Address Resolution Protocol-ARP

1. What is ARP?

Meaning: Address Resolution Protocol

Meaning: Address Resolution Protocol (RFC-826)

Is located in the TCP/IP protocol stackLow-level protocolResolves an IP address to a corresponding MAC address.

In the LAN, the network actually transmits a "frame", and the frame contains the MAC address of the target host. The so-called"Address ResolutionThe host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication. During the entire conversion process, a host pC1 sends a broadcast packet containing IP address information to the target host pc2. this is an ARP request, then, the target host sends a packet containing the IP address and MAC address to the host (instead of being broadcast, it directly sends the packet to the host pC1 ), you can transmit data between two hosts through the MAC address.

 

2. ARP Environment

ARP is only used in Ethernet. That is to say, it is only used when the local host considers the target host to be directly connected to it, for example, pC1 and PC2 are in the same network segment, before pC1 communicates with PC2, ARP is used to obtain the MAC address of Pc2, which is encapsulated into the MAC frame for communication. If pC1 communicates with a host outside the CIDR block where pC1 is located, it does not use ARP, but viewsHost route tableTo forward data packetsGatewayAnd then forwarded by the gateway. Point-to-point connections do not require arp. ARP is used in broadcast networks. Because the number of nodes that a host can connect to in a broadcast network can be multiple, there must be an Address Resolution Protocol to parse the logical address (IP address) and host address (MAC address ). ARP is designed for this operation. The PPP protocol is a point-to-point network. A host can only connect to a unique peer. Therefore, you do not need to parse the logical address as the host ID. Therefore, in the PPP protocol, no ARP or RARP protocols.

 

3. ARP principle

To send a message to host B, machine a queries the local ARP cache table and finds the MAC address corresponding to IP address B. Then, data transmission is performed. If not, an ARP request packet (carrying the IP address IA of host a-physical address Pa) is broadcasted, and host B with the IP address IB replies to the physical address Pb. All hosts on the Internet, including B, receive ARP requests, but only host B recognizes its own IP address, so it sends an ARP response packet to host. It contains the MAC address of B. After receiving the response from B, A updates the local ARP cache and then uses the MAC address to send data (the MAC address is appended to the NIC ). Therefore, the local high-speed cache ARP table is the basis for local network circulation, and the cache is dynamic.

 

4. Examples of ARP Work Process

To explain the role of ARP, you must understand the data transmission process on the network. Here is a simple example of Ping. Assume that the IP address of our computer is 192.168.1.1. Run this command to ping 192.168.1.2. This command sends ICMP data packets through the ICMP protocol. This process follows the steps below:

1. The application constructs a data packet. In this example, an ICMP packet is generated and submitted to the kernel (Network Driver );

2. Check whether the kernel can convert the IP address to the MAC address, that is, to view the corresponding table of the IP-MAC in the local ARP cache;

3. If the IP-MAC ing exists, jump to Step 7; if the IP-MAC ing does not exist, continue the following steps;

4. the kernel carries out ARP broadcast, the destination ARP Address is the FF-FF-FF-FF-FF-FF, the ARP command type is request (1), which contains its own MAC address;

5. After the host 192.168.1.2 receives the ARP request, it sends an ARP reply (2) command, which contains its own MAC address;

6. Obtain the IP-MAC address correspondence of host 192.168.1.2 locally and save it to ARP cache;

7. The kernel will convert the IP address to the MAC address, encapsulate it in the Ethernet header structure, and then send the data.

 

You can use the ARP-a command to view the local ARP cache content. Therefore, after executing a local ping command, the ARP cache will have a record of the destination IP address. Of course, if your packet is sent to a destination of different CIDR blocks, there must be a record corresponding to the IP-MAC address of a gateway.

Knowing the role of the ARP protocol, we can clearly know that packet forwarding relies heavily on the ARP Protocol. Of course, it depends on the ARP cache. You must know that all ARP operations are automatically completed by the kernel and have nothing to do with other applications. At the same time, it should be noted that the ARP Protocol only applies to this network.

 

 

 

5. Does ARP not receive ARP responses only when an ARP request is sent ??

When a computer receives an ARP response packet, it updates the local ARP cache and stores the IP and MAC addresses in the response in the ARP cache. Therefore, assume that in the above network, B sends a self-built ARP response to a, and the data in this response is that the sender's IP address is 192.168.10.3 (C's IP address ), the MAC address is a DD-DD-DD-DD-DD-DD (the MAC address of C should have been a CC-CC-CC-CC-CC-CC, Which is forged here ). When a receives B's forged ARP response, it updates the local ARP cache and replaces the local IP-MAC table with the received data format, because all of this is automatically completed by system kernel A, A does not know it has been forged.

 

 

6. Free ARP

We know that if a host with the same IP address exists in the network, an IP address conflict warning will be reported. How did this happen?

For example, if host B sets the IP address to 1923168.0.1, changing the IP address of host a to 192.168.0.1 will cause an IP address conflict. The principle is: When host a connects to the network (or changes the IP address), it will send an ARP packet to the network to broadcast its own IP address, that isFreearp. If host B with the same IP address exists in the network, B will reply the address through arp. When a receives this reply, a will jump out of the IP address conflict warning, of course, B also has a warning.

Therefore, ARP spoofing can be used to forge this arpreply, which keeps the target suffering from IP address conflict warnings.

 

 

7. Two ARP spoofing Methods

1. Send forged ARP response packets to the target. The sender's IP address is the gateway address, while the MAC address is a forged IP address. When the target receives the ARP packet, it updates its ARP cache. If the spoofing continues, the target gateway cache is always a forged error record. Of course, if some people know ARP-A, they will know the problem.

2. This method is very embarrassing and can fool the gateway. Send a forged ARP response packet to the Gateway. the sender's IP address is the destination IP address, while the MAC address is a forged IP address. In this way, the target ARP record on the gateway is incorrect, and all the data packets sent by the gateway to the target use the wrong MAC address. In this case, the target can send data to the gateway, but cannot receive any data from the gateway. At the same time, the target can view ARP-A without any problems.

 

 

8. How can I detect Sniffer In a lan?

First, let's take a look at how data is transmitted in the LAN. When the destination address of a data packet is a computer in the LAN, the data packet is sent to each computer in the network as a broadcast. The NIC of each computer will analyze the destination MAC address (that is, the ethernet address) in the packet, if this address is the MAC address of this computer or the broadcast address (FF-FF-FF-FF-FF-FF), then, the packet will be received, and if not, the NIC will discard it directly. However, there is a premise that the NIC of the computer on the receiving end works in normal mode. If the NIC is setHybrid modeThen it can receive all the packets that pass through (including, of course, packets whose destination is not local ). That is to say, as long as the packet is sent to the LAN, it will be received by the NIC in the mixed mode! This is the basic principle of sniffer.

In view of the principle of sniffer is to set the network card to the mixed mode, we can find a way to detect the network card that is set to the mixed mode in the network, in order to determine whether there is sniffer. Here, let's take a look at the computer's rules for receiving data packets. As mentioned above, in normal mode, the network adapter first determines the destination MAC address of the data packet. If it is a local MAC address or a broadcast address, the data packet will be received into the system core, otherwise, it will be discarded. If the NIC is set to the hybrid mode, all data packets will directly enter the system core. After the data packets arrive at the system core, the system will further filter the data packets: the system only responds to packets whose destination MAC address is the local MAC address or broadcast address. If arp request packets are received, the system returns an ARP response packet.

However, the difference is that the core of the system and the NIC have different judgment on the broadcast address: in windows, the NIC determines all the six digits of the MAC address, the system core only determines the first two digits of the MAC address (Win98 or even the first digit). That is to say, for the system core, the correct broadcast address FF-FF-FF-FF-FF-FF and the wrong broadcast address FF-FF-FF-FF-FF-FE are the same, are considered as broadcast addresses, and even the FF-FF-00-00-00-00 will be considered as broadcast addresses! Here, smart readers probably know how to do it. If we construct an ARP request packet whose destination MAC address is the FF-FF-FF-FF-FF-FE, the packet will be discarded for the NIC in normal working mode, of course, no packet will be returned; for NICs in hybrid mode, data packets are received at the core of the system. The system core considers this MAC address as a broadcast address, so it returns an ARP response packet. In this way, we can determine that sniffer exists on this machine.

 

9. When the NIC is in normal mode, it receives data packets.

When the network adapter is in normal mode, it only receives packets from the host and broadcast address on the Mac. I think it receives broadcast packets to detect IP conflicts, such as free arp, if there is no conflict, nothing will be done. However, the host receiving Mac is used to respond to ARP requests.

 

 

Article Source: http://blog.chinaunix.net/u/27698/showart_311084.html