Computer Networking Flowchart

In this post, I will go over a simple diagram and walk through a couple of scenarios showing how data travels between two hosts.

Diagram


Key Points

  • Computers communicate using IP addresses at layer 3
  • Computers communicate using MAC addresses at layer 2
  • If you pass a hostname, a DNS lookup will be performed to find the IP address of the receiving computer. DNS records are cached for faster lookups. Cached records have an expiration date, after which another lookup must be performed.
  • Computers keep an ARP table of MAC address and IP address pairs they have recently communicated with on the LAN. Each record in the ARP table has an expiration date, after which the host will need to be rediscovered.
ℹ️
When we say computers communicate at layer 3 using IP addresses and at layer 2 using MAC addresses, we only mean that this is how the source and destination are identified at each layer. Hosts cannot communicate using IP addresses alone or MAC addresses alone.

A fully formed Ethernet frame must be put on the wire. When the recipient computer receives the frame, it decapsulates each payload and checks the source and destination IP and MAC addresses.





Address Resolution Protocol (ARP)

ARP is a layer 2 protocol used to find the MAC address of a host that is identified by its layer 3 (IP) address. Hosts communicate at layer 2 using MAC addresses and at layer 3 using IP addresses. ARP is a layer 2 protocol because a host sends a layer 2 broadcast to FF:FF:FF:FF:FF:FF to discover the MAC address belonging to an IP address.

If you need a quick refresher on network layers, see this post:

OSI Model Visualization
In this post, I provide a mock-up of the OSI model and briefly discuss the differences with the TCP/IP model.



Reading the ARP Table

You can print the contents of the ARP table using the following commands:

Linux | Unix

# Using the ip command
ip neighbor

# Using the arp command with Linux style output
arp -e

# Using the arp command with BSD Unix-style output
arp -a

Windows

# PowerShell
Get-NetNeighbor

# Using arp.exe in legacy command prompt or PowerShell
arp -a





Seeing it in Action

I have some hosts networked together as pictured in this diagram:

I am also going to clear my ARP cache using this command: ip -s -s neigh flush all. Now that my ARP cache is clear, I can do some tests.

10.0.0.2 to 10.0.0.14

I have a quick test container running python -m http.server 80 at 10.0.0.14. I am going to connect to the web server from my Kali VM.

Analyzing it with Wireshark

  • Frame 5058 is Kali asking for the MAC address of the default gateway (because I cleared it from the cache): "Who has 10.0.0.1? Tell 10.0.0.2". 10.0.0.1 should respond by telling 10.0.0.2 its MAC address.
  • Frame 5360 is Kali asking for the MAC address of 10.0.0.14 using an ARP broadcast: "Who has 10.0.0.14? Tell 10.0.0.2". 10.0.0.14 should respond by telling 10.0.0.2 its MAC address.
  • Frame 5361 is the test container responding to the request: "10.0.0.14 is at 56:2d:f9:6e:78:b9".
  • Frames 5362 – 5373 are Kali and the web server establishing a TCP connection and transferring the HTTP data.
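The ARP exchange in frames 5360 and 5361, rebuilt and decoded byte by byte (an added example, not part of the original post). Kali's MAC address does not appear in the post, so KALI_MAC is a constructed placeholder, and both frames are constructed from the addresses shown above.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
KALI_MAC = "02:00:00:00:00:02"       # constructed placeholder; not from the post
SERVER_MAC = "56:2d:f9:6e:78:b9"     # 10.0.0.14, as reported in frame 5361

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + ARP body for IPv4 over Ethernet (op 1=request, 2=reply)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def describe(frame):
    """Return (Ethernet destination MAC, Wireshark-style ARP summary)."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, ethertype = mac_str(frame[0:6]), struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    sender_mac, sender_ip = mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32])
    target_ip = socket.inet_ntoa(frame[38:42])
    if op == 1:
        return eth_dst, f"Who has {target_ip}? Tell {sender_ip}"
    if op == 2:
        return eth_dst, f"{sender_ip} is at {sender_mac}"
    raise ValueError(f"unsupported ARP opcode {op}")

# Constructed frames mirroring frames 5360 (request) and 5361 (reply).
REQUEST = build_arp(1, BROADCAST, KALI_MAC, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.14")
REPLY = build_arp(2, KALI_MAC, SERVER_MAC, "10.0.0.14", KALI_MAC, "10.0.0.2")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(*describe(frame), sep="  |  ")
```

The request is addressed to the broadcast MAC because the sender does not yet know the target's MAC; the reply goes back as a unicast frame.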

Taking a Closer Look at Frame 5362

This is the SYN packet going from Kali to the web server. Let's take a deeper look at the layer 2 and layer 3 headers.

Layer 2

Since 10.0.0.14 is on the same LAN, the destination MAC address is that of the web server. It does not go to the default gateway, because it does not need to be routed.

Layer 3

We can see that the destination IP address is that of the web server.


10.0.0.2 to 10.9.9.35

I clear my ARP cache again. I am running a web server on 10.9.9.35, so the test will be the same; only the IP addresses are different.

Analyzing it with Wireshark

  • Frame 450 is Kali asking for the MAC address of the default gateway: "Who has 10.0.0.1? Tell 10.0.0.2". 10.0.0.1 should respond by telling 10.0.0.2 its MAC address.
  • Frame 451 is the default gateway responding: "10.0.0.1 is at 42:67:ea:58:a3:e7".
  • Frames 606 – 615 are Kali and the web server establishing a TCP connection and transferring the HTTP data.

Taking a Deeper Look at Frame 606

This is the SYN packet going from Kali to the web server. Let's take a deeper look at the layer 2 and layer 3 headers.

Layer 2

Since 10.9.9.35 is on a foreign subnet, the destination MAC address is that of the default gateway. This is because the default gateway will receive the packet and route it to its destination.

Layer 3

Finally, we can see the destination address is that of the web server and the source address belongs to Kali.
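Both scenarios come down to one decision: which IP address the sender looks up in its ARP table before building the frame. The sketch below is an added example, not code from the original post. It assumes a /24 prefix on Kali's interface and an interface named eth0 (neither is stated in the post), and the `ip neighbor` output is constructed, including the unresolved 10.0.0.77 entry.

```python
import ipaddress

# Constructed `ip neighbor` output; the two MACs are those seen in the captures.
IP_NEIGH = """\
10.0.0.1 dev eth0 lladdr 42:67:ea:58:a3:e7 REACHABLE
10.0.0.14 dev eth0 lladdr 56:2d:f9:6e:78:b9 STALE
10.0.0.77 dev eth0  FAILED
"""

def parse_neighbors(text):
    """Map IP -> MAC for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1]
    return table

def next_hop(dst, iface, gateway):
    """IP to resolve with ARP: the destination if it is on-link, else the gateway."""
    network = ipaddress.ip_interface(iface).network
    return dst if ipaddress.ip_address(dst) in network else gateway

def frame_destination(dst, iface, gateway, neighbors):
    """Layer 2 and layer 3 destinations for a packet sent to dst."""
    hop = next_hop(dst, iface, gateway)
    mac = neighbors.get(hop)
    return {
        "ip_dst": dst,            # layer 3 destination never changes
        "arp_target": hop,        # whose MAC the sender needs
        "eth_dst": mac,           # layer 2 destination, None if not cached
        "needs_arp": mac is None, # True -> a "Who has ...?" broadcast goes out first
    }

NEIGHBORS = parse_neighbors(IP_NEIGH)

if __name__ == "__main__":
    for dst in ("10.0.0.14", "10.9.9.35", "10.0.0.77"):
        print(frame_destination(dst, "10.0.0.2/24", "10.0.0.1", NEIGHBORS))
```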
