Address Resolution Protocol (ARP)
The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3 (protocol) and a layer 2 (hardware) address. A typical use is the mapping of an ["IP"] address (e.g. 192.168.0.10) to the underlying ["Ethernet"] address (e.g. 01:02:03:04:05:06). You will often see ARP packets at the beginning of a conversation, as ARP is the way these addresses are discovered.
ARP can be used for Ethernet and other LANs, ATM, and a lot of other underlying physical addresses (the list of hardware types in the [http://www.iana.org/assignments/arp-parameters ADDRESS RESOLUTION PROTOCOL PARAMETERS] document at the ["IANA"] Web site includes at least 33 hardware types).
ARP is used to dynamically build and maintain a mapping database between link local layer 2 addresses and layer 3 addresses. In the common case this table maps Ethernet addresses to IP addresses. This database is called the ["ARP Table"]. Dynamic entries in this table are often cached with a timeout of up to 15 minutes, which means that once a host has ARPed for an IP address it will remember the mapping for the next 15 minutes before it has to ARP for that address again.
A peculiarity of ARP is that, since it tries to reduce/limit the amount of network traffic used for ARP, a host MUST use all available information in any ARP packet it receives to update its ["ARP Table"]. Sometimes a host thus sends out ARP packets NOT in order to discover a mapping, but to use this side effect of ARP and preload the ARP table of a different host with an entry. These special ARP packets are referred to as ["Gratuitous ARP"]s, and Wireshark will detect and flag the most common versions of such ARPs in the packet summary pane.
["Gratuitous ARP"]s are more important than one would normally suspect when analyzing captures. So dont just ingore them or filter out ARP from your capture immediately. Consider that a normal host will always send out a ["Gratuitous ARP"] the first thing it does after the link goes up or the interface gets enabled, which means that almost everytime we see a ["Gratuitous ARP"] on the network, that host that sent it has just had a link bounce or had its interface disabled/enabled. This is very useful information when troubleshooting networks. Remember though that you can only see these ["Gratuitous ARP"]s or any other ARPs for that matter if your capture device is in the same ["Broadcast Domain"] as the host that originates the ARP packet.
Several viruses send a lot of ARP traffic in an attempt to discover hosts to infect; see the ArpFlooding page.
[http://www.ietf.org/rfc/rfc826.txt RFC 826] "An Ethernet Address Resolution Protocol" was released in November 1982.
Layer 2 protocols:
- ["ATM"]: ARP can use ["ATM"] as its transport mechanism.
- ["Ethernet"]: ARP can use ["Ethernet"] as its transport mechanism. The assigned Ethernet type for ARP traffic is 0x0806.
- Other LANs: ARP can also be used on Token Ring, FDDI, and IEEE 802.11; the same assigned type is used.
- ... and a lot more!
Layer 3 protocols:
- ["IP"]: ARP can map ["IP"] addresses to layer 2 addresses.
XXX - Add example traffic here (as plain text or Wireshark screenshot).
The ARP dissector is fully functional.
- ["Detect ARP request storms."] Default OFF
- ["Number of requests to detect during period."] Default 30
- ["Detection period (in ms)."] Default 100
- ["Detect duplicate IP address configuration."] Default TRUE
Example capture file
- attachment:SampleCaptures/arp-storm.pcap Problem with example capture file. No responses were included.
A complete list of ARP display filter fields can be found in the [http://www.wireshark.org/docs/dfref/a/arp.html display filter reference].
Show only the ARP based traffic:
arp
Filtering only on ARP packets is rarely used, as you won't see any IP or other packets. However, it can be useful as part of a larger filter string.
You can filter ARP protocols while capturing.
Capture only the ARP based traffic:
ether proto \arp
Capturing only ARP packets is rarely used, as you won't capture any IP or other packets. However, it can be useful as part of a larger filter string.
[http://www.ietf.org/rfc/rfc826.txt RFC 826] "An Ethernet Address Resolution Protocol"
At which event is an entry in the ARP table removed/replaced, if the host detects problems sending packets to the entry's host? I would think it doesn't take 15 minutes in that case. - Ulf Lamping
Could someone explain ARP flooding and other attacks on the ARP layer to capture packets not dedicated to the capturing host? - Ulf Lamping