Introduction

Data frames on a real network are not delivered by IP address but by the physical address (MAC address) that is unique to each network card. An upper-layer protocol generally knows only the IP address, not the MAC address, so a method is needed to obtain the MAC address from the IP address; that method is ARP. Sometimes the reverse holds: the physical address of a machine is known, but not its IP address. A system that boots from a local disk usually reads its IP address from a configuration file on that disk, but diskless machines/workstations need another method (RARP) to obtain an IP address. Usually, the host sends a RARP packet to the network, and another host (the RARP server) responds with a RARP packet that tells the requesting host its IP address.

ARP and RARP packets

  • Frame type: 2 bytes long. 0x0800 is an IP packet, 0x0806 is an ARP request/reply packet, and 0x8035 is a RARP request/reply packet.
  • Hardware Type: the network hardware type of the ARP packet. The length is 2 bytes. 0x0001 is Ethernet.
  • Protocol Type: the protocol used by the ARP packet. The length is 2 bytes. 0x0800 is the IP address protocol. The protocol type and hardware type together determine how the rest of the data is laid out; Ethernet ARP/RARP is used here.
  • Hardware Address Length (Hardware Size): the length of the hardware address, expressed in bytes. The field is 1 byte long. 0x06 is the Ethernet address length (6 bytes).
  • Protocol Size: the length of the protocol address, expressed in bytes. The field is 1 byte long. 0x04 is the IP address length (4 bytes).
  • Opcode: what the packet is for. The length is 2 bytes. 0x0001 is an ARP request packet, 0x0002 an ARP reply packet, 0x0003 a RARP request packet, and 0x0004 a RARP reply packet.
  • Sender MAC Address: the physical Ethernet address of the sender. The length is 6 bytes.
  • Sender IP Address: the IP address of the sender. The length is 4 bytes.
  • Target MAC Address: the destination MAC address. The length is 6 bytes. In an ARP request it is initialized to 0; in an ARP reply it holds the specific MAC address. In a RARP request it is initialized to the MAC address to be resolved.
  • Target IP Address: the destination IP address. The length is 4 bytes. In an ARP request it is initialized to the IP address to be resolved. In a RARP request it is initialized to 0, and in a RARP reply it is filled with the corresponding IP address.

ARP and RARP packets can be unicast (the Ethernet destination address is a MAC address of a specific machine) or broadcast (the Ethernet destination address is a MAC address with all 1s).

ARP and RARP features

1. ARP features

  • ARP cache: ARP works efficiently because each host has an ARP cache. This cache stores the most recent mappings between IP addresses and hardware addresses. An entry generally has a lifetime of 20 minutes, counted from the time it was created. From the command line, we can view these entries with the arp command.
  • Proxy ARP: a packet on network A needs to be sent to a host on network B. When the ARP request packet is sent on network A, the router between network A and network B responds to it. This causes the sender of the ARP request packet to mistake the router for the destination host.
  • Gratuitous ARP: host A sends an ARP request packet that looks up the MAC address for host A's own IP address. Is it strange for a host to send an ARP packet that looks up its own address? No, because it serves two purposes: (1) it checks whether another host on the network has the same IP address; (2) if the physical address of host A has changed, the ARP caches of other hosts are updated in this way.
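As an added example (not code from the original article), the following Python parser decodes the Ethernet ARP/RARP layout from the field list above and flags the broadcast and gratuitous cases described on this page. The function names are this example's own, and the MAC and IP addresses are constructed sample values.

```python
import socket
import struct

# Values taken from the field list on this page.
ETHERTYPES = {0x0806: "ARP", 0x8035: "RARP"}
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
BROADCAST = b"\xff" * 6  # Ethernet destination with all bits set to 1

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying ARP/RARP; raise ValueError if malformed."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet header + ARP body")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype not in ETHERTYPES:
        raise ValueError(f"not ARP/RARP: frame type 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    # The fixed 28-byte body only applies to Ethernet (6-byte) + IPv4 (4-byte) addresses.
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if op not in OPCODES:
        raise ValueError(f"unknown opcode {op}")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "frame_type": ETHERTYPES[ethertype],
        "opcode": OPCODES[op],
        "broadcast": dst == BROADCAST,
        "sender_mac": fmt_mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": fmt_mac(tha), "target_ip": socket.inet_ntoa(tpa),
        # Gratuitous ARP: the sender looks up its own IP address.
        "gratuitous": ethertype == 0x0806 and spa == tpa,
    }

def build_frame(dst, src, ethertype, op, sha, spa, tha, tpa):
    """Build a constructed sample frame (Ethernet/IPv4 ARP body) for the demo."""
    hdr = struct.pack("!6s6sHHHBBH", dst, src, ethertype, 1, 0x0800, 6, 4, op)
    return hdr + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)

# Constructed sample data: made-up MACs and documentation-range IPs.
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
REQUEST = build_frame(BROADCAST, HOST_A, 0x0806, 1, HOST_A, "192.0.2.10", bytes(6), "192.0.2.20")
REPLY = build_frame(HOST_A, HOST_B, 0x0806, 2, HOST_B, "192.0.2.20", HOST_A, "192.0.2.10")
GRATUITOUS = build_frame(BROADCAST, HOST_A, 0x0806, 1, HOST_A, "192.0.2.10", bytes(6), "192.0.2.10")

if __name__ == "__main__":
    for name, f in (("request", REQUEST), ("reply", REPLY), ("gratuitous", GRATUITOUS)):
        print(name, parse_arp_frame(f))
```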

2. RARP features

  • A RARP reply has to come from a RARP server. The server records the mapping between IP addresses and physical addresses. There are usually multiple RARP servers on a network.
  • As the number of servers increases (to provide redundancy), so does network traffic, because each server sends an RARP reply to each RARP request. Diskless systems that send RARP requests generally take the RARP reply that is received first (we never have this situation with ARP, since only one host sends an ARP reply). In addition, it is possible for each RARP server to answer at the same time, which increases the probability of Ethernet collisions.

ARP packet capture

The two figures above are a pair. We can see that this is a unicast ARP.
