Network of dry goods, whether it is operation or development are to know the Network Knowledge Series (iv)

ARP protocol

The ARP protocol is an abbreviation for "Address Resolution Protocol" (Addresses Resolution Protocol).
The ARP Address Resolution protocol is used to convert the computer's network address (IP address 32-bit) to a physical address (MAC address 48-bit) [RFC826]. The ARP protocol is the protocol that belongs to the data link layer, and the other host that arrives in the network from one host in the Ethernet is determined by the 48-bit Ethernet address (the hardware address) to determine the interface, rather than the 32-bit IP address. The kernel (such as drivers) must know the hardware address of the destination to send data

1, the application constructs the packet, the example is to generate the ICMP packet, is submitted to the kernel (network driver), 2, the kernel checks whether the IP address can be converted to the MAC address, that is, in the local ARP cache to view the ip-mac corresponding table [1];3, if there is a ip-mac corresponding relationship, Then skip to step 7, if there is no such ip-mac correspondence, then follow the steps below, 4, the kernel for ARP broadcast, the destination MAC address is the FF-FF-FF-FF-FF-FF,ARP command type is request (1), which contains its own MAC address; 5. When the 192.168.1.2 host receives the ARP request, it updates the source host's IP address and Mac to its own ARP buffer, and then sends an ARP reply (2) command with its own MAC address; 6. The Ip-mac address correspondence of the 192.168.1.2 host is obtained locally and saved to the ARP cache; 7, the kernel will convert the IP to MAC address, then encapsulate the Ethernet header structure, and then send the data out;

The local ARP cache content can be viewed using the arp-a command, so after a local ping command is executed, the ARP cache will have a record of the destination IP. Of course, if your packet is destined for a different network segment, there must be a record for the Ip-mac address of the gateway

The first two fields in the Ethernet header are the source and destination addresses of the Ethernet.

A special address with a destination address of all f is a broadcast address. All Ethernet interfaces on the cable will receive the broadcast data frame
A two-byte long Ethernet frame type represents the type of data that follows. For ARP requests or replies, the value of this field is 0x0806
Hardware (Hardware) and Protocol (protocol) are used to describe the various fields in the ARP grouping.

For example, an ARP Request packet asks the protocol address (here is the IP address) corresponding to the hardware address (here is the Ethernet address)
The Hardware Type field represents the type of hardware address. Its value is 1, which means the Ethernet address. The protocol type field represents the type of protocol address to map. Its value is 0x0800, which means the IP address
The hardware address length and the protocol address length respectively indicate the length of the hardware address and protocol address, in bytes. For ARP requests or responses for IP addresses on Ethernet, they are 6 and 4, respectively. Each occupies 1 bytes
The OP action field indicates four types of operations, which are ARP requests (value 1), ARP Responses (value 2), Rarp requests (with a value of 3), and R ARP responses (a value of 4).
The next four fields are the hardware address of the sending side (in this case, the Ethernet address), the Protocol address (IP address) of the sender, the hardware address of the destination, and the protocol address of the destination side.

Note that there is some duplication of information: there is a hardware address for the sending side in the data frame header of the Ethernet and the ARP request data frame.
For an ARP request, all other fields except the destination hardware address have padding values. When the system receives an ARP request message from the destination, it fills in the hardware address, replaces the two sending address with two destination addresses, and then resets the Operation field to 2 and sends it back.

Rarp is the reverse address Translation protocol

The Reverse Address Translation protocol (Rarp:reverse addressing Resolution Protocol) Reverse Address Translation Protocol (RARP) allows the physical machine on the LAN to request its IP address from the Gateway server's ARP table or cache. The network administrator creates a table in the LAN gateway router to map the physical address (MAC) and its corresponding IP address. When a new machine is set up, its RARP client program needs to request the appropriate IP address from the RARP server on the router. Assuming a record has been set in the routing table, the RARP server will return an IP address to the machine, which will be stored for later use.

tcpdump fetching ARP Packets:

[root@station040 ~]# tcpdump-i eth0 ARP and host192.168.0.18tcpdump:verbose output suppressed, use-V OR-VV forFull protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size thebytes -: -:59.533494ARP Who-has192.168.0.18Tell192.168.0.40                   //Request for ARP     -: -:59.533874ARP reply192.168.0.18  is-atxx: 0c: in: to:d c:4b (Oui Unknown)//ARP Response[root@station040~]# tcpdump-i eth0 Arp and host192.168.0.2-w/var/ftp/arp.tcpdump tcpdump:listening on eth0, link-type EN10MB (Ethernet), capture size thebytes2Packets Captured215packets received by filter thepackets dropped by kernel [root@station040~]# tcpdump-i eth0 Arp and host192.168.0.2-C5-w/var/ftp/Arp.tcpdump [root@station040~]# tcpdump-i eth0 Arp and host192.168.0.2-R/var/ftp/arp.tcpdump//read from FileReading fromFile/var/ftp/pg/arp.tcpdump, link-type EN10MB (Ethernet) -: +:48.307307ARP Who-has192.168.0.2Tell192.168.0.40     -: +:48.307630ARP reply192.168.0.2  is-atxx: 0c: in: 9e: About: EF (oui Unknown)//tcpdump By default, only the first bytes,-s 1500 of the package is captured to capture the entire packet of data

View Code

Viewing cache tables
[root@station040 ~]# ARP
Note: If there are two Macs, the target host may be a dual NIC, or it may be an IP conflict
If unable to communicate properly (ping does not pass), that is the IP conflict, otherwise the dual NIC

Answer the question

1. What is the nature of IP conflict?
We know that if a host with the same IP address exists on the network, a warning of IP address collisions is reported. How did this come about?
For example, a Host B specifies that the IP address is 192.168.0.1, if it is turned on, then other machine A is more
Changing the IP address to 192.168.0.1 will cause an IP address conflict. The principle is: Host a when connected to the network (or change the IP address) will be sent to the network ARP packet broadcast its own IP address, that is, Freearp. If Host B with the same IP address is present on the network, B will reply the address via ARP, and when a receives the reply, a will jump out of the IP address conflict warning, and B will also have a warning
2.ARP Spoofing
The ARP protocol does not receive ARP replies more than just sending an ARP request. When the computer receives an ARP reply packet, the local ARP cache is updated, and the IP and MAC addresses in the answer are stored in the ARP cache. So, in the hypothetical network above, B sends a self-forged ARP response to A, And the data in this answer is the sender IP address is 192.168.10.3 (IP address of C), MAC address is DD-DD-DD-DD-DD-DD (C's MAC address should be CC-CC-CC-CC-CC-CC, here is forged). When a receives a spoofed ARP response, it updates the local ARP cache, replacing the local Ip-mac table with the received data format, since it is all automatic for A's system kernel, and A is not known to be forged.

ARP features of the Protocol

① resolving IPV4 addresses to MAC addresses

② Maintaining a mapped cache

Description

The network layer corresponds to an IP address, which is used across network segments

The link-layer address corresponds to the MAC address, which is the physical address and is used inside the LAN

MAC address is like your nickname, only the local area network is valid

ARP protocol Process Description

Internet Layer-related tools

Ping Traceroute/tracert

Analysis of Internet communication Engineering by example

① host a want to access the Host B, assuming that PCA is telnet to the PCB to access ② host A by the application layer to build a packet, send to the Transport Layer ③ Transport layer has the concept of port number, will be sent over the top of the packet with the TCP header, namely the source port and the destination port, the source port number is random, The destination port is 23 because access is the destination address of the Telnet service, and then the encapsulated packets to the lower ④ in the Internet layer on the IP concept, will be sent over the top of the packet with the IP header, that is, the source IP address  and destination IP address, the source IP address is the IPA address, The destination IP address is IPB  and then the encapsulated packet to the network access Layer ⑤ Network access layer has the concept of MAC address, will be sent over the top of the packet plus MAC address that is the source MAC address  and destination MAC address, the source MAC address is the IPA Mac, The MAC address of the target  is the MAC address of the Gateway interface, by default, if there is no MAC address of the Gateway interface, an ARP broadcast is sent, and the MAC address of the Gateway interface is obtained ⑥ host A will transmit the encapsulated packet to the router ⑦ router after receiving the packet. The packet is unpacked, the destination IP segment address is obtained, and the routing table is queried for routing forwarding. ⑧ the router arrives at the destination network, the router broadcasts ARP, locates the MAC address of the destination IP address, and forwards the data to the Host B based on the target MAC address obtained.

　　

Disclaimer: As this article is based on books written blog, if you have a similar article blog, please contact me, I will be in the Declaration of origin.

Network of dry goods, whether it is operation or development are to know the Network Knowledge Series (iv)