Preface
First of all, I would like to thank senior network security expert Luhuchuan for the information he provided, and the friends on the VC board for their help ^_^
I often see questions on the forum about intercepting and analyzing packets. Since I happen to know a little about this, I want to write a series of articles exploring packet-related knowledge, in the hope that this series can make packet knowledge accessible to everyone. Every article in the series will therefore include an explanation, a detailed analysis, the coding steps, and source code with detailed comments. (To cater to most readers, the source code is provided as an MFC project.)
However, since this is also a first attempt, I still look forward to your feedback.
This article is the fruit of the author's effort; if you want to repost it, please credit the original author and the source, thank you! ^_^
OK, let's go! Have fun! q^_^p
Part One: A Hands-on Guide to Playing with ARP Packets
Table of Contents:
One. Basic knowledge about the ARP protocol
1. Working principle of ARP
2. ARP packet format
Author: PiggyXP, 9CBS VC/MFC Network Programming board ^_^
One. Basic knowledge about ARP protocol
1. ARP working principle
Originally I did not want to repeat basic common knowledge about ARP, but to keep the article complete I will still include some text; experienced readers can skip this section.
We all know that Ethernet devices such as NICs have their own unique MAC addresses, and that Ethernet frames are delivered by MAC address, but these devices cannot recognize the IP addresses in our IP packets. So to do IP communication over Ethernet we need a protocol that maps an IP address to a MAC address, so that an IP packet can be delivered to a specific place. This is ARP (Address Resolution Protocol).
Having said that, we can type the following in a command-line window:
ARP -A
and look at the result; it shows entries like this one:
210.118.45.100 00-0B-5F-E6-C5-D7 Dynamic
These are the IP-address-to-MAC-address mappings stored on our computer. "Dynamic" marks an entry that is only temporarily stored in the ARP cache; after a while it is deleted (2 minutes on XP / 2003 systems).
So when our computer is about to communicate with a machine, say 210.118.45.1, it first checks its ARP cache for a matching entry. If there is none, it broadcasts an ARP request on the Ethernet asking which MAC address corresponds to 210.118.45.1. Of course every computer receives this request, but the ones that find that 210.118.45.1 is not themselves do not respond, while 210.118.45.1 sends our computer an ARP reply telling us that its MAC address is XX-XX-XX-XX-XX-XX. Our computer's ARP cache is then refreshed accordingly and gains this entry:
210.118.45.1 XX-XX-XX-XX-XX-XX Dynamic
Why is there an ARP cache at all? Imagine that there were no cache: we would have to send a broadcast query for the address before every IP packet. Wouldn't that be a waste of bandwidth and time?
Moreover, our network devices have no way to verify the authenticity of an ARP packet: as long as a packet conforms to the ARP format and carries valid information, the receiving computer will respond according to its contents.
Now imagine that our computers refresh their own ARP caches according to whatever the ARP reply packet says. Hey, couldn't we then play with some ARP packets on a network that has no security precautions? In a later article I will teach you how to fill in an ARP packet, but don't be impatient; let's keep learning the basics first ^_^
2. ARP packet format
Since we are going to build ARP packets ourselves, we must of course first learn the format of an ARP packet.
Seen from the bottom of the network stack, an ARP packet consists of two parts: a physical frame header in front, followed by the ARP frame. The physical frame header is present in front of every protocol packet; we call it the DLC header because it is constructed in the data link layer, and its main content is the physical addresses of both communicating parties, so that hardware devices can identify them.
DLC Header

Field          Bytes   Default   Note
Receiver MAC   6                 FF-FF-FF-FF-FF-FF when broadcasting
Sender MAC     6
EtherType      2       0x0806    0x0806 is the type value of an ARP frame

Figure 1  Physical frame header format
Figure 1 shows the format of the physical frame header we need to fill in. We can see that we only need to fill in the physical addresses of the sender and the receiver. Simple, isn't it?
Let's take a look at the format of the ARP frame.
ARP Frame

Field                      Bytes   Default   Note
Hardware type              2       0x1       Type value for Ethernet
Upper-layer protocol type  2       0x0800    The upper-layer protocol is IP
MAC address length         1       0x6       An Ethernet MAC address is 6 bytes
IP address length          1       0x4       An IP address is 4 bytes
Operation code             2                 0x1 is an ARP request, 0x2 is an ARP reply
Sender MAC                 6
Sender IP                  4
Receiver MAC               6
Receiver IP                4
Padding                    18                The minimum physical frame is 64 bytes; the 42 bytes above plus the 4 CRC check bytes leave 18 bytes to fill

Figure 2  ARP frame format
We can see that here too we need to fill in the MAC and IP addresses, plus an operation code of 1 or 2.
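To make the two tables and the request/reply exchange from section 1 concrete, here is an added C example (it is not code from the original article or from the MFC project it describes). It serializes the DLC header and ARP frame exactly as laid out in Figures 1 and 2, decodes a captured frame back into fields while rejecting frames that do not match the format, and adds one sanity check a receiver can apply before trusting a reply: the sender MAC inside the ARP body should agree with the source MAC in the DLC header. The sample addresses are the ones from the article's `ARP -A` listing; the gateway MAC (shown as XX-XX-XX-XX-XX-XX above) is a constructed placeholder.

```c
/* Added example: build and decode the Ethernet + ARP frame layout of Figures 1 and 2. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN   14      /* receiver MAC (6) + sender MAC (6) + EtherType (2) */
#define ARP_FRAME_LEN 28      /* fixed-size ARP frame from Figure 2 */
#define MIN_FRAME_LEN 60      /* 42 bytes + 18 bytes padding; the NIC appends the 4-byte CRC */
#define ETHERTYPE_ARP 0x0806

enum { ARP_REQUEST = 1, ARP_REPLY = 2 };

typedef struct {
    uint8_t  dst_mac[6], src_mac[6];        /* DLC header */
    uint16_t opcode;                        /* 1 = request, 2 = reply */
    uint8_t  sender_mac[6], sender_ip[4];   /* ARP frame body */
    uint8_t  target_mac[6], target_ip[4];
} arp_packet_t;

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Write the 60-byte frame (network byte order) into buf; returns the number of bytes written. */
size_t arp_build(const arp_packet_t *pkt, uint8_t buf[MIN_FRAME_LEN]) {
    memset(buf, 0, MIN_FRAME_LEN);          /* zeroing also provides the 18 padding bytes */
    memcpy(buf, pkt->dst_mac, 6);
    memcpy(buf + 6, pkt->src_mac, 6);
    put16(buf + 12, ETHERTYPE_ARP);
    uint8_t *a = buf + ETH_HDR_LEN;
    put16(a + 0, 1);                        /* hardware type: Ethernet */
    put16(a + 2, 0x0800);                   /* upper-layer protocol: IP */
    a[4] = 6;                               /* MAC address length */
    a[5] = 4;                               /* IP address length */
    put16(a + 6, pkt->opcode);
    memcpy(a + 8,  pkt->sender_mac, 6);
    memcpy(a + 14, pkt->sender_ip, 4);
    memcpy(a + 18, pkt->target_mac, 6);
    memcpy(a + 24, pkt->target_ip, 4);
    return MIN_FRAME_LEN;
}

/* Decode a captured frame: 0 on success, a negative code for each malformed case. */
int arp_parse(const uint8_t *buf, size_t len, arp_packet_t *pkt) {
    if (len < ETH_HDR_LEN + ARP_FRAME_LEN) return -1;          /* truncated */
    if (get16(buf + 12) != ETHERTYPE_ARP) return -2;            /* not an ARP frame */
    const uint8_t *a = buf + ETH_HDR_LEN;
    if (get16(a) != 1 || get16(a + 2) != 0x0800 || a[4] != 6 || a[5] != 4) return -3;
    uint16_t op = get16(a + 6);
    if (op != ARP_REQUEST && op != ARP_REPLY) return -4;        /* unknown opcode */
    memcpy(pkt->dst_mac, buf, 6);
    memcpy(pkt->src_mac, buf + 6, 6);
    pkt->opcode = op;
    memcpy(pkt->sender_mac, a + 8, 6);
    memcpy(pkt->sender_ip, a + 14, 4);
    memcpy(pkt->target_mac, a + 18, 6);
    memcpy(pkt->target_ip, a + 24, 4);
    return 0;
}

/* Receiver-side sanity check: the ARP body's sender MAC should match the DLC source MAC. */
int arp_sender_consistent(const arp_packet_t *pkt) {
    return memcmp(pkt->src_mac, pkt->sender_mac, 6) == 0;
}

/* Constructed sample addresses taken from the article's ARP -A listing; GW_MAC is a placeholder. */
static const uint8_t HOST_MAC[6] = {0x00, 0x0B, 0x5F, 0xE6, 0xC5, 0xD7};
static const uint8_t HOST_IP[4]  = {210, 118, 45, 100};
static const uint8_t GW_IP[4]    = {210, 118, 45, 1};
static const uint8_t GW_MAC[6]   = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t BCAST[6]    = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
static const uint8_t ZERO_MAC[6] = {0, 0, 0, 0, 0, 0};

/* Step 1: the host broadcasts "who has 210.118.45.1?"; returns the decoded opcode (1) or an error. */
int example_request(void) {
    arp_packet_t req, out; uint8_t frame[MIN_FRAME_LEN];
    memcpy(req.dst_mac, BCAST, 6);       memcpy(req.src_mac, HOST_MAC, 6);
    req.opcode = ARP_REQUEST;
    memcpy(req.sender_mac, HOST_MAC, 6); memcpy(req.sender_ip, HOST_IP, 4);
    memcpy(req.target_mac, ZERO_MAC, 6); memcpy(req.target_ip, GW_IP, 4);   /* target MAC unknown */
    int rc = arp_parse(frame, arp_build(&req, frame), &out);
    if (rc != 0) return rc;
    if (memcmp(out.dst_mac, BCAST, 6) != 0 || memcmp(out.target_ip, GW_IP, 4) != 0) return -10;
    return out.opcode;
}

/* Step 2: 210.118.45.1 replies directly to the host; returns the opcode (2) or -11 if header and body disagree. */
int example_reply(void) {
    arp_packet_t rep, out; uint8_t frame[MIN_FRAME_LEN];
    memcpy(rep.dst_mac, HOST_MAC, 6);    memcpy(rep.src_mac, GW_MAC, 6);
    rep.opcode = ARP_REPLY;
    memcpy(rep.sender_mac, GW_MAC, 6);   memcpy(rep.sender_ip, GW_IP, 4);
    memcpy(rep.target_mac, HOST_MAC, 6); memcpy(rep.target_ip, HOST_IP, 4);
    int rc = arp_parse(frame, arp_build(&rep, frame), &out);
    if (rc != 0) return rc;
    return arp_sender_consistent(&out) ? out.opcode : -11;
}

/* A frame whose EtherType is 0x0800 (IP) must be rejected by the ARP decoder (returns -2). */
int example_reject_ip_frame(void) {
    uint8_t frame[MIN_FRAME_LEN] = {0}; arp_packet_t out;
    put16(frame + 12, 0x0800);
    return arp_parse(frame, sizeof frame, &out);
}

int main(void) {
    printf("request opcode=%d reply opcode=%d ip-frame rc=%d\n",
           example_request(), example_reply(), example_reject_ip_frame());
    return 0;
}
```

The byte offsets used in arp_build and arp_parse are the running sums of the Bytes column in the two figures, so the code doubles as a check that the tables add up to 14 + 28 = 42 bytes before padding.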
..................
=========================================================
Ugh, I didn't see this coming. I didn't expect that plain text could hit the 64K limit; I don't know whether it's related to the colored text and the tables. There is nothing for it: I have to split the article into four or five pieces to post -_-b. Let's continue next time.
Please look forward to the next part :)
------- Finished AT 2004-05-29 19:41
------- Made in dLUT | DIP