Introduction to the types of arp request messages

Table of contents

1 Arp protocol definition and function:

2 Structure of Arp message:

3 Arp request frame format

4 Arp response frame format

5 Types of Arp requests:

5.1. Layer 2 broadcast arp request

5.2 Unicast arp request message

5.3 IP conflict detection arp request

5.4 arp announces the use of this ip address



1 Arp protocol definition and function:

The Address Resolution Protocol (ARP) is a TCP/IP protocol that obtains a physical address from an IP address. When a host sends information, it broadcasts an ARP request containing the target IP address to all hosts on the network and uses the returned message to determine the target's physical address. After receiving the reply, it stores the IP address and physical address in the local ARP cache and keeps them for a certain period of time. The next request queries the ARP cache directly, which saves resources.

The address resolution protocol is based on mutual trust between hosts in the network. Any host on the network can send ARP response messages on its own initiative. When other hosts receive such a response, they do not check its authenticity and simply record it in the local ARP cache.
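Because receivers record ARP messages without checking them, defenders usually watch for an IP address that suddenly maps to a different MAC. The sketch below is an added example, not from the original post; the `Arp` tuple, the `BindingMonitor` class and the sample traffic are hypothetical and constructed for illustration.

```python
from collections import namedtuple

# One already-parsed ARP packet: op (1 = request, 2 = reply), sender MAC, sender IP.
Arp = namedtuple("Arp", "op sha spa")

class BindingMonitor:
    """Track IP-to-MAC bindings seen in ARP traffic and report changes."""

    def __init__(self):
        self.bindings = {}            # sender IP -> last MAC seen for it

    def observe(self, pkt):
        """Return an alert string if pkt rebinds a known IP, else None."""
        if pkt.spa == "0.0.0.0":
            return None               # conflict-detection probe: offers no mapping
        known = self.bindings.get(pkt.spa)
        self.bindings[pkt.spa] = pkt.sha
        if known is not None and known != pkt.sha:
            kind = "reply" if pkt.op == 2 else "request"
            return f"{pkt.spa} moved from {known} to {pkt.sha} (ARP {kind})"
        return None

def scan(packets):
    """Run a fresh monitor over a packet sequence and collect the alerts."""
    monitor = BindingMonitor()
    return [alert for alert in map(monitor.observe, packets) if alert]

# Constructed sample traffic (MAC addresses are made up).
SAMPLE = [
    Arp(1, "02:00:00:00:00:01", "192.168.209.201"),
    Arp(2, "02:00:00:00:00:02", "192.168.209.141"),
    Arp(1, "02:00:00:00:00:03", "0.0.0.0"),
    Arp(2, "02:00:00:00:00:02", "192.168.209.141"),
    Arp(2, "02:00:00:00:00:09", "192.168.209.141"),
]
```

A changed binding is a signal to investigate rather than proof of tampering, since a replaced network card or a failover pair also changes the MAC behind an IP.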

An ARP request is sent when, according to the routing table, the destination IP matches a directly connected route; the IP of that subnet is then used as the source IP of the ARP request message.

For example, a device 192.168.209.201 wants to ping 192.168.209.141.

Check the routing table: the destination matches the directly connected route entry.

Running arp -a shows that a new ARP entry was generated after the command was executed, and the MAC address corresponding to the IP was obtained.

 

The packet capture is displayed as follows:

2 Structure of Arp message:

 

The first two fields in the Ethernet header are the Ethernet source and destination addresses. A special address whose destination address is all 1s is the broadcast address.

The two-byte Ethernet frame type indicates the type of the data that follows. For an ARP request or reply, the field's value is 0x0806.

The hardware type field indicates the type of hardware address. Its value of 1 indicates an Ethernet address. The protocol type field indicates the type of protocol address being mapped. Its value is 0x0800, which represents an IP address. This is the same as the value of the type field in an Ethernet data frame containing an IP datagram, which is by design.

The next two 1-byte fields, hardware address length and protocol address length, indicate the lengths, in bytes, of the hardware address and protocol address, respectively. For ARP requests or replies for IP addresses on Ethernet, their values are 6 and 4, respectively.

The operation field indicates four types of operations: ARP request (value 1), ARP reply (value 2), RARP request (value 3), and RARP reply (value 4) (we discuss RARP in Chapter 5). This field is required because the frame type field value of an ARP request and an ARP reply is the same.

The next four fields are the sender's hardware address (in this case, the Ethernet address), the sender's protocol address (IP address), the hardware address of the destination, and the protocol address of the destination.

3 Arp request frame format

4 Arp response frame format

 

5 Types of Arp requests:

  1. broadcast arp request
  2. unicast arp request
  3. IP conflict detection arp request
  4. announce arp request

5.1. Layer 2 broadcast arp request

Application scenario: When accessing an IP in the same network segment, if there is no corresponding entry in the ARP cache, a Layer 2 broadcast ARP message is sent, such as

 

Features: In the ARP request message body, the destination MAC address is empty (all 00), waiting for the destination device to fill in its own value.

There is a corresponding response message. The Layer 2 destination MAC is the broadcast address, six bytes of ff.

The reply message is unicast, and its source IP and source MAC are those of the device that the request was looking for.

5.2 Unicast arp request message

Application scenario:

A corresponding entry already exists in the ARP cache. To detect whether the other party is still online, a unicast ARP probe message is sent.

Purpose:

Unicast Poll -- Actively poll the remote host by periodically sending a point-to-point ARP Request to it, and delete the entry if no ARP Reply is received from N successive polls. Again, the timeout should be on the order of a minute, and typically N is 2.

When the ARP broadcast request process is completed (that is, the host has received the ARP reply from the device), both parties know the other party's IP-MAC mapping and have created this mapping in their own ARP tables. Because of the second ARP aging mechanism, unicast polling, the host regularly sends point-to-point unicast ARP request messages to the device to confirm whether the other party still exists and whether the ARP cache entry should be updated (mainly to refresh the aging timer) or deleted. At the same time, using unicast reduces the number of ARP packets on the network.

As shown below:

Arp's cache performance is as follows:

The ARP unicast request in the figure below is sent out at intervals; after the broadcast message, it keeps being sent out.

The response message is a unicast message.

5.3 IP conflict detection arp request

Application scenario: sent after plugging or unplugging the network cable, activating the network card, or obtaining an IP through DHCP, and used to detect whether there is an IP conflict in the broadcast domain. It is generally sent three times (if there is no conflict). If there is no response to all three, the host moves on to the ARP announcement, announcing that it is officially using this IP address. Both are sent without being requested, so they are gratuitous in that sense, but technically they are not quite the same as gratuitous ARP.

Features: Layer 2 broadcast message. In the ARP message body, the source IP and destination MAC are empty (all 0). It is sent three times with an interval of 1 second.

Note that the packet does not provide a complete mapping. The sender IP is set to all zeros, so the sender MAC address cannot be mapped to it. The target MAC address is all zeros, so the target IP address cannot be mapped to it. It is not yet certain whether either mapping exists in the broadcast domain, so both are set to 00 to begin with. This is done intentionally, as the reason for sending ARP probes is to prevent IP conflicts. If the target IP address is already in use, it would be highly undesirable for other hosts on the network to inadvertently update their ARP caches based on the contents of the ARP probe.

Change the IP setting to obtain the address automatically through DHCP. After the address is obtained, an ARP probe message is sent; the obtained address is 192.168.209.139.

Three ARP probe messages are issued.

When there is an IP conflict, the ARP probe is sent once, and if there is a response, this address is not used. If the address is static, an IP conflict is reported and the address becomes 169.254.xx.xx.

As shown in the figure: the IP address 192.168.209.141 is known to be in use in the environment, so change the IP address of the PC to 209.141 and look at the packet capture results.

 

Process: After the IP is modified, an ARP probe is sent and receives a response the first time, so an IP conflict is reported and the link-local address 169.254.240.20 is used. The same probe message is sent three times, and this IP is then used to request the gateway MAC address. The gateway does not process requests from this address, so ARP messages keep being sent out.

 

Because the gateway MAC address cannot be obtained, I cannot access the Internet.

 

5.4 arp announces the use of this ip address

Application scenario: After plugging and unplugging the network cable or obtaining the address through dhcp, if there is no IP conflict in arp detection, declare

 Features: Layer 2 broadcast message, the source and destination IP are the same, and the destination mac address is empty.
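The frame layout from section 2 and the four request types from section 5 can be checked mechanically. The following parser and classifier is an added example, not code from the original post; the function names and MAC addresses are hypothetical, the frames are constructed rather than captured, and the unicast sample's target MAC field value is an assumption.

```python
import socket
import struct

BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

def parse_arp(frame):
    """Parse an Ethernet II frame carrying ARP for IPv4; ValueError otherwise."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header + ARP body")
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0806:
        raise ValueError("frame type is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": socket.inet_ntoa(spa),
            "tha": tha, "tpa": socket.inet_ntoa(tpa)}

def classify(frame):
    """Name the section 5 request type of a frame ('reply'/'other' otherwise)."""
    a = parse_arp(frame)
    if a["op"] != 1:
        return "reply" if a["op"] == 2 else "other"
    if a["eth_dst"] != BROADCAST:
        return "unicast request"          # 5.2: Layer 2 destination is one host
    if a["spa"] == "0.0.0.0" and a["tha"] == ZERO_MAC:
        return "probe"                    # 5.3: sender IP and target MAC all zero
    if a["spa"] == a["tpa"]:
        return "announcement"             # 5.4: sender IP equals target IP
    return "broadcast request"            # 5.1: ordinary resolution

def build(eth_dst, op, sha, spa, tha, tpa):
    """Assemble a constructed sample frame (not captured traffic)."""
    return (eth_dst + sha + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))

HOST = bytes.fromhex("020000000001")      # constructed MAC addresses
PEER = bytes.fromhex("020000000002")

def demo():
    """Classify one constructed frame of each kind, using the page's IPs."""
    me, peer, new = "192.168.209.201", "192.168.209.141", "192.168.209.139"
    return [classify(f) for f in (
        build(BROADCAST, 1, HOST, me, ZERO_MAC, peer),
        build(PEER, 1, HOST, me, PEER, peer),
        build(BROADCAST, 1, HOST, "0.0.0.0", ZERO_MAC, new),
        build(BROADCAST, 1, HOST, new, ZERO_MAC, new),
        build(HOST, 2, PEER, peer, HOST, me))]
```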


Origin blog.csdn.net/wj31932/article/details/132326263