ARP and IPv4 Protocol Fundamentals

Explore the Address Resolution Protocol (ARP) and IPv4 in computer network security. Learn about ARP messages, caching, and how ARP resolves IP addresses to MAC addresses at the data link layer. Understand the structure of Ethernet data frames and the significance of hardware and protocol sizes. Dive into the nuances of ARP requests, hardware and protocol types, and sender identification. Gain insights into how Wireshark handles MAC addresses and sender IP addresses in network communications.

  • Protocol Fundamentals
  • Network Security
  • ARP
  • IPv4
  • Ethernet

Presentation Transcript


  1. Lecture 5: PCAP Analysis Part II, ARP and IPv4 SI430 Computer Network Security

  2. SANS TCP/IP Cheat Sheet. Contains a line-by-line breakdown of the ARP, IPv4, IPv6, ICMP, TCP, and UDP headers, all common associated codes, common port numbers, tcpdump usage and options, and an acronym guide.

  3. Address Resolution Protocol (ARP)
     • Resolves network (IP) addresses to physical (MAC) addresses.
     • Operates at the data link layer (Layer 2) and interacts with the network layer (Layer 3) of the OSI model.
     • Types of messages: ARP Request, broadcast to find the MAC address for an IP address; ARP Reply, sent as a unicast response carrying the requested MAC address.
     • Caching: ARP stores resolved IP-to-MAC mappings in a cache so the lookup does not have to be repeated for every packet.
     • Works with IPv4; for IPv6 the equivalent is the Neighbor Discovery Protocol (NDP).
     • A gratuitous ARP message is a broadcast that tells all other hosts on the network about an address change.

  4. ARP Request

  5. Ethernet data frame: the data (payload) field, which carries the ARP message

  6. First ARP bytes: hardware type, a 2-byte code (0x0001 is Ethernet)

  7. Protocol type: uses the same code space as the EtherType field of the Ethernet frame; 0x0800 is IPv4

  8. Hardware and protocol sizes: 6 bytes for a MAC address (hardware), 4 bytes for an IP address (protocol)

  9. Opcode: indicates a request (1), a reply (2), or one of several less common codes listed in the documentation (e.g., RARP request 3 and RARP reply 4)

  10. Sender MAC: Wireshark will sometimes resolve the first three bytes (the manufacturer's OUI) to a vendor name in plaintext. In this case the first three bytes are in a range assigned to Universal Global, a Taiwanese electronics company.

  11. Sender IP address: the IP address of the host requesting the MAC. 0a 0a 0a 02 is 10.10.10.2.

  12. Target MAC address: zeroed out in a request, since that's what we're trying to find out.

  13. Target IP address: the IP address whose MAC we're looking for. The sender and target fields also appear in the Wireshark Info column, as "Who has 10.10.10.1? Tell 10.10.10.2".

  14. ARP Reply: same structure as the request. What are we looking at?
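Walking the same fields in code, as an added example that is not part of the lecture slides: the decoder below takes a raw Ethernet frame, checks the hardware/protocol type and size fields from slides 6 to 9, pulls out the four sender/target fields, and builds the same summary line Wireshark shows in its Info column for a request and for a reply. The two frames are constructed for this example; their MAC addresses are assumed, not taken from the lecture's capture.

```python
import struct

# Constructed frames (not from the lecture's capture): the request that
# Wireshark summarizes as "Who has 10.10.10.1? Tell 10.10.10.2" and the
# reply to it. Both MAC addresses are made up for the example.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff"  # Ethernet destination: broadcast
    "001122334455"  # Ethernet source (assumed MAC of 10.10.10.2)
    "0806"          # EtherType 0x0806 = ARP
    "0001"          # hardware type 1 = Ethernet
    "0800"          # protocol type 0x0800 = IPv4
    "0604"          # hardware size 6, protocol size 4
    "0001"          # opcode 1 = request
    "001122334455"  # sender MAC
    "0a0a0a02"      # sender IP 10.10.10.2
    "000000000000"  # target MAC: zeroed, this is what we are asking for
    "0a0a0a01"      # target IP 10.10.10.1
)
ARP_REPLY = bytes.fromhex(
    "001122334455"  # Ethernet destination: unicast back to the requester
    "66778899aabb"  # Ethernet source (assumed MAC of 10.10.10.1)
    "0806" "0001" "0800" "0604"
    "0002"          # opcode 2 = reply
    "66778899aabb" "0a0a0a01"   # sender: the host that owns 10.10.10.1
    "001122334455" "0a0a0a02"   # target: the requester
)

OPCODES = {1: "request", 2: "reply", 3: "RARP request", 4: "RARP reply"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying ARP over IPv4, field by field as on the slides."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    body = frame[22:22 + 2 * (hlen + plen)]
    sender_mac, sender_ip = body[0:6], body[6:10]
    target_mac, target_ip = body[10:16], body[16:20]
    if opcode == 1:
        info = f"Who has {ip_str(target_ip)}? Tell {ip_str(sender_ip)}"
    elif opcode == 2:
        info = f"{ip_str(sender_ip)} is at {mac_str(sender_mac)}"
    else:
        info = OPCODES.get(opcode, f"opcode {opcode}")
    return {
        "eth_dst": mac_str(eth_dst),
        "eth_src": mac_str(eth_src),
        "opcode": OPCODES.get(opcode, opcode),
        "sender_mac": mac_str(sender_mac),
        "sender_ip": ip_str(sender_ip),
        "target_mac": mac_str(target_mac),
        "target_ip": ip_str(target_ip),
        # The ARP sender MAC normally equals the Ethernet source MAC; a mismatch
        # deserves a second look, since spoofing tools do not always keep them consistent.
        "sender_matches_eth_src": sender_mac == eth_src,
        "info": info,
    }


if __name__ == "__main__":
    for frame in (ARP_REQUEST, ARP_REPLY):
        print(parse_arp(frame)["info"])
```

The `sender_matches_eth_src` flag is the one field Wireshark does not summarize for you; comparing the two MACs is a cheap first check when reviewing a capture for forged replies.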

  15. ARP Security Risks. ARP has no authentication: a host accepts whatever mapping a reply asserts, even one it never asked for.
     • ARP Spoofing (Poisoning): attackers send falsified ARP replies to associate their MAC address with a legitimate IP address, intercepting or manipulating traffic. Can lead to man-in-the-middle (MITM) attacks, data interception, or session hijacking.
     • Man-in-the-middle attacks: by poisoning ARP caches, attackers can silently intercept and modify communication between two parties.
     • Denial of Service (DoS) attacks: attackers flood the network with fake ARP requests or replies, overwhelming network resources and causing legitimate communications to fail.
     • Session Hijacking: by redirecting traffic through ARP poisoning, attackers can take over active sessions, gaining unauthorized access to sensitive systems and data.
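A small detector for the poisoning symptoms listed above, as an added example that is not from the lecture: it replays a sequence of ARP messages the way a host's cache would see them and raises an alert for a reply nobody asked for, for an IP whose MAC binding changes, and for gratuitous announcements (legitimate, but also the cheapest way to poison every cache on the segment). The event list, the MAC addresses and the two-second reply window are constructed assumptions for the example.

```python
# Constructed ARP events (not from the lecture's capture), as tuples of
# (seconds, opcode, sender_mac, sender_ip, target_ip). MACs are made up.
EVENTS = [
    (0.00, 1, "00:11:22:33:44:55", "10.10.10.2", "10.10.10.1"),  # Who has 10.10.10.1? Tell 10.10.10.2
    (0.01, 2, "66:77:88:99:aa:bb", "10.10.10.1", "10.10.10.2"),  # 10.10.10.1 is at 66:77:88:99:aa:bb
    (5.00, 2, "de:ad:be:ef:00:01", "10.10.10.1", "10.10.10.2"),  # nobody asked: attacker claims 10.10.10.1
    (6.00, 1, "aa:bb:cc:dd:ee:03", "10.10.10.3", "10.10.10.3"),  # gratuitous ARP: host announcing itself
]


def detect_arp_anomalies(events, reply_window=2.0):
    """Replay ARP traffic; return (learned ip->mac table, alerts).

    reply_window is an assumed limit (seconds) on how long after a request a
    reply is still considered solicited.
    """
    table = {}    # ip -> mac: what a victim's cache would end up holding
    pending = {}  # (target_ip, requester_ip) -> time the request was seen
    alerts = []   # (kind, time, ip, detail)

    def learn(t, ip, mac):
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(("binding_changed", t, ip, f"{old} -> {mac}"))
        table[ip] = mac

    for t, opcode, smac, sip, tip in events:
        if sip == tip:
            # Gratuitous ARP (request or reply form): the sender announces its own
            # address. Legitimate after an address change, but also a poisoning vector.
            alerts.append(("gratuitous", t, sip, smac))
            learn(t, sip, smac)
            continue
        if opcode == 1:
            pending[(tip, sip)] = t
        elif opcode == 2:
            asked = pending.pop((sip, tip), None)
            if asked is None or t - asked > reply_window:
                alerts.append(("unsolicited_reply", t, sip, smac))
            learn(t, sip, smac)
    return table, alerts


if __name__ == "__main__":
    table, alerts = detect_arp_anomalies(EVENTS)
    for alert in alerts:
        print(alert)
    print("cache would hold:", table)
```

The final table shows why the attack works: after the unsolicited reply the victim's cache maps 10.10.10.1 to the attacker's MAC, and nothing in ARP itself undoes that. Tracking request/reply pairing and binding changes is also what switch features such as dynamic ARP inspection do, with the added authority of a trusted DHCP binding table.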

  16. Internet Protocol (IPv4)
     • Defines and enables internetworking at the network layer (Layer 3).
     • Connectionless protocol; does not guarantee delivery (that is addressed by TCP at Layer 4).
     • 32-bit address, written in dotted decimal notation (e.g., 192.168.1.1), divided into four octets (8-bit segments), each ranging from 0 to 255.
     • Limited to about 4.3 billion unique addresses. This limitation led to the adoption of IPv6 (2^128 unique addresses, formatted like 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

  17. IPv4 Header

  18. IPv4 Header

  19. Version and header length: 4 = IPv4; the header length (IHL) is counted in 32-bit words, so 5 * 4 = 20 bytes. That's the standard header length, which means no options are included.

  20. Type of Service / Differentiated Services: use varies by network; today the byte carries a 6-bit DSCP value and 2 ECN bits.

  21. IP identification: packet identifier, shared by all fragments of one datagram so the receiver can reassemble them.

  22. Flags and offset: see the flag table (reserved, Don't Fragment, More Fragments). The fragment offset gives this fragment's position within the original datagram's payload, counted in 8-byte units.

  23. Time to Live (TTL): a number decremented by each router the packet passes through. When it hits 0 the packet is dropped and an ICMP Time Exceeded message is sent back to the source instead. Commonly 64 on Linux and macOS, 128 on Windows. Prevents endlessly looping packets.

  24. Protocol: identifies the Layer 4 header that follows. Here it is UDP (17).

  25. Checksum: covers the IPv4 header only, not the payload. Because the TTL changes at every hop, each router recomputes it.

  26. Source address (green) and destination address (red)
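The same header walk in code, as an added example that is not from the lecture: the parser below extracts every field from slides 19 to 26, verifies the header checksum, and models what a router does at each hop (decrement the TTL, recompute the checksum, drop the packet when the TTL would reach 0). The 20-byte header is constructed for this example; its checksum value 0xf674 was computed for exactly these bytes, and the UDP header that the total length accounts for is omitted because only the IP header is being decoded.

```python
import struct

# Constructed 20-byte IPv4 header (not from the lecture's capture): no options,
# DF set, TTL 64, protocol 17 (UDP), 10.10.10.2 -> 10.10.10.1.
IPV4_HEADER = bytes.fromhex(
    "45"        # version 4, IHL 5 (5 * 4 = 20 bytes, so no options)
    "00"        # DSCP 0, ECN 0
    "001c"      # total length 28 = 20 (IP header) + 8 (UDP header, not included here)
    "1c46"      # identification
    "4000"      # flags 010 (Don't Fragment), fragment offset 0
    "40"        # TTL 64
    "11"        # protocol 17 = UDP
    "f674"      # header checksum, computed for these exact bytes
    "0a0a0a02"  # source 10.10.10.2
    "0a0a0a01"  # destination 10.10.10.1
)

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum to write into bytes 10-11, computed with that field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return 0xFFFF ^ ones_complement_sum(zeroed)


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"version {version} is not IPv4")
    hlen = ihl * 4
    if hlen < 20 or hlen > len(pkt):
        raise ValueError(f"bad header length {hlen}")
    header = pkt[:hlen]
    return {
        "header_length": hlen,
        "options": header[20:],                       # empty when IHL == 5
        "dscp": tos >> 2,
        "ecn": tos & 0x3,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, proto),
        # A valid header, checksum field included, sums to 0xFFFF.
        "checksum_ok": ones_complement_sum(header) == 0xFFFF,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def forward_hop(pkt: bytes):
    """What each router does: decrement TTL and recompute the header checksum.
    Returns None when the TTL would reach 0, i.e. the packet is dropped and an
    ICMP Time Exceeded message would go back to the source instead."""
    if pkt[8] <= 1:
        return None
    hlen = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:hlen])
    hdr[8] -= 1
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[hlen:]


if __name__ == "__main__":
    print(parse_ipv4(IPV4_HEADER))
    print(parse_ipv4(forward_hop(IPV4_HEADER)))
```

A header whose TTL was changed without recomputing the checksum fails `checksum_ok`, which is exactly why a router cannot forward a packet without touching the checksum field; the same property makes a bad checksum in a capture a quick sign of a hand-crafted or corrupted packet.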

  27. IP Masks
     • Definition: an IP mask (subnet mask) defines the network and host portions of an IP address.
     • Common IPv4 masks: 255.0.0.0 (Class A, /8), 255.255.0.0 (Class B, /16), 255.255.255.0 (Class C, /24).
     • CIDR notation represents a subnet mask by its prefix length (e.g., /24 for 255.255.255.0). A /24 gives us 2^8 (256) addresses, 254 of them usable, since the network and broadcast addresses are reserved.
     • Masks let us divide IP networks into smaller subnets, which bounds the broadcast domain (and with it ARP's reach), supports segmentation, and optimizes network performance.
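Mask arithmetic in code, as an added example that is not from the lecture: it derives the mask, network address, broadcast address and usable-host count from a CIDR prefix with plain bit operations (rather than the `ipaddress` module, so the mask is visible), and decides whether two hosts share a subnet, which is what determines whether a host ARPs for the destination directly or for its gateway. The addresses used are constructed inputs.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def prefix_mask(prefix: int) -> int:
    """Prefix-length ones followed by host-bit zeros, e.g. /24 -> 0xFFFFFF00."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> dict:
    """Mask, network, broadcast, and address counts for an address written as a.b.c.d/n."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_mask(prefix)
    network = ip_to_int(ip) & mask             # host bits cleared
    broadcast = network | (0xFFFFFFFF ^ mask)  # host bits set
    size = 1 << (32 - prefix)
    # Network and broadcast addresses are not assignable, except on /31
    # point-to-point links (RFC 3021) and a /32 single host.
    usable = size - 2 if prefix <= 30 else size
    return {
        "mask": int_to_ip(mask),
        "prefix": prefix,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "addresses": size,
        "usable": usable,
    }


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when a host at `a` would ARP for `b` directly instead of for its gateway."""
    mask = prefix_mask(prefix)
    return ip_to_int(a) & mask == ip_to_int(b) & mask


if __name__ == "__main__":
    print(subnet_info("10.10.10.2/24"))
    print(same_subnet("10.10.10.2", "10.10.10.1", 24), same_subnet("10.10.10.2", "10.10.11.1", 24))
```

`ipaddress.ip_network("10.10.10.2/24", strict=False)` from the standard library gives the same network and address count; the hand-rolled version is here so the mask operation itself is on the page.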

  28. Other headers: ICMP (error and control messaging)

  29. Other headers: UDP

  30. Other headers: TCP
