A host that communicates in the same network (which is not specifically referred to as an Ethernet network) must have the MAC address of the target host to correctly send the data to the target host, so how to know the MAC address of the target host. Can be passed through the ARP protocol. The ARP protocol is used to obtain the corresponding MAC address of the destination IP address, that is, the ARP protocol can dynamically establish a mapping relationship between the three-tier IP address and the two-tier MAC address. You can use the following schematic diagram to represent its role:
As you can see, the above diagram is a protocol that divides the ARP protocol into the network layer and considers it to be a network layer, which is due to its service to the IP protocol of the network layer. In fact, because the ARP protocol is used to parse the address (physical address/hardware address) of the data link layer of the IP address (logical address), it is not a problem to divide it into the data link layer, which is not strictly defined.
we will analyze four kinds of common ARP packets: ARP Request packet, ARP response packet, gratuitous ARP packet and IP address conflict detection, and analyze the process of ARP proxy.
The following environments are used:
Network device Simulator: GNS3
Grab Package software: Wireshark
1. Network Environment Construction
For the sake of brevity, there is not a large network environment to meet the needs of the previous four cases of ARP packet analysis, but in the analysis of different ARP conditions, respectively, to build a smaller network environment, so that we can make our analysis more targeted.
2.ARP Packet Message Format
as follows:
Note that we are concerned about the 28-byte ARP packet, but the above diagram also contains the Ethernet header field information (obviously the Ethernet header frame type is ARP, mentioned in the analysis of IP protocol, this is a concept of data separation).
because of the ARP packet analysis, in fact, we should be more concerned about the ARP request packets, ARP response packets, gratuitous ARP packets or ARP agent-related knowledge, and the following practice is mainly discussed in categories. So the following gives a general ARP packet (Request packet) of the actual structure, and then give the specific meaning of each field (referring to the "TCP/IP Detailed Volume 1: Protocol" part of the content), first make a basic understanding, and finally detailed analysis of the process of these packages:
a common ARP packet (the actual structure of the request packet)
the specific meaning of each field of the ARP packet (compared to the bag actually caught above)
| Field | Meaning |
| Hardware type | Accounted for 16 people Represents the type of hardware address, and a value of 1 means the Ethernet address, which is the MAC address |
| Protocol type | Point 16 bit Represents the type of protocol address to be mapped, with a value of 0x0800 representing the IP address, because this article is analyzed on the basis of the IP protocol (that is, the network layer logical address is the IP address), so the packet caught by the field type is 0x0800 |
| Hardware address length | Accounted for 8 people Indicates the length of the hardware address, in bytes, because this article is for Ethernet, and the Ethernet address is the MAC address, which accounts for 48 bits, or 6 bytes, so the value of the field in the packet after the catch is 6, no longer a special description |
| Protocol Address length | Accounted for 8 people Indicates the length of the three-layer logical address, in bytes, because this article is for the Ethernet address and IP address mapping, and the IP address accounted for 32 bits, that is 6 bytes, so the packet caught later in the value of the field is 4, no longer for special instructions |
| Action Field | Indicate the type of operation, the corresponding value is as follows: ARP Request: 1 ARP Response: 2 Rarp Request: 3 Rarp Response: 4 But because Rarp is now rarely used, this article will not discuss |
| Send-side Ethernet Address | Accounted for 48 people This is exactly the "send-side hardware address", but because this article is discussed only for Ethernet, it is expressed as "send-side Ethernet address" |
| Send-side IP address | Accounted for 32 people This is exactly the "send-side network layer logical address", but because this article is only for the discussion of Ethernet address and IP address mapping, it is expressed as "send-side IP address" |
| Destination Ethernet Address | Accounted for 48 people |
| Destination IP Address | Accounted for 32 people |
3. Analyze the implementation of ARP in practice: ARP request, ARP response
(1) Network environment Construction
This section is mainly to crawl the ARP Request packet and ARP response packets to parse the ARP request and response of a detailed process, and corresponding ARP packet related fields meaning, this practice of the network environment is relatively simple, as follows:
make the following configuration on the R1 router:
R1#conft R1 (config) #intf0/0 R1 (config-if) #noshu R1 (config-if) #ipadd192.168.1.1255.255.255.0 R1 (config-if) #dowr
make the following configuration on the R2 router:
R2#conft R2 (config) #intf0/0 R2 (config-if) #noshu R2 (config-if) #ipadd192.168.1.2255.255.255.0 R2 (config-if) #dowr
then view the ARP cache table on the R1 router:
R1#showarp protocoladdressage (min) hardwareaddrtypeinterface internet192.168.1.1-cc01.127f.0000arpafastethernet0/0
you can see that the ARP cache table does not have a 192.168.1.2 MAC address, so if you will R1 send data to R2, there will inevitably be ARP requests occur, so please make sure R1 does not have 192.168.1.2 MAC address, if any, it is recommended to restart two routers. (Although a clear arp-cache can be executed on the router to clear the ARP cache table, it is generated immediately after the purge, so it is recommended to restart directly)
(2) fetching and parsing ARP request packets and ARP response packets
First, start the Wireshark on the R1 and R2 links to monitor the R1 interface. (This is the function of GNS3, can directly crawl through the link between the two routers of the packet)
execute the following command on the R1:
router#ping192.168.1.2 Typeescapesequencetoabort. Sending5,100-byteicmpechosto192.168.1.2,timeoutis2seconds: .!!!! Successrateis80percent (4/5), round-tripmin/avg/max=44/62/76ms
. Indicates that the data was sent successfully, and you can see that the first is ".", which indicates that the data sent failed because the first package was sent R1 does not have a 192.168.1.2 MAC address, so go to send an ARP request to get its MAC address, but when the MAC address, the first packet has timed out (waiting for the MAC address timeout), and did not send out, you can see the following packets caught:
you can see that there are already 2 ARP packets (one request and 1 answer) and 8 ICMP packets (4 requests and 4 answers), here we mainly analyze ARP packets.
ARP Request packet
The packet structure is as follows:
The field analysis is as follows:
A. Hardware type, protocol type, hardware address length, protocol address length
The contents of these fields are the same as discussed earlier, as they are for Ethernet and IP addresses
B. action field opcode
you can see that the value of opcode is request (1), so this is an ARP request packet.
c. Send-side Ethernet address
we are sending data from R1 to R2.
to execute the result from the previous command:
R1#showarp protocoladdressage (min) hardwareaddrtypeinterface internet192.168.1.1-cc01.127f.0000arpafastethernet0/0
This is indeed the MAC address of the R1 (the MAC address of the interface that has the 192.168.1.1 IP address configured).
d. Send-side IP address
The sending end is also really 192.168.1.1, that is, R1.
E. Destination Ethernet Address
As you can see here is full 0, in the ARP request packet, the value of the destination Ethernet address field is set to 0, because at this point it is not known what the destination Ethernet address is (that is, you do not know what the 192.168.1.2 MAC address is).
F. Destination IP address
the packet is sent from R1 to R2, so the destination IP address is 192.168.1.2,R2 received this ARP request packet, if you see the content of this field is its own IP address, will reply to this ARP packet, that is, will send an ARP response packet.
The field content is not difficult to understand, but it is important to note that the destination MAC address of the data link layer of this ARP request packet is viewed:
will find that it is a broadcast address, which means that an ARP request packet is sent, all hosts in the Ethernet can receive the ARP request packet, but not all hosts will reply to this ARP request packet, only if the IP address of the receiver and the target IP in the ARP Request packet The destination IP addresses identified in address are the same when the reply is made.
ARP Response package
The packet structure is as follows:
compared to the ARP Request packet analysis, actually found that there is no correlation, but there are several differences: a. ARP Response package action field opcode value is reply (2)
b.arp Response Packet Two-tier destination MAC address for ARP Request packet sender's MAC address
That is , the ARP Request packet is sent as a broadcast, but the ARP is sent as unicast, and then to whom. The ARP request package who sent the ARP response packet to whom, the corresponding two-tier destination MAC address is the ARP Request packet sender's MAC address
c. Send-side Ethernet address, send-side IP address, destination Ethernet address, destination IP address
As opposed to the contents of the ARP request package, except that the values of all address fields in the ARP response package are known, this is easy to understand, but it is important to note that at this point the ARP response packet is clearly being sent to, so the ARP response packet is a unicast packet.
as seen above, the process of understanding the regular ARP Request packets and ARP response packets is not complicated, as long as you know the fundamentals of network communication, the values of each field are easy to understand.
4. Analysis of the implementation process of ARP in practice: gratuitous ARP and IP address conflict detection
paid ARP
Before getting an IP address corresponding to the MAC address is, you need to send an ARP request packet, and then by receiving an ARP response packet to know the corresponding MAC address of the IP address, because the need to send ARP Request packet, we can think that this is "paid", that is to pay some price.
gratuitous ARP
and the so-called gratuitous ARP, refers to, I do not need to send an ARP request package, the other side will be "free" to an ARP response packets to me (in fact, the main is actively sent over), to tell me its MAC address.
(1) Network environment Construction
but in summing up when the other side will take the initiative to send an ARP response packets, we first practice, the network environment or with the above:
However, we need to modify the R2 IP address, modified to 192.168.1.252 (in the process of grasping the package software Wireshark to open), as follows:
r2>en r2#conft R2 (config) #intf0/0 R2 (config-if) #ipadd192.168.1.252255.255.255.0
(2) fetching and parsing ARP request packets and ARP response packets
after doing so, open the Wireshark software, and you will find a package that catches the following:
can see a column of info, there is a gratutous logo, Chinese meaning is "free of charge" means, we can look at the structure of the packet:
by looking at the value of the action field opcode, it can be found that the gratuitous ARP is actually an ARP response packet (although the normal ARP response packet is sent in the form of unicast, and the gratuitous ARP is sent in the form of broadcast), but this ARP response packet is very special, it is actively sent, That is, it is gratuitous, free of charge.
It is also important to note that the sender IP address and destination IP address is the same, this is the gratuitous ARP differs from the ordinary ARP response packet where, when this packet is the network of other hosts (obviously our network environment here is relatively simple, so only R1) received, It will let these hosts update their ARP cache tables with new IP and MAC address relationships. Because this ARP packet is unsolicited, which causes the client to update the ARP cache, it is called a gratuitous arp.
after the analysis of the gratuitous ARP, given the following cases, there will be a gratuitous ARP process occurs:
A. Changed the IP address of the device
B. Some operating systems send gratuitous ARP (both Windows and Linux) after the boot is complete
(3) IP address conflict detection
again, what is the benefit of gratuitous ARP? as follows:
A. Allow hosts in Ethernet to update their ARP cache tables in a timely manner, ensuring that the correct address information can be accurately closed when data is sent
B. Detecting IP address conflicts
In this connection, you can reconfigure an IP address for R2 and the same as R1:
r2>en r2#conft R2 (config) #intf0/0 R2 (config-if) #ipadd192.168.1.1255.255.255.0
The output of the error log can be seen almost immediately on the console of R1 and R2:
r1> *mar100:54:39.007:%ip-4-dupaddr:duplicateaddress192.168.1.1onfastethernet0/0, sourcedbycc02.1a18.0000 *mar100:55:09.043:%ip-4-dupaddr:duplicateaddress192.168.1.1onfastethernet0/0, sourcedbycc02.1a18.0000 *mar100:55:39.739:%ip-4-dupaddr:duplicateaddress192.168.1.1onfastethernet0/0, sourcedbycc02.1a18.0000 *mar100:56:10.011:%ip-4-dupaddr:duplicateaddress192.168.1.1onfastethernet0/0, sourcedbycc02.1a18.0000 *mar100:56:40.715:%ip-4-dupaddr:duplicateaddress192.168.1.1onfastethernet0/0, sourcedbycc02.1a18.0000 *
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
