HakTip 124 – Wireshark 101: Address Resolution Protocol

Today on HakTip, Shannon Morse breaks down ARP packets – how to distinguish an ARP packet in Wireshark and what each part of the packet means.

Download HD  |   Download MP4

Today we’re checking out Wireshark and Address Resolution Protocol.

Today we’re going to delve into understanding normal traffic patterns with TCP/IP and ARP packets, and being able to find abnormal happenings on your network. First, your computer will send out a thing called an ARP request whenever your first computer (A) is trying to talk to another computer (B). This basically means “your computer has XXX IP address and XXX MAC address, and it’s trying to send something to XXX IP address, but it doesn’t know the MAC address. The Address Resolution Protocol (ARP) will respond with “that’s me! Here’s my MAC address” and then everything is shiny and happy because both parties can see each other and send packets to each other. Now let’s look at an example of what an ARP packet header looks like on Wikipedia!
An ARP header will have a Hardware type (like type 1 for Ethernet), Protocol Type (IPV4 would be listed as 0x0800). And a step down will be the Hardware address length (such as 6 for Ethernet), and a Protocol Address length (IPV4 is 4). Below this will be the Operation that the sender is doing – 1 for request, or 2 for reply. Then you’ll have the Sender’s Hardware Address and Protocol Address. And lastly is the Target’s Hardware and Protocol Address. These last few would be ex. the MAC address for hardware, and the IP address for protocol.

If I run a packet capture in Wireshark and look for ARP, I can find one that has an Address Resolution Protocol packet header for a request and reply. You’ll notice the MAC address is listed under Wireshark as 00:00:00:00:00 because it’s currently not known. But if we find the reply packet, you’ll notice that the MAC is now filled in.

If devices on your network tend to change IP addresses, which is common, then Wireshark will send out something called a Gratuitous ARP, which basically means it’ll keep the destination open so when it receives replies, it’ll collect all the new IP addresses of the other machines on the network. The Destination will be set to something like ff:ff:ff:ff:ff:ff:ff and the target and sender IP addresses are the same.

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.

1 Comment

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>