1. The ARP overview

ARP (Address Resolution Protocol) is a network protocol used to find the hardware (MAC) address of a host from its IP address. ARP is used on Ethernet LANs because hosts that want to communicate with each other need to know each other's MAC addresses. It is a request-reply protocol: an ARP request message asks for a MAC address, and an ARP reply message returns the MAC address that was requested.

A host on an Ethernet network can communicate with another host only when it knows that host's MAC address. Higher-layer protocols such as IP use a logical addressing scheme that is different from the low-level hardware (MAC) addressing. ARP is used to obtain the Ethernet address of a host from its IP address, and every host on an Ethernet network uses it. The Ethernet data link driver never checks the destination IP address in an IP packet.

ARP provides dynamic mapping between IP addresses and MAC addresses. Users are unaware of this process.

2. ARP header structure

The following figure shows the structure of the ARP header.

Hardware Type: Indicates the type of hardware used to transmit ARP information on the local network. Ethernet is the common hardware type and has the value 1. The field is 2 bytes. For more information about hardware types, see Address Resolution Protocol (ARP) Parameters.

Protocol Type: Each protocol is assigned a number for this field. IPv4 is 0x0800. For more information about protocol types, see Address Resolution Protocol (ARP) Parameters.

Hardware Address Length: Indicates the length, in bytes, of the hardware addresses carried in the ARP message. An Ethernet MAC address is 6 bytes long.

Protocol Address Length: Indicates the length, in bytes, of the logical (IPv4) address. IPv4 addresses are 4 bytes long.

Operation: Indicates the operation code. This field tells whether the packet is a request or a reply, and whether it belongs to ARP or to RARP. RARP is the reverse of ARP: it lets a host obtain its network (IP) address starting from its data link (hardware) address. The operation codes are: 1 = ARP request; 2 = ARP reply; 3 = RARP request; 4 = RARP reply.

Sender Hardware Address: The hardware (MAC) address of the source host.

Sender Protocol Address: The protocol (IP) address of the source host.

Target Hardware Address: The MAC address of the target host. In an ARP request this field is unknown and is set to 0; receivers ignore it.

Target Protocol Address: The IP address of the destination host.

ARP packets are directly encapsulated in data link frames. As shown in the following figure, an ARP packet is encapsulated in an Ethernet frame. Note that the type field indicates that the data carried by the frame is an ARP packet.

Address Resolution Protocol (ARP)
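As an added example (not code from the original article), the following Python builds and parses the Ethernet-encapsulated ARP packet laid out above: the 14-byte Ethernet header with EtherType 0x0806, then the 28-byte ARP header with hardware type 1, protocol type 0x0800, address lengths 6 and 4, the opcode, and the four address fields. The IP addresses are constructed sample values; the MAC addresses reuse ones the article shows later.

```python
import struct

ETH_TYPE_ARP = 0x0806              # EtherType marking the frame payload as ARP
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet header (dst, src, type) followed by the 28-byte ARP packet."""
    # A request is broadcast; a reply goes unicast to the requester's MAC.
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if opcode == 1 else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    # In a request the target MAC is unknown and is carried as all zeros.
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Check the EtherType, then unpack the fixed-size ARP header fields."""
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{eth_type:04x})")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP (hlen 6, plen 4) is handled here")
    body = frame[22:22 + 2 * (hlen + plen)]
    if len(body) != 2 * (hlen + plen):
        raise ValueError("truncated ARP packet")
    sha, spa, tha, tpa = body[:6], body[6:10], body[10:16], body[16:20]

    def fmt_mac(b):
        return ":".join(f"{x:02x}" for x in b)

    def fmt_ip(b):
        return ".".join(str(x) for x in b)

    return {"op": OPCODES.get(op, f"unknown({op})"),
            "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}
```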

3. Working principle of ARP

3.1 MAC Hardware Address

A MAC address is written as six groups of two hexadecimal digits (six bytes) separated by colons. The highest possible value, FF:FF:FF:FF:FF:FF, is the broadcast address. The first three bytes are the unique identifier of the NIC manufacturer, and the last three bytes are assigned by the manufacturer to the individual network adapter (NIC), which is essentially a circuit card that lets a computer connect to the network and converts data into electrical signals that can be transmitted over it. Common well-known NIC manufacturers include Dell, Belkin, Nortel and Cisco. For example, in the MAC address 98:8B:0A:DB:76:6B, the first three octets (98:8B:0A) identify the manufacturer of the network adapter, and the last three octets (DB:76:6B) are the adapter's unique serial ID.

The IDs of some well-known NIC manufacturers are: Dell 00-14-22; Nortel 00-04-DC; Cisco 00-40-96; Belkin 00-30-BD.

Each NIC has a hardware address called a MAC (media access control) address. Whereas an IP address is associated with TCP/IP (network software), the MAC address is tied to the hardware of the network adapter. The MAC address is assigned to the adapter when it is manufactured; it is hardwired or hardcoded into the computer's network interface card (NIC) and is unique. ARP (Address Resolution Protocol) translates IP addresses into MAC addresses; it acts like a passport that carries data from an IP address through to the actual computer hardware (see WhatIsMyIPAddress).

MAC addresses can also be duplicated, because some manufacturers have begun to reuse their numbers. This is usually not a problem, since two copies of the same MAC address almost never appear on the same network. Some cards allow you to change the MAC address with special software or methods (see How do I Change My MAC Address?).

3.2 The ARP cache

For each network communication, data is encapsulated layer by layer from the application layer down to the physical layer; when the data link layer builds the frame, it needs the destination MAC address. If every communication required broadcasting an ARP request, the load on the network, its bandwidth, and the performance of the devices would all suffer, since a device (server) already has plenty to do. To reduce the impact of ARP broadcasts, each IP host keeps an ARP cache in its own memory. Like a table, the cache records the mapping between IP addresses and their corresponding MAC addresses, and entries can be added and removed dynamically.

Run the arp -a command to display the ARP cache of the current device:

    # IP address | MAC address | NIC binding (interface)
    ? (10.66.114.4) at 38:ad:be:c1:15:b0 [ether] on bond0
    ? (10.66.114.11) at 74:ea:c8:a7:80:b2 [ether] on bond0
    ? (10.254.254.19) at <incomplete> on ens2
    gateway (10.66.114.254) at ac:74:09:66:be:e7 [ether] on bond0
    ? (10.254.254.9) at <incomplete> on ens2
    ? (10.254.254.18) at <incomplete> on ens2
    ? (10.254.254.8) at <incomplete> on ens2
    ...
    ? (10.254.254.1) at 00:00:23:34:45:01 [ether] on ens2
    ? (10.254.254.20) at <incomplete> on ens2
    ? (10.66.114.253) at 70:4d:7b:33:9d:d1 [ether] on bond0
    ? (10.66.114.10) at 74:ea:c8:a7:7c:f2 [ether] on bond0
    ...

The ARP cache also supports manual operations, such as adding an IP address together with its MAC address, or deleting a cache entry. Run arp --help for details.

To manually delete the ARP cache entry for a specified IP address, run arp -d <IP>:

    arp -d <IP address>

For example, running arp -d 10.66.114.115 removes the entry for that address from the ARP cache.

To manually add an ARP cache mapping for a specified IP address, run arp -s <IP> <MAC>:

    [root@Thor tcpdump]# arp -s 10.66.114.117 98:8b:0a:db:76:9f

Running arp -a again shows the cache entry that maps 10.66.114.117 to that MAC address:

    [root@Thor tcpdump]# arp -a
    ...
    ? (10.66.114.117) at 98:8b:0a:db:76:9f [ether] PERM on bond0

3.2.1 ARP Static Cache

The ARP cache holds two kinds of entries: dynamic and static. A static entry is added manually (that is, with arp -s <IP> <MAC>) to the device's cache table and is kept in the cache permanently (added 2020/04/07: unless it is created with the temp flag, arp -s <IP> <MAC> temp). I manually added the IP-MAC mapping of device 117 (that is, the device whose IP address is xx.xx.xx.117) to device 115 and confirmed that the mapping took effect permanently.

3.2.2 ARP Dynamic Cache

A dynamic entry is created when the reply to a broadcast ARP request is received: the mapping between the destination IP address and its MAC address is stored in the ARP cache for a period of time, after which it is refreshed. An ARP cache can therefore contain both static and dynamic entries.

3.3 How ARP works

ARP works by broadcasting an ARP request on the local LAN (if the destination is on another network, a route to it must exist in the routing table) to obtain the MAC (hardware) address of the destination host.

Its main flow is as follows:

  1. Look up the MAC address of the target IP host in the local ARP cache.

  2. If it is found, use it directly; otherwise, go to step 3.

  3. Broadcast an ARP request packet, wait for the reply, parse the ARP reply, and store the mapping between the IP address and the MAC address in the cache.

There are usually more than a few devices in a local area network (LAN); in most cases there are hundreds or thousands. To keep things simple, the five devices in the figure below stand in for the hosts. The principle is the same whether there are two devices or many.

Assume that PC5 needs to communicate with PC2 but does not know PC2's MAC address, so it must broadcast an ARP request to obtain it. First, PC5 looks for the MAC address of host 10.66.114.117 in its ARP cache. If it finds it, it uses that MAC address directly without sending an ARP broadcast. Otherwise, it broadcasts an ARP request packet to the other hosts on the LAN, and PC1, PC2, PC3 and PC4 all receive the broadcast from PC5. Each host parses the request and checks whether the destination IP address in the packet is its own. If not, it discards the packet and ignores it (that is, it does not respond). Otherwise, it parses the packet, records the source IP and MAC, fills in the required information (its own IP and MAC) and replies to PC5, the host that sent the request (only the host that owns the destination IP address answers the request).

After receiving the reply from PC2, PC5 extracts the IP and MAC and stores them in its own ARP cache for the next communication. To save memory and reduce maintenance cost, each entry in the ARP cache has a lifetime: by default it is kept for 2 minutes (120 s) and then deleted, so that entries that have not been used for a long time are not kept around.
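The cache behaviour of sections 3.2 and 3.3 (lookup, broadcast on a miss, learn from the reply, 120-second expiry of dynamic entries, permanent arp -s style entries), as an added example in Python that is not code from the original article. The clock is injectable so the expiry can be exercised without waiting; the broadcast is a caller-supplied function standing in for the real request on the wire.

```python
import time

ARP_ENTRY_TTL = 120.0   # seconds a dynamic entry lives: the article's 2-minute default


class ArpCache:
    """One host's ARP cache: ip -> (mac, expires_at); expires_at is None for static (PERM) entries."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock              # injectable so expiry can be tested deterministically
        self.entries = {}

    def add_static(self, ip, mac):
        """Equivalent of `arp -s IP MAC`: pinned, never expires."""
        self.entries[ip] = (mac, None)

    def delete(self, ip):
        """Equivalent of `arp -d IP`."""
        self.entries.pop(ip, None)

    def lookup(self, ip):
        """Step 1: consult the local cache, dropping a dynamic entry whose lifetime has passed."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if expires_at is not None and self.clock() >= expires_at:
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip, mac):
        """Step 3: a reply arrived; record it with a fresh lifetime (a static entry is left alone)."""
        current = self.entries.get(ip)
        if current is not None and current[1] is None:
            return
        self.entries[ip] = (mac, self.clock() + ARP_ENTRY_TTL)

    def resolve(self, ip, broadcast_request):
        """Steps 1-3: a cache hit is used directly; on a miss, broadcast and learn from the reply.
        broadcast_request(ip) returns the replying MAC, or None when nobody answers (<incomplete>)."""
        mac = self.lookup(ip)
        if mac is not None:
            return mac
        reply_mac = broadcast_request(ip)
        if reply_mac is None:
            return None
        self.learn(ip, reply_mac)
        return reply_mac
```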

Again, the client and server code from the TCP/IP transport layer is used as a demonstration. Device 10.66.114.115 is the server and 10.66.114.95 is the client. First we manually clear the ARP cache entries the two devices hold for each other (on 10.66.114.95, arp -d 10.66.114.115; on 10.66.114.115, arp -d 10.66.114.95).

Start the server process on device 115, then start packet capture on device 115 and the client process on device 95.

Open the file captured by tcpdump in Wireshark and apply a display filter (entered manually) to show only the request and reply exchange of this communication, as shown in the following figure:

Because the ARP cache entries were cleared manually, the client must first obtain the MAC address of the destination host before it can begin the handshake; it then establishes the connection, communicates, and closes the connection.

The following figure shows the header of the broadcast ARP request. The request contains the source hardware (MAC) address, the source protocol (IP) address and the destination protocol (IP) address; the destination hardware (MAC) address field is all zeros, indicating that it is unknown.

The following figure shows the header structure of the ARP reply. In the reply, the destination host 115 has filled its own MAC address into the corresponding header field.

Wireshark ARP display filter reference: Address Resolution Protocol.

The ARP reply is sent as a unicast frame only to the requesting host (PC5 in this example), not broadcast to all hosts on the LAN. Some sources describe ARP as a Layer 2 protocol, while others place it at Layer 3.

From the GEEK UNIVERSITY

All questions related to ARP can be answered in ARP-Q&A.

ARP, an additional protocol introduced alongside IP, maps between the target hardware address carried in MAC frames and the IP network address. ARP belongs to the TCP/IP protocol family and sits at the data link layer.

Image from IPv4 over Ethernet

3.4 ARP Usage

Here are four different situations in which the ARP service can be used:

  1. The sender is a host that wants to send packets to another host on the same network. In this case, the logical address that must be mapped to the physical address is the destination IP address in the data header.

  2. The sender is a host that wants to send packets to another host on another network. The host consults its routing table to find the IP address of the next hop (router) toward this destination; if no matching route exists, it uses the IP address of the default router. The router's IP address becomes the logical address that must be mapped to a physical address.

  3. The sender is a router that receives a datagram sent to another network host. It checks its routing table and finds the IP address of the next router. The IP address of the next router becomes the logical address that must be mapped to the physical address.

  4. The sender is a router that receives a datagram destined for a host on the same network. The destination IP address of the datagram becomes the logical address that must be mapped to the physical address.

As shown in the figure:

Address Resolution Protocol (ARP)

For example, a host with IP address 130.23.43.20 and physical address B2:34:55:10:22:10 has a packet to send to another host with IP address 130.23.43.25 and physical address A4:6E:F4:59:83:AB (unknown to the first host). The two hosts are on the same Ethernet. The figure shows the ARP request and reply packets encapsulated in Ethernet frames.

Images and examples from Address Resolution Protocol (ARP)

4. The ARP attack

Also known as ARP Poison Routing (APR) or ARP cache poisoning, this is a method of attacking Ethernet LANs by updating the ARP cache of the target computer with forged ARP request and reply packets, so that frames meant for the legitimate Layer 2 Ethernet MAC address (that is, the address of a particular network card) are sent instead to an address that the attacker can monitor. Because the target computer trusts the forged reply, it sends frames intended for the original destination to the attacker's computer first, which can then read them. A successful APR attack is not visible to the user.

For details about ARP spoofing, see ARP spoofing and its prevention.
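From the defender's side, the poisoning described above shows up on the wire as replies that nobody asked for and that change an IP address's known MAC, often with one MAC claiming several addresses. The following Python, an added example and not code from the original article, runs those three checks over a constructed list of ARP events; the event tuples, the sample addresses and the optional trusted table are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ARP traffic as a passive sensor on the LAN would see it:
# (opcode, sender_ip, sender_mac, target_ip), opcode 1 = request, 2 = reply.
# The first four events are a normal exchange; the last two model the forged
# replies described above (a new MAC claims both the gateway and the server).
SAMPLE_EVENTS = [
    (1, "10.66.114.95", "98:8b:0a:db:76:6b", "10.66.114.254"),
    (2, "10.66.114.254", "ac:74:09:66:be:e7", "10.66.114.95"),
    (1, "10.66.114.95", "98:8b:0a:db:76:6b", "10.66.114.115"),
    (2, "10.66.114.115", "74:ea:c8:a7:80:b2", "10.66.114.95"),
    (2, "10.66.114.254", "00:0c:29:aa:bb:cc", "10.66.114.95"),
    (2, "10.66.114.115", "00:0c:29:aa:bb:cc", "10.66.114.95"),
]


def detect_arp_poisoning(events, trusted=None):
    """Return alert strings for replies that (a) answer no request we saw,
    (b) change an IP's previously known MAC, or (c) make one MAC claim several IPs."""
    ip_to_mac = dict(trusted or {})     # optionally seed with known-good pairs (e.g. the gateway)
    pending = set()                     # target IPs of requests seen so far
    mac_to_ips = defaultdict(set)
    alerts = []
    for opcode, sender_ip, sender_mac, target_ip in events:
        if opcode == 1:
            pending.add(target_ip)
            continue
        if opcode != 2:
            continue
        # Gratuitous ARP and requests the sensor missed also trigger (a): a hint, not proof.
        if sender_ip not in pending:
            alerts.append(f"unsolicited reply: {sender_ip} -> {sender_mac}")
        pending.discard(sender_ip)
        known = ip_to_mac.get(sender_ip)
        if known is not None and known != sender_mac:
            alerts.append(f"mapping changed: {sender_ip} was {known}, now {sender_mac}")
        ip_to_mac[sender_ip] = sender_mac
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1:
            alerts.append(f"one MAC claims several IPs: {sender_mac} -> {sorted(mac_to_ips[sender_mac])}")
    return alerts
```

A legitimate change (a replaced NIC, a router failover, a router that owns several addresses) trips the same checks, so corroborate an alert against the switch's port-to-MAC table before acting on it.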

5. Summary

This article has described the definition, header structure and function of ARP in detail, briefly analyzed its working principle, described the scenarios and modes in which ARP is used, and touched on the general principle of ARP spoofing.