ARP protocol
1 ARP protocol overview
IP datagrams are sent over Ethernet, but Ethernet equipment does not recognise 32-bit IP addresses: Ethernet packets are delivered using 48-bit Ethernet addresses. The IP driver must therefore convert the IP destination address into an Ethernet destination address. There is a static or algorithmic mapping between these two kinds of address, and it usually requires a table. The Address Resolution Protocol (ARP) is the protocol used to determine these mappings.
When ARP runs, an Ethernet broadcast packet containing the desired IP address is sent. The owner of that destination address, or another system acting on the host's behalf, replies with a packet containing both the IP address and the Ethernet address. The sender stores the answer in its cache to avoid unnecessary ARP traffic.
If there is a node on the local network that is not trusted yet has write access to the network, there is some risk. Such a machine can send out false ARP packets and divert all communications to itself; it can then impersonate some machines, or make simple changes to the data stream. The ARP mechanism is usually automatic. On a particularly secure network, the ARP mappings can be put in firmware, and the automatic protocol can be suppressed to prevent interference.
Figure 1 Ethernet ARP packet format
Figure 1 shows an ARP packet as used for IP-to-Ethernet address translation. Each row in the figure is 32 bits, that is, four octets; later figures follow the same convention.
ARP packet format, field by field:
1. The hardware type field indicates the type of hardware interface the sender wants to know about; for Ethernet the value is 1.
2. The protocol type field indicates the type of high-level protocol the sender provides; for IP the value is 0806 (hexadecimal). This shows that ARP sits between the IP layer and the link layer, providing the translation from IP datagram addressing to MAC frame addressing.
3. The hardware address length and protocol address length fields give the lengths of the hardware address and of the high-level protocol address, so that ARP packets can be used on any hardware with any protocol. The Ethernet hardware address is 48 bits long; the IP address is 32 bits long.
4. The operation field states the purpose of the message: ARP request is 1, ARP reply is 2, RARP request is 3, RARP reply is 4.
5. The sender hardware address is the sender's 48-bit MAC address. The sender IP address is the sender's 32-bit IP address.
6. The destination hardware address is the 48-bit MAC address of the destination, which is NULL in a request. The destination IP address is the destination's 32-bit IP address.
When an [ARP request] is issued, the sender fills in its own hardware (MAC) address and IP address, and also the target IP address. When the target machine receives this ARP broadcast, it fills its own 48-bit hardware (MAC) address into the [ARP reply].
So the request and the reply differ only in the hardware and IP address fields; everything else is unchanged. When the request is encapsulated in a MAC frame, the destination MAC is the broadcast address, ff:ff:ff:ff:ff:ff.
A data structure for an ARP packet (nine fields in total):
    #include <stdint.h>

    /* ARP header laid out exactly as on the wire (28 bytes). Fixed-width types
       replace the original unsigned short/long (unsigned long is 8 bytes on
       64-bit Linux, not 32 bits) and the packed attribute stops the compiler
       from inserting padding between fields. */
    typedef struct __attribute__((packed)) {
        uint16_t arp_hrd;     /* hardware type */
        uint16_t arp_pro;     /* protocol type */
        uint8_t  arp_hln;     /* hardware address length (MAC address) */
        uint8_t  arp_pln;     /* protocol address length (IP address) */
        uint16_t arp_op;      /* ARP operation type */
        uint8_t  arp_sha[6];  /* sender hardware address */
        uint32_t arp_spa;     /* sender protocol address */
        uint8_t  arp_tha[6];  /* target hardware address */
        uint32_t arp_tpa;     /* target protocol address */
    } arphdr, *parphdr;
2 ARP usage example
Let's look at the arp command under Linux (if there is nothing in the ARP table yet, first make a connection to some host, for example by pinging the target host, so that an ARP entry is generated):
D2Server:/home/kerberos # arp
Address                  HWtype  HWaddress           Flags Mask            Iface
211.161.17.254           ether   00:04:9a:ad:1c:0a   C                     eth0
Address: the host's IP address
HWtype: hardware type
HWaddress: the host's hardware address
Flags Mask: entry flags; "C" marks an entry in the ARP cache, "M" marks a static ARP entry.
The "arp -a" command displays the mapping between host hardware addresses and IP addresses, which is the ARP cache kept on this machine. The cache holds the most recent mappings from Internet addresses to hardware addresses. Each cache entry normally lives for 20 minutes, counted from the time it was created.
D2Server:/home/kerberos # arp -a
(211.161.17.254) at 00:04:9a:ad:1c:0a [ether] on eth0
We can see that the cache holds one ARP entry, for 211.161.17.254.
D2Server:/home/kerberos # telnet 211.161.17.21
Trying 211.161.17.21...
Connected to 211.161.17.21.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
While the telnet command above is running, listen with tcpdump:
D2Server:/home/kerberos # tcpdump -e dst host 211.161.17.21
tcpdump: listening on eth0
We will see many packets; here are the two that belong to ARP:
1  0.0                00:d0:f8:0a:fb:83 ff:ff:ff:ff:ff:ff arp 60: arp who-has 211.161.17.21 tell D2Server
2  0.002344 (0.0021)  00:e0:3c:43:0d:24 00:d0:f8:0a:fb:83 arp 60: arp reply 211.161.17.21 is-at 00:e0:3c:43:0d:24
In line 1, the hardware address of the source host (D2Server) is 00:d0:f8:0a:fb:83. The destination hardware address is ff:ff:ff:ff:ff:ff, the Ethernet broadcast address. Every Ethernet interface on the cable receives this frame and processes it.
The next output field in line 1 is arp, meaning that the frame type field has the value 0x0806, which identifies the frame as an ARP request or reply.
In each line, the value 60 after the word arp is the length of the Ethernet frame. Since an ARP request or reply is only 42 bytes long (28 bytes of ARP data plus the 14-byte Ethernet header), each frame has to be padded to the Ethernet minimum length of 60 bytes.
The next field in line 1, arp who-has, shows that this frame is an ARP request: the destination IP address is 211.161.17.21 and the sender IP address is that of D2Server. By default tcpdump prints the host name corresponding to an IP address.
Line 2 shows that although the ARP request was broadcast, the ARP reply from 211.161.17.21 (00:e0:3c:43:0d:24) is addressed directly to the requesting host rather than broadcast. tcpdump prints the words arp reply together with the IP and hardware addresses of the responder.
In each line, the number after the line number is the time (in seconds) at which tcpdump received the packet. Every line except the first also shows, in parentheses, the difference (in seconds) from the previous line.
Now let's look at the ARP cache on the machine:
D2Server:/home/kerberos # arp -a
(211.161.17.254) at 00:04:9a:ad:1c:0a [ether] on eth0
(211.161.17.21) at 00:e0:3c:43:0d:24 [ether] on eth0
A mapping for 211.161.17.21 has been added to the ARP cache.
Let's look at other ARP-related commands:
D2Server:/home/kerberos # arp -s 211.161.17.21 00:00:00:00:00:00
D2Server:/home/kerberos # arp
Address                  HWtype  HWaddress           Flags Mask            Iface
211.161.17.254           ether   00:04:9a:ad:1c:0a   C                     eth0
211.161.17.21            ether   00:00:00:00:00:00   CM                    eth0
D2Server:/home/kerberos # arp -a
(211.161.17.254) at 00:04:9a:ad:1c:0a [ether] on eth0
(211.161.17.21) at 00:00:00:00:00:00 [ether] PERM on eth0
We can see that with arp -s we have set 211.161.17.21 to 00:00:00:00:00:00, and that the flags field of this mapping is CM, which marks it as a static ARP entry. A static ARP entry stays as it is and does not time out, unlike cache entries, which are refreshed after a certain interval.
If you want a manually set ARP entry to be dynamic instead, add the temp option:
D2Server:/home/kerberos # arp -s 211.161.17.21 00:00:00:00:00:00 temp
D2Server:/home/kerberos # arp -a
(211.161.17.254) at 00:04:9a:ad:1c:0a [ether] on eth0
(211.161.17.21) at 00:00:00:00:00:00 [ether] on eth0
D2Server:/home/kerberos # arp
Address                  HWtype  HWaddress           Flags Mask            Iface
211.161.17.254           ether   00:04:9a:ad:1c:0a   C                     eth0
211.161.17.21            ether   00:00:00:00:00:00   C                     eth0
You can see that the static flag "M" has been removed from the flags field: the entry we set by hand is now a dynamic entry.
Please note the difference between static and dynamic ARP entries.
Manually set static ARP entries behave differently on different systems. On Linux and Windows 2000, static entries are not changed by forged ARP reply packets, whereas dynamic entries are. On Windows 98, a manually set static entry is changed by a forged ARP reply just like a dynamic one.
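The nine-field packet layout from section 1 and the static-versus-dynamic cache behaviour described just above, worked through in code; this is an added example, not code from the original article. It builds and parses the Ethernet+ARP frames of the tcpdump exchange above, padding them to the 60-byte minimum, and a small passive monitor of the kind a defender runs (in the spirit of arpwatch) learns IP-to-MAC mappings from replies as a dynamic cache does, leaves entries marked static alone as arp -s does on Linux, and reports any mapping that changes. It assumes the ARP protocol-type field holds the EtherType of the protocol being resolved, 0x0800 for IPv4 (RFC 826), while 0x0806 is the Ethernet frame type that tcpdump shows as arp; the page does not give D2Server's own IP address, so any value used for it is constructed.

```python
import struct

ETH_P_ARP = 0x0806             # EtherType that marks an Ethernet frame as ARP
ARP_REQUEST, ARP_REPLY = 1, 2  # values of the ARP operation field
ETH_MIN_FRAME = 60             # minimum Ethernet frame length, FCS excluded
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"     # the nine ARP header fields, 28 bytes on the wire
FIELDS = ("hrd", "pro", "hln", "pln", "op", "sha", "spa", "tha", "tpa")

def mac(text):                 # "00:d0:f8:0a:fb:83" -> 6 bytes
    return bytes.fromhex(text.replace(":", ""))
def ip(text):                  # "211.161.17.21" -> 4 bytes
    return bytes(int(octet) for octet in text.split("."))

def build_frame(op, sha, spa, tha, tpa):
    """Ethernet header (14 B) + ARP packet (28 B), zero-padded to 60 B.
    A request goes to the broadcast MAC; a reply goes straight to the asker."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = dst + sha + struct.pack("!H", ETH_P_ARP)
    # hrd=1 Ethernet, pro=0x0800 IPv4 (RFC 826), hln=6, pln=4
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return (eth + arp).ljust(ETH_MIN_FRAME, b"\x00")

def parse_frame(frame):
    """Return the nine ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return dict(zip(FIELDS, struct.unpack(ARP_FMT, frame[14:42])))

class ArpWatch:
    """Passive monitor modelled on the host cache: learns IP->MAC from replies,
    never overwrites an entry marked static (cf. arp -s) and reports any mapping
    that changes, which is the visible symptom of the forged-reply risk above."""
    def __init__(self):
        self.cache, self.static = {}, set()

    def add_static(self, ipaddr, hwaddr):
        self.cache[ipaddr] = hwaddr
        self.static.add(ipaddr)

    def observe(self, frame):
        """Return (ip, old_mac, new_mac) when a reply conflicts with the cache."""
        p = parse_frame(frame)
        if p is None or p["op"] != ARP_REPLY:
            return None
        old = self.cache.get(p["spa"])
        if p["spa"] not in self.static:        # only dynamic entries are replaced
            self.cache[p["spa"]] = p["sha"]
        if old is not None and old != p["sha"]:
            return (".".join(map(str, p["spa"])), old.hex(":"), p["sha"].hex(":"))
        return None
```

A conflicting reply for a static entry is still reported by observe() even though the cached mapping is left as it was, which is exactly the Linux behaviour the paragraph above describes.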
To delete an ARP entry (including a static entry), use the following command:
D2Server:/home/kerberos # arp -d 211.161.17.21
D2Server:/home/kerberos # arp -a
(211.161.17.254) at 00:04:9a:ad:1c:0a [ether] on eth0
(211.161.17.21) at <incomplete> on eth0
We can see that the ARP entry for 211.161.17.21 is now incomplete.
There are some other options; refer to the man page under Linux:
D2Server:/home/kerberos # man arp
For more on ARP address spoofing, see:
http://www.net130.com/2004/5-30/20201.html