Forum learning time

spidey07

No Lifer
Aug 4, 2000
Forum has been slow, so let's talk about the often forgotten but never missed protocol - ARP.

http://en.wikipedia.org/wiki/A...ss_Resolution_Protocol

This is the glue that holds together datalink layer address, or layer2, and higher protocols like IP. Without it you could never talk to the computer next to you, your default gateway, etc. It is what maps layer3/IP addresses to layer2/MAC addresses.

So your computer wants to talk to another computer on the same LAN, the same IP subnet? The very first thing that computer will do is look at its ARP TABLE to see if it already has a mapping of the IP address to a corresponding MAC address. You can look at your ARP TABLE on a computer with the "arp -g" command.

This is mine:
C:\>arp -g

Interface: 192.168.1.147 --- 0x2
Internet Address Physical Address Type
192.168.1.1 00-04-5a-e1-97-4f dynamic


What this tells me is the IP address 192.168.1.1 has a MAC address of 00-04-5a-e1-97-4f. It also tells me that my computer has already sent out an ARP request, a layer2 BROADCAST, of "hey! If you're 192.168.1.1 you must respond to me and tell me your MAC address!" I want to talk to another IP address on my LAN - 192.168.1.250...
C:\>ping 192.168.1.250

Pinging 192.168.1.250 with 32 bytes of data:

Reply from 192.168.1.250: bytes=32 time=2ms TTL=255
Reply from 192.168.1.250: bytes=32 time=2ms TTL=255
Reply from 192.168.1.250: bytes=32 time=1ms TTL=255
Reply from 192.168.1.250: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.1.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\>arp -g

Interface: 192.168.1.147 --- 0x2
Internet Address Physical Address Type
192.168.1.1 00-04-5a-e1-97-4f dynamic
192.168.1.250 00-15-c6-e8-bf-dd dynamic

See there! My computer's ARP table didn't contain that entry before. But by trying to communicate at the IP layer (PING) I had to send an ARP request of "Who's got 192.168.1.250?" 192.168.1.250 responded to me and told me. But keep in mind this is still operating at the datalink/layer2 - there is NO ip/layer3 going on.

This function can be very important because if layer2 isn't correctly mapped to layer3 then anything above layer2 won't work. This can be very useful in troubleshooting as you work your way up the OSI model - layer1 first, then check layer2 (ARP lives here), move up to layer3 and so on.
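As an added example (not code from spidey07's post), here is a small Python parser for the two `arp -g` snapshots above. It diffs them to show the entry the ping resolved, and adds the two checks a defender wants when reading an ARP table: an existing IP whose MAC changed between snapshots, and one unicast MAC answering for several IPs. The snapshot text is constructed from the post.

```python
import re

# Constructed input: the two Windows `arp -g` snapshots from the post, before and after the ping.
ARP_BEFORE = """\
Interface: 192.168.1.147 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-04-5a-e1-97-4f     dynamic
"""
ARP_AFTER = ARP_BEFORE + "  192.168.1.250         00-15-c6-e8-bf-dd     dynamic\n"

# One table row: dotted IPv4, dash-separated MAC, then the Windows entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE)

def parse_arp(text):
    """Return {ip: (mac, type)}; the Interface and header lines don't match the row pattern."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table

def new_entries(before, after):
    """IPs resolved since the earlier snapshot, i.e. the ARP request/reply the post describes."""
    return sorted(ip for ip in after if ip not in before)

def changed_macs(before, after):
    """IPs whose MAC changed between snapshots. For a gateway that was not physically
    replaced, this is what a forged ARP reply looks like from the victim's own table."""
    return sorted(ip for ip in after if ip in before and before[ip][0] != after[ip][0])

def shared_macs(table):
    """Unicast MACs that answer for more than one IP. Broadcast and multicast MACs
    (group bit = low bit of the first octet) legitimately repeat, so they are skipped."""
    by_mac = {}
    for ip, (mac, _) in table.items():
        if int(mac[:2], 16) & 1:
            continue
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    before, after = parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)
    print("resolved by the ping:", new_entries(before, after))
    print("MAC changes:", changed_macs(before, after), "shared MACs:", shared_macs(after))
```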
 

kevnich2

Platinum Member
Apr 10, 2004
This has nothing to do with your post, technically speaking, but what Cisco device do you have at 192.168.1.250? I also wouldn't think you would actually be running a Linksys router as your gateway, thought you'd have a nice Cisco firewall or something. Just curious, but thanks for the info about the ARP table, gives another area of troubleshooting that I'd actually forgotten about.
 

boomerang

Lifer
Jun 19, 2000
spidey, I appreciate your informative post. It's somewhat over my head and I will freely admit that. If you're so inclined, could you help me with the results of an arp -g from my computer? It may help me to understand this better.

Interface: 192.168.11.142 --- 0x8
Internet Address Physical Address Type
192.168.11.1 00-16-01-d6-a6-c4 dynamic
192.168.11.103 00-0b-6a-e8-2b-e5 dynamic
192.168.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static

192.168.11.1 is my router. I've got a box stashed in the basement running WHS that's 192.168.11.103. At this point in time, they are the only two computers running.

What's up with the rest of these entries?

 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: boomerang
spidey, I appreciate your informative post. It's somewhat over my head and I will freely admit that. If you're so inclined, could you help me with the results of an arp -g from my computer? It may help me to understand this better.

Interface: 192.168.11.142 --- 0x8
Internet Address Physical Address Type
192.168.11.1 00-16-01-d6-a6-c4 dynamic
192.168.11.103 00-0b-6a-e8-2b-e5 dynamic
192.168.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static

192.168.11.1 is my router. I've got a box stashed in the basement running WHS that's 192.168.11.103. At this point in time, they are the only two computers running.

What's up with the rest of these entries?


192.168.11.255 ff-ff-ff-ff-ff-ff static
255.255.255.255 ff-ff-ff-ff-ff-ff static


All F's for a MAC is a broadcast (or your Sun's PROM(?) battery has died).


224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static


Those look like multicast addresses. Not sure why the MACs show up like that, I haven't really looked into multicast much.
 

Tarrant64

Diamond Member
Sep 20, 2004
If anyone wants, I can put a little bit on ARP cache poisoning and how it works. We've just covered this in my security course and I thought it was pretty interesting how attackers can use ARP against you.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Tarrant64
If anyone wants, I can put a little bit on ARP cache poisoning and how it works. We've just covered this in my security course and I thought it was pretty interesting how attackers can use ARP against you.

You mean replying to everybody's ARP request for their default gateway with your own MAC? Sure...go right ahead!
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: kevnich2
This has nothing to do with your post, technically speaking, but what Cisco device do you have at 192.168.1.250? I also wouldn't think you would actually be running a Linksys router as your gateway, thought you'd have a nice Cisco firewall or something. Just curious, but thanks for the info about the ARP table, gives another area of troubleshooting that I'd actually forgotten about.

That's my Linksys router from 1999 - still going strong. .250 is a 1242 access point.

kevnich2 brings up another point - the first 5 nibbles of a MAC address are registered by the manufacturer of the interface. They are supposed to be globally unique meaning no device in the world should have the same mac.

Multicast addressing and how it maps to MAC addresses is a whole 'nother thread. Boomerang - multicast IPs are 224.x to 239.x, something on your machine is running multicast.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: spidey07
Originally posted by: kevnich2
This has nothing to do with your post, technically speaking, but what Cisco device do you have at 192.168.1.250? I also wouldn't think you would actually be running a Linksys router as your gateway, thought you'd have a nice Cisco firewall or something. Just curious, but thanks for the info about the ARP table, gives another area of troubleshooting that I'd actually forgotten about.

That's my Linksys router from 1999 - still going strong. .250 is a 1242 access point.

kevnich2 brings up another point - the first 5 nibbles of a MAC address are registered by the manufacturer of the interface. They are supposed to be globally unique meaning no device in the world should have the same mac.

Multicast addressing and how it maps to MAC addresses is a whole 'nother thread. Boomerang - multicast IPs are 224.x to 239.x, something on your machine is running multicast.

Ever found two NICs with the same MAC? It's fun to troubleshoot. :confused:

I wish a complete list of MAC prefixes -> companies was published, seems silly that some of them are secret.
 

kevnich2

Platinum Member
Apr 10, 2004
Originally posted by: n0cmonkey
Originally posted by: spidey07
Originally posted by: kevnich2
This has nothing to do with your post, technically speaking, but what Cisco device do you have at 192.168.1.250? I also wouldn't think you would actually be running a Linksys router as your gateway, thought you'd have a nice Cisco firewall or something. Just curious, but thanks for the info about the ARP table, gives another area of troubleshooting that I'd actually forgotten about.

That's my Linksys router from 1999 - still going strong. .250 is a 1242 access point.

kevnich2 brings up another point - the first 5 nibbles of a MAC address are registered by the manufacturer of the interface. They are supposed to be globally unique meaning no device in the world should have the same mac.

Multicast addressing and how it maps to MAC addresses is a whole 'nother thread. Boomerang - multicast IPs are 224.x to 239.x, something on your machine is running multicast.

Ever found two NICs with the same MAC? It's fun to troubleshoot. :confused:

I wish a complete list of MAC prefixes -> companies was published, seems silly that some of them are secret.

Um, there is a list. IEEE OUI Public database
 

boomerang

Lifer
Jun 19, 2000
Originally posted by: spidey07
Boomerang - multicast IPs are 224.x to 239.x, something on your machine is running multicast.
It's 64-bit Vista Business. Any thoughts to get me researching in the right direction? I'm curious now.
 

spidey07

No Lifer
Aug 4, 2000
Google the multicast addresses. 224.0.0.something is normally network control protocols. 239.255.255.something is a PRIVATE multicast address much like 192.168.something is a private address.
 

mcmilljb

Platinum Member
May 17, 2005
Originally posted by: boomerang
spidey, I appreciate your informative post. It's somewhat over my head and I will freely admit that. If you're so inclined, could you help me with the results of an arp -g from my computer? It may help me to understand this better.

Interface: 192.168.11.142 --- 0x8
Internet Address Physical Address Type
192.168.11.1 00-16-01-d6-a6-c4 dynamic
192.168.11.103 00-0b-6a-e8-2b-e5 dynamic
192.168.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static

192.168.11.1 is my router. I've got a box stashed in the basement running WHS that's 192.168.11.103. At this point in time, they are the only two computers running.

What's up with the rest of these entries?

Here are the services running on those multicast addresses.

224.0.0.22 - IGMP v3 (should look familiar to IGMP v2 users)
224.0.0.252 - Link-Local Multicast Name Resolution, RFC 4795
239.255.255.250 - Simple Service Discovery Protocol

Since there is a good bit of interest in MAC addresses, understanding the basics of Multicast(the IPv4 subset) and Broadcast MAC addresses is important as well.

FF-FF-FF-FF-FF-FF is of course the broadcast. Any device that receives this address in a frame is supposed to process it and pass it up to the next layer. Works basically the same as the broadcast address in IPv4.

01-00-5e-00-00-00 through 01-00-5E-7F-FF-FF are the addresses of the IPv4 Multicast subset of the Multicast MAC addresses. You get the address by chopping some of the bits off the Multicast IP address and inserting them into the MAC address. You don't need the first 4 bits because everyone has the same first 4 bits (1110), so you're left with the 28 bits making up the multicast group identifier. The problem is that when IPv4 Multicast was being assigned its OUI MAC identifier, they could only afford to give them 23 assignable bits. This is why the assignable bits stop at 7F-FF-FF. This means we can only fit 23 of the 28 bits into the MAC address. They overcame this limitation by putting the last 23 bits into the frame. This results in 32 (2^5) groups sharing a MAC address. Luckily they are so spread out that chances are very remote that you'll encounter both groups on the same network.
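As an added example (not code from mcmilljb's post), this Python computes the IP-to-MAC mapping just described for the three static multicast entries in boomerang's table, and goes one step further than the post by enumerating all 32 groups that collide on a single 01-00-5E MAC. Function names are mine.

```python
import ipaddress

# IANA OUI 01-00-5E: the prefix of every IPv4 multicast frame address.
MCAST_OUI = 0x01005E

def mcast_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its frame address the way the post describes:
    keep the OUI, a fixed zero bit, then the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:           # 224.0.0.0/4, i.e. first four bits 1110
        raise ValueError(f"{ip} is not an IPv4 multicast group")
    raw = (MCAST_OUI << 24) | (int(addr) & 0x7FFFFF)
    return "-".join(f"{(raw >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))

def groups_sharing(mac: str) -> list:
    """All 2**5 = 32 multicast groups that map to one 01-00-5E MAC: the 5 bits the
    mapping drops are the low nibble of the first octet and the top bit of the second."""
    raw = int(mac.replace("-", "").replace(":", ""), 16)
    if raw >> 23 != MCAST_OUI << 1:     # OUI followed by the fixed zero bit
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = raw & 0x7FFFFF
    return [str(ipaddress.IPv4Address((0xE << 28) | (hi << 23) | low23)) for hi in range(32)]

if __name__ == "__main__":
    # The three static multicast entries from boomerang's table in this thread.
    for group in ("224.0.0.22", "224.0.0.252", "239.255.255.250"):
        print(group, "->", mcast_mac(group))
    print("groups colliding with 224.0.0.22:", groups_sharing("01-00-5e-00-00-16")[:4], "...")
```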