ARP Discover Understanding Outgoing & Incoming Packets

Introduction

Discovering devices on a network is a critical task for network administrators and security experts. In this article, we will learn how to perform ARP (Address Resolution Protocol) discovery using the Python Scapy library and explore how we can use it to find devices on the network.

Learning Objectives

• Gain basic knowledge about the operation of the ARP protocol
• Understand outgoing and incoming ARP packets
• Learn the process of detecting devices on the network

A Brief Introduction to ARP

ARP (Address Resolution Protocol) is a network protocol used to translate IP addresses into MAC addresses. ARP discovery is commonly used to find devices on a network. For more, you can check here.

Outgoing ARP Packet (ARP Request):

First, our program sends ARP requests to devices in a specific IP range. This request is sent to learn the MAC addresses of devices with the target IP address. Let’s now examine the outgoing ARP request(Mac Changer):

###[ Ethernet ]###
  dst       = ff:ff:ff:ff:ff:ff
  src       = **:5d:**:7c:**:12
  type      = ARP
###[ ARP ]###
     hwtype    = Ethernet (10Mb)
     ptype     = IPv4
     hwlen     = None
     plen      = None
     op        = who-has
     hwsrc     = **:5d:**:7c:**:12
     psrc      = 192.168.1.104
     hwdst     = 00:00:00:00:00:00
     pdst      = Net("192.168.1.0/24")
     load      = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

The above packet represents an ARP request. It contains an Ethernet frame with the destination MAC address ff:ff:ff:ff:ff:ff. The ARP packet is sent with the who-has operation code, meaning it queries the MAC address of the target. The MAC address of the sender device is set to **:5d:**:7c:**:12, and the IP address is 192.168.1.104. hwtype specifies the Ethernet (10Mb) hardware type, ptype specifies the IPv4 protocol type, hwlen and plen specify the lengths of hardware and protocol addresses. The load part represents the padding payload.

Incoming ARP Packet (ARP Reply):

In response to the ARP request sent, devices with the target IP address send ARP replies. These replies contain the information of the target MAC address. Here is the content of an ARP reply:

###[ Ethernet ]###
  dst       = **:5d:**:7c:**:12
  src       = **:fa:**:51:**:50
  type      = ARP
###[ ARP ]###
     hwtype    = Ethernet (10Mb)
     ptype     = IPv4
     hwlen     = 6
     plen      = 4
     op        = is-at
     hwsrc     = **:fa:**:51:**:50
     psrc      = 192.168.1.1
     hwdst     = **:5d:**:7c:**:12
     pdst      = 192.168.1.104
     load      = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

The above packet represents an ARP reply. This packet is sent with the is-at operation code, meaning it is a response to the MAC address of the target. The MAC address of the responding device is **:fa:**:51:**:50, and the IP address is 192.168.1.1. The packet is carried by an Ethernet frame with the MAC address of the sender device set to **:5d:**:7c:**:12.

Conclusion:

Performing ARP discovery with Python provides a powerful tool for network administrators and security experts to detect devices on the network and enhance network security. In this article, we discussed the basics of the ARP protocol, the importance of understanding outgoing and incoming ARP packets, and the process of detecting devices on the network using Python Scapy. With this knowledge, you can effectively manage your network.