Understanding Catch ARP Poisioning

Address Resolution Protocol (ARP)

The Address Resolution Protocol (ARP) is defined in RFC 826 “An Ethernet Address Resolution Protocol” (See https://tools.ietf.org/html/rfc826) and has three purposes. The first is to associate a hardware address with an IP address on a local area network by using a broadcast request and response process. The second is to test for duplicate IPv4 addresses by using a broadcasts gratuitous ARP process. The third is to maintain a cache table of media access addresses (MAC) to IP addresses. ARP relies on broadcasts, so it operates at layer 2 (The Data-Link Layer).

Note: Since IPv6 does not support/use broadcasts, it does not use ARP. Instead, IPv6 hosts use “Neighbor Discovery,” which runs over ICMPv6 on a network outlined in RFC 4861, a full discussion of which is outside the scope of this post (See https://tools.ietf.org/

Normal ARP Request/Response

Network security, assessment, and audit begins with understanding “baseline” or “normal” traffic. Standard ARP request and response starts when a host wants to communicate with another host but does not know the other host’s MAC address, which is needed as part of ISO/OSI Model’s encapsulation process. Using an ARP broadcast message, a host sends an ARP broadcast that includes the target IP address but no target hardware address:

Normal ARP Request:

IP address wanting to communicate with IP address but not knowing’s MAC address sends an ARP broadcast request asking “Who has Tell”

Normal ARP Reply:

IP address replies to’s request with its MAC address:

Have to go. To be continued…


Leave a Reply

Your email address will not be published. Required fields are marked *