Summary of the ARP protocol

One, ARP overview

ARP (Address Resolution Protocol) is used to realize the mapping of IP address to MAC address, which realizes the encapsulation process of data, which belongs to the network layer on Ethernet.

Second, how ARP works

How ARP Works: IP----->mac Address

When the host sends the message, the ARP request that contains the destination IP address is broadcast to all hosts on the network, the corresponding host receives the broadcast packet, the ARP unicast reply message is received, the return information is sent to determine the destination's MAC address, and the IP address and MAC address are stored in the local ARP cache. On the next request, query the ARP cache directly.

NOTE: ARP requests are sent as broadcasts, and ARP replies are sent in unicast form.

Third, ARP spoofing

1. Introduction

because the host on the network can send ARP reply information autonomously, the other host will not detect the authenticity of the ARP packet when it receives the message and record it into the ARP cache of the native computer, so the attacker can send a pseudo-ARP reply message. The information sent by the host fails to reach the intended host, resulting in an ARP spoofing attack

2. Working principle

①hacker tells PC1 that the IP of the gateway----hacker ' s MAC

②hacker tells the gateway that A's IP---->hacker ' s MAC

③a and gateway traffic to be communicated through hacker hosts

④hacker can capture packets, analyze, attack and steal data through Wireshack.

(Common attack Software: Peer Terminator, Cyber Marshal .....) ）

Four, ARP grouping format

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/70/C5/wKiom1W9vLSij2swAAEzqMXBbUA281.jpg "title=" ARP grouping. png "alt=" wkiom1w9vlsij2swaaezqmxbbua281.jpg "/>

Field Analysis:

1. Ethernet Destination Address

6 bytes, all 1 means broadcast address

2. Ethernet Source Address

6 bytes

3. Frame Type

2 bytes, indicating the type of subsequent data; for an ARP request or answer: a value of 0x0806

and Rarp is 0x0835 .

4. Hardware type

2 bytes, which represents the type of hardware address, and a value of 1 indicates the Ethernet address

5. Type of agreement

2 bytes that represents the protocol address type to be mapped

0X0800: Represents an IP address

Value is the same as the value of the Type field in the Ethernet data frame of the IP datagram

6. Hardware address length

1 bytes, ARP request or answer for Ethernet IP address, value 6

7. Protocol Address length

1 bytes, ARP request or answer for Ethernet IP address, value 4

8. Action Fields

2 bytes, indicating the type of operation

ARP Request: 1

ARP Answer: 2

Rarp Request: 3

Rarp Answer: 4

9. The hardware address of the sending side (6bytes)

10. Protocol address of the sender (4bytes)

11. Destination hardware address (6bytes)

12. Destination protocol address (4bytes)

Five, Proxy ARP

1. Proxy ARP (also called ARP rental) is a variant of the ARP protocol, for computers that do not have a default gateway configured to communicate with computers in other networks, the gateway receives ARP requests from the source computer to answer the source computer using its own MAC address and the destination computer's IP address.

2. Proxy ARP is a host that responds to another host ARP.

3. Question 1: What is an ARP proxy?

Answer: when the router receives the ARP request, if the destination IP address of the query is found to be in a different subnet , the router will play the role of the proxy ARP, answer it, and tell the caller the MAC address it wants to do (with the MAC address of the interface)

question 2: Why do I have an ARP proxy?

A: An important function of the router is to limit the LAN broadcast packets within the network, do not allow proliferation, or it will cause network storms. The ARP request is a broadcast packet, and the object it asks is answered if it is within the same LAN. But what if the query object is not on the same LAN? To solve this problem, the router provides a service: proxy ARP.

3: Is there any way to solve the cross-LAN address query?

A: If the host is configured with a default gateway, the query task can be assigned to the default gateway when the object that queries the MAC address is outside the LAN.

Question 4: Under what circumstances is ARP proxy used?

A: The network hosts, routers have ARP cache. Hosts are typically configured with default gateways that query MAC addresses outside the LAN with their default gateways. When a router needs to query the MAC address in a remote network segment, the router connected to it will play the role of proxy ARP when it receives the ARP request.

Six, free ARP

1. The free ARP message is a special ARP message, which carries the sending IP address and destination IP address are the native IP address, the source MAC address is the native MAC address, the destination MAC address is the broadcast address

2. The role of free ARP:

① advertises the role of the broadcast, tells the host of the entire broadcast domain, what is the MAC address of the current IP

② See if the hosts in the broadcast domain have their own IP addresses, and if they are used, an IP address conflict is displayed

③ A router running Hot backup routing protocol (HSRP) within a subnet becomes the primary router from another router, and it sends a gratuitous ARP to Update theARP cache-----on this subnet (the device changes the hardware address and notifies other devices to update the ARP table entry by sending a free ARP message.) )

Seven, reverse arp---IARP

1. Introduction

IARP Reverse Address Resolution protocol (inverse addresses Resolution Protocol). Inverse ARP is used for the dynamic maintenance of the mapping relationship between IP address and virtual circuit number in Frame Relay network, which is mainly used in frame relay network.

Iarp is a method of establishing dynamic routing in the Network, which allows the access server to know the network address of the device associated with the virtual circuit.

Iarp is used to automatically establish the mapping between router IP address and Frame Relay DLCI in Frame Relay network.

2. Working principle

What is the IP address of the ①a sending a broadcast message requesting its corresponding destination MAC address? It also comes with its own IP address in the broadcast message.

After ②b accepts the broadcast packet, it modifies the request packet, extracts the hardware address from the Frame Relay frame header into the source Hardware address field of the request packet, and forms A's address map.

③ then forms a unicast response, which contains the IP address of B and the IP address and hardware address of a.

④a receives a response, modifies the response packet, removes the hardware address from the frame header into the source Hardware address field of the response packet, and adds it to the address mapping table.

⑤ devices A and B can transmit data normally.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/70/C2/wKioL1W9vtTBoR3aAAGXobosZDM730.jpg "title=" Image.png "alt=" Wkiol1w9vttbor3aaagxoboszdm730.jpg "/>

Eight, reverse ARP

1. Introduction

The Reverse Address Translation protocol (Rarp:reverse addressing Resolution Protocol) allows a physical machine on the LAN to request its IP address from the ARP table or cache on the gateway server (router).

2. Working principle

---->IP address by a known MAC address

Each device on the ① network will have a unique hardware address, usually a MAC address assigned by the device vendor. PC1 reads the MAC address from the NIC and then sends a RARP request broadcast packet over the network requesting the RARP server to reply to the IP address of the PC.

The ②rarp server receives a RARP request packet, assigns it an IP address, and sends a RARP response to PC1

③PC1 receives the RARP response, it communicates with the resulting IP address.

This article is from the "9305074" blog, please be sure to keep this source http://9315074.blog.51cto.com/9305074/1680972

Summary of the ARP protocol