                 (2) Unicast Poll -- Actively poll the remote host by
                      periodically sending a point-to-point ARP Request
                      to it, and delete the entry if no ARP Reply is
                      received from N successive polls. Again, the
                      timeout should be on the order of a minute, and
                      typically N is 2.
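
As an added example (not part of the original thread and not code from any of its posters), the Python sketch below builds the same ARP request as a broadcast and as a unicast frame, classifies a captured frame by its Ethernet destination, and models the RFC 1122 unicast poll with N = 2. The names `build_arp_request`, `classify` and `PolledCache` are hypothetical, the addresses are constructed, the target hardware address is left zero as an assumption, and nothing is sent on the wire.

```python
import socket
import struct

BROADCAST = b"\xff" * 6
ETH_P_ARP = 0x0806
ARP_REQUEST = 1

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp_request(src_mac, src_ip, target_ip, dst_mac=BROADCAST):
    """Return an Ethernet II frame carrying an ARP request for target_ip."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += src_mac + socket.inet_aton(src_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)  # THA left zero (assumption)
    return eth + arp

def classify(frame):
    """Return (kind, target_ip) for an ARP request frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!H", frame[20:22])[0] != ARP_REQUEST:
        return None
    kind = "broadcast" if frame[:6] == BROADCAST else "unicast"
    return kind, socket.inet_ntoa(frame[38:42])

class PolledCache:
    """Unicast-poll validation: drop an entry after n successive missed replies."""
    def __init__(self, n=2):
        self.n, self.entries, self.misses = n, {}, {}

    def learn(self, ip, mac):
        self.entries[ip], self.misses[ip] = mac, 0

    def poll(self, ip, my_mac, my_ip, got_reply):
        """Build the poll frame for ip and record whether a reply came back."""
        frame = build_arp_request(my_mac, my_ip, ip, dst_mac=self.entries[ip])
        self.misses[ip] = 0 if got_reply else self.misses[ip] + 1
        if self.misses[ip] >= self.n:
            del self.entries[ip], self.misses[ip]
        return frame

if __name__ == "__main__":
    me, peer = mac_bytes("02:00:00:00:00:01"), mac_bytes("02:00:00:00:00:02")  # constructed
    print(classify(build_arp_request(me, "192.0.2.1", "192.0.2.2")))
    print(classify(build_arp_request(me, "192.0.2.1", "192.0.2.2", dst_mac=peer)))
```

The ARP payload is byte-for-byte identical in both frames; only the Ethernet destination differs, which is why a monitor that flags unicast ARP requests on their own will also flag ordinary cache validation.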

Looks like all the replies I got were private, so thanks all - to summarize, I got everything from "Read The Fine Kernel Source" to "Read The Fine RFC" to "Read RFC 1122, Section 2.3.2.1, it's quite a Fine read".

So for other folks out there like me who obviously can't read RFCs, the answer is "yes". :)

-C

I believe they call this a Gratuitous ARP Request. It is used
automatically when interfaces are brought up to detect IP conflicts.