
ARP in Wireshark

Last Updated : 21 Aug, 2022

The Address Resolution Protocol (ARP) is used to dynamically discover mappings between layer 3 (protocol) and layer 2 (hardware) addresses. A common usage is to map an IP address (e.g., 192.168.0.10) to an underlying Ethernet address (e.g., 01:02:03:04:05:06). Because these mappings have to be resolved before any IP traffic can be sent, you will often see ARP packets at the start of a conversation.

Working of ARP:

When a host needs the MAC address of a destination (given the destination’s IP address), the ARP program first checks its ARP lookup table (the ARP cache) to see whether the IP-to-MAC translation has already been done.

  • If it has, the mapping is answered from the ARP lookup table in the form of an ARP REPLY (which carries the destination’s MAC address).
  • If it has not, the host sends an ARP REQUEST as a broadcast packet to all devices on the LAN, asking who has the destination IP address. The device that owns that IP address sends back an ARP REPLY giving its MAC address, and after receiving this reply the requesting host stores the new MAC address in its ARP lookup table.

MAC Address:​ 

A MAC address is a unique 48-bit hardware number of a computer, embedded into the network interface card (NIC) at the time of manufacturing. The MAC address is also known as the physical address of a network device.

Note: use arp -d to clear the ARP cache in the command prompt (run as administrator), and use arp -a to broadcast the ARP packets in the same command prompt.

Sample ARP Capture:

[Figure: Sample ARP Capture]

Preference Settings:

  1. Select ARP/RARP in the Wireshark Preferences dialog
  2. Check ‘Detect duplicate IP address configuration’
  3. Check ‘Register network address mappings’
  4. Click ‘OK’

IP Packet:

[Figure: IP Packet in Wireshark]

The MAC (Ethernet) header will include three fields:

  • Destination MAC address
  • Source MAC address
  • EtherType

For the IP packet:

  • Source address is 28:c6:3f:d1:61:b8
  • Destination address is fa:38:80:2b:a4:64
  • EtherType is IPv4 (0x0800), and the IP header that follows carries Protocol ID 6 (TCP)

For the ARP packet:

  • Source address is 28:c6:3f:d1:61:b8
  • Destination address is ff:ff:ff:ff:ff:ff (the broadcast address)
  • EtherType is ARP (0x0806), and there is no Protocol ID because no IP header follows

The only differences between the two frames are the EtherType, the Protocol ID (TCP (6), present only in the IP packet), and the destination address.

Request Packet : Broadcast:

Since the destination’s MAC address is not known, an ARP Request of the Destination’s IP address is sent in the form of a broadcast to all the devices on the LAN.

[Figure: Destination Broadcast in ARP]

Reply Packet – unicast:

Here the reply is sent by the router back to the device that asked. The router learned the device’s IP address and MAC address from the request, so the reply does not need to be broadcast: the destination address is unicast.

ARP Packet Request-Reply Verification:

  • An ARP packet is either a request packet or a reply packet.
  • An ARP request packet can be differentiated from an ARP reply packet using the operation field, i.e., opcode in the ARP packet.
  • For ARP Request, it is 1.
  • For ARP Reply, it is 2.

The Payload for ARP Packet:

The payload of the packet contains the following:

  • Sender Hardware Address: specifies the physical (MAC) address of the sender.
  • Sender Protocol Address: specifies the logical address of the sender, i.e., its IPv4 address.
  • Receiver Hardware Address: specifies the physical address of the target. For an ARP Request packet this field contains all zeros, because the sender does not yet know the target’s MAC (physical) address.
  • Receiver Protocol Address: specifies the logical address of the target.

It also has the other following attributes :

  • Hardware Type and Hardware size
  • Protocol Type and Protocol size
  • Opcode: Specifies if the packet is an ARP request or ARP reply.

ARP Request Payload:

  • Hardware (MAC) Source Address: 28:c6:3f:d1:61:b8
  • Hardware (MAC) Destination Address: 00:00:00:00:00:00 (since we don’t know the MAC address of the destination)
  • Protocol (IP) Source Address: 172.20.10.6
  • Protocol (IP) Destination Address: 172.20.10.1 (this is the default gateway IP address of the router)
  • Opcode: 1
  • Hardware type: Ethernet
  • Hardware Size: 4
  • Protocol type: IPv4
  • Protocol Size: 6

ARP Reply Payload:

  • Hardware (MAC) Source Address: fa:38:80:2b:a4:64
  • Hardware (MAC) Destination Address: 28:c6:3f:d1:61:b8
  • Protocol (IP) Source Address: 172.20.10.1 (this is the default gateway IP address of the router)
  • Protocol (IP) Destination Address: 172.20.10.6 (the device that sent the request)
  • Opcode: 2
  • Hardware type: Ethernet
  • Hardware Size: 4
  • Protocol type: IPv4
  • Protocol Size: 6

Fields in ARP:

1. arp.probe:

  • An ARP Probe checks the network to make sure an IP address isn’t already in use before the host starts using it.
  • The Opcode field is set to 1, indicating an ARP Request, when it is transmitted. The host that sent the ARP Probe waits for a response from the current owner if the IP address in question is already in use; the ARP Probe is therefore a request that may receive a reply.

2. arp.announcement:

  • If the ARP Probe receives no response from any host that might already be using the IP address, the initiating host considers the IP address unique and issues an ARP Announcement to formally “claim” it on the network.
  • An ARP Announcement’s Opcode is set to 1, denoting a request.

3. arp.gratuitous:

  • An ARP Reply that was not triggered by an ARP Request is referred to as a Gratuitous ARP. A node sends a Gratuitous ARP as a broadcast to inform the whole network of a change to its IP-to-MAC mapping.
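As an added example (not code from the article, and not Wireshark’s own dissector), the following Python decodes an Ethernet/ARP frame into the MAC-header and payload fields described above, classifies each packet as request, reply, probe, announcement or gratuitous ARP using the definitions in this section (the classification rules are this example’s own, written from RFC 5227, not Wireshark’s logic), and flags IP addresses claimed by two different MACs, which is the check that the ‘Detect duplicate IP address configuration’ preference performs. The sample frames are constructed from the addresses in the article’s capture plus a made-up second MAC (de:ad:be:ef:00:01); the field lengths follow RFC 826, where the hardware address length is 6 for Ethernet and the protocol address length is 4 for IPv4.

```python
# Added example (not from the article): decode Ethernet/ARP frames the way
# Wireshark's ARP dissector presents them, using constructed sample frames.
import struct
import ipaddress
from dataclasses import dataclass

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806   # EtherType values from the article
HTYPE_ETHERNET = 1                                # ARP hardware type: Ethernet
ARP_REQUEST, ARP_REPLY = 1, 2                     # ARP opcode values
BROADCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_to_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))

@dataclass
class ArpPacket:
    dst_mac: str   # Ethernet header destination (broadcast for a request)
    src_mac: str   # Ethernet header source
    hlen: int      # "Hardware size" in Wireshark
    plen: int      # "Protocol size" in Wireshark
    opcode: int    # 1 = request, 2 = reply
    sha: str       # sender hardware address
    spa: str       # sender protocol (IPv4) address
    tha: str       # target hardware address (all zeros in a request)
    tpa: str       # target protocol address

def build_arp_frame(dst_mac, src_mac, opcode, sha, spa, tha, tpa) -> bytes:
    """14-byte Ethernet header + 28-byte ARP body; RFC 826: hlen 6 (MAC), plen 4 (IPv4)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_to_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp

def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Parse one frame; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP (need 42 bytes)")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:42]
    return ArpPacket(mac_to_str(frame[0:6]), mac_to_str(frame[6:12]), hlen, plen, opcode,
                     mac_to_str(body[0:6]), str(ipaddress.IPv4Address(body[6:10])),
                     mac_to_str(body[10:16]), str(ipaddress.IPv4Address(body[16:20])))

def classify(p: ArpPacket) -> str:
    """Probe / announcement / gratuitous per the article and RFC 5227 (this example's own rules)."""
    if p.opcode == ARP_REQUEST and p.spa == "0.0.0.0":
        return "probe"          # asks about tpa without claiming any address yet
    if p.opcode == ARP_REQUEST and p.spa == p.tpa:
        return "announcement"   # request that claims the sender's own address
    if p.opcode == ARP_REPLY and p.spa == p.tpa:
        return "gratuitous"     # reply that no request asked for
    return "request" if p.opcode == ARP_REQUEST else "reply"

def info_column(p: ArpPacket) -> str:
    """Approximation of the Wireshark Info column for an ARP packet."""
    if p.opcode == ARP_REQUEST:
        return f"Who has {p.tpa}? Tell {p.spa}"
    return f"{p.spa} is at {p.sha}"

def find_ip_conflicts(frames):
    """Same idea as Wireshark's 'Detect duplicate IP address configuration':
    report an IP whose sender MAC differs from the MAC first seen claiming it."""
    claimed, conflicts = {}, []
    for frame in frames:
        p = parse_arp_frame(frame)
        if p.spa == "0.0.0.0":          # probes claim nothing, so skip them
            continue
        if p.spa in claimed and claimed[p.spa] != p.sha:
            conflicts.append((p.spa, claimed[p.spa], p.sha))
        claimed.setdefault(p.spa, p.sha)
    return conflicts

# Constructed frames: the request/reply pair from the article's capture, plus a
# probe, an announcement and a gratuitous reply from a made-up second MAC.
HOST_MAC, GW_MAC, ROGUE_MAC = "28:c6:3f:d1:61:b8", "fa:38:80:2b:a4:64", "de:ad:be:ef:00:01"
HOST_IP, GW_IP = "172.20.10.6", "172.20.10.1"
SAMPLE_REQUEST = build_arp_frame(BROADCAST_MAC, HOST_MAC, ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP)
SAMPLE_REPLY = build_arp_frame(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP)
SAMPLE_PROBE = build_arp_frame(BROADCAST_MAC, HOST_MAC, ARP_REQUEST, HOST_MAC, "0.0.0.0", ZERO_MAC, HOST_IP)
SAMPLE_ANNOUNCE = build_arp_frame(BROADCAST_MAC, HOST_MAC, ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, HOST_IP)
SAMPLE_GRATUITOUS = build_arp_frame(BROADCAST_MAC, ROGUE_MAC, ARP_REPLY, ROGUE_MAC, GW_IP, BROADCAST_MAC, GW_IP)
SAMPLE_FRAMES = [SAMPLE_REQUEST, SAMPLE_REPLY, SAMPLE_PROBE, SAMPLE_ANNOUNCE, SAMPLE_GRATUITOUS]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        p = parse_arp_frame(frame)
        print(f"{classify(p):13s} dst={p.dst_mac} op={p.opcode} {info_column(p)}")
    print("conflicts:", find_ip_conflicts(SAMPLE_FRAMES))
```

Run directly, it prints one line per frame in the style of Wireshark’s packet list and then the conflict list. The conflict detector only trusts the sender fields, which is what a host would write into its cache; a second MAC claiming the gateway’s IP is either a misconfiguration or a spoofing attempt, so that list is worth alerting on rather than just displaying.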
