 What is ARP?
 

ARP stands for Address Resolution Protocol. It is a link-layer protocol that works at OSI Layer 2, providing the link between that layer and the hardware interfaces while serving the upper layer (the Network Layer).

Ethernet switching equipment at Layer 2 cannot interpret 32-bit IP addresses. It forwards Ethernet data packets by 48-bit Ethernet address (usually called the MAC address), which means that delivery of IP data packets on the LAN relies on the MAC address, not the IP address, to identify the target. A mapping between IP addresses and MAC addresses must therefore be established, and this is why the ARP protocol exists.

In the Windows operating system, the local host's active ARP cache can be viewed by typing the command "arp -a" in a command window. The ARP cache stores the mapping between IP addresses and MAC addresses, as shown in the following illustration:

In the picture above, the "Internet Address" is the IP address and the "Physical Address" is the MAC address.

ARP packets can be divided into two types according to their receivers:
1. Broadcast. The destination MAC address is FF-FF-FF-FF-FF-FF. After receiving a broadcast packet, the switch forwards it to all the hosts on the LAN.
2. Non-Broadcast. Only the specified host receives a non-broadcast packet.


ARP packets can also be divided into two types according to function:
1. ARP Request. It is used to obtain the MAC address that corresponds to a given IP address on the LAN.
2. ARP Reply. It is used to inform another host of the local host's IP address and MAC address.

Usually all Broadcast packets are ARP Request packets and all Non-Broadcast packets are ARP Reply packets.

Suppose there are two host computers on a LAN whose host names, IP addresses and MAC addresses are as follows:
HostName    IP             MAC
A           192.168.0.1    AA-AA-AA-AA-AA-AA
B           192.168.0.2    BB-BB-BB-BB-BB-BB

When host A needs to communicate with host B, it first checks its ARP cache to see whether host B's MAC address is recorded there. If it is, the two hosts can communicate directly; if not, host A has to obtain host B's MAC address through the ARP protocol. In effect, host A asks all the hosts on the LAN: "Hello, who is 192.168.0.2? This is 192.168.0.1. My MAC address is AA-AA-AA-AA-AA-AA. What is yours? Come, tell me." The packet sent by host A is a Broadcast:Request packet.

Once host B receives the ARP Broadcast:Request packet from host A, it saves or updates the mapping between host A's IP address and MAC address in its ARP cache. It then sends an ARP Non-Broadcast:Reply packet to host A, meaning: "Hey, this is 192.168.0.2, my MAC address is BB-BB-BB-BB-BB-BB". When host A receives the reply from host B, it saves or updates the mapping between host B's IP address and MAC address in its ARP cache. The two hosts can then communicate with each other.

From the communication process described above, we can see that a host saves and updates its local ARP cache table under the following two conditions:
1. It has received a "Broadcast:Request" packet
2. It has received a "Non-Broadcast:Reply" packet
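
The exchange between host A and host B described above, as an added example that is not part of the original page: it builds the Broadcast:Request and the Non-Broadcast:Reply as raw Ethernet frames, classifies them both ways, and applies the two update conditions to an ARP cache. The function names and the dict-based cache are assumptions made for illustration; the field layout is the standard IPv4-over-Ethernet ARP format from RFC 826.

```python
import struct

BROADCAST = b"\xff" * 6
OPS = {1: "Request", 2: "Reply"}  # ARP opcodes
UPDATES = {("Broadcast", "Request"), ("Non-Broadcast", "Reply")}  # the two conditions

def mac_bytes(text):
    return bytes.fromhex(text.replace("-", ""))

def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))

def build_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet II header + 28-byte IPv4-over-Ethernet ARP payload."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + arp + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))

def parse_frame(frame):
    """Classify a frame both ways the text does and extract its addresses."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    return {
        "receiver": "Broadcast" if frame[0:6] == BROADCAST else "Non-Broadcast",
        "function": OPS.get(op, "Other"),
        "sender_mac": "-".join(f"{b:02X}" for b in frame[22:28]),
        "sender_ip": ".".join(map(str, frame[28:32])),
        "target_ip": ".".join(map(str, frame[38:42])),
    }

def update_cache(cache, frame):
    """Apply the two update conditions; return the MAC that was replaced, if any."""
    pkt = parse_frame(frame)
    if (pkt["receiver"], pkt["function"]) not in UPDATES:
        return None
    previous = cache.get(pkt["sender_ip"])
    cache[pkt["sender_ip"]] = pkt["sender_mac"]
    return previous

# Constructed sample frames for hosts A and B from the table in the text.
A_IP, A_MAC, B_IP, B_MAC = "192.168.0.1", "AA-AA-AA-AA-AA-AA", "192.168.0.2", "BB-BB-BB-BB-BB-BB"
REQUEST = build_frame(1, "FF-FF-FF-FF-FF-FF", A_MAC, A_IP, "00-00-00-00-00-00", B_IP)
REPLY = build_frame(2, A_MAC, B_MAC, B_IP, A_MAC, A_IP)
```

Because update_cache returns the MAC address it replaced, a monitoring script can log every time an existing IP-to-MAC mapping changes.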


Does this mechanism, or the design of the ARP protocol itself, have any problems?
