2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. Analysis of the ARP packet format
How it works:
In network communication, the application on the source host knows the IP address and port number of the destination host, but not its hardware address. A data packet is first received by the network card and only then handed to the upper-layer protocols. If the destination hardware address of a received packet does not match that of the local machine, the packet is discarded directly. Therefore, the hardware address of the destination host must be obtained before communicating, and this is the role of the ARP protocol. The source host sends an ARP request asking "what is the hardware address of the host whose IP address is 192.168.0.1" and broadcasts the request to the local network segment (the destination hardware address at the start of the Ethernet frame is filled with FF:FF:FF:FF:FF:FF for broadcast). The destination host receives the broadcast ARP request, finds that the IP address matches its own, and sends an ARP reply packet to the source host with its own hardware address filled in.
Each host maintains an ARP cache table, which can be viewed with the arp -a command. Entries in the cache table have an expiration time (usually 20 minutes). If an entry is not used again within 20 minutes it becomes invalid, and the next time an ARP request is issued to obtain the hardware address of the destination host. Without a cache, a broadcast query would be needed every time an IP packet is sent, which would waste bandwidth and resources. Moreover, network equipment cannot verify the authenticity of an ARP packet. If a packet follows the ARP format and its information is valid, the receiving computer will act on the contents of the packet.
ARP Datagram format
Note that the source MAC address and the destination MAC address each appear once in the Ethernet header and once in the ARP payload. This is redundant when the link layer is Ethernet, but may be necessary when the link layer is another type of network. The hardware type is the link-layer network type (1 is Ethernet); the protocol type is the address type to be translated (0x0800 is an IP address); the two address-length fields that follow are 6 and 4 (bytes) for the Ethernet address and the IP address, respectively; op field 1 indicates an ARP request and op field 2 indicates an ARP reply.
Ethernet header:
Field | Length (bytes) | Default value | Remarks
Receiver MAC | 6 | - | ff-ff-ff-ff-ff-ff when broadcasting
Sender MAC | 6 | - | -
Ethertype | 2 | 0x0806 | 0x0806 is the type value of an ARP frame
ARP packet:
Field | Length (bytes) | Default value | Remarks
Hardware type | 2 | 0x1 | Ethernet type value
Upper-layer protocol type | 2 | 0x0800 | Upper-layer protocol is IP
MAC address length | 1 | 0x6 | Ethernet MAC address length is 6
IP address length | 1 | 0x4 | IP address length is 4
Opcode | 2 | - | 0x1 indicates an ARP request packet, 0x2 a reply packet
Sender MAC | 6 | - | -
Sender IP | 4 | - | -
Recipient MAC | 6 | - | -
Recipient IP | 4 | - | -
Padding data | 18 | - | The minimum physical frame length is 64 bytes; the first 42 bytes plus 4 CRC check bytes leave 18 bytes
II. Case analysis
Local IP: 192.168.0.1 (c0a8 0001)
Local MAC: 00-50-56-c0-00-01
Target IP: 192.168.0.2 (c0a8 0002)
Target MAC: 00-0c-29-0b-42-7e
1. When pinging the target host 192.168.0.2, the ARP packet sent by this machine is:
00000000: ff ff ff ff ff ff 00 50 56 c0 00 01 08 06 00 01
00000010: 08 00 06 04 00 01 00 50 56 c0 00 01 c0 a8 00 01
00000020: 00 00 00 00 00 00 c0 a8 00 02
Ethernet packet destination: ff ff ff ff ff ff (network-wide broadcast)
Ethernet packet source: 00 50 56 c0 00 01 (local)
Ethernet packet content type: 08 06 (ARP packet)
ARP packet type: 00 01 (Request)
Data content: tells the host whose IP is c0a8 0002 that the IP of this machine is c0a8 0001 and its MAC is 00 50 56 c0 00 01; please update and send me your MAC.
The ARP packet with which the target host responds to this machine is:
00000000: 00 50 56 c0 00 01 00 0c 29 0b 42 7e 08 06 00 01
00000010: 08 00 06 04 00 02 00 0c 29 0b 42 7e c0 a8 00 02
00000020: 00 50 56 c0 00 01 c0 a8 00 01
Ethernet packet destination: 00 50 56 c0 00 01
Ethernet packet source: 00 0c 29 0b 42 7e
Ethernet packet content type: 08 06 (ARP packet)
ARP packet type: 00 02 (Reply)
Data content: tells the host whose MAC is 00 50 56 c0 00 01: I have received your IP and MAC; my MAC and IP are 00 0c 29 0b 42 7e and c0a8 0002; please save the update.
2. When the system IP is changed (without an IP conflict), the ARP packet sent is:
00000000: ff ff ff ff ff ff 00 0c 29 0b 42 7e 08 06 00 01
00000010: 08 00 06 04 00 01 00 0c 29 0b 42 7e c0 a8 00 03
00000020: 00 00 00 00 00 00 c0 a8 00 03
Ethernet packet destination: ff ff ff ff ff ff (network-wide broadcast)
Ethernet packet source: 00 0c 29 0b 42 7e (local)
Ethernet packet content type: 08 06 (ARP packet)
ARP packet type: 00 01 (Request)
Data content: tells the host whose IP is c0a8 0003 that the MAC and IP of this machine are 00 0c 29 0b 42 7e and c0a8 0003. Since there is no other host c0a8 0003 in the network, there will be no response to this packet. At this point, the LAN switch will refresh its cache so that your IP and MAC correspond.
3. When the system IP is changed (with an IP conflict), the ARP packet sent is:
00000000: ff ff ff ff ff ff 00 0c 29 0b 42 7e 08 06 00 01
00000010: 08 00 06 04 00 01 00 0c 29 0b 42 7e c0 a8 00 01
00000020: 00 00 00 00 00 00 c0 a8 00 01
Ethernet packet destination: ff ff ff ff ff ff (network-wide broadcast)
Ethernet packet source: 00 0c 29 0b 42 7e
Ethernet packet content type: 08 06 (ARP packet)
ARP packet type: 00 01 (Request)
Data content: tells the host whose IP is c0a8 0001 that the MAC and IP of this machine are 00 0c 29 0b 42 7e and c0a8 0001. Because a host c0a8 0001 already exists in the network, a conflict occurs and an ARP Reply packet will be received.
The ARP packet received is:
00000000: 00 0c 29 0b 42 7e 00 50 56 c0 00 01 08 06 00 01
00000010: 08 00 06 04 00 02 00 50 56 c0 00 01 c0 a8 00 01
00000020: 00 0c 29 0b 42 7e c0 a8 00 01
Ethernet packet destination: 00 0c 29 0b 42 7e
Ethernet packet source: 00 50 56 c0 00 01
Ethernet packet content type: 08 06 (ARP packet)
ARP packet type: 00 02 (Reply)
Data content: tells the host whose MAC is 00 0c 29 0b 42 7e that the MAC and IP of this machine are 00 50 56 c0 00 01 and c0a8 0001. At this point, the host with MAC 00 0c 29 0b 42 7e and IP c0a8 0001 receives the packet and knows that its IP conflicts with another host.
4. Forge ARP packets
A forged ARP Reply sent to the target MAC carries false information in order to deceive the target.
The real IP of this machine is 192.168.0.1 (c0a8 0001)
The real MAC of this machine is: 00-50-56-c0-00-01
Fake MAC: 11-11-11-11-11-11
Deceive the target:
IP: 192.168.0.2 (c0a8 0002)
MAC:00-0c-29-0b-42-7e
The forged packets are as follows:
Packet length: 60
00000000: 00 0c 29 0b 42 7e 11 11 11 11 11 11 08 06 00 01
00000010: 08 00 06 04 00 02 11 11 11 11 11 11 c0 a8 00 01
00000020: 00 0c 29 0b 42 7e c0 a8 00 02 (the rest is filled with 0)
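An added example (not part of the original article): a Python parser for the Ethernet/ARP layout from section I, run over the frames of cases 1, 3 and 4, with a first-seen IP-to-MAC table that flags a sender IP claimed by a different MAC. The function names and finding labels are assumptions made for this example.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Decode the 14-byte Ethernet header and the 28-byte ARP body."""
    if len(frame) < 42:
        raise ValueError("need at least 42 bytes (14 Ethernet + 28 ARP)")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return {"eth_dst": _mac(dst), "eth_src": _mac(src), "op": op,
            "sender_mac": _mac(sha), "sender_ip": _ip(spa),
            "target_mac": _mac(tha), "target_ip": _ip(tpa)}

def inspect(frames):
    """Return (frame index, finding) pairs; first-seen IP->MAC bindings are trusted."""
    bindings, findings = {}, []
    for i, raw in enumerate(frames):
        f = parse_arp_frame(raw)
        if f["eth_src"] != f["sender_mac"]:
            findings.append((i, "l2-mismatch"))       # header and ARP body disagree
        if f["sender_ip"] == f["target_ip"]:
            findings.append((i, "gratuitous"))        # announcement / conflict probe
        known = bindings.setdefault(f["sender_ip"], f["sender_mac"])
        if known != f["sender_mac"]:
            findings.append((i, "binding-conflict"))  # IP now claimed by another MAC
    return findings

# Frames rebuilt from the hex dumps on this page (cases 1, 3 and 4).
REQUEST = bytes.fromhex("ffffffffffff 005056c00001 0806 0001 0800 0604 0001"
                        " 005056c00001 c0a80001 000000000000 c0a80002")
REPLY = bytes.fromhex("005056c00001 000c290b427e 0806 0001 0800 0604 0002"
                      " 000c290b427e c0a80002 005056c00001 c0a80001")
CONFLICT = bytes.fromhex("ffffffffffff 000c290b427e 0806 0001 0800 0604 0001"
                         " 000c290b427e c0a80001 000000000000 c0a80001")
FORGED = bytes.fromhex("000c290b427e 111111111111 0806 0001 0800 0604 0002"
                       " 111111111111 c0a80001 000c290b427e c0a80002") + bytes(18)

if __name__ == "__main__":
    for idx, finding in inspect([REQUEST, REPLY, CONFLICT, FORGED]):
        print(idx, finding)
```

The forged reply keeps its Ethernet source and ARP sender MAC consistent, so only the binding table flags it. The accidental conflict of case 3 raises the same finding, which is why such an alert needs a known-good IP-to-MAC record to tell the two apart.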