Chapter 23: RL-TCPnet Address Resolution Protocol (ARP)
This chapter explains ARP (Address Resolution Protocol). Having studied TCP and UDP in the previous chapters, you also need a basic understanding of ARP.
(The knowledge points in this chapter are mainly compiled from online sources.)
23.1 Important tips for beginners
23.2 ARP basic knowledge references
23.3 ARP basics
23.4 ARP functions
23.5 Summary
23.1 Important tips for beginners
Having studied TCP and UDP in the previous chapters, beginners also need to understand the basics of ARP.
23.2 ARP basic knowledge references
To understand TCP and UDP more fully, it helps to know the basics of the ARP protocol. You can get them from the following addresses:
- RFC 826: ftp://ftp.rfc-editor.org/in-notes/rfc826.txt
- Wikipedia, Chinese version: address link (this is a hyperlink)
- Wikipedia, English version: address link (this is a hyperlink)
- Baidu Encyclopedia: address link (this is a hyperlink)
For beginners, the four references above are enough. If you have a networking book such as "TCP/IP Illustrated", you can also read that directly.
23.3 ARP basics
(The knowledge points here are collated from the reference addresses above.)
This tutorial also gives an introduction to the basics of ARP here, so that you have a general understanding first.
23.3.1 ARP Brief description
The basic function of ARP (Address Resolution Protocol) is to look up the MAC address of a target device from its IP address so that communication can proceed. It is an essential network-layer protocol in IPv4, but it is not used in IPv6, where it is replaced by NDP (Neighbor Discovery Protocol).
The Ethernet protocol stipulates that a host must know the MAC address of the target host in order to communicate directly with another host in the same LAN. In the TCP/IP protocol suite, the network layer and the transport layer care only about the IP address of the target host. As a result, when IP is used over Ethernet, the data handed down from the IP layer to the Ethernet data link layer contains only the IP address of the destination host. A method is therefore needed to obtain the destination host's MAC address from its IP address, and this is what ARP does. Address resolution is the process by which a host translates a destination IP address into a destination MAC address before sending a frame.
In addition, when the sending host and the destination host are not in the same LAN, the two cannot communicate directly even if the MAC address of the destination host is known; the traffic must be forwarded by a router. In this case, what the sending host obtains through ARP is not the real MAC address of the destination host but the MAC address of a router that leads out of the local network. All frames that the sending host sends to the destination host then go to this router, which forwards them onward. This is called proxy ARP.
ARP is not used on a point-to-point link, and MAC addresses are not actually used in a point-to-point network, because the IP address of the peer is already known in such a network.
23.3.2 ARP Working process
Working conditions:
- Host A has an IP address of 192.168.1.1 and a MAC address of 0a-11-22-33-44-01.
- Host B has an IP address of 192.168.1.2 and a MAC address of 0a-11-22-33-44-02.
Working process:
When host A wants to communicate with host B, the Address Resolution Protocol resolves host B's IP address (192.168.1.2) to host B's MAC address. The workflow is as follows:
- Step 1: Based on the contents of the routing table on host A, IP determines that the forwarding IP address used to reach host B is 192.168.1.2. Host A then checks its own local ARP cache for a MAC address matching host B.
- Step 2: If host A does not find a mapping in the ARP cache, it broadcasts an ARP request frame to all hosts on the local network, asking for the hardware address of 192.168.1.2. The ARP request includes the IP address and MAC address of the source, host A. Each host on the local network receives the ARP request and checks whether it matches its own IP address. If a host finds that the requested IP address does not match its own IP address, it discards the ARP request.
- Step 3: Host B determines that the IP address in the ARP request matches its own IP address, and adds the IP address and MAC address mapping of host A to its local ARP cache.
- Step 4: Host B sends an ARP reply message containing its MAC address directly back to host A.
- Step 5: When host A receives the ARP reply message from host B, it updates its ARP cache with the IP and MAC address mapping of host B. The local cache has a lifetime, and after the lifetime is over the above procedure is repeated. Once the MAC address of host B is determined, host A can send IP traffic to host B.
23.3.3 ARP Cache table
The ARP cache is a buffer that stores IP addresses and MAC addresses. It is essentially a table mapping IP addresses to MAC addresses, in which each entry records the IP address of another host on the network and the corresponding MAC address. Each Ethernet or Token Ring network adapter has its own separate table. When the Address Resolution Protocol is asked for the MAC address of a node with a known IP address, it first looks in the ARP cache. If the entry is present, it returns the corresponding MAC address directly; if not, it sends an ARP request to the LAN.
To minimize the amount of broadcast traffic, ARP keeps a cache of IP-to-MAC address mappings for later use. The ARP cache can contain both dynamic and static entries. Dynamic entries are added and deleted automatically over time. The potential lifetime of each dynamic ARP cache entry is 10 minutes. Each entry is timestamped when it is added to the cache. If an entry is not reused within 2 minutes of being added, it expires and is removed from the ARP cache. If an entry is used, it receives another 2 minutes of lifetime, and an entry that stays in use keeps receiving additional 2-minute extensions, up to the maximum lifetime of 10 minutes. Static entries remain in the cache until the computer is restarted.
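The aging rules above, written out as a small cache whose lookup either returns a live mapping or tells the caller to broadcast an ARP request (steps 1, 2 and 5 of the workflow in 23.3.2). This is an added example, not RL-TCPnet code; cache_learn(), cache_lookup(), the table size and the time source in seconds are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define IDLE_LIMIT 120u  /* seconds an entry survives without being used */
#define MAX_LIFE   600u  /* seconds an entry survives in total */
#define SLOTS      8

static struct arp_entry {
    uint32_t ip;                   /* 0 marks a free slot */
    uint8_t  mac[6];
    uint32_t added_at, last_used;  /* timestamps in seconds */
} cache[SLOTS];

/* Store a mapping from an ARP reply; a repeat for the same IP overwrites it. */
int cache_learn(uint32_t ip, const uint8_t mac[6], uint32_t now)
{
    struct arp_entry *e = NULL;
    for (int i = 0; i < SLOTS; i++) {
        if (cache[i].ip == ip) { e = &cache[i]; break; }
        if (cache[i].ip == 0 && !e) e = &cache[i];
    }
    if (!e || ip == 0) return -1;  /* table full or invalid address */
    e->ip = ip;
    e->added_at = e->last_used = now;
    memcpy(e->mac, mac, 6);
    return 0;
}

/* 1 = live hit (mac filled in); 0 = caller must broadcast an ARP request. */
int cache_lookup(uint32_t ip, uint32_t now, uint8_t mac[6])
{
    for (int i = 0; ip != 0 && i < SLOTS; i++) {
        struct arp_entry *e = &cache[i];
        if (e->ip != ip) continue;
        if (now - e->last_used >= IDLE_LIMIT || now - e->added_at >= MAX_LIFE) {
            e->ip = 0;             /* expired: free the slot */
            return 0;
        }
        e->last_used = now;        /* each use buys another 2 minutes */
        memcpy(mac, e->mac, 6);
        return 1;
    }
    return 0;
}

int main(void)
{
    uint8_t b[6] = {0x0a, 0x11, 0x22, 0x33, 0x44, 0x02}, out[6];
    return cache_learn(0xC0A80102u, b, 0) || !cache_lookup(0xC0A80102u, 60, out);
}
```

Because cache_learn() overwrites an existing entry, a wrong mapping accepted from the network stays in use until one of the two timers runs out or a correct reply replaces it.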
To view the ARP cache table on a computer:
- Press Win+R to open the Run window and enter cmd.
- In the command window that opens, type arp -a.
- After typing arp -a, press Enter.
The output is the ARP cache table on the computer.
23.3.4 ARP Message format
To carry the mapping between IP addresses and 48-bit Ethernet addresses, a packet format that implements the address resolution protocol is required. The following is the ARP message format together with the Ethernet header data:
- Ethernet frame header
  - Destination Ethernet address: the destination MAC address. FF:FF:FF:FF:FF:FF (all bits set to 1) is the broadcast address.
  - Source Ethernet address: the sender's MAC address.
  - Frame type: the Ethernet type; for ARP it is 0x0806.
- Ethernet message data
  - Hardware type: for example Ethernet (0x0001) or a packet radio network.
  - Protocol type: for example IP, the Internet Protocol (0x0800), or IPv6 (0x86DD).
  - Hardware address length: the length in bytes of each hardware address, typically 6 (Ethernet).
  - Protocol address length: the length in bytes of each protocol address, typically 4 (IPv4).
  - Opcode: 1 is ARP request, 2 is ARP reply, 3 is RARP request, 4 is RARP reply.
  - Source hardware address: n bytes, where n is given by the hardware address length; usually the sender's MAC address.
  - Source protocol address: m bytes, where m is given by the protocol address length; usually the sender's IP address.
  - Destination hardware address: n bytes, where n is given by the hardware address length; generally the destination MAC address.
  - Destination protocol address: m bytes, where m is given by the protocol address length; generally the destination IP address.
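The layout above, turned into a bounds-checked parser for the Ethernet/IPv4 case, as an added example that is not part of the original tutorial or of RL-TCPnet. The arp_msg type, arp_parse() and the sample frame (built from host A's addresses in 23.3.2) are constructed for illustration; the parser also flags a frame whose Ethernet source address differs from the ARP source hardware address.

```c
#include <stdint.h>
#include <string.h>

/* Parsed Ethernet/IPv4 ARP message (type and field names are illustrative). */
typedef struct {
    uint16_t opcode;       /* 1 = request, 2 = reply */
    uint8_t  sha[6];       /* source hardware address */
    uint8_t  spa[4];       /* source protocol address */
    uint8_t  tha[6];       /* destination hardware address */
    uint8_t  tpa[4];       /* destination protocol address */
    int      src_mismatch; /* Ethernet source != ARP source hardware address */
} arp_msg;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, or a negative code naming the check that failed. */
int arp_parse(const uint8_t *f, size_t len, arp_msg *out)
{
    const uint8_t *a;
    if (len < 14 + 28)          return -1; /* Ethernet header + ARP body */
    if (be16(f + 12) != 0x0806) return -2; /* frame type must be ARP */
    a = f + 14;
    if (be16(a) != 0x0001)      return -3; /* hardware type: Ethernet */
    if (be16(a + 2) != 0x0800)  return -4; /* protocol type: IPv4 is 0x0800 */
    if (a[4] != 6 || a[5] != 4) return -5; /* address lengths fix the layout */
    out->opcode = be16(a + 6);
    if (out->opcode != 1 && out->opcode != 2) return -6; /* RARP not handled */
    memcpy(out->sha, a + 8, 6);
    memcpy(out->spa, a + 14, 4);
    memcpy(out->tha, a + 18, 6);
    memcpy(out->tpa, a + 24, 4);
    out->src_mismatch = memcmp(f + 6, out->sha, 6) != 0;
    return 0;
}

/* Constructed sample: host A's broadcast request for 192.168.1.2. */
const uint8_t sample_request[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff,              /* destination: broadcast */
    0x0a,0x11,0x22,0x33,0x44,0x01,              /* source: host A */
    0x08,0x06,                                  /* frame type: ARP */
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01,      /* types, lengths, opcode 1 */
    0x0a,0x11,0x22,0x33,0x44,0x01, 192,168,1,1, /* sender MAC and IP */
    0,0,0,0,0,0, 192,168,1,2                    /* target MAC unknown, target IP */
};

int main(void)
{
    arp_msg m;
    return arp_parse(sample_request, sizeof sample_request, &m);
}
```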
23.3.5 ARP spoofing/ARP attack
ARP spoofing, also known as ARP poisoning (often rendered online as "ARP virus") or an ARP attack, is an attack technique against the Ethernet Address Resolution Protocol. This type of attack can let an attacker capture packets on the LAN or even tamper with them, and can leave a particular computer or all computers on the network unable to connect properly.
ARP spoofing is one of the attacks most commonly used by hackers. It is divided into two types:
- One is spoofing of the router's ARP table.
The first kind of ARP spoofing works by intercepting gateway data. It notifies the router of a series of wrong intranet MAC addresses, repeated at a certain frequency, so that the real address information cannot be kept in the router. As a result, all of the router's data is sent to the wrong MAC addresses, and normal PCs cannot receive information.
- The other is gateway spoofing of the intranet PCs.
The second kind of ARP spoofing works by forging a gateway. The idea is to set up a fake gateway so that the deceived PCs send their data to the fake gateway instead of going out through the normal router path. From the PC's point of view, it simply cannot get online: the network has dropped.
In general, the consequences of ARP spoofing attacks are very serious, and in most cases they cause large-scale loss of connectivity. Some network administrators do not understand this well. When a failure occurs, they conclude that the PCs are not the problem, that the switch is not capable of causing the drop, and the telecom provider does not acknowledge a broadband fault either. And if the first kind of ARP spoofing occurs, restarting the router fully restores the network, so they conclude that the problem must be in the router. For this reason, broadband routers take a lot of undeserved blame.
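Both kinds of spoofing described above look the same to a defender watching ARP traffic: the MAC address claimed for an IP address changes. The added example below (not from the original tutorial; arp_observe(), the gateway address 192.168.1.254 and the MAC addresses ending in fe and 99 are constructed) keeps the first binding seen for each IP address and reports every later contradiction.

```c
#include <stdint.h>
#include <string.h>

#define MAX_BINDINGS 16
enum { ARP_FULL = -1, ARP_NEW, ARP_SAME, ARP_CHANGED };

struct obs { uint32_t ip; uint8_t mac[6]; };  /* sender IP and MAC of one ARP message */
static struct obs seen[MAX_BINDINGS];
static int n_seen;

/* Compare one observation with the first binding seen for that IP address.
   The reference is never replaced, so a spoofed value cannot silence the
   alert by becoming the new baseline. */
int arp_observe(uint32_t ip, const uint8_t mac[6])
{
    for (int i = 0; i < n_seen; i++)
        if (seen[i].ip == ip)
            return memcmp(seen[i].mac, mac, 6) ? ARP_CHANGED : ARP_SAME;
    if (n_seen == MAX_BINDINGS) return ARP_FULL;
    seen[n_seen].ip = ip;
    memcpy(seen[n_seen].mac, mac, 6);
    n_seen++;
    return ARP_NEW;
}

/* Number of observations in a capture that contradict an earlier binding. */
int count_conflicts(const struct obs *o, int n)
{
    int conflicts = 0;
    for (int i = 0; i < n; i++)
        conflicts += arp_observe(o[i].ip, o[i].mac) == ARP_CHANGED;
    return conflicts;
}

/* Constructed sample. The gateway 192.168.1.254 and the MAC addresses ending
   in fe and 99 are assumptions; hosts A and B are the ones from 23.3.2. */
const struct obs sample[5] = {
    {0xC0A801FEu, {0x0a,0x11,0x22,0x33,0x44,0xfe}}, /* gateway, genuine */
    {0xC0A80101u, {0x0a,0x11,0x22,0x33,0x44,0x01}}, /* host A */
    {0xC0A801FEu, {0x0a,0x11,0x22,0x33,0x44,0x99}}, /* gateway IP, other MAC */
    {0xC0A80102u, {0x0a,0x11,0x22,0x33,0x44,0x02}}, /* host B */
    {0xC0A801FEu, {0x0a,0x11,0x22,0x33,0x44,0x99}}, /* same claim, repeated */
};

int main(void) { return count_conflicts(sample, 5) == 2 ? 0 : 1; }
```

Configuring the gateway's mapping as a static cache entry, the kind 23.3.3 says stays until the computer is restarted, gives a host the same fixed reference for its own traffic.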
----------------------------------
This topic touches on a wide range of knowledge, so we only introduce this much here. More can be learned at the following addresses:
- Wikipedia, Chinese version: address link (this is a hyperlink).
- Wikipedia, English version: address link (this is a hyperlink).
- Baidu Encyclopedia: address link (this is a hyperlink).
23.4 ARP functions
For ARP, RL-TCPnet provides the following three functions:
Function description: Looks up, from a known IP address, whether the corresponding MAC address exists in the ARP cache table; if it does not, forces the RL-TCPnet network protocol stack to resolve it. The protocol stack sends an ARP request to the network and, if a response arrives, saves the IP address and the returned MAC address to the ARP cache.
Function description: Looks up, from a known MAC address, whether the corresponding IP address exists in the ARP cache table; if it does not, forces the RL-TCPnet network protocol stack to resolve it. The protocol stack sends an ARP request to the network and, if a response arrives, saves the MAC address and the returned IP address to the ARP cache.
Function description: Returns the MAC address recorded in the ARP cache table for a given IP address, or the IP address recorded in the ARP cache table for a given MAC address.
For a detailed explanation of these 3 functions and examples of their use, see the Rlarm.chm file referenced in Section 3.4 of Chapter 3 of this tutorial; we do not give a dedicated example here (note that the following functions do not support re-entry, that is, multitasking is not supported):
23.5 Summary
This chapter explains only this much. For more on ARP, consult the relevant books or search online for related material.