First, the protocol format
The format of the ARP protocol is as follows. It is explained in two parts:
1, The part in the red box is the Ethernet header, 14 bytes in total. Every packet you send over Ethernet, whatever the protocol, must carry this header. Description of each field:
| Field | Bytes | Description |
|---|---|---|
| Ethernet destination address | 6 | The MAC address of the host the information is sent to |
| Ethernet source address | 6 | The MAC address of the host the information is sent from |
| Frame type | 2 | Indicates what type of packet this is. For ARP, the value is 0x0806 |
2, The part in the blue box is the format of the ARP protocol itself (request/reply):
| Field | Bytes | Description |
|---|---|---|
| Hardware type | 2 | Typically 1, which indicates the Ethernet hardware address type |
| Protocol type | 2 | Typically 0x0800, which represents the IP address type |
| Hardware address length | 1 | The length of the MAC address; fill in 6 |
| Protocol address length | 1 | The length of the IP address; fill in 4 |
| Op | 2 | Operation field. ARP request: 1, ARP reply: 2, RARP request: 3, RARP reply: 4 |
| Sender Ethernet address | 6 | |
| Sender IP address | 4 | |
| Destination Ethernet address | 6 | |
| Destination IP address | 4 | |
For an ARP request, all fields are filled in except the destination hardware address. When a system receives an ARP request whose destination is itself, it fills in its hardware address, swaps the two sender addresses with the two destination addresses, sets the operation field to 2, and sends the packet back.
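The field layout from the two tables and the request-to-reply rule just described, as an added example (not code from the original article): a Python parser for the 14-byte Ethernet header plus the 28-byte ARP body, and a function that turns a parsed request into the reply bytes. The sample frame, the MAC and IP addresses, and all function names are constructed for illustration.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # destination MAC, source MAC, frame type
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # the nine ARP fields from the table
ARP_FIELDS = ("hw_type", "proto_type", "hw_len", "proto_len", "op",
              "sender_mac", "sender_ip", "target_mac", "target_ip")

def parse_frame(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header and the 28-byte ARP body."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("frame shorter than 42 bytes")
    dst, src, frame_type = ETH_HDR.unpack_from(frame, 0)
    if frame_type != 0x0806:
        raise ValueError("frame type is not ARP (0x0806)")
    arp = dict(zip(ARP_FIELDS, ARP_PKT.unpack_from(frame, ETH_HDR.size)))
    if (arp["hw_type"], arp["proto_type"], arp["hw_len"], arp["proto_len"]) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": dst, "eth_src": src, "frame_type": frame_type, **arp}

def build_reply(request: dict, my_mac: bytes) -> bytes:
    """Form the reply as described: fill in our MAC, swap sender/target, op = 2."""
    if request["op"] != 1:
        raise ValueError("not an ARP request")
    eth = ETH_HDR.pack(request["sender_mac"], my_mac, 0x0806)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, 2,
                       my_mac, request["target_ip"],                 # we become the sender
                       request["sender_mac"], request["sender_ip"])  # requester becomes target
    return eth + arp

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

# Constructed sample: 192.168.1.10 asks who has 192.168.1.1 (MACs are made up).
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"        # Ethernet header, broadcast destination
    "0001" "0800" "06" "04" "0001"              # hw type, proto type, lengths, op = request
    "001122334455" "c0a8010a"                   # sender MAC, sender IP
    "000000000000" "c0a80101")                  # target MAC (unknown), target IP

if __name__ == "__main__":
    req = parse_frame(SAMPLE_REQUEST)
    rep = parse_frame(build_reply(req, bytes.fromhex("66778899aabb")))
    for name, pkt in (("request", req), ("reply", rep)):
        print(name, "op", pkt["op"], mac(pkt["sender_mac"]), ip(pkt["sender_ip"]),
              "->", mac(pkt["target_mac"]), ip(pkt["target_ip"]))
```

The hex dump pane of a capture tool shows the same 42 bytes, so a frame copied from there can be passed to `parse_frame` in place of the constructed sample.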
Second, analysis of the ARP protocol
Here we use a packet capture tool: Wireshark. It is a free packet capture tool that uses the WinPcap driver, and you can download it online. Below I mainly use this tool to analyze the ARP protocol format. (On Linux you can use tcpdump to capture packets; this ARP explanation is all based on Win7.)
1, Wireshark basic usage
For how to use Wireshark, you can search online, and the download package also includes a copy of the documentation. Here is a brief explanation of its basic use.
Install and open Wireshark, and this interface will appear:
Click Capture -- Network Interfaces
In the window that appears, the 1st column, Details, is the description of your computer's network adapters (NICs). I have 3: the first is the wireless network card, the second is a virtual wireless network card, and the third is the network card with a network cable plugged in.
The 2nd column, IP address, is the IP/MAC address of each network card. The MAC address is displayed by default; clicking on it shows the IP address.
The 3rd column, Packets, is the number of packets that have passed through the network card.
The 4th column, Packets/s, is the number of packets per second.
Of the 3 network cards above, only the first one has traffic (a packet count), so on this machine the first NIC is the one in use. Of course, more than one network card may be in use; in that case, which card's data to listen to is up to you. (They can be distinguished by IP/MAC address.)
Wireshark supports many filtering rules; if none is set, it shows all packets that pass through the NIC. Here I set no filter and click the Start button above, which shows:
In the picture, I marked 4 parts with red boxes. Part 1 is the filter: fill in the expression you want to filter on here (it cannot be arbitrary; refer to the documentation). Part 2 is the main part, showing the packets that pass through the network card; the meaning of each column is clear from its name, so I will not dwell on it here. Part 3 is the description of the selected packet's format. Part 4 is the raw packet contents (hex).
2, The ARP packet explained
Now, following the ARP protocol format, let us study how ARP is actually transmitted on a real network. Also, once Wireshark is started it keeps displaying packets; to keep too many packets from being displayed and getting in the way of our analysis, the capture can be paused.
In the Protocol column we look for ARP. If there are too many packets, you can enter arp in the filter box to show only the ARP protocol.
We pick an ARP packet at random:
The red lines and boxes above mark the various fields of the ARP protocol format described earlier; with the protocol format understood, they are all easy to read.
Some readers have asked: can I control this packet myself?
OK, in the next article, we will mainly study how to program ARP.
Copyright notice: This is an original article by the blogger and may not be reproduced without the blogger's permission.
ARP Protocol (2) an explanation of the ARP protocol format