Remember that each network interface maintains a table of (IP->MAC) mappings in its ARP cache. The ARP protocol packet has the following structure:
There are two types of ARP packets: request and reply. The type is determined by the Operation Code field. The tabel below shows a scenario of normal operation:
- Host A sends an ARP request looking for the MAC address of Host B
- Host B responds with ARP reply.
| Field | ARP Request | ARP Reply |
|---|---|---|
| Source MAC | MAC of Host A | MAC of Host B |
| Source IP | IP of Host A | IP of Host B |
| Destination MAC | 00:00:00:00:00:00 | MAC of Host A |
| Destination IP | IP of Host B | IP of Host A |
| Operation Code | 1 | 2 |
This ARP packet is encapsulated in an Ethernet frame with the following values:
| Field | Payload: ARP Request | Payload: ARP Reply |
|---|---|---|
| Source MAC | MAC of Host A | Mac of Host B |
| Destination MAC | ff:ff:ff:ff:ff:ff (the broadcast MAC) | Mac of Host A |
Normally an ARP request is sent because the sender wants to talk to a given IP address and needs to find out the associated MAC address. But sometimes the sender generates an ARP packet to inform the receivers about some information, instead of asking for information. This is called gratuitous ARP and is commonly used in the following situations:
- Duplicate address detection
- Change of MAC address
- Virtual IP
Routers and other network hardware may cache routing information gained from multiple gratuitous ARP packets. Read this page for more information. For gratuitous ARP packets, the source IP and destination IP fields are both equal to the sender’s IP. The sender MAC field is equal to the sender’s MAC. The operation code and recipient MAC fields may vary.
The implementation of the ARP protocol is so simple and straightforward that the receipt of an ARP reply at any time, even when there are no ARP requests outstanding, causes the receiving computer to add the newly received information to its ARP cache. This can be both a gratuitous or ‘normal’ ARP reply. Consequently, if the gateway computer were to receive a spoofed (fake) ARP reply from an attacking computer claiming that it was assigned an IP that belonged to some other computer, the gateway would trustingly and blindly replace its current correct entry with the maliciously misleading replacement! This is called ARP cache poisoning.
Another problem occurs if the malicious attacking computer were to send a similar ARP reply to the computer being hijacked, maliciously replacing the ARP cache entry for the gateway computer, then any subsequent traffic bound for the gateway would instead be sent to the attacking computer. If the attacker forwards any of the redirected traffic it receives onto the proper original computer — after inspecting and perhaps even modifying the data — neither of the intercepted computers will detect that all of their communications is now being relayed through an unknown and probably malicious intermediary computer. This is commonly referred to as a man-in-the-middle attack.
Manipulating the ARP Cache in Windows and Linux
Both Windows and Linux have a tool called arp. I tested this with Windows 7 and Linux kernel 2.6.31, but this information should be true for just about every OS version since the dawn of TCP/IP.
| Command | Windows | Linux |
|---|---|---|
| Display entries | arp -a | arp |
| Delete entry | arp -d <ip> | arp -d <ip> arp -d <hostname> |
| Clear all entries | arp -d * | not supported |
| Add an entry | arp -s <ip> <mac> | arp -s <ip> <mac> arp -s <hostname> <mac> |
| Show help | arp /? | arp –help |
Be aware that there is one ARP cache (table) per interface, as opposed to the routing table, which is global for the system.
Open an elevated command prompt (you need administrator rights). Now you can type arp to execute the Windows ARP cache manager.
Display the current ARP entries for each interface with arp -a:
C:\>arp -a Interface: 232.19.232.231 --- 0xb Internet Address Physical Address Type 232.19.232.2 22-22-2c-27-ac-22 dynamic 232.19.232.22 22-21-f3-23-3e-23 dynamic 232.19.232.32 22-29-33-c1-c2-24 dynamic 232.19.232.91 22-2d-29-a9-33-17 dynamic 232.19.232.231 22-22-29-c2-22-b7 dynamic 232.19.232.242 22-cf-32-f2-1e-b2 dynamic 232.19.232.249 22-22-11-2f-2c-7e dynamic
Use arp -d * to clear the ARP cache for all interfaces:
C:\>arp -d *
To add a permanent (static) entry to the arp cache use: arp -s <ip> <mac>.
arp -s 1.2.3.4 00-aa-00-62-c6-09
This command will insert an entry into the ARP table that states: the host with IP address 1.2.3.4 can be found at hardware address 00:aa:00:62:c6:09.
This tool is pretty much the same as the windows version. The main difference is that it cannot clear the entire ARP cache, it can only delete single entries. You can create a script to delete all entries, or simply reboot to clear the cache.
ARP cache entries can be dynamic (based on ARP Replies) or static (manually added). Dynamic ARP cache entries have a time-out value associated with them to remove entries in the cache after a specified period of time.
- Windows
- On Windows, static ARP entries are permanent (until reboot) and are manually added by the user using a TCP/IP utility such as the ARP utility. Every multicast and broadcast IP has a fixed Ethernet address associated with it, so these are also added as static entries.
- From what I could find, dynamic ARP cache entries for Windows are given a maximum time of 10 minutes before being removed.
- Linux
- The ARP cache mechanics are rather complicated in Linux: there are eight different states an entry can be in. Look here and there for more information.
- From the Linux command line, Information on the status of ARP entries can be retrieved with the following command:
$ /sbin/ip -s neigh 234.59.263.247 dev eth4 lladdr 44:4e:a6:f5:f2:2a ref 2 used 44/44/35 STALE 234.59.275.4 dev eth4 lladdr 44:25:27:a2:ed:24 ref 2 used 44/44/27 STALE