Sunday, March 9, 2014

Looking at Address Resolution Protocol (ARP) Traffic using Wireshark

ARP messages are used to find the hardware (MAC) address that owns an IP address on the local segment; Reverse ARP (RARP) does the opposite and finds the IP address for a known hardware address. ARP is a very simple protocol with no authentication, so any host can answer for any address, which is why ARP spoofing is one of the standard techniques used to attack local networks. ARP is carried directly in Ethernet frames with no IP header, so it is not routable and never leaves the local network. The protocol structure of ARP traffic is simple and consistent, and if you see a deviation from that structure in a capture you know something is amiss.

Given below is an ARP request as Wireshark dissects it:

Address Resolution Protocol (request)
Hardware Type: Ethernet (1)
Protocol Type: IP (0x0800) (Indicates that IPv4 addresses are being resolved)
Hardware Size: 6 (Must match the hardware type: an Ethernet address is 6 bytes long)
Protocol Size: 4 (Must match the protocol type: an IPv4 address is 4 bytes long)
Opcode: request (1) (Four opcodes are commonly seen: 1 for ARP request, 2 for ARP reply, 3 for RARP request and 4 for RARP reply)
Sender MAC address: Cisco_68:xx:xx (xx:xx:xx:xx:xx:xx) (The sender's hardware address; Wireshark resolves the OUI prefix to the vendor name)
Sender IP address: (The sender's IP address)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00) (The target's hardware address, which is what we are trying to find, so in a request it is all zeros)
Target IP address: (The target's IP address, which we already know)
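As an added example, not code from the original post, the Python below builds and dissects ARP payloads with exactly the layout shown above and flags the structural inconsistencies the post says to watch for: a hardware or protocol size that does not match its type, an unexpected opcode, a payload shorter than its own size fields claim, and a request or reply whose MAC fields make no sense. It also records whether a packet is a gratuitous announcement (sender IP equal to target IP), since that is what spoofing tools typically send. The MAC and IP addresses in the demo are constructed for the example; the byte layout follows RFC 826 and nothing here depends on Wireshark.

```python
import struct

# Fixed part of the ARP header (RFC 826): hardware type, protocol type,
# hardware size, protocol size, opcode. The four address fields follow it.
FIXED_FMT = "!HHBBH"
FIXED_LEN = struct.calcsize(FIXED_FMT)  # 8 bytes

HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OPCODES = {1: "request", 2: "reply", 3: "RARP request", 4: "RARP reply"}
ZERO_MAC = "00:00:00:00:00:00"
BCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (everything after the Ethernet header)."""
    fixed = struct.pack(FIXED_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    return (fixed + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(payload):
    """Dissect an ARP payload into the fields Wireshark shows and return
    (fields, anomalies). anomalies lists deviations from the structure an
    Ethernet/IPv4 ARP packet should have; an empty list means it is consistent.
    fields is None when the payload cannot be laid out at all."""
    anomalies = []
    if len(payload) < FIXED_LEN:
        return None, [f"payload too short for an ARP header ({len(payload)} bytes)"]
    htype, ptype, hlen, plen, opcode = struct.unpack(FIXED_FMT, payload[:FIXED_LEN])

    # Hardware size must agree with hardware type, protocol size with protocol type.
    if htype == HTYPE_ETHERNET and hlen != 6:
        anomalies.append(f"hardware size {hlen} does not match Ethernet (expected 6)")
    if ptype == PTYPE_IPV4 and plen != 4:
        anomalies.append(f"protocol size {plen} does not match IPv4 (expected 4)")
    if opcode not in OPCODES:
        anomalies.append(f"unexpected opcode {opcode}")

    # The header's own size fields dictate how long the address fields are.
    addr_len = 2 * (hlen + plen)
    if len(payload) < FIXED_LEN + addr_len:
        anomalies.append(f"payload is {len(payload)} bytes but header sizes need {FIXED_LEN + addr_len}")
        return None, anomalies

    pos = FIXED_LEN
    sha, pos = payload[pos:pos + hlen], pos + hlen
    spa, pos = payload[pos:pos + plen], pos + plen
    tha, pos = payload[pos:pos + hlen], pos + hlen
    tpa, pos = payload[pos:pos + plen], pos + plen

    fields = {
        "hardware_type": htype,
        "protocol_type": ptype,
        "hardware_size": hlen,
        "protocol_size": plen,
        "opcode": OPCODES.get(opcode, opcode),
        "sender_mac": bytes_to_mac(sha),
        "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha),
        "target_ip": bytes_to_ip(tpa),
        # Ethernet pads the 28-byte ARP payload up to its 46-byte minimum, so
        # trailing bytes are normal; record the count instead of flagging them.
        "trailer_len": len(payload) - pos,
        # Sender IP == target IP is a gratuitous ARP / announcement: legitimate at
        # boot, but also exactly what ARP spoofing tools emit.
        "gratuitous": spa == tpa,
    }

    # Opcode-specific sanity checks on the MAC fields.
    if opcode == 1 and fields["target_mac"] not in (ZERO_MAC, BCAST_MAC):
        anomalies.append("request carries a specific target MAC the requester should not know yet")
    if opcode == 2 and fields["sender_mac"] in (ZERO_MAC, BCAST_MAC):
        anomalies.append("reply claims a zero or broadcast sender MAC")
    return fields, anomalies


if __name__ == "__main__":
    # Constructed sample (addresses made up): who has 192.168.1.1, tell 192.168.1.10
    req = build_arp(1, "00:11:22:33:44:55", "192.168.1.10", ZERO_MAC, "192.168.1.1")
    fields, anomalies = parse_arp(req)
    for name, value in fields.items():
        print(f"{name}: {value}")
    print("anomalies:", anomalies or "none")
```

To run it against real traffic, feed `parse_arp` the bytes after the 14-byte Ethernet header of frames with EtherType 0x0806; in Wireshark the equivalent filter for the most common structural deviation is `arp.hw.size != 6 || arp.proto.size != 4`.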
