ARP Request/Reply ??

JC724

I am taking my 1st software security class in college. Right now we are learning about networking working and network security. I am trying to practice some of the commands but I am not really understanding how to do it.

So I am trying to learn how ifconfig works and how to read the results.

Also I am trying to learn how to use the arp command. I opened up my laptop (using Linux Ubuntu) and typed in "arp -a".

It showed me a couple of IP addresses but I don't know how to send a request/reply? Or how to find other IP addresses.
 
Hi JC724,

ARP is a protocol that is used when a device is seeking the layer 2 address (MAC) of another device within its subnet. It resolves layer 3 (IP) addresses to layer 2 (MAC) addresses. MAC addresses are actually the addresses computers use to communicate. The command 'arp -a' is displaying your current ARP cache on the device you are accessing. This will display the IP addresses (layer 3) and the MAC addresses (layer 2) that they responded with on previous ARP replies. If you are already confused, that's ok. Please hear me out and continue reading.

The reason this cache is important is that it allows the host to remember remote hosts' MAC addresses, so it will not have to make new ARP requests each time it communicates with the same remote host within a defined time period. The standard is 4 hours. Considering how chatty modern networks are, this is incredibly beneficial in switching (layer 2) overhead and network congestion.

With that said, you don't necessarily make ARP requests manually...so to speak. Whenever you ping or try to reach a host whose MAC address your client device has no knowledge of, it will broadcast an ARP request to all hosts on its subnet. Then the remote host will reply with its MAC address in unicast.

Read about broadcast and unicast here: http://www.erg.abdn.ac.uk/users/gorry/course/intro-pages/uni-b-mcast.html

Think of it like walking into a party and yelling: "I NEED SALLY'S PHONE NUMBER": this is a broadcast. When Jim, Sally, Sue, and Steve hear you, only Sally will hand you a piece of paper with her phone number on it: this is called unicast. There's no reason for Sally to yell it back for the whole room to hear... it would be far too noisy and it's extra information no one cares about. While some will argue that this is probably a better analogy suited for DNS, the logic will still apply, and I suggest those readers ignore this analogy and move along.

Now, imagine if this piece of paper was magic, where it will destroy itself after 4 hours. If you call Sally again within 4 hours, it will reset the timer. However, if you need to call her after the 4 hour mark (ARP cache), you will need to yell into the room again for her phone number, because the slip has disappeared.

Regardless, the point is that ARP is automatic - you don't manually make an ARP request/reply...it just happens.

I think the important piece you need to watch for and try to learn is to understand what you are actually looking for, or your end goal with the ifconfig command. Just going at it blindly without context or a goal can be a vapid exercise.

For example: You could use ifconfig to find out what the default gateway is of your host machine, or what the configured IP address/subnet mask is of a particular interface.

If you are a tad confused at this point, I would suggest reading my post again, and try to fill in the gaps. Please let me know if you have a follow-up question.
 
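The request/reply exchange described in the reply above, as an added example that is not part of the original thread: it builds the broadcast request and the unicast reply as bytes in memory (nothing is sent on a network), parses them, and fills a cache from the reply. The addresses, the `hosts` table and all function names are constructed for illustration, and cache expiry is left out.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP, OP_REQUEST, OP_REPLY = 0x0806, 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet header followed by the 28-byte ARP payload for IPv4."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, lengths, opcode
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def parse_frame(frame):
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    return {"eth_dst": mac_str(dst), "op": op, "sender_mac": mac_str(sha),
            "sender_ip": socket.inet_ntoa(spa), "target_ip": socket.inet_ntoa(tpa)}

def resolve(cache, my_mac, my_ip, want_ip, hosts):
    """Return (mac, frames_on_wire); hosts is a constructed IP -> MAC subnet."""
    if want_ip in cache:  # cache hit: nothing is sent
        return cache[want_ip], []
    # Request: broadcast at layer 2; the target MAC is unknown, so all zeros.
    request = build_frame(OP_REQUEST, BROADCAST, my_mac, my_ip,
                          "00:00:00:00:00:00", want_ip)
    owner = hosts.get(parse_frame(request)["target_ip"])
    if owner is None:  # no host owns that IP, so no reply arrives
        return None, [request]
    # Reply: unicast straight back to the requester.
    reply = build_frame(OP_REPLY, my_mac, owner, want_ip, my_mac, my_ip)
    seen = parse_frame(reply)
    cache[seen["sender_ip"]] = seen["sender_mac"]
    return cache[want_ip], [request, reply]

if __name__ == "__main__":
    cache, hosts = {}, {"192.168.1.20": "02:00:00:00:00:14"}  # constructed subnet
    for _ in range(2):  # second pass is answered from the cache
        mac, frames = resolve(cache, "02:00:00:00:00:0a", "192.168.1.10",
                              "192.168.1.20", hosts)
        print(mac, [parse_frame(f)["eth_dst"] for f in frames])
```
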