Wireshark can capture and decode the traffic of TCP/IP protocols step by step. In this section, we will revisit the communication process of the ARP protocol while learning how to read it in Wireshark.
ARP (Address Resolution Protocol) is a TCP/IP protocol used to obtain a physical (MAC) address from an IP address.
When a host needs to send data, it broadcasts an ARP request containing the target IP address to all hosts on the local network and waits for a reply that carries the target's physical address. On receiving the reply, it stores the IP address and physical address pair in its local ARP cache and keeps it for a certain period; the next time it needs that mapping it consults the ARP cache directly, saving resources.
In the Wireshark interface, we can see packets numbered 19 and 20, which are a pair of standard ARP request and response packets.
Open the ARP request packet:
Ethernet II part:
The value of the Destination (target physical address) field is: ff:ff:ff:ff:ff:ff, indicating that this Ethernet frame is a broadcast frame, which is consistent with the ARP request packet being sent as a broadcast.
The value of the Source (source physical address) field is: 00:0c:29:7f:da:7b, which is the physical address of the sending host and matches the value of the ARP protocol’s Sender MAC address field.
The Type field is: ARP (0x0806), indicating that this Ethernet frame encapsulates an ARP protocol packet.
ARP protocol part:
The first four fields give the type and length of the physical (hardware) and logical (protocol) addresses.
The fifth field, Opcode, has the value 1, indicating an ARP request message.
The next four fields are the sender's physical and IP addresses, and the target's physical and IP addresses.
Note that the target physical address is all zeros: this field is exactly what the ARP request is trying to obtain, so, being unknown at this point, it is filled with zeros.
Open the ARP response packet:
In the Ethernet II part:
The value of the Destination (target physical address) field is exactly the value of the Source field in the ARP request message; in other words, this ARP response answers the previous ARP request. This value also matches the ARP protocol's Target MAC address field.
The value of the Source (source physical address) field is the physical address of the responding host, and it matches the ARP protocol's Sender MAC address field.
Padding is a fill field, used to pad the Ethernet frame to the minimum frame length.
In the ARP protocol part:
The first four fields call for no further comment.
The fifth field, Opcode, is 2, indicating that this is an ARP response packet.
Of the last four fields, the sender MAC address is exactly the physical address that the ARP request was looking for, and the sender IP address is exactly the target IP address of the ARP request packet. The target physical address and target IP address match the sender physical address and sender IP address of the ARP request packet.
Walking through this exchange deepens our understanding of ARP requests and replies, and at the same time of how Wireshark decodes packets field by field.
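The request/reply relationships walked through above can be checked mechanically. The following is an added example, not code from the original page: it builds two constructed frames (the requester's MAC is the one shown in the capture; the IP addresses and the responder's MAC are made up), parses the Ethernet II header and the ARP fields in the order Wireshark displays them, and then evaluates each consistency rule the text states. The `build_arp_frame`, `parse_arp_frame` and `check_arp_pair` functions are this example's own names.

```python
"""Parse Ethernet II + ARP frames and check a request/reply pair.

Added example, not from the original page. The frames below are constructed;
only their layout follows the fields described in the text: Ethernet dst/src/
type, then hardware type, protocol type, hardware size, protocol size, opcode,
sender MAC/IP, target MAC/IP, and optional padding.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP message."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    # Hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), 6-byte MAC, 4-byte IP.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    frame = eth + arp
    # Pad to the 60-byte Ethernet minimum (FCS excluded); this is the Padding
    # field Wireshark shows on the reply.
    return frame + b"\x00" * max(0, 60 - len(frame))


def parse_arp_frame(frame):
    """Return the Ethernet and ARP fields of a frame; ValueError if it is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{etype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:42]
    return {
        "eth_dst": mac_str(dst),
        "eth_src": mac_str(src),
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
        "padding_len": len(frame) - 42,
    }


def check_arp_pair(req, rep):
    """Evaluate the request/reply relationships described in the text."""
    return {
        "request_is_broadcast": req["eth_dst"] == "ff:ff:ff:ff:ff:ff",
        "request_opcode": req["opcode"] == ARP_REQUEST,
        "request_target_mac_zero": req["target_mac"] == "00:00:00:00:00:00",
        "request_eth_src_matches_sender": req["eth_src"] == req["sender_mac"],
        "reply_opcode": rep["opcode"] == ARP_REPLY,
        "reply_eth_dst_is_request_src": rep["eth_dst"] == req["eth_src"],
        "reply_eth_src_matches_sender": rep["eth_src"] == rep["sender_mac"],
        "reply_answers_requested_ip": rep["sender_ip"] == req["target_ip"],
        "reply_target_is_requester": (rep["target_mac"] == req["sender_mac"]
                                      and rep["target_ip"] == req["sender_ip"]),
    }


# Constructed sample pair: the requester MAC is the one seen in the capture;
# the IPs and the responder MAC are invented for this example.
REQUEST = build_arp_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:7f:da:7b", ARP_REQUEST,
                          "00:0c:29:7f:da:7b", "192.168.1.10",
                          "00:00:00:00:00:00", "192.168.1.1")
REPLY = build_arp_frame("00:0c:29:7f:da:7b", "aa:bb:cc:dd:ee:01", ARP_REPLY,
                        "aa:bb:cc:dd:ee:01", "192.168.1.1",
                        "00:0c:29:7f:da:7b", "192.168.1.10")

if __name__ == "__main__":
    req, rep = parse_arp_frame(REQUEST), parse_arp_frame(REPLY)
    for name, fields in (("request", req), ("reply", rep)):
        print(name, fields)
    for rule, ok in check_arp_pair(req, rep).items():
        print(f"{rule:36s} {'ok' if ok else 'MISMATCH'}")
```

A rule that evaluates to false on real traffic is exactly the kind of thing worth looking at in a capture: a reply whose Ethernet source does not match its Sender MAC address, or a reply for an IP that no outstanding request asked about, is not what the normal exchange above produces.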