ICMP/ARP protocol analysis and ARP spoofing

ICMP

ICMP (Internet Control Message Protocol) is an Internet control message protocol. It is a sub-protocol of the TCP/IP protocol suite, used to transmit control messages between IP hosts and routers. Control messages refer to network messages such as whether the network is connected, whether the host is reachable, and whether the route is available. Although these control messages do not transmit user data, they play an important role in the transmission of user data.

The functions of ICMP protocol are as follows:

• Confirm whether the IP packet reaches the destination address
• Notify the reason why the IP packet was discarded during the sending process

ICMP messages are divided into two categories: one is ICMP query message; the other is ICMP error report message

Common ICMP types

The situation where ICMP error messages are not sent:

• Do not send ICMP error messages for all IP fragment messages after the first IP fragment
• Do not send ICMP messages for datagrams with multicast addresses
• Do not send ICMP error messages to clients with special addresses (127.0.0.0 or 0.0.0.0)

The ICMP protocol is often used in the ping and tracert commands:

• The ping command uses ICMP echo request and reply messages: The packet network detection command ping used in the network reachability test can generate ICMP echo request and reply messages. The destination host immediately sends back a reply message after receiving the ICMP echo request message. If the source host can receive the ICMP echo reply message, it means that the network reaching the host is normal.
• The tracert command is mainly used to display the path that the data packet takes to reach the destination host. By executing a tracert command to the other host, the detailed information of the path that the data packet takes to reach the destination host is returned, and the time consumed by each path is displayed.

For example:

ICMP Destination Unreachable

Look at the echo request and echo response messages

icmp request

icmp reply

ARP Protocol

Address Resolution Protocol (ARP) queries the MAC address of the target device by using the IP address of the target device.

Communication process:

• Host A wants to communicate with host B. First, it needs to know the MAC address of host B, so it will send an ARP broadcast.
• When other hosts receive the message and find that it is not their own, they will discard it.
• After Host B unpacks the packet, it finds that it is the one being addressed, so it responds with a unicast message and records it in its own ARP cache table.

ARP parsing

ARP Table

Proxy ARP

Proxy ARP generally uses a gateway device to respond to another device's ARP request using its own MAC address.

Why do we need proxy ARP?

First, you need to understand that one of the important functions of a router is to isolate broadcast domains and prevent the spread of broadcast packets, otherwise it will cause a network storm.

The ARP request is a broadcast packet. If the target address is in the same LAN, a response will be received. But what if the target address is not in the same LAN? The router provides proxy ARP to solve this problem.

Proxy ARP

There are two hosts, PC1 and PC2. When PC1 sends an ARP request for PC2's MAC address, the ARP request can only reach the router because the router does not forward broadcast packets. If the router has the proxy ARP function enabled and knows that PC2 belongs to the network it is connected to, the router will use its own interface's MAC address instead of PC2's MAC address to make an ARP reply to the host PC1.

RARP Protocol

The Reverse Address Resolution Protocol allows a physical machine on a LAN to request its IP address from the ARP table or cache of a gateway server, i.e. to find an IP address based on its MAC address.

RARP

Free ARP

When obtaining or changing an IP address, an ARP is sent out, but the target IP of the request is local.

A host can use it to determine whether another host has the same IP address. Normally, sending a free ARP request will not receive an ARP reply. If an ARP reply is received, it means that there is a host with the same IP address as the local host in the network, and an address conflict has occurred.

ARP spoofing

A forged gateway MAC address and IP address correspondence table is broadcasted to other hosts in the LAN through broadcasting. After receiving this forged information, other hosts in the LAN will update their ARP tables. In this way, when these hosts send packets outward, although they will send packets according to the correct gateway IP address, they are actually sent to a wrong MAC address, resulting in the inability to send packets out, resulting in the inability to access the Internet, etc.

You can set a static MAC->IP mapping table to stop receiving broadcast ARP information.