Shulou(Shulou.com)06/01 Report--

1.arp introduction

Arp: address resolution protocol; maps IP addresses to MAC addresses.

two。 Why is there an arp?

We all know that we need an IP address to surf the Internet, so what does arp do? If we have studied computer networks, we should know that surfing the Internet requires network protocols-"the TCP/IP protocol (abstractly) has four layers, the upper three layers require IP address transmission, and the bottom layer data transmission requires ARP to parse into MAC addresses for transmission.

3. A brief introduction of data transmission between two computers in local area network

Suppose:

Source host An ip:192.168.1.1

Target host B ip:192.168.1.2

If A wants to send data to B, how can A send it to B?

A first write the content to be sent through the software, click send-"explanation: at this time, the computer will send the content, read the data from the software (or it can be understood as: the text box in the software interface), copy the data from memory to the network card cache, during this period the computer software will automatically send to the target host address (where the target host address refers to the IP address) to write.

Note: the destination address sent by the network card is the MAC address (can only be sent to the MAC address, the network card belongs to the network interface layer, that is, the lowest layer, can only contact the MAC address, not IP), but now only know how IP knows MAC?

When the arp protocol is about to be used, the network card sends a broadcast to the entire local area network: who is 192.168.1.2? Give his MAC address to 192.168.1.1. If B is in the local area network, receive the broadcast and compare its IP address with the broadcast IP address, and if the same, send a response packet to A: my IP is 192.168.1.2 and my MAC address is BB-BB-BB-BB-BB-BB. Other hosts ignore the broadcast packet when they are different from the IP,IP. If B is not in the local area network, there is no response after the broadcast, then send a request to the router connected to the local area network, get the MAC address of the router, send the broadcast information to the router, and then forward it to the router (here is no longer within the scope of the local area network, we are not discussing).

Why use arp to forward? A: the local area network consists of a switch (without considering other reasons, this is just to explain the problem). The MAC address stored in the switch, A-> B sends messages. If two hosts are in a local area network and the AB knows each other's IP and MAC, the message is sent from the network card (including address information) to the switch. The switch looks up the MAC of the target host from the MAC table, finds the MAC- > port (the port refers to the port where the host network cable is connected to the switch), and forwards the message to this port. When the B network card receives the message, it compares MAC- > ip- > to the software. (the port of the transport layer is used to represent the software (process), which is not discussed here.) finally, the message sent from An is received by B.

4.arp deception

Suppose: C *

Here we can see that when A sends the broadcast, if C pretends to be B, he can tell A his MAC, saying that I am 192.168.1.2 and my MAC is CC-CC-CC-CC-CC-CC (actually this MAC address is C). How to forge this information? This is going to use kernel programming (I was also curious before, if you do forgery, such as counterfeiting IP, pretending to be a gateway for DNS cheating) in the process of slowly reading and accumulating, "Linux Network programming" (second edition) Song Jingbin P492, wrote that the netfilter framework in the linux kernel (self-information about Baidu), there are five hook points in the framework (hook: the program before the system processing First let the user program deal with it, this user program is the hook program), at the last hook point of the IP layer (arp protocol belongs to the ip layer), that is, the packet is about to go out through the network card, where it is camouflaged to send false information to A.

Here the reader may ask again, how do I know when A will send a message to B. The address resolution protocol ARP has a certain time, that is, it needs to be sent constantly. It is pointed out that in fact, each host has to maintain an ARP table, which is to alleviate the pressure on the network. We first put the MAC corresponding to the newly sent IP in this table. We do not need to send ARP broadcasts every time, but it is not always a fixed ARP message, because there are many situations here, such as An is turned off / the network card is changed, and so on. Although there is an ARP table to record here, it should be updated frequently. So we can actively send false ARP information to host A, and A will think that the corresponding MAC of B-IP is B (in fact, C has deceived A). A-"B sends a message to B, which completes ARP spoofing.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.