Network Traffic Analysis for IR: Address Resolution Protocol (ARP) with Wireshark

Introduction to the Address Resolution Protocol 

The Address Resolution Protocol (ARP) was first defined in RFC 826. As the name suggests, it resolves an IP address into the hardware (MAC) address that other systems on the same subnet need in order to deliver frames to that host.

Network addressing works at two different layers of the OSI model. At Layer 2, computers have a hardware or MAC address. At Layer 3, they have an IP address. Most higher-level addressing uses IP addresses; however, the network hardware needs the MAC address to deliver a frame to the right machine within a subnet.

ARP bridges the gap between the two address layers. It is a simple call-and-response protocol: the machine that wants to send a packet broadcasts an ARP request asking which host on the segment has a certain IP address, and the host that owns that address sends back an ARP reply containing its MAC address.

One important feature of ARP is that it is a stateless protocol. Once a computer has sent out an ARP request, it does not remember having done so. As a result, when an ARP reply arrives, the receiving host simply updates its ARP cache with the IP-to-MAC mapping contained in that packet. No verification is performed to ensure that the mapping is correct, since plain ARP provides no way to do so.

This design has its pros and cons. ARP is a bit more efficient, since not every system on the segment has to make its own request: any host that sees a reply (for example a gratuitous ARP announcement that a host broadcasts when its address changes) can learn the mapping from it. Note that ARP never crosses a router; a reply can only benefit hosts in the same broadcast domain.

However, the stateless nature of ARP and the lack of verification leave it open to abuse. A computer will trust an ARP reply and update its cache accordingly, even if it never asked for that information. The lack of verification also means that ARP replies can be spoofed (Read more...)
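As an added example (not part of the original post), here is the request/reply exchange described above together with the check a host cannot perform for itself. The Python below decodes the RFC 826 ARP layout inside an Ethernet II frame, builds a few sample frames purely for illustration (nothing is sent on the wire), and runs a passive monitor that, unlike a host, remembers outstanding requests: it mimics the naive "last reply wins" cache update the text describes, flags a reply nobody asked for, and flags a reply that changes the MAC already learned for an IP. The class and function names (ArpMonitor, build_arp, run_demo) and the MAC and IP addresses are my own choices, not anything from the article.

```python
"""Decode Ethernet/ARP frames laid out as in RFC 826 and flag replies that a
host would cache blindly but an analyst should question.
Added example with constructed frames; nothing here is captured traffic."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """ARP fields of an Ethernet II frame, or None unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(oper, _mac(arp[8:14]), _ip(arp[14:18]),
                     _mac(arp[18:24]), _ip(arp[24:28]))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Frame as a host would send it: requests go to the broadcast MAC, replies are unicast."""
    dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = _mac_bytes(dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


class ArpMonitor:
    """Passive observer of one broadcast domain. `cache` mimics a naive host that
    overwrites its entry on every reply; `alerts` records what the host cannot
    check for itself but an observer that also saw the requests can."""

    def __init__(self):
        self.pending = set()  # (requester MAC, requested IP) not yet answered
        self.cache = {}       # IP -> MAC, last reply wins
        self.alerts = []

    def observe(self, frame: bytes) -> Optional[ArpPacket]:
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        if pkt.opcode == ARP_REQUEST:
            self.pending.add((pkt.sender_mac, pkt.target_ip))
        elif pkt.opcode == ARP_REPLY:
            key = (pkt.target_mac, pkt.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:  # nobody asked: a gratuitous announcement or a poisoning attempt
                self.alerts.append(("unsolicited_reply", pkt.sender_ip, pkt.sender_mac))
            previous = self.cache.get(pkt.sender_ip)
            if previous is not None and previous != pkt.sender_mac:
                self.alerts.append(("mac_changed", pkt.sender_ip, previous, pkt.sender_mac))
            self.cache[pkt.sender_ip] = pkt.sender_mac
        return pkt


# Constructed sample exchange: locally administered MACs, RFC 1918 addresses.
HOST, GATEWAY, ATTACKER = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),  # who has 10.0.0.1?
    build_arp(ARP_REPLY, GATEWAY, "10.0.0.1", HOST, "10.0.0.10"),                # the gateway answers
    build_arp(ARP_REPLY, ATTACKER, "10.0.0.1", HOST, "10.0.0.10"),               # unasked, same IP, new MAC
]


def run_demo(frames=SAMPLE_FRAMES) -> ArpMonitor:
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon
```

After the third frame the monitor's cache points 10.0.0.1 at the attacker's MAC, exactly as a real host's would, and two alerts are raised: one because no request preceded the reply, one because the mapping changed. Real stacks differ in whether an unsolicited reply creates a new cache entry or only refreshes an existing one, so the mac_changed signal is the more reliable of the two in a capture; Wireshark raises the same condition as the expert info filter arp.duplicate-address-detected.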

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: