xStack DES-3800 Series Layer 3 Stackable Fast Ethernet Managed Switch CLI Manual
Appendix B
ARP Packet Content ACL
Address Resolution Protocol (ARP) is the standard method for finding a host's hardware address (MAC address) when only its IP
address is known. This protocol is vulnerable that crackers can spoof the IP and MAC information in the ARP packets to attack a
LAN (known as ARP spoofing). This document is intended to introduce ARP protocol, ARP spoofing attacks, and the
countermeasure brought by D-Link's switches to throttle the ARP spoofing attack.
How Address Resolution Protocol works
In the process of ARP, PC A will, firstly, issue an ARP request to query PC B’s MAC address. The network structure is shown in
Figure-1.
441
Figure-1
At the mean time, PC A’s MAC address will be written into the “Sender H/W Address” and its IP address will be written into the
“Sender Protocol Address” in ARP payload. As PC B’s MAC address is unknown, the “Target H/W Address” will be “00-00-00-00-
00-00” while PC B’s IP address will be written into the “Target Protocol Address”, shown in Table-1.
H/W
type
Protocol
type
H/W
address
length
Protocol
address
length
Operation
ARP request
Sender
H/W address
00-20-5C-01-11-11
Sender
protocol
address
10.10.10.1
Target
H/W address
00-00-00-00-00-00
Target
protocol
address
10.10.10.2
Table -1 (ARP Payload)
The ARP request will be encapsulated into Ethernet frame and sent out. As can be seen in Table-2, the “Source Address” in the
Ethernet frame will be PC A’s MAC address. Since ARP request is sent via broadcast, the “Destination address” is in a format of
Ethernet broadcast (FF-FF-FF-FF-FF-FF).
Table-2 (Ethernet frame format)
Destination
address
FF-FF-FF-FF-FF-FF
Source address
00-20-5C-01-11-11
Ether-type ARP
FCS
Port 4
Sender
Port 2
Port 1
Port 3
D
C
00-20-5C-01-33-33
10.10.10.3
00-20-5C-01-44-44
10.10.10.4
A
00-20-5C-01-11-11
10.10.10.1
B
Target
00-20-5C-01-22-22
10.10.10.2