1. Introduction to the ARP protocol
1.1. Problem statement
In a computer network, each computer is assigned two kinds of address:
Logical address: the address used by network protocols such as IP, IPX, … This kind of address is only relative and can be changed according to the user's needs. Such addresses are usually divided into two parts, a network part and a host part; this structure makes it easier to find a path from one network to another.
Physical address: also known as the MAC address (Medium Access Control address), a 48-bit address assigned by the vendor to uniquely identify each device. It is a flat, unstructured address, so it is hard to use for routing.
In fact, network cards (NICs) can only talk to each other by MAC address, a fixed and unique hardware address.
=> Therefore there must be a mechanism to map logical (layer 3) addresses to physical (layer 2) addresses so that devices can communicate with each other.
This is the job of ARP, the Address Resolution Protocol.
1.2. What is ARP?
– ARP is a dynamic method of resolving a network layer address to a data link layer address. An IP device on the network sends a local broadcast packet to the whole network asking the device that owns a given IP address to send back its hardware (data link layer) address, i.e. its MAC address.
– ARP is a Layer 2 protocol (data link layer) in the OSI model and a link layer protocol in the TCP/IP model.
– Initially ARP was only used on Ethernet networks to resolve IP addresses to MAC addresses, but today it is widely used on other layer-two technologies as well.
2. ARP message structure
An ARP message is 28 bytes long and is encapsulated in an Ethernet II frame; in the OSI model ARP is therefore considered a low-level layer 3 protocol.
The fields of the ARP message are described as follows:
Hardware type: specifies the type of hardware interface the sender needs to know about. Ethernet is identified by the value 1.
Protocol type: specifies the higher-level (layer 3) protocol the sender uses to communicate. IP has the value 0x0800.
Hardware address length: the length of the physical address in bytes; for a MAC address the value is 6.
Protocol address length: the length of the logical address used by the upper layer (layer 3). The value depends on the IP version in use; with IPv4, which is widely used today, this field is 4 (bytes).
Operation code: Determines the type of ARP message the sender sends. There are several common values:
1: ARP request message.
2: ARP reply message.
3: RARP request message.
4: RARP reply message.
Sender hardware address (SHA): Specifies the sending machine’s MAC address.
In the ARP request message: this field identifies the MAC address of the host sending the request.
In the ARP reply message: this field carries the MAC address of the host that the requester wanted to look up.
Sender protocol address (SPA): the sender's IP address.
Target hardware address (THA): the MAC address of the receiver, i.e. the address the sender is looking for.
In the ARP request message: this address is not yet known, so the field is set to 00:00:00:00:00:00.
In the ARP reply message: this field carries the MAC address of the host that sent the ARP request.
3. How ARP works
3.1. ARP operation in a LAN
Step 1: The sending host checks its ARP cache. If a mapping between the IP address and the MAC address is already there, go to Step 7.
Step 2: The sender builds an ARP request packet with SHA and SPA set to its own MAC and IP addresses and TPA set to the IP address of the host whose MAC it needs. (THA is set to all zeros to indicate that the MAC address is not yet known.)
Step 3: The ARP packet is broadcast across the network (the destination MAC address of the Ethernet II frame is the broadcast address ff:ff:ff:ff:ff:ff).
Step 4: Every device on the network receives the ARP request and examines the Target Protocol Address field.
Devices whose IP does not match the TPA drop the packet.
The device whose IP matches the Target Protocol Address field builds an ARP Reply: it copies the Sender Hardware Address and Sender Protocol Address fields of the received packet into the Target fields of the outgoing packet and puts its own MAC address in the Sender Hardware Address field. At the same time it records the requester's IP-to-MAC mapping in its own ARP cache to save processing time next time.
Step 5: The target device sends the prepared Reply packet to the source device that sent the ARP request. The reply is a unicast packet.
Step 6: The source device receives the reply and stores the Sender Hardware Address field of the reply as the hardware address of the target device it was looking for.
Step 7: The source device updates its ARP cache with the IP-to-MAC mapping of the target device. Next time no ARP request is needed.
3.2. ARP operation in an internetwork environment
ARP also works in a more complex environment where two networks are joined through a router.
Host A on network A wants to send a packet to host B on network B. The two networks are connected through router C.
Because MAC layer broadcasts cannot pass through the router, host A treats router C as an intermediary (agent) for forwarding the data. Host A already knows the IP address of router C (its gateway address) and knows that to reach B it must go through C.
To reach router C, host A must send the packet to port X of router C (the gateway on LAN A). The data transfer proceeds as follows:
Host A sends an ARP request to find the MAC of port X.
Router C replies, giving A the MAC address of port X.
Host A sends the packet to port X of router C (the destination MAC is the MAC of port X, the destination IP is the IP of host B).
Router C receives A's packet and forwards it out port Y. Since the packet carries the IP address of host B, router C sends an ARP request on network B to find the MAC of host B.
In practice, besides this routing table approach, the proxy ARP method (covered in section 4.3) is also used: one device takes care of address resolution on behalf of all the others, so the workstations no longer need to keep a routing table. Router C is then responsible for answering all ARP requests from all hosts.
4. ARP messages and ARP caching
4.1. ARP messages
ARP probe: an ARP message a host uses to check whether the address it has been assigned (by manual configuration, DHCP, …) collides with the IP address of another host on the same network. At start-up, every host broadcasts this message.
In this message the sender IP address is 0.0.0.0 (showing that the sender has not yet claimed an IP, and also preventing other hosts on the network from recording the sender's MAC in their ARP cache, since it has no assigned IP yet).
The target MAC address is 00:00:00:00:00:00.
The target IP address is the IP address the sending host has been assigned.
Normally this ARP request receives no reply.
ARP announcements: ARP also has a simple way for a host to notify the network when its IP address or MAC address changes: the gratuitous ARP message.
Gratuitous ARP messages are broadcast requests whose sender MAC and IP addresses are the sender's addresses after the change.
The target MAC address is 00:00:00:00:00:00 and the target IP address is the sender's own. Hosts on the network that receive this message simply update the sender's MAC and IP mapping in their ARP cache => no reply is sent for this message.
ARP request: the request message that the sender broadcasts to find the MAC address of the receiver.
The sender MAC and IP addresses are those of the sending host.
The target MAC address is set to zero.
The target IP address is the IP address of the host being looked up.
ARP reply: the message the receiving host sends back after getting an ARP request, carrying its own MAC address.
It packs its own IP and MAC addresses into the SPA and SHA fields.
The requester's MAC and IP addresses are placed in the THA and TPA fields.
The reply is sent unicast.
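As an added example (not code from the original article), the following Python script packs and parses the 28-byte ARP message of section 2, builds the Step 4 reply by moving the sender fields into the target fields, and classifies probe, announcement, request and reply messages by the rules of section 4.1. All MAC and IP addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

# Wire layout of the 28-byte Ethernet/IPv4 ARP message (example code; the
# field order follows the article's description, not any library's API).
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Pack one ARP message into its 28-byte wire form."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sha), IPv4Address(spa).packed,
                       mac_bytes(tha), IPv4Address(tpa).packed)

def parse_arp(data):
    """Unpack a 28-byte Ethernet/IPv4 ARP message into a dict; reject anything else."""
    if len(data) != struct.calcsize(ARP_FMT):
        raise ValueError("ARP message must be 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}

def classify(msg):
    """Name the message type using the rules of section 4.1."""
    if msg["op"] == OP_REPLY:
        return "reply"
    if msg["spa"] == "0.0.0.0":
        return "probe"          # sender has not claimed an IP yet
    if msg["spa"] == msg["tpa"]:
        return "announcement"   # gratuitous ARP: target IP is the sender's own
    return "request"

def make_reply(request, my_mac):
    """Step 4: answer a request for our IP; the sender fields become the target."""
    return build_arp(OP_REPLY, my_mac, request["tpa"], request["sha"], request["spa"])

# Step 2: host 192.168.1.100 asks for the MAC of gateway 192.168.1.1 (constructed).
req = build_arp(OP_REQUEST, "aa:bb:cc:00:00:01", "192.168.1.100", ZERO_MAC, "192.168.1.1")
rep = parse_arp(make_reply(parse_arp(req), "aa:bb:cc:00:00:fe"))
print(classify(parse_arp(req)), rep)
```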
4.2. ARP caching
ARP is a dynamic address resolution protocol. Sending Request and Reply packets consumes network bandwidth, so minimizing them helps improve network performance.
=> Hence the need for ARP caching.
Besides reducing network traffic, the ARP cache also resolves frequently used addresses quickly, which helps overall network performance.
The ARP cache is a table of correspondences between hardware addresses and IP addresses.
(On Windows, run arp -a in Command Prompt to show the machine's ARP cache.)
There are two ways entries get into the ARP table:
Static ARP cache entries: entries added to the ARP table one by one by the administrator, by hand.
Used where workstations should have a static ARP entry for the router and the file server on the network; this limits the packets sent for address resolution.
Use the command arp -s ip_addr mac_addr to add a static ARP entry to the ARP cache.
Cons: besides having to be entered manually, static entries must also be changed whenever the IP addresses of devices on the network change.
Dynamic ARP cache entries: hardware/IP address pairs entered into the ARP cache automatically by software once the address resolution process completes.
They are cached for a period of time and then deleted.
Dynamic caching is more widely used because everything happens automatically and requires no administrator interaction.
In a real network there are many reasons for IP-to-MAC mappings to change, so information in the dynamic cache is deleted automatically after a certain time. ARP does this on its own, usually after 10 or 20 minutes (or longer, depending on the device and vendor). Once the cached time elapses, the entry is deleted; the next time it is needed the information is resolved again (this is also where ARP announcements come into play).
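As an added example (not code from the original article), the following Python class models the cache behaviour described above: static entries (as added with arp -s) never expire and are never overwritten by learned mappings, dynamic entries expire after an assumed 10-minute timeout, and a changed mapping for an already cached IP is reported so it can be logged. Addresses and the clock are constructed.

```python
import time

# Assumed dynamic-entry lifetime; the article says 10 or 20 minutes depending
# on the device and vendor.
ARP_TIMEOUT = 10 * 60

class ArpCache:
    """IP -> MAC table with static and dynamic entries (example code)."""

    def __init__(self, now=time.monotonic):
        self.now = now            # clock function, replaceable for testing
        self.entries = {}         # ip -> (mac, is_static, learned_at)

    def add_static(self, ip, mac):
        """Like 'arp -s ip_addr mac_addr': entered by hand, never expires."""
        self.entries[ip] = (mac, True, None)

    def learn(self, ip, mac):
        """Step 7 (or a gratuitous ARP): record a dynamic mapping.
        Returns the previous MAC when an existing dynamic entry changed, so
        the caller can log it; a static entry is never overwritten."""
        old = self.entries.get(ip)
        if old is not None and old[1]:
            return None
        self.entries[ip] = (mac, False, self.now())
        return old[0] if old is not None and old[0] != mac else None

    def lookup(self, ip):
        """Step 1: cached MAC, or None if absent or expired (an ARP request
        is then needed)."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, is_static, learned_at = entry
        if not is_static and self.now() - learned_at > ARP_TIMEOUT:
            del self.entries[ip]  # aged out; the next use triggers a new request
            return None
        return mac

# Constructed walk-through with a fake clock so expiry can be shown offline.
clock = [0.0]
cache = ArpCache(now=lambda: clock[0])
cache.add_static("192.168.1.1", "aa:bb:cc:00:00:fe")   # gateway, static
cache.learn("192.168.1.50", "aa:bb:cc:00:00:32")       # learned from a reply
clock[0] = 15 * 60                                     # 15 minutes later
print(cache.lookup("192.168.1.1"), cache.lookup("192.168.1.50"))
```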
4.3. ARP proxy
ARP is designed for devices on the same network; it is local in nature. If two devices A and B are separated by a router, they are non-local to each other: when A wants to send to B, it cannot address B directly at layer two but must send through the router, and B is considered one hop away at layer three.
Proxy ARP addresses the need to send messages in an internetworking environment: the router between the two local networks is configured to answer the broadcast ARP requests sent by A on behalf of B.
5. Parsing ARP messages using Wireshark
Here are some ARP messages captured with Wireshark. (Before capturing, you should clear the ARP cache on your machine with the command arp -d *; in my opinion, since most ARP entries are dynamic, turning the network card off also works.)
Filter the capture to show only ARP packets:
Packet 2 is the ARP request in which the sending host (192.168.1.100) asks for the gateway's MAC.
Packets 23, 79 and 159 are ARP probe packets.
Packet 185 is the ARP announcement packet.