arp
ARP protocol can implement any network layer addresses to arbitrary physical address, the IP address to the discussion of the conversion from an Ethernet address (MAC address). Its working principle is: Host an ARP request to the network broadcasts its location, the request contains the network address of the target machine. Other machines on the network will receive this request, but only requested the target machine will respond to an ARP reply that contains its own physical address.
ARP protocol to obtain real MAC address of the destination host not only to get their real MAC address when the destination host in the same local area network, or obtain the MAC address of the router.
From here you can also come to the reasons IP address and MAC address indispensable.
First, if no IP address, since the ARP protocol to find the MAC address is in the form of a broadcast, if a broadcast manner to locate in the entire wide area network, almost identical to the needle in a haystack. Only when combined with the IP address, in order to combine the relevant addressing algorithm to find the source host to the destination host router through which the composition path. Meanwhile, ARP cache only need to record the MAC address of the host to the LAN, WAN MAC address if the host is also down, memory is ringing off the hook easily.
On the other hand, it records the IP header source IP and destination IP, but that alone does not know the path information two-hop router address of the upper and lower, therefore the address with the MAC address recorded in the next-hop router.
Thus, for a network packet sent out to the network address, Ethernet + IP + header data (transport layer, application layer), the Ethernet MAC header records the address of the next hop router, the IP header of the IP header destination address recording unit. Although this packet is sent on a physical router, but is addressed to a logical destination host, the former is represented by a physical address, which is indicated by the network address.
First check arp cache table:
:arp -a
192.168.8.1 (192.168.8.1) at a4:be:2b:8b:d1:5a on en0 ifscope [ethernet]
192.168.8.45 (192.168.8.45) at 64:76:ba:a1:55:8a on en0 ifscope [ethernet]
192.168.8.89 (192.168.8.89) at e0:b5:5f:d5:a9:65 on en0 ifscope [ethernet]
192.168.8.94 (192.168.8.94) at 4c:6b:e8:d3:ca:d4 on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (239.255.255.250) at 1:0:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
tcpdump packet capture:
:sudo tcpdump -v arp -c 6
tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
23:14:54.865354 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.96, length 28
23:15:25.890714 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.96, length 28
23:16:20.739324 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.93 tell 192.168.8.1, length 28
23:16:20.739343 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.93 is-at c4:b3:01:94:f5:3a (oui Unknown), length 28
23:16:20.744230 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.93 tell 192.168.8.1, length 28
23:16:20.744246 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.93 is-at c4:b3:01:94:f5:3a (oui Unknown), length 28
6 packets captured
2471 packets received by filter
0 packets dropped by kernel
See there are two main types of requests and responses:
23:16:20.739324 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.93 tell 192.168.8.1, length 28
23:16:20.739343 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.93 is-at
To be learned. .
