ARP Packet Dissection Goodness
==============================================================
by s0ttle (pacman[0x40]sawbox.net)

  "Action is the foundational key to all success" - Pablo Picasso

The purpose of this tutorial is not to solidify the reader in all aspects of
ARP (Address Resolution Protocol), but to dissect and identify the parts of an
ARP packet and to show where to reference the information it contains. The
reader is assumed to be familiar with the fundamentals of ARP and Linux.

  root@tovah:(/tmp)# tar -zxvf arpview.tar.bz && cd arpview && make
  root@tovah:(/tmp/arpview)# ./arpview
  ---[arpview]--------------------------------------------]
  **** ETHERNET Header ****
  eth_dst:   FFFFFFFFFFFF
  eth_src:   080046A76E35
  eth_proto: 0806
  **** ARP Data ****
  arp_hrd:   0001
  arp_proto: 0800
  arp_hln:   06
  arp_pln:   04
  arp_op:    0001
  arp_sha:   080046A76E35
  arp_dha:   000000000000
  arp_sip:   0A0A0A17 (10.10.10.23)
  arp_dip:   0A0A0A16 (10.10.10.22)
  **** Hex Dump ****
  0000: FF FF FF FF FF FF 08 00 46 A7 6E 35 08 06 00 01
  0010: 08 00 06 04 00 01 08 00 46 A7 6E 35 0A 0A 0A 17
  0020: 00 00 00 00 00 00 0A 0A 0A 16
  Bytes: 42 (0x2A)
  ----------------------------------------------------------

===============================================================================

What you see above is an ethernet encapsulated ARP REQUEST packet nicely
formatted for your viewing pleasure. The fields from top to bottom are:

  ethernet destination          [48 bits]
  ethernet source               [48 bits]
  ethernet protocol             [16 bits]
  arp hardware type             [16 bits]
  arp protocol type             [16 bits]
  arp hardware address length   [ 8 bits]
  arp protocol address length   [ 8 bits]
  arp opcode                    [16 bits]
  arp source address            [48 bits]
  arp destination address       [48 bits]
  arp source ip                 [32 bits]
  arp destination ip            [32 bits]
  (hex dump of the packet)

The total packet size is 42 bytes (14 bytes of ethernet header plus 28 bytes
of ARP data) -- shown in decimal and hexadecimal.
===============================================================================

++ ETHERNET HEADER

The ethernet header consists of a destination MAC address, a source MAC
address, and the protocol type being encapsulated. In this case we have:

  eth_dst: FF:FF:FF:FF:FF:FF (48 bit MAC destination address)

The MAC address of the host the packet is destined for is stored here. This
particular address is special and is characterized as the ethernet broadcast
address. The broadcast address is used when the packet should be sent to all
hosts on the network.

  eth_src: 08:00:46:A7:6E:35 (48 bit MAC source address)

The MAC address of the host that sent or is sending the packet is stored here.
This address will be stored in eth_dst in the pending reply packet.

  eth_proto: 0806 (ADDRESS_RESOLUTION)

Here is the protocol type that is being encapsulated, which in this case is
ARP. If you take a look at the header file `ethernet.h' you will find the
structure definition and the protocol types listed.

++ ARP DATA

The ARP data follows the ethernet header and consists of:

  arp_hrd: 0001 (10/100Mbit Ethernet)

The ARP hardware type is the first field identified in the ARP header. This
particular value signifies we are using Ethernet hardware. If you want to see
what the other possible values are, take a look at `if_arp.h', which can also
be referenced for the remainder of this tutorial.

  arp_proto: 0800 (IP: same values as eth_proto)

Here we have the ARP protocol type. The values are the same as for the
ethernet header, and as a result you can reference `ethernet.h' to find out
what particular protocol we are working with. In this case the protocol is IP.

  arp_hln: 06 (MAC address is 6 bytes (48 bits))

This field identifies the length of the hardware address. The value here is
six because a 48 bit MAC address is six bytes long.
  arp_pln: 04 (IP address is 4 bytes (32 bits))

The length of the protocol address, which we have already identified from
arp_proto above as IP. An IP address is 32 bits or, you guessed it, 4 bytes.

  arp_op: 0001 (ARP REQUEST)

This is the ARP OPCODE field, and a value of 1 here identifies this as a
REQUEST packet. A value of 2 would signify a REPLY. You can reference
`if_arp.h' for the other values. According to the request for comment (RFC),
16 bits are used, so there is room to set flags.

  arp_sha: 08:00:46:A7:6E:35 (48 bit MAC source address)

Source hardware address. This is the hardware (MAC) address of the requestor,
the machine sending the request.

  arp_dha: 00:00:00:00:00:00 (unfilled MAC destination address)

Depending on the type of packet being sent (REPLY/REQUEST) this will either be
empty or filled. In this case we are trying to find out the MAC address of a
remote host whose IP address is 10.10.10.22, so this field is not filled.

  arp_sip: 0A0A0A17 (10.10.10.23)

This is the source IP address of the requestor and will be stored in the ARP
table of the intended recipient.

  arp_dip: 0A0A0A16 (10.10.10.22)

Here we have the destination IP address. This is the broadcast question that
every host on the network is asked.

example diagram:

Host five starts by sending an ARP request packet, which is dropped by all the
hosts that are not a match. Only the host whose MAC address corresponds to the
requested IP address responds. In the example below it is host two.

                       (ARP REQUEST PACKET)
  (HOST 5) ------> [ who has 10.10.10.20 ? ] -----------------|
                                                              |
  No Reply; Packet Dropped <-------------------- (HOST 3) <---|
                                                              |
  No Reply; Packet Dropped <-------------------- (HOST 1) <---|
                                                              |
                   (ARP REPLY PACKET)                         |
  |----- [ AA:CC:12:34:DD:55 ] <---------------- (HOST 2) <---|
  |                                                           |
  |  No Reply; Packet Dropped <------------------ (HOST 4) <--|
  |
  (reply travels back to HOST 5)

All hosts receive the packet, but it is dropped by the receiver unless the IP
belongs to the recipient.
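To tie the ETHERNET HEADER and ARP DATA sections together, here is a small
dissector written for this page; it is an added example, not the arpview
source from the tarball. It takes the 42 bytes of the hex dump above
(embedded as constructed sample input), checks every length and type before
reading a field (a truncated or non-Ethernet/IPv4 frame is rejected rather
than read past the buffer), and assembles the multi-byte fields from network
byte order explicitly instead of casting the buffer to a struct. The function
and constant names (arp_parse, arp_frame, ETH_P_ARP, and so on) are chosen for
this example, not taken from `ethernet.h' or `if_arp.h'.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the tutorial's field list: 14-byte Ethernet header followed by
 * a 28-byte ARP body when hardware is Ethernet (6-byte MAC) and protocol is
 * IPv4 (4-byte address). Names below are this example's own, not the
 * system header's. */
#define ETH_HDR_LEN     14
#define ARP_ETH_IP_LEN  28
#define ETH_P_ARP       0x0806
#define ETH_P_IP        0x0800
#define ARPHRD_ETHER    0x0001
#define ARPOP_REQUEST   0x0001
#define ARPOP_REPLY     0x0002

struct arp_frame {
    uint8_t  eth_dst[6], eth_src[6];
    uint16_t eth_proto;
    uint16_t arp_hrd, arp_proto;
    uint8_t  arp_hln, arp_pln;
    uint16_t arp_op;
    uint8_t  arp_sha[6], arp_dha[6];
    uint32_t arp_sip, arp_dip;       /* host byte order after parsing */
};

/* Constructed sample input: the 42 bytes of the hex dump in the tutorial. */
static const uint8_t sample_request[42] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x08,0x00,0x46,0xA7,0x6E,0x35, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x08,0x00,0x46,0xA7,0x6E,0x35, 0x0A,0x0A,0x0A,0x17,
    0x00,0x00,0x00,0x00,0x00,0x00, 0x0A,0x0A,0x0A,0x16
};

/* Network byte order is big-endian: assemble fields byte by byte so the code
 * is correct on any host and needs no aligned struct overlay. */
static uint16_t get16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the frame is shorter than 42 bytes, -2 if
 * eth_proto is not ARP, -3 if the ARP types/lengths are not Ethernet/IPv4.
 * Lengths are checked before any byte past the header is read. */
int arp_parse(const uint8_t *buf, size_t len, struct arp_frame *f)
{
    const uint8_t *a;
    if (len < ETH_HDR_LEN + ARP_ETH_IP_LEN) return -1;
    memcpy(f->eth_dst, buf, 6);
    memcpy(f->eth_src, buf + 6, 6);
    f->eth_proto = get16(buf + 12);
    if (f->eth_proto != ETH_P_ARP) return -2;
    a = buf + ETH_HDR_LEN;
    f->arp_hrd   = get16(a);
    f->arp_proto = get16(a + 2);
    f->arp_hln   = a[4];
    f->arp_pln   = a[5];
    f->arp_op    = get16(a + 6);
    if (f->arp_hrd != ARPHRD_ETHER || f->arp_proto != ETH_P_IP ||
        f->arp_hln != 6 || f->arp_pln != 4)
        return -3;
    memcpy(f->arp_sha, a + 8, 6);
    f->arp_sip = get32(a + 14);
    memcpy(f->arp_dha, a + 18, 6);
    f->arp_dip = get32(a + 24);
    return 0;
}

/* 1 if this is the situation the tutorial shows: a REQUEST sent to the
 * Ethernet broadcast address with the target MAC (arp_dha) still unfilled. */
int arp_is_broadcast_request(const struct arp_frame *f)
{
    static const uint8_t bcast[6] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
    static const uint8_t zero[6]  = {0};
    return f->arp_op == ARPOP_REQUEST &&
           memcmp(f->eth_dst, bcast, 6) == 0 &&
           memcmp(f->arp_dha, zero, 6) == 0;
}

/* Consistency check worth logging on a monitored segment: the ARP sender MAC
 * normally equals the Ethernet source MAC. Returns 1 when they agree. */
int arp_sha_matches_eth_src(const struct arp_frame *f)
{
    return memcmp(f->arp_sha, f->eth_src, 6) == 0;
}

static void print_mac(const char *name, const uint8_t *m)
{
    printf("%-10s %02X:%02X:%02X:%02X:%02X:%02X\n", name, m[0], m[1], m[2], m[3], m[4], m[5]);
}

static void print_ip(const char *name, uint32_t ip)
{
    printf("%-10s %u.%u.%u.%u\n", name, ip >> 24, (ip >> 16) & 0xFF, (ip >> 8) & 0xFF, ip & 0xFF);
}

int main(void)
{
    struct arp_frame f;
    if (arp_parse(sample_request, sizeof sample_request, &f) != 0) {
        fprintf(stderr, "not an Ethernet/IPv4 ARP frame\n");
        return 1;
    }
    print_mac("eth_dst:", f.eth_dst);
    print_mac("eth_src:", f.eth_src);
    printf("%-10s %04X\n", "eth_proto:", f.eth_proto);
    printf("%-10s %04X\n%-10s %04X\n", "arp_hrd:", f.arp_hrd, "arp_proto:", f.arp_proto);
    printf("%-10s %02X\n%-10s %02X\n", "arp_hln:", f.arp_hln, "arp_pln:", f.arp_pln);
    printf("%-10s %04X (%s)\n", "arp_op:", f.arp_op,
           f.arp_op == ARPOP_REQUEST ? "REQUEST" : f.arp_op == ARPOP_REPLY ? "REPLY" : "other");
    print_mac("arp_sha:", f.arp_sha);
    print_mac("arp_dha:", f.arp_dha);
    print_ip("arp_sip:", f.arp_sip);
    print_ip("arp_dip:", f.arp_dip);
    printf("broadcast request: %d, sha matches eth_src: %d\n",
           arp_is_broadcast_request(&f), arp_sha_matches_eth_src(&f));
    return 0;
}
```

Compile with `cc -o arpdissect arpdissect.c && ./arpdissect`; the printed
fields match the arpview output above. The two extra checks are the kind of
thing a passive ARP monitor would flag: a frame whose arp_sha disagrees with
eth_src, or a REPLY arriving in broadcast form, deserves a closer look.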
Notice there is no sequential order to this process. Packets are dropped or
responded to in a random order.

References:

/***
 * RFC 826
 * /usr/include/*
 * http://www.google.com
 * http://www.rfc-editor.com
 * http://www.wikipedia.org
 * http://www.s0ttle.net/txt/tuts/arptut.txt
 * http://www.s0ttle.net/txt/tuts/src/arpview.tar.bz2
 ***/