Shulou(Shulou.com)06/01 Report--

2014 is almost over, and 2015 is striding towards us. Write this log to sort out the knowledge scum you learned in 2015, and at the same time comb your mood and look forward to the arrival of 2014 in a good mood!

ARP, the address resolution protocol, is a TCP/IP protocol that resolves IP addresses to Mac addresses. When a host wants to communicate with the outside world, it will first send a request broadcast to the outside world, and send a packet containing the destination IP address at the same time. In addition, the host can also accept the information returned on the network. The Mac address of the target host is included in the return information. After receiving the return message, the host matches and collates the IP address of the target host and the Mac address in the return message, and then stores it in the local ARP cache.

ARP cache is essentially a table of correspondence between IP address and MAC address, which can be stored locally for a period of time, and the next request can directly find the MAC address of the target host IP from the local ARP cache, so as to save access time. The ARP cache is only stored locally for a certain period of time and has a certain life cycle. The next time you access it, you need to send a broadcast on the network to obtain the MAC address.

The working process of the ARP protocol is described as follows (from Baidu):

1. PC1 wants to send the data to PC2, but it doesn't know the MAC address of PC2, so it sends an ARP request, which is a broadcast packet, asking other PC on the network: "what is the MAC address of 192.168.0.2?" Other PC on the network have received this broadcast package.

2. PC2 looked at the broadcast packet and found that the IP address in it was mine, so he replied to PC1 with a packet telling PC1 that my MAC address was 00-aa-00-62-c6-09. When PC3 and PC4 received the broadcast packet, they found that the IP address in it was not mine, so they kept silent and did not reply to the packet.

3. PC1 knows the MAC address of PC2, and it can send data to PC2. At the same time, it updates its ARP cache table, and the next time it sends a message to PC2, it can look up the MAC address of PC2 directly from the ARP cache, and there is no need to send an ARP request again.

Commonly used commands at the command prompt:

C:\ Users > arp

Displays and modifies the IP to physical address translation table used by the address Resolution Protocol (ARP). ARP-s inet_addr eth_addr [if_addr]

ARP-d inet_addr [if_addr]

ARP-a [inet_addr] [- N if_addr] [- v]

-a displays the current ARP entry by asking about the current protocol data.

If inet_addr is specified, only the specified computer is displayed

The IP address and physical address of the If there is more than one network

If the interface uses ARP, the entries for each ARP table are displayed.

-g is the same as-a.

-v displays the current ARP entry in detail mode. All invalid items

Items on the and loopback interfaces are displayed.

Inet_addr specifies the Internet address.

-N if_addr displays the ARP entry for the network interface specified by if_addr.

-d Delete the host specified by inet_addr. Inet_addr can

Therefore, the wildcard * is used to delete all hosts.

-s add the host and inet_addr the Internet address

Associated with the physical address eth_addr. The physical address is using the

6 hexadecimal bytes separated by hyphens. This item is permanent.

Eth_addr specifies the physical address.

If if_addr exists, this item specifies the interface that the address translation table should modify.

The Internet address of. If it does not exist, use the first

An applicable interface.

Example:

> arp-s 157.color music. 85.212 00 color aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaamuraaaaaaaaaaaamurmur.85.212 00. > arp-s 157. Add a static item.

> arp-a.... Displays the ARP table.

ARP*** and Defense

The ARP request is sent in the form of broadcast, and the host on the network can send the ARP reply message independently, and when other hosts receive the reply message, they will record it in the local MAC address translation table without detecting the authenticity of the message, so that the * * can send pseudo ARP reply message to the target host, thus tampering with the local MAC address table. ARP spoofing can not only cause the failure of communication between the target computer and the gateway, but also lead to communication redirection, and all data will pass through the user's machine, so there is a great security risk. As a popular method, ARP*** can be used to cheat, hang up horses, steal game accounts, and so on. Interested friends can google, there are a lot of content in this area on the Internet.

ARP message

The first problem to be solved is how to obtain ARP protocol messages.

WireShark-professional package grabbing software

ARP protocol message format:

Analysis of ARP request packet: as shown below is an ARP request package 0000 ff ff ff ff ff ff 00C F1 d4 d9 60 08 06 00 01. `.

0010 08 00 06 04 00 01 00C F1 d4 d9 60c0a8 01 0f. `.

0020 00 00 00 c0 a8 01 02.

By definition, the first six bytes are the Ethernet destination address ff ff ff ff ff ff, which is a broadcast address that can be received by all terminals in the whole network, and the next six bytes are the Ethernet source address, that is, the sender's MAC address (00c F1 D4 D9 60 is my MAC address).

Frame type 0806 takes up two bytes, and this is where the Ethernet frame header ends. 0806 means that the following data belongs to the arp package.

Then analyze the ARP header. The first two bytes are hardware type 00 01, and the next two bytes are protocol types, that is, ARP uses the IP protocol code 08 00. The hardware address length and protocol address length are 6 and 4, respectively. This corresponds to the ARP message format. The next two bytes of OP indicate whether the current packet is a request packet or an answer packet, with corresponding values of 0x0001 and 0x0002, respectively. The original data is 00 01, so this is a request packet, then 6 bytes are the sender MAC address 00 0c F1 d4 d9 60, the next 4 bytes are the sender IP address c0a8 01 0f, converted to dotted decimal format that is 192.168.1.15, this is my IP, the next 6 bytes are left blank, 00 00 00 can also be other data in the arp request packet Because later the IP address c0a8 01 02 (192.168.1.2) will populate the six bytes with its own MAC address.

After filling, the sender hardware address in the arp packet | the destination hardware address and the Ethernet destination address of the Ethernet header | the Ethernet source address is exactly switched. Finally, send out the encapsulated ARP packet, so that the two terminals can know each other's IP and MAC back and forth.

These are the basic contents of ARP. I am not good at learning skills. I hope you can give me more advice!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.