Using Wireshark to understand ARP

The Address Resolution Protocol (ARP) was designed to resolve IP addresses to MAC addresses. The importance of ARP is sometimes underestimated among IT professionals. All the communication between devices on a local area network (LAN) or within the same subnet uses the Media Access Control (MAC) address. This means that the devices do not use an IP address unless the communication is going beyond their local subnet, such as to another network (or subnet).

Let's use a simple example: a PC that wants to send a document to the network printer. If the two devices are on the same subnet, the PC encapsulates its message (the document) within a frame and sends it to the network switch. The switch reads the destination MAC address of the frame and forwards it to the network printer for processing.

Let's take a look at the following screenshot. This is a frame that's been captured by Wireshark. Looking at the layer 2 protocol, that is, ARP, we can determine a number of things:

This frame is an Address Resolution Protocol (request) message. The sender of this frame has a MAC address of 00:0c:29:7e:37:58 and an IP address of 10.10.10.16. The 10.10.10.16 machine is sending a broadcast on the local network. This can be determined by observing that the destination MAC address in the Ethernet header is ff:ff:ff:ff:ff:ff, the broadcast address. Within the ARP payload, the Target MAC address is empty (the sender does not know it yet), while the Target IP address is 10.10.10.23. To put this simply, the 10.10.10.16 machine is asking everyone on the local network who 10.10.10.23 is and what that device's MAC address is.

The following screenshot shows the Address Resolution Protocol (reply) frame that answers the request from 10.10.10.16. Please take some time to observe all the fields within the frame:

The device that has the IP address of 10.10.10.23 responded to the sender (10.10.10.16), saying that its MAC address is 00:0c:29:24:be:4f. From this point on, both 10.10.10.16 and 10.10.10.23 have each other's MAC address in their ARP cache, and these MAC addresses are used to forward frames between them on the network.
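To make the field layout concrete, the following added example (not code from the original text) decodes an Ethernet/ARP frame byte by byte, in the same order Wireshark's ARP dissector presents it, and then replays the request/reply pair described above so that both hosts end up with each other's MAC address in a simulated ARP cache. The two sample frames are constructed here from the addresses quoted in the text; they are not a real capture. The `describe()` output mirrors the wording Wireshark uses in its Info column.

```python
"""Decode Ethernet/ARP frames and replay the request/reply exchange.

Added example for this section. The sample frames are constructed from the
addresses quoted in the text, not captured from a real network.
"""
import struct
from dataclasses import dataclass

ETH_TYPE_ARP = 0x0806        # EtherType that identifies an ARP payload
HTYPE_ETHERNET = 1           # ARP hardware type: Ethernet
PTYPE_IPV4 = 0x0800          # ARP protocol type: IPv4
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"  # how an unknown target MAC appears in a request

def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

@dataclass
class ArpFrame:
    dst_mac: str      # Ethernet destination (ff:ff:ff:ff:ff:ff for a broadcast request)
    src_mac: str      # Ethernet source
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP "Sender MAC address"
    sender_ip: str    # ARP "Sender IP address"
    target_mac: str   # ARP "Target MAC address" (all zeros in a request)
    target_ip: str    # ARP "Target IP address"

    @property
    def is_request(self) -> bool:
        return self.opcode == ARP_REQUEST

    @property
    def is_broadcast(self) -> bool:
        return self.dst_mac == BROADCAST_MAC

def build_arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble a 42-byte Ethernet II + ARP frame (no padding, no FCS)."""
    eth = struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETH_TYPE_ARP)
    arp_hdr = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    arp_body = (mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
                + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth + arp_hdr + arp_body

def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Parse the Ethernet header and the ARP payload, rejecting anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP (need 42 bytes)")
    dst, src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{eth_type:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(bytes_to_mac(dst), bytes_to_mac(src), opcode,
                    bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa))

def describe(f: ArpFrame) -> str:
    """Summarise a frame the way Wireshark's Info column does."""
    if f.is_request:
        return f"Who has {f.target_ip}? Tell {f.sender_ip}"
    return f"{f.sender_ip} is at {f.sender_mac}"

def learn(cache: dict, f: ArpFrame, my_ip: str) -> dict:
    """Update a host's ARP cache: a request or reply aimed at our IP teaches us the sender's IP -> MAC mapping."""
    if f.target_ip == my_ip:
        cache[f.sender_ip] = f.sender_mac
    return cache

# Constructed sample frames using the two hosts quoted in the text.
PC_A = ("10.10.10.16", "00:0c:29:7e:37:58")   # the host asking
PC_B = ("10.10.10.23", "00:0c:29:24:be:4f")   # the host answering

REQUEST = build_arp_frame(BROADCAST_MAC, PC_A[1], ARP_REQUEST, PC_A[1], PC_A[0], ZERO_MAC, PC_B[0])
REPLY = build_arp_frame(PC_A[1], PC_B[1], ARP_REPLY, PC_B[1], PC_B[0], PC_A[1], PC_A[0])

def exchange():
    """Replay the request/reply pair and return (cache of A, cache of B)."""
    cache_a, cache_b = {}, {}
    learn(cache_b, parse_arp_frame(REQUEST), PC_B[0])  # B is the target of the broadcast, so it learns A
    learn(cache_a, parse_arp_frame(REPLY), PC_A[0])    # A receives the unicast reply and learns B
    return cache_a, cache_b

if __name__ == "__main__":
    for raw in (REQUEST, REPLY):
        f = parse_arp_frame(raw)
        kind = "request" if f.is_request else "reply"
        print(f"{kind:7} {f.src_mac} -> {f.dst_mac}: {describe(f)}")
    print(exchange())
```

Note the asymmetry the parser exposes: the request is addressed to the broadcast MAC at the Ethernet layer while its ARP Target MAC is all zeros, whereas the reply is unicast straight back to the requester's MAC, which is why only the request is visible to every host on the segment.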

In this section, you have learned how to use Wireshark to see and interpret ARP messages that are flowing across a network. In the next section, we will cover how to detect an ARP poisoning attack on a network.
