
3607 Arp Lab

STEP 1

Ran IPconfig results:

IP address: 192.168.5.100
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.5.1

Typed arp -a. This command gave me a list of all the devices with a NIC, their IP address, and their MAC address. I also see a broadcast IP, and other IP addresses that begin with 239 and another one beginning with 224.

1.1 What entries if any are in the ARP table?

C:\windows\system32>arp -a

Interface: 192.168.5.100 --- 0xe
  Internet Address      Physical Address      Type
  192.168.5.1           00-18-f8-43-85-66     dynamic
  192.168.5.105         e8-92-a4-ed-9e-2f     dynamic
  192.168.5.109         bc-3b-af-21-b4-18     dynamic
  192.168.5.110         58-b0-35-03-32-52     dynamic
  192.168.5.111         4c-b1-99-60-2c-a4     dynamic
  192.168.5.114         30-f7-c5-1a-37-b3     dynamic
  192.168.5.116         28-37-37-a0-21-f3     dynamic
  192.168.5.118         a8-e3-ee-0c-c0-c8     dynamic
  192.168.5.119         00-22-43-4e-f4-21     dynamic
  192.168.5.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.252           01-00-5e-00-00-fc     static
  224.0.0.253           01-00-5e-00-00-fd     static
  239.192.83.80         01-00-5e-40-53-50     static
  239.192.152.143       01-00-5e-40-98-8f     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

1.2 Why are there entries or no entries?

There are entries because the ARP, or Address Resolution Protocol, is used to convert IP addresses into a physical address. It resolves network layer addresses into link layer addresses. What ARP -a does is it displays current ARP entries by interrogating the current protocol data. If more than one network interface uses ARP, entries for each ARP table are displayed.

STEP 2:

Running Wireshark Capture Interface Atheros

On my arp -a table, there is no 192.168.5.111 so I pinged it.

C:\windows\system32>ping 192.168.5.111

Pinging 192.168.5.111 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.5.111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

On my Wireshark capture, there was an ARP request for who has 192.168.5.111 and a reply came back with a MAC address.

Upon giving the command ARP -a again, at a glance right under 192.168.5.110 was 192.168.5.111 and with the same MAC address from the Wireshark capture.

2.1 Why might the first ping take longer than the rest?

The first ping might take longer than the rest because it has to find the path first by asking around. Once a path has been found, the rest follow.

Step 3:

1. ARP Ethernet & ARP Request

2. ARP Ethernet & ARP Reply

3.1 For both the ARP request and ARP reply explain each field in the Ethernet frame and in the ARP packet.

The Ethernet frame in the request displays a broadcast message that was sent to all the devices in the network to see who has the IP address 192.168.5.111. It carries the source MAC address of the sender. The destination field has Broadcast (ff:ff:ff:ff:ff:ff) and it is the MAC address to the 255.255.255.255 IP address which is the broadcast for my network. The address: Broadcast (ff:ff:ff:ff:ff:ff) is the source or destination hardware address. The source field has the information of the sending device. It has the MAC address of the machine I used to make the ARP request. And underneath that, it informs what type it is.

The Address Resolution Protocol packet header has a hardware type: field which describes the layer 2 type used. In this case it's Ethernet. The protocol type is the higher-layer protocol for which the ARP request is being used (IP). The Hardware size tells the length of the hardware address in use. It is 6 bytes for Ethernet. The protocol size tells the length of the logical address of the specified protocol type. It is 4 for Ethernet. But these two fields are one byte each. The OpCode is the operation code which tells the function of the ARP packet which would be request (1) or reply (2). The sender MAC address and IP address belong to the sender's machine and the target MAC address is left blank because this value is unknown. The target IP address is known since it is the address I pinged.

In the ARP reply, the Ethernet header has fields Destination & Address, both values are the MAC address of my machine (initially the sender, now the receiver). The source field tells the MAC address of the sender of the ARP reply. The Address Resolution Protocol packet will have the same information from Hardware type to Protocol Size. The Opcode is different this time as this is a reply to my request. This ARP reply came from the 4c:b1:99:60:2c:a4 MAC address with the IP address that I asked about. The target MAC and IP address are both the machine I am using.

3.2 Explain why the ARP process needed to take place.

The ARP processes need to take place because MAC addresses are used for communication on a single network at layer 2.

3.3 Explain the reason why the ARP request is a broadcast and the ARP reply is a unicast.

The ARP requests are broadcast because the sender doesn't know the MAC address that belongs to the IP address pinged. Therefore, it sends a message to broadcast ff:ff:ff:ff:ff:ff asking every device its IP address and MAC address. The reply comes from the machine whose IP matches the one requested and sends a reply message to the source machine. This is considered a unicast because it is sent to only one device.
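Added example, not part of the original lab report: a small Python parser that decodes the Ethernet and ARP fields discussed in 3.1 to 3.3 from raw frame bytes. The two frames are constructed from the addresses shown in this report; the all-zero target MAC in the request and the helper names (build_frame, parse_arp_frame) are assumptions made for illustration.

```python
import struct

OPCODES = {1: "request", 2: "reply"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_frame(dst, src, op, sha, spa, tha, tpa) -> bytes:
    """Build an Ethernet II frame carrying ARP (constructed sample input)."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: bytes(int(p) for p in s.split("."))
    eth = to_mac(dst) + to_mac(src) + struct.pack("!H", 0x0806)  # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, 6, 4
    return eth + arp + to_mac(sha) + to_ip(spa) + to_mac(tha) + to_ip(tpa)

def parse_arp_frame(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header and the 28-byte ARP packet."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP over IPv4")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "broadcast": dst == b"\xff" * 6,  # requests are broadcast, replies unicast
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "sender_mac": mac(sha), "sender_ip": ip(spa),
        "target_mac": mac(tha), "target_ip": ip(tpa),
        # Sanity check: the ARP sender MAC normally equals the Ethernet source.
        "src_matches_sender": src == sha,
    }

# Constructed frames using the addresses from this report.
ME, PEER = "e8:40:f2:e0:26:69", "4c:b1:99:60:2c:a4"
REQUEST = build_frame("ff:ff:ff:ff:ff:ff", ME, 1, ME, "192.168.5.100",
                      "00:00:00:00:00:00", "192.168.5.111")
REPLY = build_frame(ME, PEER, 2, PEER, "192.168.5.111", ME, "192.168.5.100")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp_frame(frame))
```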
STEP 4:

C:\windows\system32>arp -d

C:\windows\system32>arp -a

Interface: 192.168.5.100 --- 0xe
  Internet Address      Physical Address      Type
  192.168.5.1           00-18-f8-43-85-66     dynamic

After deleting my ARP table, I verified an empty table and then pinged www.google.com

STEP 5:
1. Img of wireshark capture after pinging www.google.com

5.1 Explain why the ARP request was for the default gateway and not the IP address of the ping. How did the host decide this?

The ARP request was for the default gateway and not the IP address of the ping because when an address that is not in my network is pinged, it automatically sends the request to the default gateway which is my router because it will have another table that connects the outer networks to my network.

6.1 What is the command to create a static ARP entry? Create a static ARP entry to another device on the local network. Show the commands and the outputs. What is the advantage of a static ARP entry?

The command to create a static ARP entry is:

ARP -s [IP address] [MAC address]

The advantage of a static ARP entry is that it will never change. This should be used for commonly-used devices so that there is no need to create a map to the desired device over and over again.

6.2 How long do ARP entries stay in the ARP table? Is this dependent upon the Operating System?

It is dependent on whether the device is statically or dynamically stored. Static ARP entries remain in the cache permanently, whereas dynamic ARP entries are only kept for a period of time.

6.3 Do routers have ARP tables? Do routers need to do ARP requests or ARP replies? Explain.

Yes they do. The routers need to ARP request and reply for routing internetworking traffic across gateways.

6.4 What are the advantages and disadvantages of ARP?

Advantages of ARP are that it helps extend networks. It also does not disturb the routing tables of other routers on the network. Disadvantages of ARP are that it increases traffic, hosts need larger ARP tables, security can be averted by form of spoofing, can blackhole traffic, does not work for networks that do not use ARP for address resolution.

6.5 Explain why two hosts connected to the same switch or hub must have IP addresses that belong to the same subnet in order to communicate without using a router.

Hosts with different subnets mean they belong to two different networks. With no router that can allow communication between two different networks, these hosts will not be able to communicate with each other.

6.6 Does the host that issues the ARP reply store the other host's IP address and MAC address (the sender of the ARP request) in its ARP table? How can you determine this using the protocol analyzer?

Yes because it replies with the target IP address and MAC address as the destination in the ARP packet header.

Identify the first two packets that are ARP packets.

For packets that are ARP packets fill in the following information. Convert the IP numbers to dotted decimal. Arp operation names are request and reply.

Packet: ARP
Layer 2 Dest address: e8:40:f2:e0:26:69
Layer 2 Src Address: 4c:b1:99:60:2c:a4
Layer 2 code for encapsulated data: Frame
Hardware Type: Ethernet
Layer 3 Protocol Type: IP
Hardware Addr Length: 6
Layer 3 Addr Length: 4
Arp Operation Code and Name: Code: 2, Reply
Sender Hardware address: 4c:b1:99:60:2c:a4
Sender IP address: 11000000 (192) . 10101000 (168) . 00000101 (5) . 01101111 (111)
Target Hardware Address: e8:40:f2:e0:26:69
Target IP Address: 11000000 (192) . 10101000 (168) . 00000101 (5) . 01100100 (100)

Packet: ARP
Layer 2 Dest address: ff:ff:ff:ff:ff:ff
Layer 2 Src Address: e8:40:f2:e0:26:69
Layer 2 code for encapsulated data: FRAME
Hardware Type: Ethernet (1)
Layer 3 Protocol Type: IP
Hardware Addr Length: 6
Layer 3 Addr Length: 4
Arp Operation Code and Name: Code: 1, Request
Sender Hardware address: e8:40:f2:e0:26:69
Sender IP address: 11000000 (192) . 10101000 (168) . 00000101 (5) . 01100100 (100)
Target Hardware Address: ff:ff:ff:ff:ff:ff
Target IP Address: 11000000 (192) . 10101000 (168) . 00000101 (5) . 00000001 (1)
