We know, when we enter the URL in your browser, the DNS server will automatically resolve it to the IP address, and the browser actually looks up the IP address instead of the URL. Then how the IP address is converted to a second layer of physical address (ie MAC address)? In the local area network, this is done through the ARP protocol. The ARP protocol is of great significance to network security. Implement ARP spoof by counterfeiting IP addresses and MAC addresses, a large number of ARP traffic can be generated in the network to block networks. Therefore, the mesices should understand the ARP protocol.
First, what is the ARP protocol ARP protocol is an abbreviation for "Address Resolution Protocol". In the local area network, the actual transmission in the network is "frame", and the frame is a MAC address with the target host. In Ethernet, a host is directly communicating with another host, and must know the MAC address of the target host. But how is this goal MAC address get? It is obtained by address resolution protocol. The so-called "address parsing" is the process of converting the target IP address into a target MAC address before sending frames. The basic function of the ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth progress of the communication.
Second, the working principle of the ARP protocol
There is a computer that is installed with TCP / IP protocols.
ARP cache table
The IP address in the table corresponds to the MAC address, as shown in the Schedule.
Schedule
We use host A (192.168.1.5) to send data to host B (192.168.1.1) as an example.
When sending data, host A looks for whether there is a target IP address in its own ARP cache table.
1. If you find it, you will know the target MAC address, you can send the target MAC address to the frame directly.
2. If the corresponding IP address is not found in the ARP cache table, host A will send a broadcast on the network, and the target MAC address is "ff.ff.ff.ff.ff.ff.ff.ff", which means to the same network All hosts in the segment say this inquiry: "What is the MAC address of 192.168.1.1?" The other hosts on the network do not respond to the ARP inquiry, only such response to the host A when host B receives this frame: "192.168.1.1 MAC address is 00-AA-00-62-C6-09". Thus, the host A knows the MAC address of the host B, which can send information to the host B. At the same time, it also updated its own ARP cache table. When sending information next time, you can find it directly from the ARP cache table. The ARP cache table uses the aging mechanism, which is deleted if there is no use in a certain line in a period of time, which can greatly reduce the length of the ARP cache table and speed up the query speed.
Third, how to check the ARP Cache table ARP cache table is to view, or you can add and modify it. At the command prompt, enter "ARP -A" to view the contents of the ARP cache table, as shown in the drawings.
Use the "arp -d" command to delete the contents of a row in the ARP table; use "arp -s" to manually specify the IP address and the MAC address in the ARP table.
Use the "arp -d" command to delete the contents of a row in the ARP table; use "arp -s" to manually specify the IP address and the MAC address in the ARP table.
Use the "arp -d" command to delete the contents of a row in the ARP table; use "arp -s" to manually specify the IP address and the MAC address in the ARP table.
