When data travels across networks, the packets use a logical or Internet Protocol (IP) address to identify the destination host. However, on a local area network (LAN), the packets use a physical or media access control (MAC) address to deliver data to a host. When a packet is transported from a website across the internet to a host on a LAN, the switch only has an IP address to identify the host. How does the device locate the destination host? That is the responsibility of the Address Resolution Protocol (ARP), which resolves an IP address to a MAC address so that the data gets delivered to the correct host.
In this chapter, we'll learn how ARP works, and why it is an important protocol in ensuring the timely delivery of data. We'll then take a closer look at ARP headers and fields in Wireshark. We'll also examine the different types of ARP that you may encounter while doing analysis, including gratuitous, reverse, inverse, and proxy. Finally, so that you are aware that ARP may be used in a malicious way, we'll discuss ARP attacks and possible ways to defend against these types of threats.
This chapter will cover the following:
ARP is one of the three main network layer protocols (ARP, IPv4, and Internet Control Message Protocol (ICMP)), all of which are essential in delivering data.
In the following diagram, we see that ARP is actually in between Layer 3 and Layer 2 of the Open Systems Interconnection (OSI) model, as ARP resolves an IP address (network layer) to a MAC address (data link layer):
Note
Although ARP resides in between Layer 2 and Layer 3 of the OSI model, many consider ARP as a Layer 3 protocol.
In this section, we'll see how ARP resolves a MAC address. We'll then learn how the ARP cache helps provide a speedier response. In addition, we'll discover how an IPv6 network uses the Neighbor Discovery Protocol (NDP) to resolve an IPv6 address to a MAC address.
On a LAN using IPv4, the frame header must use a MAC address to identify the receiving host. To obtain the correct MAC address, the sending device will issue an ARP broadcast on the network. In the next section, let's discuss why this is important.
When data travels through different networks, packets use an IP (or logical) address. However, to deliver the data to its final destination, a MAC (or physical) address is needed to place in the frame header. The device will first check its local ARP cache. If there is no entry, the device issues an ARP request in the form of a broadcast, and will wait for a reply.
Note
A broadcast message is sent from one host to all devices on a network. While every host will receive the frame, only one will respond.
As shown in the following diagram, Host A needs the MAC address for the gateway, which is the router interface for the LAN:
To obtain the MAC address of the gateway, Host A issues an ARP request. The ARP request asks the question, "Who has the IP address 10.40.10.101? Tell 10.40.10.109," and waits for a reply. The gateway then sends an ARP reply to let the host know that 10.40.10.101 is at MAC address BB:20:62:C4:57:23.
Now that we understand the basics of an ARP request and reply, let's step through what we will see while viewing the process in Wireshark.
To see an example of an ARP request and reply so that you can follow along, go to https://crnetpackets.files.wordpress.com/2015/08/arptrace.zip, download the file, extract it, and open it in Wireshark, as shown here:
In the ARP trace file, the first two packets are the ARP request/reply.
In Frame 1, the device sends an ARP request. The source and destination addresses are as follows:
In Frame 2, the device identifies itself with an ARP reply. The source and destination addresses are as follows:
Keep in mind, when doing a capture in Wireshark, it is normal to see several ARP broadcasts before seeing an ARP reply.
We now know that ARP resolves an IP address to a MAC address. This is so the device has a MAC address that can be placed in the frame header in order for the data to be delivered on a LAN. So that the device is able to quickly retrieve the MAC address of a device on the network, it holds the IP address to MAC address pairings in a temporary holding area called the ARP cache. The next section explains an ARP cache, how it's used, and how long the table entries remain.
Network devices, such as routers, switches, and PCs, hold a form of an ARP cache table, which is a storage area to store IP to MAC address pairings. To see your own ARP cache on a Windows machine, open a Command Prompt and enter arp -a to see the entries in the ARP table, as shown here:
In the previous figure, the ARP cache table lists the following:
The dynamic ARP cache values will time out after a period of time. Once the timeout limit is reached, the entry will go away. If the operating system (OS) needs the MAC address and there is no entry in the ARP table, it will need to issue a new ARP request.
Note
The ARP table timeout values are specific to the system. For example, a Cisco switch has a default timeout timer of 4 hours.
In a Windows OS, you can determine the timeout value by going to the command-line interface (CLI) and running the netsh interface ipv4 show interface NNN command.
Note
When using the command, replace NNN with the name of the interface you want to check.
As shown in the screenshot, we see the output of running netsh interface ipv4 show interface Wi-Fi, which provides information on that interface:
Within the output, you will see Base Reachable Time is 30000 ms or 30 seconds, which is how long ARP can live in the cache before going away. After 30 seconds, if a MAC address is needed for a specific IP address, the system must send an ARP request out on the network.
We now understand how ARP works in an IPv4 network, but what happens in an IPv6 network? The following section outlines how NDP takes the place of ARP in an IPv6 network.
ARP is essential in an IPv4 network, however, IPv6 doesn't use ARP. Instead, ARP is replaced with NDP, which resolves an IP address to a MAC address.
To see an example of NDP, go to http://packetlife.net/captures/protocol/icmpv6/ and open the IPv6_NDP.pcap file in Wireshark. As shown in the following screenshot, the first packet in the trace file is a Neighbor Solicitation (NS), followed by a neighbor advertisement:
An NS has the same purpose as an ARP broadcast. However, IPv6 doesn't use broadcasts. It uses Internet Control Message Protocol version 6 (ICMPv6) with a solicited-node multicast address message that is directed to a specific host. As a result, if you are analyzing a network that only uses IPv6, you may only see a few ARP broadcasts, if any.
As we can now understand, ARP is a common protocol that you will most likely see while doing analysis, as IPv4 is still widely used. So that you better understand a standard ARP request and reply, the following section provides an overview of an ARP header and corresponding field values.
While in a trace file, if you enter arp in the display filter, you will most likely see a series of ARP requests and replies. Within each ARP header, there are several field values, such as Operation Code (Opcode), sender, and target IP address, which help ensure that the ARP requests/replies are received. Let's first take a look at a typical ARP transaction.
Open ARPTrace.pcapng, and take a look at the first two packets, which are the ARP request/reply. Expand each ARP request/reply, and you will see that ARP is wrapped in an Ethernet frame. However, there are no network or transport layer headers.
First, let's investigate the components of an ARP request.
To view a standard ARP request, expand Frame 1. Once expanded, you can see that there are several field values, which provide information about the transaction, as shown here:
We see within this ARP request that the host at 172.16.2.3 is requesting the MAC address of the host that has the IP address 172.16.2.27. Key field values include Opcode, which shows that this is a request, along with the IP addresses of both the sender and target.
The ARP reply is similar to the request; however, the target MAC address will be present.
Frame 2 is the ARP reply, where the host at 172.16.2.27 replies with its MAC address, which is d4:be:d9:af:3e:4f, as shown here:
Key field values include the Opcode, which shows that this is a reply, along with the MAC and IP addresses of both the sender and target. Once the ARP reply is received, the MAC address is resolved.
As shown, an ARP header has several field values, which we'll review next.
In this section, we'll review the ARP field values. So that you understand the role and purpose of each field, I will list the following:
To follow along, open ARPTrace.pcapng and select Frame 22. Expand the ARP header as follows:
Within an ARP header, the field values that provide information on the ARP transaction are outlined in the following table:
Some of the parameters, such as the Opcode and hardware type are represented by a number. The values are defined by iana.org, and can be found here: https://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml.
Some of the defined values include the following:
Now that we can see the header and fields in a standard ARP header, let's take a look at some other types of ARP you might encounter during an analysis.
On an IPv4 network, the most common types of ARP messages are requests and replies:
However, as we'll outline in this section, there are a few other types of ARP messages. We'll start with the Reverse Address Resolution Protocol (RARP), which is the reverse of ARP.
The opposite of ARP is RARP, in that with RARP, a client requests its IPv4 address from a computer network by using its MAC address.
Using an example rarp_request.cap found at https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=rarp_request.cap, we can see the host requesting its IP address, as shown in the following screenshot:
The sender's MAC address is 00:00:a1:12:dd:88. The IP address is unknown, so it is listed as 0.0.0.0. The Opcode is reverse request (3).
Note
RARP is an obsolete protocol that has been replaced by more efficient protocols, such as the Dynamic Host Configuration Protocol (DHCP); therefore, you won't see any RARP traffic on a LAN. However, RARP is used in virtualized environments to keep the MAC tables updated.
Next, let's look at a lesser-known type of ARP called the Inverse Address Resolution Protocol (InARP).
InARP is an extension of the ARP protocol. We can see an example of this by going to CloudShark at https://www.cloudshark.org/captures/87be3b4b6625 and opening FrameRelay-101.pcap in Wireshark, as shown here:
On a wide area network (WAN), Frame Relay was a widely used packet-switching method to transmit data between LANs. When communicating with one another, each router's interface uses a data link connection identifier (DLCI) of the desired station, which is the device's hardware address.
InARP is used in the same way as a standard ARP in resolving an IP address. However, it does not use broadcasts, as it already knows the DLCI of the desired station. As shown in the following diagram, the sending router, 99.0.0.2, attempts to resolve the IP address of DLCI 3091 by using InARP:
The use of Frame Relay is being phased out and replaced by a more efficient method of transmitting data on a WAN, Asynchronous Transmission Mode (ATM). As a result, you will rarely, if ever, see InARP in a capture.
While you may not see InARP while conducting an analysis, you most likely will see a more common type of ARP called a gratuitous ARP, as outlined next.
On a LAN, a duplicate IP address can cause conflicts. To prevent this, hosts issue a gratuitous ARP, which is an unsolicited ARP used to prevent duplicate IP addresses. To see an example, go to https://www.cloudshark.org/captures/54af88021aa8, and then download and open the file in Wireshark. Once open, expand the ARP header as shown:
In this frame, we see Opcode: request (1). However, we also see that Sender IP address: 192.168.130.128 is the same as Target IP address: 192.168.130.128, which identifies the frame as a gratuitous ARP.
Note
Wireshark will identify a gratuitous ARP as ARP Announcement.
A gratuitous ARP request is sent as a broadcast; however, no reply is expected. In addition to checking for duplicate IP addresses, this type of ARP can provide a way for a host to share IP and MAC address pairings. For example, if a network device's interface goes down and then is brought back up, a gratuitous ARP is sent so that all hosts can update their ARP tables.
Next, we'll see an example that is not actually an ARP type, but a technique used on the network called a proxy ARP.
A proxy is something that works on behalf of another entity. A proxy ARP is a technique whereby another entity resolves a MAC address. On a network, there are a few instances when a proxy ARP can be used.
One way to use a proxy ARP is when concealing a host behind a firewall.
When a machine with a public IP address is in a private network behind a firewall, it's best to hide its existence.
If you do have a host behind a firewall, a way to resolve the MAC address is by having the firewall use a proxy ARP to and from the hidden device. This will maintain the illusion that the machine is on the public side in front of the firewall.
A proxy ARP can also be used in a LAN when a host in one subnetwork is separated by a proxy router.
On a LAN, it's sometimes necessary to use a proxy ARP. For example, a proxy ARP is necessary when an ARP broadcast is sent to a host on another subnetwork. Because an ARP request is a broadcast, it will stop at the router's interface.
In this case, the router responds with its own MAC address and acts as a proxy to the host on the other subnetwork. The router will encapsulate the ARP request packet with its own MAC address as the source and will then issue a broadcast on the appropriate network, as shown here:
You can now understand that there are many different types of ARP messages and techniques that may be used on a LAN. ARP is an essential protocol but can be a vulnerable target. In the next section, let's take a look at some ARP attacks along with defense methods.
ARP is a widely used protocol that resolves an IP address to a MAC address. In most cases, ARP works well to ensure devices can find one another. However, the protocol was standardized many years ago, and there has never been a way to ensure the authenticity of ARP messages.
As a result, we'll outline a few ARP attacks that can misdirect traffic and interfere with normal network behavior. In response, we'll also take a look at some of the ways to defend against these types of attacks.
Let's begin by covering some of the attacks against ARP.
ARP is used on a LAN, which can be a vulnerable target. Some of the attacks and techniques used to penetrate an ARP framework include spoofing and storming, which can misdirect traffic or cause problems on the network. In this section, we'll compare some of the attacks you or a colleague might encounter.
Let's start with using ARP in a way that can trick or deceive hosts on a network.
On an IPv4 network, ARP is a critical protocol used when delivering data to the correct host. A malicious actor can redirect traffic to their machine by using an ARP cache poison (or ARP spoofing) attack on the LAN. This man-in-the-middle attack is done by tricking hosts on the network into believing the malicious actor's MAC address is some other host, with the intention of intercepting traffic.
Note
For a more in-depth review of an ARP spoofing attack, go to Chapter 1, Appreciating Traffic Analysis, in the Arming hackers with information subsection.
In addition to ARP spoofing, an attacker can launch an ARP storm, as discussed next.
On a LAN, it's normal to see ARP request/reply messages. However, when there is a large number of ARP requests, as shown in the following screenshot, this is an indication of an ARP storm, which is a form of denial of service (DoS) attack:
Let's step through how an ARP storm works:
As you can see, an ARP storm is possible. In Wireshark, you can monitor for ARP storms. To modify this, select an ARP header, right-click, and select Protocol Preferences | Open Address Resolution Protocol Preferences…, which will display the following screenshot:
Once in the Preferences menu, you can modify the following:
Although Wireshark can't prevent an ARP storm, it can help you identify a potential attack.
We now know that there are attacks such as spoofing and storming. How are these attacks launched? The following section outlines some of the tools that are available to launch an ARP attack on a LAN.
ARP attacks can occur on a LAN. Many tools that are available are built into Kali Linux. Kali Linux is a collection of software tools designed to assist the network administrator with conducting ethical hacking on a network. For a complete list, go to https://tools.kali.org/tools-listing.
Some of the tools in Kali Linux that are used to launch an ARP attack include the following:
As shown, there are several ways to launch an ARP attack, and hackers have many tools at their disposal. The following section outlines some of the ways we can defend against ARP attacks.
As discussed, ARP can be a vulnerable target. In addition to the attacks listed, there are others as well. The network administrator should be aware of methods to detect, as well as defend against, these types of attacks.
Some of the tools and techniques to prevent an ARP attack include the following:
While it's possible for a network to fall victim to malicious ARP activity, it's best to activate possible defensive strategies, to prevent a crippling attack.
By now, you have a better understanding of ARP, how it works, and why it is important for delivering data. So that you have an appreciation of what takes place during an ARP request and reply, we stepped through the process, and then reviewed the ARP headers and field values. We also discussed the fact that, in addition to a standard ARP, you may encounter different types of ARP while analyzing traffic in Wireshark, such as a gratuitous ARP or InARP. Finally, so that you are aware that ARP may be used in a malicious way, we covered some of the attacks, along with a few of the tools used to launch an ARP attack. We then summarized some of the methods you should employ to defend against various types of attacks.
The next chapter will look at how Wireshark can help identify and troubleshoot network latency issues. You'll be able to appreciate the importance of time values on a network and discover several ways to display time. In addition, you'll see the value of coloring rules within Wireshark and the Intelligent Scrollbar that helps highlight interesting traffic. Finally, you'll learn how to use the expert information, so that you can zero in on trouble spots during an analysis.
Now, it's time to check your knowledge. Select the best response, and then check your answers with those in the Assessment appendix:
Please refer to the following links for more information: