ARP protocol in TCP/IP protocol suite

Table of Contents

1. Introduction to ARP protocol

2. ARP protocol structure

3. Wireshark packet capture analysis

4. ARP protocol classification

5. ARP protocol application

6. ARP attack


1. Introduction to ARP protocol

In the article "IP Protocol" we explained what an IP address is. An IP packet carries a destination IP address and a source IP address, but when a host sends an Ethernet data frame to another host on the same LAN, the destination interface is determined by the 48-bit Ethernet address. The device driver never checks the destination IP address in the IP datagram.

Remember that in the Ethernet protocol at the data link layer, every frame carries a MAC address header? Every Ethernet card has a MAC address, and this address is unique. So how does an IP packet find out this MAC address? That is the job of the ARP protocol.

In the OSI model, ARP belongs to the link layer; in the TCP/IP model, ARP belongs to the network layer. Different references disagree about which layer ARP belongs to, and we will not dwell on that here.

ARP (Address Resolution Protocol) is a resolution protocol. Initially the host does not know which interface of which host an IP address corresponds to. When the host wants to send an IP packet, it first checks its own ARP cache (a table of IP-to-MAC mappings). If there is no entry for the queried IP, the host sends an ARP broadcast packet onto the network; this broadcast contains the IP address being queried, and every host that receives it compares that address with its own. A host that finds the address is its own prepares an ARP packet containing its MAC address and sends it to the host that issued the broadcast. Having received that ARP packet, the requesting host updates its ARP cache (where the IP-MAC table is stored) and uses the new entry to prepare the data link layer for sending its packet.

2. ARP protocol structure

The figure in the previous article "Ethernet Packet Structure" shows the data structure of the ARP protocol.

Let's take a look at the structure of a typical ARP packet.

The first 12 bytes are the MAC addresses, explained in the article "Ethernet Packet Structure"; next comes the frame type, where 0x0806 denotes an ARP frame. Then comes the ARP packet itself. Its first field, the hardware type, indicates the type of hardware address the sender wants to learn; for an Ethernet MAC address its value is 1. The protocol type field indicates the type of protocol address being mapped; the value 0x0800 means an IP address is being mapped. Note that this field uses the same set of values as the type field in the Ethernet frame header.

The next two single-byte fields are the hardware address length and the protocol address length. They give the lengths of the hardware address and the protocol address respectively, in bytes. For an ARP request or reply on Ethernet their values are 6 and 4, the length of a MAC address and the length of an IP address. Carrying these two length fields in the ARP packet is what allows ARP to be used on any network, not just Ethernet.

The operation field op indicates the type of ARP packet: ARP request (value 1), ARP reply (value 2), RARP request (value 3) and RARP reply (value 4). Here we only care about the first two. RARP is the Reverse Address Resolution Protocol; a brief introduction follows. RARP is used by a host to obtain its own IP address at startup. The process is simple: when the host starts, it broadcasts a RARP request packet containing its own MAC address and then waits for a response. Another host on the network must be set up to listen for RARP requests; when it receives one, it assigns an IP address to the requesting host and returns a RARP reply. Once the reply is received, the host has an IP address and can use it.

The next four fields are the Ethernet MAC address of the sender, the IP address of the sender, the Ethernet MAC address of the destination and the IP address of the destination.

For the PAD stuffing bytes, see the explanation in "Ethernet Packet Structure".

Note: the sender's Ethernet MAC address appears both in the Ethernet frame header and in the ARP packet. In an ARP request packet, all fields except the receiver's Ethernet address are filled with their corresponding values. When a host receives an ARP request addressed to it, it fills in its own hardware address, swaps the source-host and destination-host information of the request packet, sets the operation field op to 2, and sends the newly constructed packet back. That packet is the ARP reply.
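The following Python is an added example, not code from the article. It packs and parses the Ethernet header plus ARP packet layout described above using the field values given (frame type 0x0806, hardware type 1, protocol type 0x0800, lengths 6 and 4, op 1 and 2), and it builds a reply from a request by the procedure in the note: fill in the responder's own MAC, swap sender and target, set op to 2. The MAC and IP addresses are constructed sample values, and padding the frame to 60 bytes (the minimum Ethernet frame without the FCS) is an assumption of the example, not something the article states.

```python
import struct

# Field values from the article's description of the ARP packet
ETH_TYPE_ARP = 0x0806   # Ethernet frame type for ARP
HTYPE_ETHERNET = 1      # hardware type: Ethernet MAC address
PTYPE_IPV4 = 0x0800     # protocol type: IP address (same value space as the Ethernet type field)
HLEN, PLEN = 6, 4       # hardware address length, protocol address length (bytes)
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"   # placeholder target MAC in a request
MIN_FRAME_LEN = 60               # minimum Ethernet frame without FCS (assumption, not from the article)


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet header (14 bytes) + ARP packet (28 bytes), PAD-ed up to the minimum frame length."""
    eth_header = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    frame = eth_header + arp
    return frame + b"\x00" * max(0, MIN_FRAME_LEN - len(frame))


def parse_arp_frame(frame):
    """Return the Ethernet and ARP fields as a dict; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"not an ARP frame: type 0x{eth_type:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN):
        raise ValueError("unsupported hardware/protocol type or address length")
    off = 22
    sha, off = frame[off:off + hlen], off + hlen   # sender hardware address
    spa, off = frame[off:off + plen], off + plen   # sender protocol address
    tha, off = frame[off:off + hlen], off + hlen   # target hardware address
    tpa = frame[off:off + plen]                    # target protocol address
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(sha),
        "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha),
        "target_ip": bytes_to_ip(tpa),
    }


def make_reply(request_frame, my_mac):
    """The responder's procedure from the note: own MAC filled in, sender/target swapped, op set to 2.

    A real host answers only when target_ip is its own address; the caller is expected to check that.
    """
    req = parse_arp_frame(request_frame)
    if req["op"] != OP_REQUEST:
        raise ValueError("can only answer an ARP request")
    return build_arp_frame(
        OP_REPLY,
        sender_mac=my_mac, sender_ip=req["target_ip"],
        target_mac=req["sender_mac"], target_ip=req["sender_ip"],
        eth_dst=req["sender_mac"],   # reply is unicast back to the requester
    )


if __name__ == "__main__":
    # Constructed sample: 192.168.0.1 asks who has 192.168.0.103 (the IP queried in the article)
    request = build_arp_frame(OP_REQUEST, "00:11:22:33:44:55", "192.168.0.1",
                              ZERO_MAC, "192.168.0.103", eth_dst=BROADCAST_MAC)
    print(parse_arp_frame(request))
    print(parse_arp_frame(make_reply(request, "aa:bb:cc:dd:ee:ff")))
```

The parser rejects frames whose type, lengths or address sizes do not match Ethernet/IPv4 ARP rather than guessing at offsets; that is the check a capture tool or monitor should make before trusting any field of the packet.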

3. Wireshark packet capture analysis

Suppose we want to look up the MAC address of the host with IP 192.168.0.103; use the following command:

arp -a 192.168.0.103

Packet capture analysis


4. ARP protocol classification

There are two types of ARP packets:

One is the ARP request packet, sent by Ethernet broadcast to ask the host with a certain IP address to return its MAC address;

The other is the ARP reply packet. A host that receives an ARP request compares the IP address in the packet with its own; if they match, it returns an ARP reply to the source host reporting its own IP address and MAC address. The source host extracts the relevant fields from the ARP reply and updates its ARP cache table.

Typical ARP cache contents can be displayed with the "arp -a" command on any system. Such cache entries are time-limited, usually 20 minutes (in Berkeley-derived systems).

5. ARP protocol application

Basic knowledge: there are two devices behind a router. They know each other's IP and MAC, but they cannot communicate directly; their traffic must be forwarded by the router. If the two devices are connected directly by a network cable, they communicate directly.

Here is an example

There are two devices behind a router. First point: each device (including the router) has its own ARP cache table. Device A communicates with device B on the LAN (device A knows the IP of device B).

Case 1: A knows the MAC address of B, that is, its own ARP cache table has an entry for device B. It packs the data directly and hands it to the router.

Case 2: A does not know the MAC address of B, that is, there is no entry for device B in its ARP cache table. Unfortunately, the data now has to wait. First, device A sends an ARP request packet to the gateway (the router); the Ethernet destination address is FF-FF-FF-FF-FF-FF. This splits into situations A and B.

Situation A: the router knows the MAC of device B, that is, it has an entry for device B in its ARP cache table. It returns the IP and MAC of device B to device A, which updates its own ARP cache table and proceeds as in case 1.

Situation B: the router does not know the MAC of device B, so it sends an ARP request packet on its own LAN asking for the MAC of device B. After obtaining it, it passes it to A. Once A has the MAC address, it proceeds as in case 1.

The above shows that for network equipment to communicate smoothly the first time, the equipment on the LAN needs to know its MAC address. In network equipment development, after a device first joins the network we generally broadcast its own <IP, MAC> address information to the LAN; this is called a gratuitous ARP request. Such an ARP packet announces the device to the other hosts, and they update their ARP table entries from the packets they receive. In the Berkeley-derived systems mentioned above, an ARP cache entry is generally kept for 20 minutes; if it is not refreshed in time, the host deletes the entry for the "offline" device, because the host's ARP cache has limited memory and cannot store unlimited entries. To deal with this, when we develop network equipment we broadcast our own <IP, MAC> address information at regular intervals to show that we are "alive". But it should not be sent too frequently; some types of router will treat frequent sending as a virus.

6. ARP attack

The previous article "IP Protocol" explained IP attacks; now we explain the ARP attacks we often hear about.

The ARP protocol has a big loophole. If all users on the network follow the rules and use ARP according to the process above, there is no problem. But a malicious device that receives an ARP request packet (requests are broadcast and received by every host on the LAN) can generate an ARP reply regardless of whether the IP address in the request is its own, telling the requester: my host's MAC address is the MAC address that matches the destination IP you asked for. Since the source host that sent the ARP request has no fault tolerance or authentication (the ARP protocol provides no mechanism for them), it readily believes this ARP reply and adds it to its ARP cache table. The consequences are easy to imagine: from then on the source host sends packets for that destination IP address to the malicious host, which can then easily eavesdrop on the data. This is the basic principle of the ARP attacks we often hear about.

When PC1 sends an ARP request for PC2's MAC address, PC3 also receives the request because it is broadcast. PC3, having received a broadcast not meant for it, responds with a forged reply telling PC1 that it is PC2. PC1 thus receives two replies (a correct IP2-MAC2 and a false IP2-MAC3) but cannot tell which is genuine; it treats the one that arrives later as true. To make the forged reply arrive later, PC3 keeps sending such replies continuously, so they always overwrite the correct one.

PC1 then creates an ARP cache entry IP2-MAC3. Later, when PC1 sends information to PC2, it encapsulates the data from the top down according to the OSI model: at the network layer with an IP header addressed to IP2, and at the link layer, after consulting the ARP cache table, in a frame whose destination MAC is MAC3, which it sends to the switch. The switch looks up its CAM table, finds that MAC3 corresponds to Port3, and delivers the frame to PC3. The ARP attack is complete.

If the ARP attack is serious, a malicious network device can learn all <IP, MAC> address information on the network by reading every broadcast ARP request packet that reaches it, and then monitor multiple network devices.

Preventive measures:

We can use a static ARP cache table to prevent ARP attacks; the disadvantage is that this violates the dynamic address resolution principle of the ARP protocol.
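As an added example (not part of the original article), the following Python models the ARP cache behaviour described in sections 4 to 6: dynamic entries age out after 20 minutes, a later reply overwrites an earlier one the way PC3's forged replies overwrite PC2's genuine reply, and a static entry, the preventive measure just mentioned, is never aged out or overwritten. The monitor also records the two conditions a defender can alert on: a reply that nobody asked for, and a reply that changes an existing mapping. The host names follow the article's PC1/PC2/PC3; the addresses and timings are constructed sample values.

```python
from dataclasses import dataclass

CACHE_TIMEOUT = 20 * 60   # seconds: the 20-minute lifetime the article gives for Berkeley-derived systems

# Constructed sample addresses following the article's PC1/PC2/PC3 naming
IP2 = "192.168.0.2"
MAC2 = "02:00:00:00:00:02"   # PC2's real MAC
MAC3 = "02:00:00:00:00:03"   # PC3's MAC, the one the forged replies carry


@dataclass
class Entry:
    mac: str
    last_update: float
    static: bool = False


class ArpCacheMonitor:
    """ARP cache that behaves like the host in the article (last reply wins, entries age out)
    while recording the conditions a defender can alert on."""

    def __init__(self, timeout=CACHE_TIMEOUT):
        self.timeout = timeout
        self.entries = {}        # ip -> Entry
        self.pending = set()     # IPs we have broadcast a request for and not yet resolved
        self.alerts = []

    def add_static(self, ip, mac):
        """Preventive measure from the article: a static entry is never aged out or overwritten."""
        self.entries[ip] = Entry(mac, float("inf"), static=True)

    def sent_request(self, ip):
        self.pending.add(ip)

    def expire(self, now):
        stale = [ip for ip, e in self.entries.items()
                 if not e.static and now - e.last_update > self.timeout]
        for ip in stale:
            del self.entries[ip]

    def handle_reply(self, now, sender_ip, sender_mac):
        self.expire(now)
        current = self.entries.get(sender_ip)
        if current is not None and current.static:
            if current.mac != sender_mac:
                self.alerts.append(f"t={now}: reply maps {sender_ip} to {sender_mac}, "
                                   f"static entry says {current.mac}; ignored")
            return
        if sender_ip not in self.pending:
            self.alerts.append(f"t={now}: unsolicited reply for {sender_ip} from {sender_mac}")
        if current is not None and current.mac != sender_mac:
            self.alerts.append(f"t={now}: mapping for {sender_ip} changed from {current.mac} to {sender_mac}")
        # Plain ARP has no authentication, so the dynamic entry is overwritten regardless.
        self.entries[sender_ip] = Entry(sender_mac, now)
        self.pending.discard(sender_ip)

    def lookup(self, now, ip):
        self.expire(now)
        entry = self.entries.get(ip)
        return entry.mac if entry else None


def run_scenario(static_entry=False):
    """PC1 asks for IP2; PC2 answers, then PC3's forged replies arrive later and keep repeating."""
    cache = ArpCacheMonitor()
    if static_entry:
        cache.add_static(IP2, MAC2)
    cache.sent_request(IP2)
    cache.handle_reply(0.0, IP2, MAC2)   # genuine reply from PC2
    cache.handle_reply(0.1, IP2, MAC3)   # forged reply from PC3 arrives later
    cache.handle_reply(0.2, IP2, MAC3)   # and keeps coming
    return cache


if __name__ == "__main__":
    for static in (False, True):
        cache = run_scenario(static_entry=static)
        print(f"static entry={static}: {IP2} -> {cache.lookup(0.3, IP2)}")
        for alert in cache.alerts:
            print("  ", alert)
```

With a dynamic cache the scenario ends with IP2 mapped to MAC3 and three alerts; with the static entry the mapping stays MAC2 and the forged replies are only logged. The "unsolicited reply" and "mapping changed" alerts are the signals a host- or switch-based ARP monitor would forward to a SIEM.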

 


Origin blog.csdn.net/Firefly_cjd/article/details/110519311