ARP protocol DPI in-depth analysis

The project needs to parse ARP packets with DPI (the OpenDPI source may also be worth referring to), so the ARP packet structure is organized as follows:

The structure ether_header defines the Ethernet frame header; the structure arphdr defines the 5 fields below, which carry the information needed to transmit ARP requests and replies over any type of medium; the ether_arp structure contains, in addition to the arphdr fields, the hardware and protocol addresses of the source host and the destination host.

Define the Ethernet header:

#pragma pack(push, 1)              /* no padding: the layout must match the wire */
typedef struct ehhdr
{
    unsigned char  eh_dst[6];   /* destination Ethernet address */
    unsigned char  eh_src[6];   /* source Ethernet address */
    unsigned short eh_type;     /* EtherType, network byte order; 0x0806 = ARP */
} EHHDR, *PEHHDR;
#pragma pack(pop)

Define the ARP header (all multi-byte fields are in network byte order and need ntohs() before comparison):

#pragma pack(push, 1)              /* no padding: the layout must match the wire */
typedef struct arphdr
{
    /* ARP header */
    unsigned short arp_hrd;     /* format of hardware address (1 = Ethernet) */
    unsigned short arp_pro;     /* format of protocol address (0x0800 = IPv4) */
    unsigned char  arp_hln;     /* length of hardware address (6) */
    unsigned char  arp_pln;     /* length of protocol address (4) */
    unsigned short arp_op;      /* ARP/RARP operation (1 = request, 2 = reply) */

    /* sender information (MAC + IP) */
    unsigned char  arp_sha[6];  /* sender hardware address */
    unsigned char  arp_spa[4];  /* sender protocol address: 4 bytes, network order.
                                   (unsigned long is 8 bytes on 64-bit Linux and would
                                   also force alignment padding, so the struct would no
                                   longer be the 28 bytes seen on the wire) */

    /* target information (MAC + IP) */
    unsigned char  arp_tha[6];  /* target hardware address */
    unsigned char  arp_tpa[4];  /* target protocol address */
} ARPHDR, *PARPHDR;
#pragma pack(pop)

In an ARP reply the responder puts its own MAC + IP in the sender fields and the requester's MAC + IP in the target fields; that is, the two address pairs are the reverse of those in the request.

Combining the two structures gives the whole ARP frame, 42 bytes in total (14-byte Ethernet header plus 28-byte ARP body):

#pragma pack(push, 1)
typedef struct arpPacket
{
    EHHDR  ehhdr;     /* 14-byte Ethernet header */
    ARPHDR arphdr;    /* 28-byte ARP body */
} ARPPACKET, *PARPPACKET;
#pragma pack(pop)
/* compile-time check that the layout is exactly the 42 on-wire bytes */
_Static_assert(sizeof(ARPPACKET) == 42, "ARPPACKET must be 42 bytes");

Reading a frame against this definition: the first 6 bytes are the Ethernet destination address, ff ff ff ff ff ff. This is the broadcast address, so every host on the segment receives the frame. The next 6 bytes are the Ethernet source address, i.e. the sender's MAC address (00 0c f1 d4 d9 60 is my MAC address). The 2-byte frame type 08 06 ends the Ethernet header; 0806 means the data that follows is an ARP packet.

Next comes the ARP header. The first two bytes are the hardware type, 00 01 (Ethernet); the next two are the protocol type, 08 00, the EtherType code for IP, because this ARP resolves IP addresses. The hardware address length and protocol address length are 6 and 4 respectively, matching the ARP packet format for Ethernet MAC and IPv4 addresses. The following 2-byte OP field says whether the packet is a request (0x0001) or a reply (0x0002); the captured value is 00 01, so this is a request. The next 6 bytes are the sender's MAC address, 00 0c f1 d4 d9 60, and the 4 bytes after them are the sender's IP address, c0 a8 01 0f, which in dotted decimal is 192.168.1.15, my IP. The next 6 bytes, the target hardware address, are 00 00 00 00 00 00 here; in a request they may hold any value, because this is exactly the address being asked for. The host that owns the final 4 bytes, the target IP c0 a8 01 02 (192.168.1.2), will supply its own MAC address in the reply.

Once the reply is filled in, the sender hardware address and target hardware address in the ARP body are the Ethernet destination address and Ethernet source address of the Ethernet header in reverse order: the reply's sender hardware address equals its Ethernet source and its target hardware address equals its Ethernet destination. The encapsulated reply is then sent, and the two hosts know each other's IP and MAC.
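As an added, stand-alone example (not code from the original article or from any DPI project), the C program below parses the 42-byte request described above, rejects truncated or malformed frames before reading any field, and builds the reply that 192.168.1.2 would send by swapping the address pairs exactly as described. The sample frame is constructed from the bytes quoted in the text; the responder MAC 00:11:22:33:44:55 and all function and type names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14
#define ARP_HDR_LEN   28
#define ARP_FRAME_LEN (ETH_HDR_LEN + ARP_HDR_LEN)   /* 42 bytes */

/* Host-order view of one Ethernet/IPv4 ARP frame after validation. */
struct arp_info {
    uint8_t  eth_dst[6], eth_src[6];
    uint16_t hrd, pro, op;
    uint8_t  hln, pln;
    uint8_t  sha[6], tha[6];
    uint32_t spa, tpa;            /* IPv4 addresses, host byte order */
};

/* Big-endian readers/writer: fields are copied byte by byte instead of
 * casting the buffer to a struct, so alignment and padding cannot bite. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse and validate one frame. Returns 0 on success or a negative code
 * saying why it was rejected; *out is only written on success. */
int parse_arp(const uint8_t *buf, size_t len, struct arp_info *out)
{
    struct arp_info t;
    const uint8_t *a;

    if (len < ARP_FRAME_LEN)      return -1;   /* truncated: never read past len */
    if (rd16(buf + 12) != 0x0806) return -2;   /* EtherType is not ARP */
    a = buf + ETH_HDR_LEN;
    memcpy(t.eth_dst, buf, 6);
    memcpy(t.eth_src, buf + 6, 6);
    t.hrd = rd16(a);   t.pro = rd16(a + 2);
    t.hln = a[4];      t.pln = a[5];
    t.op  = rd16(a + 6);
    /* The fixed 28-byte layout only holds for Ethernet (1) over IPv4 (0x0800)
     * with 6-byte hardware and 4-byte protocol addresses. */
    if (t.hrd != 1 || t.pro != 0x0800 || t.hln != 6 || t.pln != 4) return -3;
    if (t.op != 1 && t.op != 2)   return -4;   /* neither request nor reply */
    memcpy(t.sha, a + 8, 6);   t.spa = rd32(a + 14);
    memcpy(t.tha, a + 18, 6);  t.tpa = rd32(a + 24);
    *out = t;
    return 0;
}

/* Build the reply the owner of req->tpa sends: its MAC becomes Ethernet source
 * and sender hardware address, the requester's MAC/IP move to the target fields. */
void build_arp_reply(const struct arp_info *req, const uint8_t my_mac[6],
                     uint8_t out[ARP_FRAME_LEN])
{
    uint8_t *a = out + ETH_HDR_LEN;
    memset(out, 0, ARP_FRAME_LEN);
    memcpy(out, req->eth_src, 6);            /* Ethernet dst = requester */
    memcpy(out + 6, my_mac, 6);              /* Ethernet src = responder */
    out[12] = 0x08; out[13] = 0x06;          /* EtherType ARP */
    a[0] = 0x00; a[1] = 0x01;                /* hrd = Ethernet */
    a[2] = 0x08; a[3] = 0x00;                /* pro = IPv4 */
    a[4] = 6;    a[5] = 4;                   /* hln, pln */
    a[6] = 0x00; a[7] = 0x02;                /* op = reply */
    memcpy(a + 8, my_mac, 6);   wr32(a + 14, req->tpa);   /* sender = responder */
    memcpy(a + 18, req->sha, 6); wr32(a + 24, req->spa);  /* target = requester */
}

/* Constructed sample: the request described in the text, byte for byte. */
static const uint8_t sample_request[ARP_FRAME_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x0c,0xf1,0xd4,0xd9,0x60, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x00,0x0c,0xf1,0xd4,0xd9,0x60, 0xc0,0xa8,0x01,0x0f,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x02
};
/* Assumed MAC for 192.168.1.2 (not from the original capture). */
static const uint8_t responder_mac[6] = {0x00,0x11,0x22,0x33,0x44,0x55};

int main(void)
{
    struct arp_info req, rep;
    uint8_t reply[ARP_FRAME_LEN];
    if (parse_arp(sample_request, sizeof sample_request, &req) != 0) return 1;
    printf("request: op=%u sender %u.%u.%u.%u asks for %u.%u.%u.%u\n", (unsigned)req.op,
           (unsigned)(req.spa >> 24), (unsigned)(req.spa >> 16 & 0xff),
           (unsigned)(req.spa >> 8 & 0xff), (unsigned)(req.spa & 0xff),
           (unsigned)(req.tpa >> 24), (unsigned)(req.tpa >> 16 & 0xff),
           (unsigned)(req.tpa >> 8 & 0xff), (unsigned)(req.tpa & 0xff));
    build_arp_reply(&req, responder_mac, reply);
    printf("reply parses with code %d, op=%u\n",
           parse_arp(reply, sizeof reply, &rep), (unsigned)rep.op);
    return 0;
}
```

The length check is `len < 42`, not `len != 42`, on purpose: Ethernet pads short frames to the 60-byte minimum (64 with FCS), so a capture of this request is typically 60 bytes with 18 trailing zero bytes, and a parser that demanded exactly 42 would drop real traffic. The hardware/protocol type and length checks matter too: only when hrd = 1, pro = 0x0800, hln = 6 and pln = 4 is the fixed layout of the ARPHDR structure valid, so a DPI module must confirm them before trusting the offsets.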

Capturing the packet with Wireshark gives the following:


Linux defines the ARP packet structures as follows:

