Shulou(Shulou.com)06/01 Report--

The first thing to know is that in fact, in arp packets, the transmission of real data is identified by the source MAC and destination MAC addresses in the layer 2 Ethernet header, and the layer 3 arp protocol only plays a parsing role. If the target MAC is all F, it is a broadcast, which is actually visible in arp request. If the destination MAC address is a single real MAC, it is in the form of a unicast arp reply packet. Real testing and practical application can be flexible. (that is, the so-called arp request packet does not have to send a broadcast, if unicast can also play a "spoofing role")

Arp request:

This arp package is a standard arp request package, which can be simply understood as: who is 172.16.1.7? Please tell 172.16.1.224. The receiver records and updates the source mac and source ip in arp parsing to its own local arp cache, and sends back an arp reply packet. In fact, the destination mac can be changed to the destination ip, that is, unicast, which better avoids broadcasting and adds some concealment.

The performance on the target machine can be seen as follows:

The source mac and ip can be changed to arp spoofing, and the original ip address and destination ip address can be changed to the same in the arp header, and the alarm of ip conflict can also be reached on the destination host. In fact, after you configure a pc with static ip network information on the network, it will send an arp request broadcast across the network to verify that there are other hosts on the network configured with the same ip address. At this point, your ip address will not be configured successfully, and you will get the following information

On the other hand, another host will prompt the ip conflict in its lower corner, as shown in the following figure

For some arp firewalls on the market now, the way to detect the * * is to unlock the relevant ip and mac information in the arp packet, so if you only leave the correct target mac and the rest of the forged information can not only achieve arp deception, but also hide the role of the * *, here, the author suggests that we should not often use the form of broadcast, because the broadcast conference is first suspected.

Arp reply packet

This is a standard arp reply package

00:0C:29:06:DC:FA is the real destination address, and the simple description of the packet can be understood as: 172.16.1.7 in 172.16.1.7, on the basis of parsing the source mac and source ip in the protocol header for arp, it is not difficult to find that if the destination ip address is the same as the source ip address, pc will alarm the ip conflict. Note here that although arp is fully automatic and the host initiates and records the cache, for friends who use arp reply to achieve arp spoofing, the arp cache will not record or update the mac address entry corresponding to the new (originally non-existent) ip address, but can only update the cache of ip corresponding mac address in the existing arp. I don't know if I understand what I said. Please experience it in detail.

Target computer details:

Carefully check the location of the arp packet where the hardware address of the detected conflict is located

In fact, now, for the popular ipV4 network, arp is a necessary protocol, which was formulated by IETF in more than 19 years. It is really very old, but I don't remember it very much. Originally, the purpose of the Internet is to achieve interconnection, without much consideration for security, but now the arp protocol has been used to a large extent. It can be said that at present, more than 90% of enterprises have actually been infected with arp virus, but you have not found it. Maybe you rebooted the switch at that time, and you didn't pay much attention to it.

The reason why IPv4 turned to IPv6 is well known. Address resolution (and reverse address resolution) is a very important problem in TCP/IP-based networks. ARP and RARP have been used to solve this problem. IPv6 uses a new protocol, neighbor Discovery Protocol, for this problem, which is included in ICMPv6, where neighbor announcement and neighbor request are combined to replace the ARP protocol in IPv4. We can also bid farewell to the troubles of arp in the v4 era. Hey, look forward to the gradual replacement process of ipV6. The above is casual chat. I saw the reply as soon as I had a friend exchange. Don't spray the old bird and follow the guidance modestly.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.