C.K.B.

Version 0.0.9

Czaku`s Knowladge Base

ARP - Address Resolution Protocol

Translates IP to MAC.

ARP broadcasts a request packet to all the machines on the LAN and asks if any of the machines are using that particular IP address. When a machine recognizes the IP address as its own, it sends a reply so ARP can update the cache for future reference and proceed with the communication.

ARP is encapsulated in Ethernet frame:
SRC MAC: own
DST MAC: FF:FF:FF:FF:FF:FF
EtherType: 0x0806 - next header is ARP
ARP Header:
Ethertype: 0x0800 - next header is IPv4 but there is no IP header
OpCode: 1 - request, 2 - reply
SRC MAC: own
DST MAC: MAC we are looking for
SRC IP: our IP
DST IP: 0.0.0.0

Types of messages:

Request (who-has)

We use it to find MAC address for known IP address:

HW_SRC - myself
HW_DST - FF:FF:FF:FF:FF:FF - b-cast MAC
operation code - 1 

Ethernet II
  Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Address: Broadcast (ff:ff:ff:ff:ff:ff) <<< b-cast
    .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
  Source: XiaomiMobile_0c:c7:f0 (28:d1:27:0c:c7:f0)
    Address: XiaomiMobile_0c:c7:f0 (28:d1:27:0c:c7:f0)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Type: ARP (0x0806)
Address Resolution Protocol (request)
  Hardware type: Ethernet (1)
  Protocol type: IPv4 (0x0800)
  Hardware size: 6
  Protocol size: 4
  Opcode: request (1)
  Sender MAC address: XiaomiMobile_0c:c7:f0 (28:d1:27:0c:c7:f0)
  Sender IP address: 10.13.13.101
  Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00) <<< We are looking for this address
  Target IP address: 10.13.13.122 <<< We are asking who has this IP

Reply ()

It is reply to the ARP request. If we are the owner of the IP, we should reply with our MAC address:

HW_SRC - myself
HW_DST - HW_MAC who asked
operation code - 2

Ethernet II
  Destination: XiaomiMobile_0c:c7:f0 (28:d1:27:0c:c7:f0)
    Address: XiaomiMobile_0c:c7:f0 (28:d1:27:0c:c7:f0) <<< u-cast
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Source: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
    Address: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Type: ARP (0x0806)
Address Resolution Protocol (reply)
  Hardware type: Ethernet (1)
  Protocol type: IPv4 (0x0800)
  Hardware size: 6
  Protocol size: 4
  Opcode: reply (2)
  Sender MAC address: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec) <<< We got the MAC
  Sender IP address: 10.13.13.122
  Target MAC address: XiaomiMobile_0c:c7:f0 (28:d1:27:0c:c7:f0)  
  Target IP address: 10.13.13.101

Gratuitous ARP

If we want to announce our MAC-IP binding. Usualy when the interface goes UP. It is like reply but to b-cast:

HW_SRC - myself
HW_DST - FF:FF:FF:FF:FF:FF or 00:00:00:00:00:00 - b-cast MAC
operation code - 2
Is gratuitous - True

Ethernet II
  Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Address: Broadcast (ff:ff:ff:ff:ff:ff) <<< b-cast
    .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
  Source: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
    Address: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN
  000. .... .... .... = Priority: Best Effort (default) (0)
  ...0 .... .... .... = DEI: Ineligible
  .... 0000 1100 1000 = ID: 200
  Type: ARP (0x0806)
Address Resolution Protocol (reply/gratuitous ARP)
  Hardware type: Ethernet (1)
  Protocol type: IPv4 (0x0800)
  Hardware size: 6
  Protocol size: 4
  Opcode: reply (2)
  Is gratuitous: True
  Sender MAC address: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68) 
  Sender IP address: 10.13.13.1  <<< we anounce our IP
  Target MAC address: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68) 
  Target IP address: 10.13.13.1  <<< we anounce our IP

Reverse ARP

RFC 3927, which is based on Gratuitous ARP, specifies 00:00:00:00:00:00 for the target MAC.

The client asks/requests IP from the router:

HW_SRC - myself
HW_DST - 00:00:00:00:00:00 or FF:FF:FF:FF:FF:FF - b-cast for G-ARP MAC
operation code - 3 request, 4 reply
In ARP we ask for IP of target MAC address

Ethernet II
  Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Address: Broadcast (ff:ff:ff:ff:ff:ff)  <<< b-cast
    .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
  Source: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
    Address: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Type: ARP (0x0806)
Address Resolution Protocol (reverse request)
  Hardware type: Ethernet (1)
  Protocol type: IPv4 (0x0800)
  Hardware size: 6
  Protocol size: 4
  Opcode: reverse request (3)
  Sender MAC address: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
  Sender IP address: 0.0.0.0
  Target MAC address: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
  Target IP address: 0.0.0.0

Inverse ARP

It is used in ATM/FrameRelay networks. We use it to find IP for a given MAC address.

HW_SRC - myself
HW_DST - no idea
operation code - 8 request, 9 reply
In ARP we ask for IP of target MAC address

Download:

Download arp.pcap

Last updated on 13 Jun 2024
Published on 13 Jun 2024
 Edit on GitHub