Computer Networking Study Notes (4): the arp command

What ARP is

The Address Resolution Protocol (ARP) is a TCP/IP protocol that obtains a physical (MAC) address from an IP address. When a host sends data, it broadcasts an ARP request containing the target IP address to every host on the local network and waits for the reply, which tells it the target's physical address. Once the reply arrives, the host stores the mapping between that IP address and physical address in its local ARP cache for a period of time, so that later requests can be answered from the cache instead of repeating the exchange.

ARP is built on the assumption that the hosts on a network trust one another: any host on the LAN may send an ARP reply on its own initiative, and a host receiving a reply records it in its ARP cache without checking that the reply is genuine. An attacker can therefore send forged ARP replies to a host so that the traffic it sends never reaches the intended host, or reaches the wrong one; this is what constitutes ARP spoofing.

The arp command is used to query the IP-to-MAC address mappings in the local ARP cache and to add or delete static mappings. Related protocols are RARP and proxy ARP; NDP replaces ARP in IPv6.

arp command syntax

    arp [-n] [-i interface] hostname
    arp [-n] [-i interface] -a
    arp -d hostname [pub]
    arp -d [-i interface] -a
    arp -s hostname ether_addr [temp] [blackhole | reject] [pub [only]]
    arp -S hostname ether_addr [temp] [blackhole | reject] [pub [only]]
    arp -f filename

Option descriptions

-a
    The program displays or deletes all of the current ARP entries.

-d
    A super-user may delete an entry for the host called hostname with the -d flag. If the pub keyword is specified, only the "published" ARP entry for this host will be deleted. Alternatively, the -d flag may be combined with the -a flag to delete all entries.

-i interface
    Limit the operation scope to the ARP entries on interface. Applicable only to the following operations: display one, display all, delete all.

-n
    Show network addresses as numbers (normally arp attempts to display addresses symbolically).

-s hostname ether_addr
    Create an ARP entry for the host called hostname with the Ethernet address ether_addr. The Ethernet address is given as six hex bytes separated by colons. The entry will be permanent unless the word temp is given in the command. If the word pub is given, the entry will be "published"; i.e., this system will act as an ARP server, responding to requests for hostname even though the host address is not its own. In this case the ether_addr can be given as auto, in which case the interfaces on this host will be examined, and if one of them is found to occupy the same subnet, its Ethernet address will be used. If the only keyword is also specified, this will create a "published (proxy only)" entry. This type of entry is created automatically if arp detects that a routing table entry for hostname already exists. If the reject keyword is specified, the entry will be marked so that traffic to the host will be discarded and the sender will be notified that the host is unreachable. The blackhole keyword is similar in that traffic is discarded but the sender is not notified. These can be used to block external traffic to a host without using a firewall.

-S hostname ether_addr
    Is just like -s except that any existing ARP entry for this host will be deleted first.

-f filename
    Cause the file filename to be read and multiple entries to be set in the ARP tables. Entries in the file should be of the form

        hostname ether_addr [temp] [blackhole | reject] [pub [only]]

    with argument meanings as given above. Leading whitespace and empty lines are ignored. A '#' character will mark the rest of the line as a comment.

How it works

The following description is cited from Baidu Baike.

Host A has IP address 192.168.1.1 and MAC address 0A-11-22-33-44-01;

Host B has IP address 192.168.1.2 and MAC address 0A-11-22-33-44-02;

When host A wants to communicate with host B, ARP resolves host B's IP address (192.168.1.2) to host B's MAC address. The process is as follows:

  • Step 1: Based on the routing table on host A, IP determines that the forwarding IP address used to reach host B is 192.168.1.2. Host A then checks its local ARP cache for a MAC address matching host B.

  • Step 2: If host A finds no mapping in its ARP cache, it asks for the hardware address of 192.168.1.2 by broadcasting an ARP request frame to every host on the local network. The source host A's IP address and MAC address are both included in the ARP request. Every host on the local network receives the ARP request and checks whether the requested IP address matches its own; a host whose IP address does not match discards the ARP request.

  • Step 3: Host B determines that the IP address in the ARP request matches its own and adds the mapping of host A's IP address and MAC address to its local ARP cache.

  • Step 4: Host B sends an ARP reply containing its MAC address directly back to host A.

  • Step 5: When host A receives the ARP reply from host B, it updates its ARP cache with the mapping of host B's IP address and MAC address. Cache entries have a lifetime; once it expires, the process above is repeated. Once host B's MAC address is known, host A can send IP traffic to host B.

Hands-on

Run arp -a to view the current ARP cache:

╭─xjh@xjh.local ~
╰─➤  arp -a
? (10.160.3.146) at 98:22:ef:40:39:bb on en0 ifscope [ethernet]
? (10.160.14.121) at 9e:2d:c2:bb:b1:92 on en0 ifscope [ethernet]
? (10.160.37.2) at e4:a7:c5:c5:f3:4 on en0 ifscope [ethernet]

Run sudo arp -ad to flush the machine's ARP cache; this command has to be run as the root user.

╭─xjh@xjh.local ~
╰─➤  sudo arp -ad
Password:
10.160.22.10 (10.160.22.10) deleted
10.160.37.2 (10.160.37.2) deleted
10.160.90.127 (10.160.90.127) deleted

In general, the ARP cache usually contains an entry for the gateway, and that entry is of the dynamic type.

Suppose the current gateway has IP address 192.168.0.1 and MAC address 5c-d9-98-f1-89-64. Use the command arp -s 192.168.0.1 5c-d9-98-f1-89-64 to set its entry to the static type.
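As an added example (not part of the original post), the following Python script parses the `arp -a` output format shown above, zero-pads the unpadded bytes macOS prints (such as `f3:4`), and audits the cache the way a defender would after pinning the gateway: it checks that the gateway IP still resolves to the expected MAC and flags any MAC address that several IPs resolve to, which is the trace a forged ARP reply leaves in the cache. The sample output and the expected gateway mapping are constructed; the dash-separated form used in the `arp -s` example is accepted alongside the colon form the -s description requires.

```python
import re
from collections import defaultdict

# Constructed sample in the format macOS/BSD `arp -a` prints, including an
# unpadded byte ("f3:4") and two IPs that resolve to the same MAC address.
SAMPLE_ARP_OUTPUT = """\
? (192.168.0.1) at 5c:d9:98:f1:89:64 on en0 ifscope [ethernet]
? (10.160.37.2) at e4:a7:c5:c5:f3:4 on en0 ifscope [ethernet]
? (192.168.0.23) at 5c:d9:98:f1:89:64 on en0 ifscope [ethernet]
"""
# Hypothetical expected gateway mapping, as pinned with `arp -s` above.
GATEWAY_IP = "192.168.0.1"
GATEWAY_MAC = "5c-d9-98-f1-89-64"

# Matches "(ip) at mac on iface"; "(incomplete)" entries do not match.
ENTRY_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) on (?P<iface>\S+)")


def normalize_mac(mac):
    """Accept colon- or dash-separated MACs; zero-pad each byte, lower-case."""
    parts = re.split(r"[:-]", mac)
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac}")
    return ":".join(p.zfill(2).lower() for p in parts)


def parse_arp_table(text):
    """Return (ip, mac, interface) tuples from `arp -a` output."""
    return [(m["ip"], normalize_mac(m["mac"]), m["iface"])
            for m in map(ENTRY_RE.search, text.splitlines()) if m]


def audit_arp_table(text, gateway_ip, gateway_mac):
    """Report anomalies: gateway MAC changed, or one MAC claimed by several IPs."""
    expected = normalize_mac(gateway_mac)
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, _ in parse_arp_table(text):
        if ip == gateway_ip and mac != expected:
            findings.append(f"gateway {ip} resolves to {mac}, expected {expected}")
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} is claimed by {len(ips)} IPs: {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in audit_arp_table(SAMPLE_ARP_OUTPUT, GATEWAY_IP, GATEWAY_MAC):
        print("WARNING:", finding)
```

On a real machine, feed the script the output of `arp -a` and the gateway mapping you pinned; an empty findings list means the cache still matches what you set.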

Related knowledge

Further reading

ARP was designed without security in mind, which is why the widely discussed "network scanning", "intranet penetration", "man-in-the-middle interception", "LAN traffic control", "traffic spoofing" and so on are in fact all related to ARP spoofing.

So what is ARP spoofing, what are the consequences once it happens, and how should we defend against it? The Wikipedia article is given here for anyone who wants to learn more.
