MAC Addressing and ARP Functionality
By: Resolution
Note: This article first appeared at our affiliate site Security-Protocols. The original article can be found here.
The Media Access Control (MAC) address, also known as an Ethernet address, is
the physical/hardware address for devices that are connected to a network,
usually a LAN. Each node connected to the network has its own unique MAC
address hard coded (burned) into its Network Interface Card (NIC) by the
manufacturer and uses this address to find and communicate with other devices on
the same network domain or wire.
The MAC address is stored in the Serial EEPROM of the Ethernet card. In addition
to holding the MAC address, the EEPROM stores a backup copy of the MAC address
and ID information, user configurable parameters, serial numbers for devices,
checksums, type of interface, and other bits of backed-up information.
The MAC address is part of the Data-Link layer of the Open Systems
Interconnection (OSI) model, which is a telecommunications standard issued by
the Institute of Electrical and Electronics Engineers (IEEE). The Data-Link
layer is part of layer 2 of the OSI model and serves the purpose of error
detection and notification, dividing data into frames, adding headers to the
frames, and ensuring that incoming data has been received successfully.
The format for a MAC address is a 6-byte (octet) hardware address written as
12 hexadecimal digits (4 bits each), grouped in pairs separated by a colon,
period, or hyphen (on some occasions no separator at all). An example would be
00:04:9B:E9:C4:A8 or 00.04.9B.E9.C4.A8, or 00-04-9B-E9-C4-A8. The digits may
range from 0-9 and the letters from A-F (letter case does not matter). The
first 3 bytes (00:04:9B) of the MAC address are called the Organizationally
Unique Identifier (OUI). The OUI identifies the manufacturer and is assigned
and administered by the IEEE; the last 3 bytes (E9:C4:A8) are a unique serial
number assigned by that manufacturer.
For this example MAC address, the vendor is Cisco Systems, Inc. You can find out
the vendor for any MAC address by visiting http://standards.ieee.org/regauth/oui/index.shtml.
Here you will find that the IEEE has set up a publicly accessible vendor search
form for MAC OUIs. If you enter the OUI of the example MAC address (00049B without
the colons) in the search field on that page, the output should be…
00-04-9B (hex) Cisco Systems, Inc.
00049B (base 16) Cisco Systems,Inc.
170 West Tasman Dr.
San Jose CA 95134
UNITED STATES
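As an added example (not part of the original article), the following Python parses a MAC address in any of the three separator styles shown above, splits it into OUI and manufacturer serial, and looks the OUI up in a small constructed table standing in for the IEEE registry. It also goes slightly beyond the text by checking the locally-administered bit, which marks an address set by software rather than burned in by the manufacturer.

```python
import re

# Constructed OUI table for this example; the authoritative source is the
# IEEE registry linked above, which returns the same entry for 00-04-9B.
OUI_VENDORS = {"00049B": "Cisco Systems, Inc."}

# Six hex pairs; the separator (colon, period, hyphen or none) is captured
# once and must then be used consistently between every pair.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:.-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Return the 12 hex digits in upper case, or None if the string is malformed."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        return None
    return re.sub(r"[:.-]", "", mac).upper()


def split_mac(mac):
    """Split a MAC into (OUI, manufacturer-assigned serial), each 3 bytes as hex."""
    digits = normalize_mac(mac)
    if digits is None:
        raise ValueError("not a MAC address: %r" % mac)
    return digits[:6], digits[6:]


def vendor_of(mac):
    """Look up the OUI; an unknown OUI is reported as such rather than guessed."""
    oui, _serial = split_mac(mac)
    return OUI_VENDORS.get(oui, "unknown OUI " + oui)


def is_locally_administered(mac):
    """True if bit 1 of the first octet is set: the address was assigned locally,
    so its OUI does not identify a manufacturer (beyond what the text covers)."""
    digits = normalize_mac(mac)
    if digits is None:
        raise ValueError("not a MAC address: %r" % mac)
    return bool(int(digits[:2], 16) & 0x02)


if __name__ == "__main__":
    for sample in ("00:04:9B:E9:C4:A8", "00.04.9b.e9.c4.a8", "00-04-9B-E9-C4-A8"):
        print(sample, "->", split_mac(sample), vendor_of(sample))
```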
There are many ways to find out the MAC address of your system if it has an
Ethernet card. The address is normally printed somewhere on the card itself,
but an easier way to find it is right from your computer's GUI or shell prompt.
On some systems there is more than one command to do this. The commands to look
up your MAC address vary from system to system, so the commands for a number of
different operating systems are listed below.
Operating System      Command To Enter At The Command/Shell Prompt
1. Windows 95         Start, Run, then type WINIPCFG. In the pull-down box do
                      not choose PPP Adapter. Choose your Ethernet adapter and
                      your MAC address will be your Adapter Address.
2. Windows (all)      ipconfig /all   (located next to Physical Address)
3. Linux              ifconfig -a     (located next to HWaddr)
4. SunOS/Solaris      ifconfig -a     (leading zeros on MAC are not printed)
5. HP-UX              lanscan         (located under Address, without colons)
6. Free/Open/NetBSD   netstat -i      (located under Address)
Remember, if these commands do not work for your system for whatever reason, you
can always look on the Ethernet card itself for the MAC address.
As stated earlier, one of the main uses for the MAC address is to uniquely
identify a device that is connected to a local area network. When one computer
wishes to connect to another computer on the same network, a protocol called the
Address Resolution Protocol (ARP) is used to map network IP addresses to MAC
addresses.
If a source computer wishes to send an IP packet to another computer on the same
LAN, already knowing the destination computer's IP address, it must first find
out the destination computer's MAC address. To do this, the source computer
first checks whether a mapping for the destination computer's MAC address is
already located within its ARP cache. The ARP cache holds mappings of IP
addresses to MAC addresses of computers on the source computer's subnet. The
command to display the ARP cache on Windows and *nix computers is "arp -a". Here
is an example of an ARP cache when viewed from a DOS prompt…
C:\WINDOWS>arp -a
Interface: 68.11.226.140 on Interface 0x2000003
  Internet Address      Physical Address      Type
  68.11.226.129         00-04-9b-e9-c4-a8     dynamic
To add to this cache we have to attempt to send a packet to a computer on the
same subnet as the source computer. The subnet for this computer is 68.11.226.x
(broadcast address 68.11.226.255), so any computer with a last octet of 1-254 on
the 68.11.226 subnet that we exchange packets with will be temporarily added to
the source computer's ARP cache. To test this we can ping a computer on the
subnet and see whether its IP and MAC address get added to the ARP cache. If we
ping, for instance, 68.11.226.145, a mapping of that computer's IP and MAC
address is added to the ARP cache. Now that we have pinged the address we can
check the ARP cache again.
C:\WINDOWS>arp -a
Interface: 68.11.226.140 on Interface 0x2000003
  Internet Address      Physical Address      Type
  68.11.226.129         00-04-9b-e9-c4-a8     dynamic
  68.11.226.145         00-04-5a-f5-d3-f7     dynamic
As you can see, since both computers are on the same subnet, the source computer
added the destination computer's IP and MAC address to its ARP cache. Pinging
68.11.226.150 and then 68.11.226.151 will add their entries to the ARP cache as
well. To check, issue the arp -a command again…
C:\WINDOWS>arp -a
Interface: 68.11.226.140 on Interface 0x2000003
  Internet Address      Physical Address      Type
  68.11.226.129         00-04-9b-e9-c4-a8     dynamic
  68.11.226.145         00-04-5a-f5-d3-f7     dynamic
  68.11.226.150         00-10-60-c1-4a-ff     dynamic
  68.11.226.151         00-e0-29-9f-37-3e     dynamic
Again, the IP and MAC addresses of the two pinged hosts were added to the ARP
cache. These dynamic entries are only temporary and have a set "time to live"
(TTL) period before they are erased (time out). The TTL period varies from
system to system, usually from 2 to 20 minutes, and is extended if more traffic
to one of these temporary entries is sent within the allotted TTL period. The
TTL period for Windows NT defaults to two minutes, Windows 2000 to 10 minutes,
and Solaris to 5 minutes. ARP cache timeouts on routers can be much longer; a
Cisco IOS router, for example, has a cache time of 4 hours. Static entries, on
computers that support them, remain in the cache table permanently or until the
computer is rebooted. The TTL period can be adjusted on most systems as well.
For security-conscious networks, it is best to configure the ARP caches on your
switches to hold static entries. Although this is not very convenient for a LAN
administrator, it prevents ARP spoofing, also called a man-in-the-middle attack:
an intruder sends spoofed ARP packets to Host A and Host B so that both hosts
believe the intruder's computer is the intended host/router and send their data
traffic through the intruder's host, where it can be sniffed and
manipulated/edited. Static ARP entries cannot be updated by incoming ARP
packets, which makes spoofed ARP packets useless.
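Static entries are the prevention side; on the detection side an administrator can compare successive snapshots of the arp -a output shown above. The following Python is an added example, not from the original article: it parses Windows-style arp -a output and flags an IP whose MAC changed between snapshots, or one MAC that answers for the gateway and other hosts at the same time. The second snapshot, and the assumption that 68.11.226.129 is the gateway, are constructed for the example.

```python
import re

# One entry line of Windows "arp -a" output: IP, hyphenated MAC, entry type.
_ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)")


def parse_arp_a(text):
    """Return {ip: (mac, type)} from 'arp -a' output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table


def arp_anomalies(previous, current, gateways=()):
    """Compare two cache snapshots and return (subject, reason) findings:
    an IP whose MAC changed (a poisoned entry looks exactly like this), and a
    MAC that now answers for a gateway as well as for other hosts."""
    findings = []
    for ip, (mac, _kind) in current.items():
        if ip in previous and previous[ip][0] != mac:
            findings.append((ip, "MAC changed from %s to %s" % (previous[ip][0], mac)))
    by_mac = {}
    for ip, (mac, _kind) in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and any(gw in ips for gw in gateways):
            findings.append((mac, "answers for gateway and %d other host(s)" % (len(ips) - 1)))
    return findings


# Snapshot 1 is the cache listing from the text; snapshot 2 is constructed so
# that the (assumed) gateway entry .129 now carries the MAC of the host at .145.
SNAPSHOT_1 = """Interface: 68.11.226.140 on Interface 0x2000003
  Internet Address      Physical Address      Type
  68.11.226.129         00-04-9b-e9-c4-a8     dynamic
  68.11.226.145         00-04-5a-f5-d3-f7     dynamic
"""
SNAPSHOT_2 = """Interface: 68.11.226.140 on Interface 0x2000003
  Internet Address      Physical Address      Type
  68.11.226.129         00-04-5a-f5-d3-f7     dynamic
  68.11.226.145         00-04-5a-f5-d3-f7     dynamic
"""


def demo():
    return arp_anomalies(parse_arp_a(SNAPSHOT_1), parse_arp_a(SNAPSHOT_2), gateways=("68.11.226.129",))
```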
The usefulness of the ARP cache becomes clear when we look at how two hosts on a
LAN send packets back and forth to one another. If a source computer on a LAN
with the IP address 10.23.34.5 wishes to send data to the destination computer
with the IP address 10.23.34.99 on the same local network, the source computer
first checks its ARP cache for a mapping of the destination computer's MAC
address. If no mapping is found in its cache, the source computer broadcasts an
ARP request carrying the destination IP address to all hosts on the local
network. Every host on the LAN sees this ARP request and compares the requested
IP address with its own. A host whose IP address does not match discards the
request. The host whose IP address does match is the destination host: it adds
the IP and MAC address of the source computer to its own ARP cache and sends the
source computer an ARP reply containing the destination computer's MAC address.
Once the source computer receives the ARP reply, it adds the destination
computer's IP and MAC address to its ARP cache. Now that the source and
destination computers know each other's IP and MAC addresses, the two hosts can
exchange IP traffic. Since both hosts have one another's IP and MAC addresses in
their ARP caches, the next time either system needs to send data it simply
searches its own ARP cache for the other host's details (if no time-out has
occurred), which eliminates the need to broadcast another ARP request across the
network. This process is explained better with a step-by-step diagram…
                                        +----------------------+
                                        | 3) Dest. found.      |
                               +------->| 4) Adds source IP,   |
                               |        |    MAC to cache.     |
                               |        | 5) Sends ARP reply   |
                               |        |    to source.        |
  Source Computer              |        +----------------------+
+-----------------------+      |        +----------------------+
| 1) Checks cache.      |      |        | 3) Dest. IP not      |
| 2) Broadcasts ARP     |------+------->|    found. Discard    |
|    req. to all hosts. |      |        |    request.          |
| 6) Adds dest. IP, MAC |      |        +----------------------+
|    to ARP cache.      |      |        +----------------------+
+-----------------------+      +------->| 3) Dest. IP not      |
                                        |    found. Discard    |
                                        |    request.          |
                                        +----------------------+
Taking an even closer look at this transaction of ARP requests and replies, one
will notice that the Address Resolution Protocol does not use an IP header.
Instead, it has its own packet format, which is encapsulated within an Ethernet
frame. To further understand what an ARP packet is composed of and what exactly
is being sent and received when a packet travels along the wire, here is a
diagram of an Ethernet frame (as defined by IEEE 802.3) with an enlarged view of
the encapsulated ARP request packet…
ETHERNET FRAME
+--------+------+-------+-------+-----+--------------+-----+--------+
|Preamble|Start | Des.  |Source |Frame|              |     |        |
|7 bytes |Frame | MAC   | MAC   |Type | Encapsulated | Pad |Ethernet|
|        |Del.  |6 bytes|6 bytes| 2B  | ARP Packet   | 18B |  CRC   |
|        | 1B   |       |       |0x806|  28 bytes    |     |4 bytes |
+--------+------+-------+-------+-----+------||------+-----+--------+
                                            _||_
                                            \  /
                                             \/
ARP REQUEST PACKET
0           8            16                     31
+-----------+------------+------------------------+
| Hardware Type = 1      | Protocol Type = 0x800  |
+-----------+------------+------------------------+
|Hardware   |Protocol    |                        |
|Address    |Address     | Operation Code = 1     |
|Length = 6 |Length = 4  |                        |
+-----------+------------+------------------------+
|         Source Hardware Address (6 bytes)       |
+-------------------------------------------------+
|         Source Protocol Address (4 bytes)       |
+-------------------------------------------------+
|      Destination Hardware Address (6 bytes)     |
+-------------------------------------------------+
|      Destination Protocol Address (4 bytes)     |
+-------------------------------------------------+
The diagrams show that ARP request/reply packets are encapsulated within the
Ethernet frame. The frame itself begins with a Preamble for synchronization, a
Start of Frame Delimiter to signify the start of the frame, the destination and
source MAC addresses, the frame type (0x806 for ARP), the encapsulated ARP
packet, padding in case extra bytes need to be appended to bring the Ethernet
frame up to its minimum size, and a CRC (cyclic redundancy check) to provide
error checking. The diagram of the ARP packet shows a Hardware/MAC address type
of 1 for Ethernet. The frame type 0x806 marks the frame as ARP (requests and
replies both use it), 0x8035 marks RARP, and 0x800 marks IP; inside the ARP
packet, the Protocol Type field holds 0x800 because the addresses being
resolved are IP addresses. The Hardware Address Length is 6 bytes for Ethernet
while the Protocol Address Length is 4 bytes for TCP/IP. The Operation Code is
1 for an ARP request and 2 for an ARP reply (ARP request and ARP reply use the
same packet format, which is why the request diagram shows Operation Code = 1).
The rest is self-explanatory.
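To make the two diagrams concrete, here is an added Python example (not from the original article) that packs an ARP request and the matching reply into Ethernet frames exactly as laid out above and decodes them again. The preamble, start delimiter and CRC are left out because the NIC adds and strips them; the MAC addresses are the ones from the arp -a listings and the IP addresses are those of the 10.23.34.x walkthrough.

```python
import struct

ETHERTYPE_ARP = 0x0806   # Ethernet frame type for ARP; requests and replies both use it
PTYPE_IP = 0x0800        # ARP Protocol Type field: the addresses being resolved are IP
HTYPE_ETHERNET = 1
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
MIN_PAYLOAD = 46         # 28-byte ARP packet + 18 pad bytes, as in the frame diagram
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa = 28 bytes

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))

def ip_bytes(s):
    return bytes(int(octet) for octet in s.split("."))

def fmt_mac(b):
    return ":".join("%02x" % x for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def build_arp_frame(op, sender_mac, sender_ip, target_ip, target_mac=None):
    """Ethernet header + ARP packet + pad (preamble, SFD and CRC are added by the
    NIC). A request is broadcast with an all-zero target MAC; a reply is unicast."""
    if op == OP_REQUEST:
        dst, tha = BROADCAST_MAC, b"\x00" * 6
    else:
        dst = tha = mac_bytes(target_mac)
    arp = struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IP, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip), tha, ip_bytes(target_ip))
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    return eth + arp + b"\x00" * (MIN_PAYLOAD - len(arp))

def parse_arp_frame(frame):
    """Decode the diagram's fields; None if the frame is not IP-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IP, 6, 4):
        return None
    return {"op": op, "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}

# The exchange from the text: 10.23.34.5 asks who has 10.23.34.99 and gets a reply.
REQUEST = build_arp_frame(OP_REQUEST, "00-04-5a-f5-d3-f7", "10.23.34.5", "10.23.34.99")
REPLY = build_arp_frame(OP_REPLY, "00-10-60-c1-4a-ff", "10.23.34.99", "10.23.34.5", target_mac="00-04-5a-f5-d3-f7")
```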
There is also the Reverse Address Resolution Protocol (RARP), outlined in RFC
903, which does the opposite of ARP: it allows a host to find its IP address
when only its MAC address is known. This protocol uses the same packet format
as the Address Resolution Protocol (except that now the MAC address is the
known parameter and the frame type is 0x8035 for RARP), but is a completely
different protocol altogether. RARP works by allowing diskless nodes that are
connected to an Ethernet network and do not know their own IP addresses when
booting up to request their protocol addresses by broadcasting a RARP request
packet (Operation Code 3 in the ARP packet diagram) to special RARP servers on
the network that hold databases of MAC address to IP address mappings. A RARP
server cross-references the MAC address found in the RARP request packet with
the mappings in its database. If a match is found, the RARP server sends the IP
address back to the host in a RARP reply packet (Operation Code 4 in the ARP
packet diagram). RARP has since been superseded by the Bootstrap Protocol
(BOOTP), defined in RFC 951, whereby a host connects to a BOOTP server in the
same manner it would to a RARP server, and BOOTP and RARP have both been
superseded by the Dynamic Host Configuration Protocol (DHCP), which allows a
device to be given a different protocol address each time it connects to the
network.
In closing, I hope that, having read this, you now have a better understanding
of the MAC address and the use of the Address Resolution Protocol. The purpose
of putting this paper together was purely as a learning exercise for the reader,
as well as for myself, and I hope that this paper and I have succeeded in that
goal.
References and Related Documents:
RFC 826: An Ethernet Address Resolution Protocol, or Converting Network Protocol
Addresses to 48-bit Ethernet Addresses for Transmission on Ethernet Hardware.
ftp://ftp.isi.edu/in-notes/rfc826.txt
RFC 903: Reverse Address Resolution Protocol.
ftp://ftp.isi.edu/in-notes/rfc903.txt
Address Resolution Protocol (ARP), Windows 2000 documentation.
http://www.microsoft.com/windows2000/en/datacenter/help/sag_tcpip_und_arp.htm