I have collected my previous articles on GitHub; everyone is welcome to star the repository: github.com/crisxuan/be…
It is well known that once an IP address is identified, datagrams can be sent to the host at that IP address. However, an IP address only identifies the address of the network layer. Is there an address in the data link layer below the network layer that can tell the host its address? Yes, this address is the MAC address.
Understanding MAC Addresses
The full name of a MAC Address is Media Access Control Address, which is the unique identifier of the Ethernet or network adapter on the network. MAC addresses can distinguish between different network interfaces and are used for a variety of network technologies, especially most IEEE 802 networks.
MAC addresses are also called physical addresses, hardware addresses, and Ethernet addresses.
MAC addresses are used to identify interconnected nodes on data links, as shown in the following figure
A MAC address is 48 bits long. When a NIC is manufactured, its MAC address is usually burned into the card's ROM, so the MAC address of any network adapter is meant to be unique. The structure of a MAC address is as follows
Bits 3 to 24 of the MAC address are the vendor identifier; each NIC vendor has its own unique identifier. Bits 25 to 48 are assigned by the vendor to identify each individual card. Together these two parts are what keep two network cards anywhere in the world from sharing the same MAC address.
In practice a MAC address may nevertheless be duplicated. This is not a serious problem as long as the two addresses are not on the same data link.
What is the ARP
The Address Resolution Protocol(ARP) is used to map IP addresses to MAC addresses, that is, to query the MAC Address of the target IP Address. ARP is extremely important in IPv4.
Note: ARP is only used in IPv4. IPv6 uses Neighbor Discovery Protocol, which is included in ICMPv6.
In short, ARP is the protocol that solves the address resolution problem. It uses the IP address as the clue to find the MAC address of the next host that should receive the packet. If the destination host is not on the same link, what is looked up is the MAC address of the next-hop router.
Working mechanism of ARP
Let’s explore how ARP works. Assume that host A and host B are on the same link, and host A wants to send an IP packet to host B. The IP address of host A is 192.168.1.2 and that of host B is 192.168.1.3. Neither of them knows the MAC address of the other. Host C and host D are other hosts on the same link.
To obtain the MAC address of host B, host A broadcasts an ARP request packet to all hosts on the Ethernet. The ARP request packet contains the IP address of host B, whose MAC address host A wants to learn.
The ARP request packet sent by host A is received and examined by every host and router on the same link. Each of them checks the information in the ARP request packet. If the destination IP address in the request matches its own IP address, that host writes its MAC address into an ARP reply packet and returns it to host A.
In this way, you can obtain a MAC address from an IP address through ARP to achieve communication on the same link.
What if it’s a different link?
Proxy ARP is used. Normally ARP traffic is stopped at routers. However, a router running Proxy ARP answers ARP requests on behalf of hosts in a neighboring network segment, which lets nodes in several network segments communicate as if they were in the same segment.
ARP cache
Now you know that you can determine the MAC address by sending an ARP request before sending an IP packet. Does it have to broadcast -> encapsulate ARP response -> send back to the host every time?
Think about how a browser handles this: it keeps a built-in cache of the addresses you have used most recently, and ARP works the same way. The key to making ARP efficient is an ARP cache (or ARP table) maintained on every host and router. This cache holds the mapping between each IP address and its MAC address. The MAC address obtained by the first ARP exchange is recorded in the ARP cache table; the next time a packet is sent to that IP address, no ARP request is needed and the MAC address from the cache table is used directly. Entries in the cache table are not kept forever; they are cleared after a timeout.
The ARP cache reduces the use of network traffic and prevents a large number of ARP broadcasts to a certain extent.
Generally speaking, once an ARP request has been sent, the same request is likely to be needed again soon, so the ARP cache reduces the number of ARP packets that have to be sent. In addition, the sender of an ARP request caches the MAC address of the responder, and the responder can likewise cache the IP and MAC addresses of the requester, as shown below
However, the MAC address cache has a certain period of time. After this period, the contents of the cache will be cleared.
You can view the ARP cache on Linux or Windows using the arp command. On both systems the -a option displays all cache entries.
Querying the ARP cache on Linux (screenshot):
The output has five main columns
- Host name — Corresponds to an IP address
- Hardware Address type
- Hardware address
- mark
- Local network interface
Flags are classified into three types: C, M, and P. C marks an entry learned dynamically by ARP. M marks an entry added manually with arp -s. P means published: for any P entry, the host answers incoming ARP requests for that address with an ARP reply, which is how proxy ARP is configured.
Querying the ARP cache on Windows (screenshot):
The Windows arp program displays the IPv4 address, the interface index as a hexadecimal number, and a type column that says whether the entry was entered manually (static) or learned dynamically by ARP. In the example above there are both static and dynamic entries. The 48-bit MAC address is displayed as six hexadecimal numbers, separated by colons (:) on Linux and hyphens (-) on Windows.
ARP structure
As mentioned above, a host that wants to learn a MAC address sends an ARP request to the target host. What information does this request carry? Now Cxuan will walk through it with you. The following is the common format of an ARP request or reply used to resolve an IPv4 address on Ethernet.
The first 14 bytes form the standard Ethernet header. The first two fields, DST and SRC, are the Ethernet destination address and the Ethernet source address respectively. If the destination address is ff:ff:ff:ff:ff:ff, i.e. all bits set to 1, it is the broadcast address, and every Ethernet interface in the same broadcast domain receives the frame. The length/type field that follows holds the value 0x0806 for both ARP requests and ARP replies.
- Hardware type: indicates the type of the hardware address. The common hardware address is the MAC (Ethernet) address; for Ethernet the value is 1.
- Protocol type: indicates the type of the protocol address being mapped. For IPv4 addresses this value is 0x0800.
- Hardware size and protocol size: the number of bytes in the hardware address and the protocol address respectively. For ARP requests or replies carrying IPv4 over Ethernet the values are 6 and 4.
- Op: the operation. Op = 1 is an ARP request, Op = 2 an ARP reply, Op = 3 a RARP request, and Op = 4 a RARP reply.
- Following Op come the sender hardware address (MAC address), the sender protocol address (IPv4 address), the destination hardware address and the destination protocol address.
ARP packet capture combat
We demonstrate ARP packet capture on Mac and Linux respectively.
On Mac I use Wireshark to capture packets. You can download it from the official website:
www.wireshark.org/download.ht…
Install the two plug-ins as prompted, then open Wireshark and start capturing. The following is the ARP packet I captured.
One of the nice things about this app is that it has different colors for different packets, which is really nice.
Then we look at the ARP request
As you can see, this is a complete ARP request packet: the hardware type is Ethernet, the protocol type is IPv4 with the value 0x0800, the hardware size is 6 bytes, the protocol size is 4 bytes, Op is the opcode and Op = 1 indicates that this is an ARP request, followed by the sender’s hardware address and protocol address and the receiver’s hardware address and protocol address.
The ARP response is as follows
You can see Op = 2, indicating that this is an ARP response.
On Linux you can use tcpdump to capture ARP packets. If tcpdump is not found, install it with yum install -y tcpdump.
tcpdump -i ens33 prints the packets seen on the ens33 interface. The following is an ARP packet I captured.
For more information on the use of tcpdump, check out this blog
www.cnblogs.com/ggjucheng/a…
Its author explains it in great detail, so I will not repeat it here.
ARP Cache Timeout
A timeout is usually associated with each entry in the ARP cache, and the arp command lets administrators add entries that never time out. The lifetime of a complete mapping stored in the cache is generally 20 minutes. For an incomplete mapping the cache timeout is 3 minutes; an incomplete entry is usually the result of an ARP request sent for a host that does not exist.
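An added simulation of the ARP cache behaviour described in the cache section and in the timeout paragraph above (not code from the original article): complete entries live 20 minutes, incomplete ones 3 minutes, manually added entries never expire, and a broadcast is only sent on a cache miss. The link contents and time values are constructed, and the clock is passed in explicitly so the timeouts can be exercised without waiting.

```python
COMPLETE_TTL = 20 * 60    # seconds a resolved (complete) entry is kept
INCOMPLETE_TTL = 3 * 60   # seconds an unresolved (incomplete) entry is kept

class ArpCache:
    """Per-host ARP table keyed by IP. `link` stands in for the hosts that would
    answer a broadcast on the local link (constructed: IP -> MAC)."""
    def __init__(self, link):
        self.link = link
        self.table = {}           # IP -> {"mac": MAC or None, "expires": time}
        self.broadcasts = 0       # number of ARP requests that had to be sent

    def _valid(self, ip, now):
        e = self.table.get(ip)
        return e if e and now < e["expires"] else None

    def learn(self, ip, mac, now, static=False):
        """Record a mapping; static entries (like arp -s) never expire."""
        exp = float("inf") if static else now + COMPLETE_TTL
        self.table[ip] = {"mac": mac, "expires": exp}

    def resolve(self, ip, now):
        """Return the MAC for ip, broadcasting only when no usable entry exists.
        A missing host leaves an incomplete entry with the short timeout."""
        e = self._valid(ip, now)
        if e:
            return e["mac"]       # hit (a pending incomplete entry returns None)
        self.broadcasts += 1      # miss: send an ARP request on the link
        mac = self.link.get(ip)
        if mac is None:
            self.table[ip] = {"mac": None, "expires": now + INCOMPLETE_TTL}
            return None
        self.learn(ip, mac, now)
        return mac

    def entries(self, now):
        """Live entries only, the way `arp -a` would show them."""
        return {ip: e["mac"] for ip, e in self.table.items() if now < e["expires"]}
```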
RARP
In contrast with ARP, the Reverse Address Resolution Protocol (RARP) is used to locate IP addresses from MAC addresses and connect small embedded devices, such as printer servers, to networks.
Generally there are two ways to set an IP address: manual configuration and dynamic assignment through DHCP.
An embedded device, however, has no input interface and may not be able to obtain a dynamic address through DHCP.
In this case, RARP is used. You need to prepare an RARP server, register the MAC address and IP address of the device on the server, and then connect the device to the network. The device sends a query request for the IP address and MAC address to the server. The server tells the device its IP address and MAC address.
ARP attack
ARP is a very insecure protocol. Many attacks involving ARP exist today. The most important ones abuse the proxy ARP idea: an attacker pretends to be another host, answers ARP requests, and steals the communication data of legitimate users with forged ARP packets, causing serious harm such as degrading the network transmission rate and leaking users’ private information.
ARP Attack Classification
The main ARP attack modes are as follows
- ARP flooding attack: sends a large number of ARP packets to the gateway so that it cannot respond properly. A large number of ARP request packets are sent, followed by a large number of false ARP reply packets. The gateway’s CPU usage rises and it struggles to respond to normal service requests. In addition, the gateway’s ARP cache table fills with incorrect entries and can no longer maintain correct ones, and network bandwidth is consumed.
- ARP spoofing host attack: ARP spoofing is the most common ARP attack. The attacker uses forged ARP replies so that traffic the attacked hosts in the LAN intend for the gateway is actually sent to the attacker. Each host refreshes its own ARP cache, and the MAC recorded for the gateway becomes the attacker’s MAC. In this way the data flows other users send through the gateway are delivered to the attacker’s host, causing data leakage.
- Attack that spoofs the gateway: here the data other hosts send to the gateway is diverted to the attacker through the gateway. The target of this attack is not an individual host but the gateway of the LAN, so the attacker can continuously obtain the data of other users in the LAN. This results in data leaks, and the probability of viruses on users’ computers also increases.
- Man-in-the-middle attack: a man-in-the-middle attack spoofs both the hosts and the gateway on the LAN. The data of users and of the gateway is all sent to the same attacker, so the data of both users and the gateway is leaked.
- IP address conflict attack: scans for the MAC addresses of physical hosts on the LAN and attacks those hosts based on their MAC addresses, causing IP address conflicts on the hosts in the LAN and disrupting network access.
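From the defender’s side, the attack classes above leave recognisable traces in ARP traffic: a gateway or host IP suddenly claimed by a different MAC (spoofing, man-in-the-middle, IP conflict) and a burst of ARP packets from one MAC (flooding). This added detection example, not code from the original article, runs those two rules over a constructed sample of captured ARP packets; the trusted gateway binding, all addresses and the rate threshold are assumed values.

```python
from collections import defaultdict

FLOOD_THRESHOLD = 100  # ARP packets per second from one MAC; an assumed tuning value

# Trusted static binding a monitor is configured with (constructed value).
KNOWN = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}

# Constructed sample of ARP packets seen by a LAN monitor: (time_s, op, sender_ip, sender_mac).
SAMPLE = [
    (0.0, 1, "192.168.1.2", "00:11:22:33:44:02"),   # ordinary request from a host
    (0.1, 2, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # reply from the real gateway
    (0.2, 2, "192.168.1.2", "00:11:22:33:44:02"),   # reply from the real host
    (5.0, 2, "192.168.1.1", "00:11:22:33:44:66"),   # gateway IP claimed by another MAC
    (6.0, 2, "192.168.1.2", "00:11:22:33:44:66"),   # host IP claimed by the same MAC
] + [(10.0 + i // 100, 1, f"10.0.0.{i % 250}", "00:11:22:33:44:77")  # 300 requests
     for i in range(300)]                                               # in 3 seconds

def detect(packets, known_bindings):
    """Return alert strings. Rules: a reply changes the MAC recorded for an IP
    (gateway or host), and one MAC sends FLOOD_THRESHOLD+ ARP packets in a second."""
    bindings = dict(known_bindings)   # start from the trusted gateway binding
    per_sec = defaultdict(int)
    alerts = []
    for t, op, ip, mac in packets:
        key = (mac, int(t))
        per_sec[key] += 1
        if per_sec[key] == FLOOD_THRESHOLD:   # alert once per (MAC, second)
            alerts.append(f"flood: {mac} sent {FLOOD_THRESHOLD}+ ARP packets in second {int(t)}")
        if op != 2:
            continue                          # bindings are learned from replies only
        old = bindings.get(ip)
        if old is None:
            bindings[ip] = mac
        elif old != mac:
            kind = "gateway" if ip in known_bindings else "host"
            alerts.append(f"{kind} binding change: {ip} was {old}, now claimed by {mac} at t={t}")
            if ip not in known_bindings:      # never let a reply overwrite a trusted binding
                bindings[ip] = mac
    return alerts
```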
conclusion
ARP is a basic protocol in TCP/IP implementations that usually operates without applications or users being aware of it. ARP maps IP addresses to MAC addresses.
In this article we mainly covered the basic principle of ARP, the ARP frame structure, the ARP working mechanism, proxy ARP, ARP attacks, RARP, and the differences between RARP and ARP.
If you found this article useful, please like it and leave a comment; your support is my motivation to keep writing.
In addition, add me on WeChat (becomecXuan) to join the one-question-a-day group, where one interview question is shared every day. For more content, see my GitHub: Be the best Javaer.