The structure of an ARP session is quite simple. ARP packets can also be filtered from traffic using the arp filter. As shown in the image below, packets that are not actively highlighted have a unique yellow-brown color in a capture. ARP in WiresharkĪRP packets can easily be found in a Wireshark capture. The lack of verification also means that ARP replies can be spoofed by an attacker. A computer will trust an ARP reply and update their cache accordingly, even if they didn’t ask for that information.
However, the stateless nature of ARP and lack of verification leave it open to abuse. Instead, everyone along the route of the ARP reply can benefit from a single reply. ARP is a bit more efficient, since every system in a network doesn’t have to individually make ARP requests. No verification is performed to ensure that the information is correct (since there is no way to do so). As a result, any computer receiving an ARP reply updates their ARP lookup table with the information contained within that packet. Once a computer has sent out an ARP request, it forgets about it. One important feature of ARP is that it is a stateless protocol. The machine wanting to send a packet to another machine sends out a request packet asking which computer has a certain IP address, and the corresponding computer sends out a reply that provides their MAC address. It is a simple call-and-response protocol.
ARP is designed to bridge the gap between the two address layers.
0 kommentar(er)
