ARP: Difference between revisions
ARP |
|||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Address Resolution Protocol. It's part of [[Ethernet]] and translates a 48 bit MAC address to a 32 bit [[IP]] address. | Address Resolution Protocol. It's part of [[Ethernet]] and translates a 48 bit MAC address to a 32 bit [[IP]] address. | ||
== ARP who-has == | |||
In [[tcpdump]] one may have seen arp messages that say "arp who-has 192.168.1.1 tell 192.168.1.2" or similar. | |||
This is an ARP request. It is usually [[broadcast]]ed to MAC address FF:FF:FF:FF:FF:FF on the local LAN. | |||
== ARP is-at == | |||
Like above the answer or ARP reply to the above request is "arp reply 192.168.1.1 is-at 00:11:22:33:44:55". This message is usually [[unicast]]ed. | |||
== Self ARP'ing == | |||
Some network devices ARP themselves such as "arp who-has 192.168.1.1 tell 192.168.1.1" and this is also broadcasted. This usually occurs when an interface is turned up with a certain IP. If they get a reply they will log this locally somewhere. | |||
== ARP Poisoning == | == ARP Poisoning == | ||
[[ARP | [[ARP poisoning]] is an attack that rewrites the destination MAC address of another host and "poisons" the ARP cache of the attacked host. | ||
== Looking from the outside in == | |||
If someone is looking at frames from a [[Wifi]] connection they will only see encrypted frames. However a weakness of all Wifi protocols is that all frames are not the same size. This lets one identify with some certainty what an ARP packet is by judging a frames size. This was to the detriment of the [[WEP]] encryption method on wireless links because these frames could be replayed. Replaying was important for gathering IV's. | |||
Latest revision as of 14:44, 8 August 2013
Address Resolution Protocol. It's part of Ethernet and translates a 48 bit MAC address to a 32 bit IP address.
ARP who-has
In tcpdump one may have seen arp messages that say "arp who-has 192.168.1.1 tell 192.168.1.2" or similar. This is an ARP request. It is usually broadcasted to MAC address FF:FF:FF:FF:FF:FF on the local LAN.
ARP is-at
Like above the answer or ARP reply to the above request is "arp reply 192.168.1.1 is-at 00:11:22:33:44:55". This message is usually unicasted.
Self ARP'ing
Some network devices ARP themselves such as "arp who-has 192.168.1.1 tell 192.168.1.1" and this is also broadcasted. This usually occurs when an interface is turned up with a certain IP. If they get a reply they will log this locally somewhere.
ARP Poisoning
ARP poisoning is an attack that rewrites the destination MAC address of another host and "poisons" the ARP cache of the attacked host.
Looking from the outside in
If someone is looking at frames from a Wifi connection they will only see encrypted frames. However a weakness of all Wifi protocols is that all frames are not the same size. This lets one identify with some certainty what an ARP packet is by judging a frames size. This was to the detriment of the WEP encryption method on wireless links because these frames could be replayed. Replaying was important for gathering IV's.
