Networking
18 June 2011 0 Comments

An Introduction to ARP Cache Poisoning

Other posts in the ARP series: The ARP protocol explained, Viewing and manipulating the ARP cache on Windows and Linux

Remember that each network interface maintains a table of (IP->MAC) mappings in its ARP cache. The ARP protocol packet has the following structure:

Structure of an ARP packet

There are two types of ARP packets: request and reply. The type is determined by the Operation Code field. The tabel below shows a scenario of normal operation:

  • Host A sends an ARP request looking for the MAC address of Host B
  • Host B responds with ARP reply.

This ARP packet is encapsulated in an Ethernet frame with the following values:

Normally an ARP request is sent because the sender wants to talk to a given IP address and needs to find out the associated MAC address. But sometimes the sender generates an ARP packet to inform the receivers about some information, instead of asking for information. This is called gratuitous ARP and is commonly used in the following situations:

  • Duplicate address detection
  • Change of MAC address
  • Virtual IP

Routers and other network hardware may cache routing information gained from multiple gratuitous ARP packets. Read this page for more information. For gratuitous…

Tags: , , , , , gratuitous, poisoning, reply, request, unsollicited
Networking
17 June 2011 3 Comments

The ARP Protocol Explained

Introduction

The Address Resolution Protocol, or ARP, is used for resolution of network-layer addresses (IP) to link-layer addresses (MAC). This post describes the basics of the ARP protocol, viewing and manipulating your arp cache is discussed in the next post.

Other posts on the ARP protocol are available here:

  • Viewing and manipulating the ARP cache on Windows and Linux.
  • An introduction to ARP cache poisoning.

ARP Basics

When a system wants to send data to another computer, it prepares an IP packet with the appropriate destination IP. This packet is passed down to the link-layer (usually Ethernet). This layer needs to encapsulate the IP packet in an Ethernet frame before it can be sent.

An Ethernet frame must be addressed to a destination hardware address (MAC address). But which MAC address corresponds with the destination IP address? This is looked up in the ARP cache. The ARP cache contains mappings of the form (IP - MAC).

Source and Destination Hosts on the Same Local Network

The sending host will first look up the destination IP address in its routing table. If the destination IP is on the same physical network (subnet) then there are no routers between the host…

Tags: , , arp entry, , , , , , , ,