Skill Name: ARP Protocol Principle
Categorize Tag: Basics Principle
Skill Content: The most ARP Behavior is to ask the MAC address of an IP address of a particular host normally.
Skill Description: A pair of ARP packets is one APR query packet and one ARP reply packet. The first one APR query packet is a broadcast type packet to ask every host on the same network switch device. Since every host got the ARP broadcast packet to query a specified IP address, only the NIC which contains the IP address would send one reply ARP packet to ARP inquirer theoretically. Therefore, this ARP query-reply behavior will be an ARP pair of packets in the same network segment of switch or VLAN.
Because the broadcast packets might have some side effect to impact network traffic, only the ARP and some UDP (DHCP, SNMP, NBNS, Browse, part of Network Neighborhood functions) uses broadcast type to send packets to every NIC of hosts as well as the broadcast type packets dose not offten appeare on the network. However, the following situations should be cautious:
- (A)In a short time, rapidly a large number of network IP address inquiries by ARP broadcast packets. It is one major symptom of ARP host scanning which is caused by malware infection or APT host scanning behavior.
- (B) A large number of ARP reply packets in a short period of time. It is one major symptom of ARP Spoofing attacks.
- (C) A sequence of a range IP addresses ARP query packets is the hosts scanning behavior which is generated from an IT management host or an internal information gathering behavior.
NSPA suggested display filter of Wireshark:
arp
Online Course: https://youtu.be/Vy3p3V0Q2A4
Analytical Example: https://www.hugediamond.net/shop
------------------------------------------------------------------------
Extent Information:
Español: El comportamiento más ARP es pedir normalmente la dirección MAC de una dirección IP de un host en particular.
Franch: Le comportement le plus ARP consiste à demander normalement l'adresse MAC d'une adresse IP d'un hôte particulier.
German: Das meiste ARP-Verhalten besteht darin, normalerweise die MAC-Adresse einer IP-Adresse eines bestimmten Hosts abzufragen.
Chinese: 最多的ARP行為就是正常詢問特定主機IP地址的MAC地址。
Japanese: 最もARPの動作は、通常、特定のホストのIPアドレスのMACアドレスに問い合わせることです。
Vietnamese: Hành vi ARP nhất là yêu cầu địa chỉ MAC của một địa chỉ IP của một máy chủ lưu trữ cụ thể một cách bình thường.
Thai(Siamese): พฤติกรรม ARP ส่วนใหญ่คือการถามที่อยู่ MAC ของที่อยู่ IP ของโฮสต์โดยปกติ
Indonesian: Perilaku ARP yang paling adalah menanyakan alamat MAC dari alamat IP dari host tertentu secara normal.
Malay: Tingkah Laku ARP yang paling banyak adalah meminta alamat MAC dari alamat IP dari hos tertentu secara normal.
Myanmar: ARP အပြုအမူအများစုသည်အိမ်ရှင်တစ် ဦး ၏ IP address တစ်ခု၏ MAC address ကိုပုံမှန်အားဖြင့်မေးမြန်းရန်ဖြစ်သည်။
