
How to use ARP protocol

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 05/31

This article introduces how the ARP protocol is used. Many people run into difficulties with it in practical cases, so the following walks through how to handle those situations.

Hosts communicating on the same network (unless stated otherwise, this always means an Ethernet network) must have the MAC address of the target host in order to send data to it correctly. So how does a host learn the MAC address of the target host? Through the ARP protocol. ARP obtains the MAC address corresponding to a target IP address; in other words, it dynamically establishes a mapping between layer 3 IP addresses and layer 2 MAC addresses. Its function can be represented by the following schematic diagram:

The diagram above places ARP in the network layer and treats it as a network layer protocol, because it provides services for the IP protocol in the network layer. But because ARP resolves the data link layer address (physical address / hardware address) corresponding to an IP address (logical address), it is equally acceptable to place it in the data link layer; the classification is not strictly defined.

We will analyze four common kinds of ARP packets through hands-on practice: the ARP request packet, the ARP response packet, the gratuitous ARP packet and IP address conflict detection. We will also analyze how proxy ARP occurs.

The environment to be used here is as follows:

Network device simulator: GNS3

Packet capture software: Wireshark

1. Construction of network environment

For brevity, we do not build one large network environment to cover all four cases above. Instead, we build a small network environment for each ARP situation, which keeps the analysis focused.

2. ARP packet format

As follows:

Note that the ARP message itself is 28 bytes; the figure above also includes the Ethernet header fields (the frame type in the Ethernet header is ARP, which was covered in the analysis of the IP protocol as part of data demultiplexing).

When analyzing ARP packets, what matters most is understanding ARP request packets, ARP response packets, gratuitous ARP packets and proxy ARP, and the practice below is organized by those categories. So the actual structure of an ordinary ARP packet (a request packet) is given first, followed by the specific meaning of each field (with reference to parts of "TCP/IP Illustrated, Volume 1: The Protocols"). Finally, the process that generates these packets is analyzed in detail:

An ordinary ARP packet (actual structure of a request packet)

The specific meaning of each field of the ARP packet (compare with the captured packet above)

Field and meaning:

Hardware type (16 bits)

Indicates the type of hardware address. A value of 1 indicates an Ethernet address, that is, a MAC address.

Protocol type (16 bits)

Indicates the type of protocol address to be mapped. A value of 0x0800 means an IP address. Because this article is based on the IP protocol (that is, the logical address of the network layer is an IP address), this field is 0x0800 in all the captured packets.

Hardware address length (8 bits)

Gives the length of the hardware address in bytes. This article deals with Ethernet, where the hardware address is the MAC address, which is 48 bits, that is, 6 bytes. The value of this field in the packets captured later is therefore 6, which will not be pointed out again.

Protocol address length (8 bits)

Gives the length of the layer 3 logical address in bytes. This article deals with the mapping between Ethernet addresses and IP addresses, and an IP address is 32 bits, that is, 4 bytes. The value of this field in the packets captured later is therefore 4, which will not be pointed out again.

Operation field

Indicates the type of operation. The values are:

ARP request: 1

ARP response: 2

RARP request: 3

RARP response: 4

Because RARP is rarely used now, it is not discussed in this article.

Sender Ethernet address (48 bits)

Strictly speaking this is the "sender hardware address", but because this article only discusses Ethernet, it is called the "sender Ethernet address".

Sender IP address (32 bits)

Strictly speaking this is the "sender network layer logical address", but because this article only discusses the mapping between Ethernet addresses and IP addresses, it is called the "sender IP address".

Destination Ethernet address (48 bits)

Destination IP address (32 bits)

3. Analyze the implementation process of ARP in practice: ARP request, ARP response

(1) Construction of network environment

This section captures ARP request packets and ARP response packets in order to analyze the ARP request and response process in detail, along with the meaning of the relevant fields in each ARP packet. The network environment for this exercise is simple, as follows:

Do the following configuration on the R1 router:

R1#conf t
R1(config)#int f0/0
R1(config-if)#no shu
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#do wr

Do the following configuration on the R2 router:

R2#conf t
R2(config)#int f0/0
R2(config-if)#no shu
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#do wr

Then view the ARP cache table on the R1 router:

R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1              -  cc01.127f.0000  ARPA   FastEthernet0/0

You can see that the ARP cache table has no MAC address for 192.168.1.2, so when R1 later sends data to R2 there must be an ARP request. Make sure R1 has no MAC address for 192.168.1.2 before continuing; if it does, it is recommended to restart both routers. (Although clear arp-cache can be executed on the router to clear the ARP cache table, the entry is generated again immediately after it is cleared, so a restart is recommended.)

(2) Capture and analyze ARP request packet and ARP response packet

First start Wireshark on the link between R1 and R2 to monitor the interface of R1. (This is a GNS3 function that captures packets directly on the link between the two routers.)

Execute the following command on R1:

Router#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/62/76 ms

"!" means the data was sent successfully. The first result is ".", which means that transmission failed. This is because when the first packet was sent, R1 did not have the MAC address of 192.168.1.2, so it sent an ARP request to obtain it. By the time the MAC address was obtained, the first packet had already timed out (waiting for the MAC address) and was never sent. You can see the captured packets below:

You can see that there are 2 ARP packets (1 request and 1 answer) and 8 ICMP packets (4 requests and 4 answers). Here we mainly analyze the ARP packets.

ARP request packet

The packet structure is as follows:

The field analysis is as follows:

a. Hardware type, protocol type, hardware address length, protocol address length

The contents of these fields are the same as discussed earlier, because they describe Ethernet and IP addresses.

b. Operation field Opcode

You can see that the value of Opcode is request (1), so this is an ARP request packet.

c. Sender Ethernet address

We are sending data from R1 to R2.

Compare with the result of the earlier command:

R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1              -  cc01.127f.0000  ARPA   FastEthernet0/0

This is indeed the MAC address of R1 (the MAC address of the interface configured with the IP address 192.168.1.1).

d. Sender IP address

The sender is indeed 192.168.1.1, which is R1.

e. Destination Ethernet address

You can see that this is all zeros. In an ARP request packet, the destination Ethernet address field is set to all zeros because the sender does not know the destination Ethernet address (that is, it does not know the MAC address of 192.168.1.2).

f. Destination IP address

The packet is sent from R1 to R2, so the destination IP address is 192.168.1.2. When R2 receives the ARP request packet and sees that this field contains its own IP address, it answers, that is, it sends an ARP response packet.

The field contents are not difficult to understand, but note the destination MAC address in the data link layer header of the ARP request packet:

It is a broadcast address, which means that when an ARP request packet is sent, all hosts on the Ethernet receive it, but not all of them reply: a host replies only if its own IP address is the same as the Target IP address in the ARP request packet.

ARP response packet

The packet structure is as follows:

Compared with the ARP request packet, there is little difference, apart from the following:

a. The Opcode value of the ARP response packet is reply (2)

b. The layer 2 destination MAC address of the ARP response packet is the MAC address of the sender of the ARP request packet

That is, the ARP request packet is sent as a broadcast, but the ARP response packet is sent as a unicast. So who is it sent to? The ARP response packet is sent to whoever sent the ARP request packet, and the layer 2 destination MAC address is the MAC address of the sender of the ARP request packet.

c. Sender Ethernet address, sender IP address, destination Ethernet address, destination IP address

These are the reverse of the ARP request packet's contents, and the values of all address fields in the ARP response packet are now known. Note that at this point it is clear who the ARP response packet is for, so the ARP response packet is a unicast packet.

As you can see above, ordinary ARP request packets and ARP response packets are not complicated, and as long as you know the basic principles of network communication, the value of each field is easy to understand.
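The field layout and the request/response pair analyzed above, as an added example that is not part of the original article: a Python parser for the Ethernet header plus the 28-byte ARP message, with a check of each frame against the pattern described. The function names, the 16-bit width used for the operation field and the comparison of the Ethernet source with the ARP sender address are assumptions of this example; the two sample frames are constructed from the addresses in the router output.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
UNKNOWN = "00:00:00:00:00:00"
OPCODES = {1: "ARP request", 2: "ARP response", 3: "RARP request", 4: "RARP response"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode a 14-byte Ethernet header followed by the 28-byte ARP message."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header + ARP message")
    eth_dst, eth_src, frame_type = struct.unpack("!6s6sH", frame[:14])
    if frame_type != ETHERTYPE_ARP:
        raise ValueError(f"frame type 0x{frame_type:04x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    # Fixed values for the Ethernet/IPv4 case covered by the field list.
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "opcode": op, "kind": OPCODES.get(op, "unknown"),
        "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa)),
    }


def deviations(pkt: dict) -> list:
    """Return where a frame departs from the request/response pattern."""
    found = []
    if pkt["eth_src"] != pkt["sender_mac"]:
        found.append("Ethernet source differs from ARP sender address")
    if pkt["opcode"] == 1:
        if pkt["eth_dst"] != BROADCAST:
            found.append("request not sent to the broadcast address")
        if pkt["target_mac"] != UNKNOWN:
            found.append("request already carries a target MAC")
    elif pkt["opcode"] == 2 and pkt["eth_dst"] != pkt["target_mac"]:
        found.append("response not addressed to the requester's MAC")
    return found


def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Constructed sample data: assemble a frame from readable addresses."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (raw(eth_dst) + raw(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + raw(sha) + IPv4Address(spa).packed + raw(tha) + IPv4Address(tpa).packed)


R1, R2 = "cc:01:12:7f:00:00", "cc:02:1a:18:00:00"  # MACs from the show arp output
REQUEST = build_frame(BROADCAST, R1, 1, R1, "192.168.1.1", UNKNOWN, "192.168.1.2")
RESPONSE = build_frame(R1, R2, 2, R2, "192.168.1.2", R1, "192.168.1.1")

if __name__ == "__main__":
    for frame in (REQUEST, RESPONSE):
        pkt = parse_arp_frame(frame)
        print(pkt["kind"], pkt["sender_ip"], "->", pkt["target_ip"], deviations(pkt))
```

Both sample frames produce an empty list; a frame whose Ethernet source and ARP sender address disagree is reported.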

4. Analysis of the implementation process of ARP in practice: gratuitous ARP and IP address conflict detection

"Paid" ARP

To get the MAC address corresponding to an IP address, we normally send an ARP request packet and then receive an ARP response packet that tells us the MAC address. Because we have to send the ARP request packet, we can think of this as "paid": we have to pay some price.

Gratuitous ARP

Gratuitous ARP means that without my sending an ARP request packet, the other party sends me an ARP response packet "for free" (in fact, it sends it on its own initiative) to tell me its MAC address.

(1) Construction of network environment

Before summarizing when the other party sends an ARP response packet on its own initiative, let's try it in practice. The network environment is still the one above:

However, we need to change the IP address of R2 to 192.168.1.252 (the packet capture software Wireshark should be running during this process), as follows:

R2>en
R2#conf t
R2(config)#int f0/0
R2(config-if)#ip add 192.168.1.252 255.255.255.0

(2) Capture and analyze ARP request packet and ARP response packet

After doing so, open Wireshark and you will find that the following packet has been captured:

You can see that the Info column is marked Gratuitous, meaning "free of charge". We can take a look at the structure of the packet:

From the value of the operation field Opcode, you can see that a gratuitous ARP is also an ARP response packet (but an ordinary ARP response packet is sent as a unicast, while a gratuitous ARP is sent as a broadcast). This ARP response packet is special in that it is sent on the sender's own initiative, that is, it is gratuitous.

Also note that the sender IP address is the same as the destination IP address, which is what distinguishes a gratuitous ARP from an ordinary ARP response packet. When other hosts on the network receive this packet (our network environment here is simple, so that is only R1), it prompts them to update their ARP cache tables with the new IP and MAC address mapping. Because this ARP packet is unsolicited and causes the receivers to update their ARP caches, it is called a gratuitous ARP.

After analyzing gratuitous ARP, here are the situations in which the gratuitous ARP process occurs:

a. The IP address of the device is changed

b. Some operating systems send a gratuitous ARP after booting (both Windows and Linux)

(3) IP address conflict detection

So what are the benefits of gratuitous ARP? As follows:

a. Hosts on the Ethernet can update their ARP cache tables in a timely manner, which ensures that data is sent with the correct address information.

b. It detects whether there is an IP address conflict

At this point, R2 can be reconfigured with the same IP address as R1:

R2>en
R2#conf t
R2(config)#int f0/0
R2(config-if)#ip add 192.168.1.1 255.255.255.0

Error log output can be seen almost immediately on the consoles of R1 and R2:

R1>
*Mar 1 00:54:39.007: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc02.1a18.0000
*Mar 1 00:55:09.043: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc02.1a18.0000
*Mar 1 00:55:39.739: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc02.1a18.0000
*Mar 1 00:56:10.011: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc02.1a18.0000
*Mar 1 00:56:40.715: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc02.1a18.0000

R2(config-if)#
*Mar 1 00:45:48.135: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc01.127f.0000
*Mar 1 00:46:18.623: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc01.127f.0000
*Mar 1 00:46:48.927: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc01.127f.0000
*Mar 1 00:47:19.651: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc01.127f.0000
*Mar 1 00:47:49.959: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc01.127f.0000
*Mar 1 00:48:51.919: %IP-4-DUPADDR: Duplicate address 192.168.1.1 on FastEthernet0/0, sourced by cc01.127f.0000

This is because when the IP address of R2 was changed, R2 sent a gratuitous ARP packet. R1 found that the IP address in it was the same as its own, so it reported an error on the console. But why did R2 report an error too? Because when R1 finds an address conflict, it also sends a gratuitous ARP packet indicating the IP address conflict, as follows:

Note that this is a broadcast packet, so R2 must also receive it. Check its packet structure:

From the contents of the packet, R2 also knows that an IP address conflict has occurred, so it outputs the error log on the console.

5. Analysis of the implementation process of ARP in practice: proxy ARP

If an ARP request is sent from a host on one network to a host on another network, the router connecting the two networks can answer the request, a process known as proxy ARP. This is a concise and easy-to-understand explanation, which we can see for ourselves in the following practice.

(1) Construction of network environment

As follows:

On top of the previous configuration, R1 adds the following:

R1>en
R1#conf t
R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0

R2 adds the following configuration:

R2>en
R2#conf t
R2(config)#int f1/0
R2(config-if)#no shu
R2(config-if)#ip add 192.168.2.2 255.255.255.0
R2(config-if)#do wr

R3 is configured as follows:

R3>en
R3#conf t
R3(config)#int f0/0
R3(config-if)#no shu
R3(config-if)#ip add 192.168.2.3 255.255.255.0
R3(config-if)#ip route 0.0.0.0 0.0.0.0 f0/0
R3(config-if)#do wr

(2) Capture the ARP packets and analyze the proxy ARP process

Start Wireshark on the link between R1 and R2, and then execute the following command on R1:

R1#ping 192.168.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.3, timeout is 2 seconds:
Success rate is 40 percent (2/5), round-trip min/avg/max = 36/50/64 ms

That is, R1 sends data to R3, and we look at the captured packets:

Then view the detailed structure of each packet:

ARP request packet

You can see that the ARP request packet is the same as usual: R1 wants to know the MAC address of 192.168.2.3.

ARP response packet

It looks no different from an ordinary ARP response packet, and in the packet itself there really is no difference. But execute the following command on R2 to take a look at the ARP cache table:

R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1              3  cc01.127f.0000  ARPA   FastEthernet0/0
Internet  192.168.2.2              -  cc02.1a18.0010  ARPA   FastEthernet1/0
Internet  192.168.2.3              3  cc03.2327.0000  ARPA   FastEthernet1/0
Internet  192.168.1.2              -  cc02.1a18.0000  ARPA   FastEthernet0/0

In this ARP cache table, the MAC address corresponding to 192.168.2.3 is cc03.2327.0000, not the cc02.1a18.0000 seen in the packet structure above! cc02.1a18.0000 is the MAC address corresponding to 192.168.1.2! This can be analyzed as follows:

Expansion 1:

R1 wants to know the MAC address of 192.168.2.3, so it sends an ARP request packet, but 192.168.2.3 and 192.168.1.1 are clearly not on the same network. When the 192.168.1.2 interface received the ARP request packet, R2 found that although 192.168.2.3 was not its own address, it could reach the network containing 192.168.2.3, 192.168.2.0/24, so it sent an ARP response packet back to R1, telling R1 that the MAC address of 192.168.2.3 was its own (that is, the MAC address of the interface configured with 192.168.1.2). This is a "lie", but because it does help R1 send data to R3, proxy ARP is sometimes called a "white lie".

Expansion 2:

This also means that even though 192.168.2.3 is on a different network from R1, R1 does not ask for the MAC address of the gateway (although the data must ultimately be sent to the gateway first). Instead it sends a normal ARP request, just as it would for the MAC address of an IP address on its own segment. This is particularly important to note.

Expansion 3:

We say that data sent to a different network should be sent to the gateway first, so why is that not the case here? Because when I configured the default route for R1, I configured it with an outgoing interface, which means that there is no gateway, that is, R1 does not know who the gateway is. In that case, how could R1 request the MAC address of the gateway directly? For R1, there is no gateway! However, because the default route is configured, data destined for an unknown network is sent directly out of the 192.168.1.1 interface, so R1 requests the MAC address of the destination IP address itself, and the proxy ARP process described above follows. Of course, if a gateway is configured (on a Cisco router: ip route 0.0.0.0 0.0.0.0 followed by the gateway address as the next hop), the normal process is followed, that is, no proxy ARP process occurs.

This point is very important for an in-depth understanding of data forwarding. If you find it difficult to understand, do not worry too much; it takes time to build up. Keep thinking it through as you learn rather than swallowing it whole: in-depth understanding requires in-depth analysis.

With the practice and analysis above, it is now clear what proxy ARP is: if an ARP request is sent from a host on one network to a host on another network, the router connecting the two networks can answer the request. This process is called proxy ARP.
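The three cases from sections 4 and 5 (gratuitous ARP, IP address conflict, proxy ARP) as they would look to a host watching ARP traffic on the 192.168.1.0/24 segment. This is an added example, not part of the original article: the class and function names, the choice to keep the first MAC seen for an address, and the event list (constructed from the addresses in the captures above) are assumptions of the example.

```python
from ipaddress import ip_address, ip_network

REQUEST, RESPONSE = 1, 2


class ArpWatcher:
    """Track which MAC claims which IP address on one Ethernet segment."""

    def __init__(self, local_net: str):
        self.net = ip_network(local_net)
        self.bindings = {}  # IP address -> first MAC seen claiming it (never aged out)

    def observe(self, opcode, sender_mac, sender_ip, target_ip):
        findings = []
        if sender_ip == target_ip:
            # Sender IP equal to target IP is the mark of a gratuitous ARP.
            findings.append(f"gratuitous ARP for {sender_ip}")
        owner = self.bindings.setdefault(sender_ip, sender_mac)
        if owner != sender_mac:
            # The same condition that makes the routers log %IP-4-DUPADDR.
            findings.append(
                f"duplicate address {sender_ip}: held by {owner}, claimed by {sender_mac}")
        if opcode == RESPONSE and ip_address(sender_ip) not in self.net:
            # A response for an address outside the segment comes from a
            # device answering on another host's behalf.
            others = sorted(ip for ip, m in self.bindings.items()
                            if m == sender_mac and ip != sender_ip)
            findings.append(
                f"proxy ARP: {sender_mac} answers for {sender_ip}, "
                f"also bound to {', '.join(others) or 'no other address'}")
        return findings


def replay(events, local_net="192.168.1.0/24"):
    """Feed (opcode, sender MAC, sender IP, target IP) tuples to a new watcher."""
    watcher = ArpWatcher(local_net)
    return [watcher.observe(*event) for event in events]


R1, R2 = "cc01.127f.0000", "cc02.1a18.0000"
EVENTS = [  # constructed sample events, in the order of the article's exercises
    (REQUEST, R1, "192.168.1.1", "192.168.1.2"),       # R1 asks for R2
    (RESPONSE, R2, "192.168.1.2", "192.168.1.1"),      # R2 answers
    (RESPONSE, R2, "192.168.1.252", "192.168.1.252"),  # R2 changes its address
    (RESPONSE, R2, "192.168.1.1", "192.168.1.1"),      # R2 takes R1's address
    (RESPONSE, R2, "192.168.2.3", "192.168.1.1"),      # R2 answers for R3
]

if __name__ == "__main__":
    for event, findings in zip(EVENTS, replay(EVENTS)):
        print(event, findings)
```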
