How to Capture ARP Packets: A Step-by-Step Guide to Analyzing ARP Data


This section explores how to capture ARP protocol packets and analyze ARP data.

Before analyzing, let’s first look at the ARP packet format.

[Image: ARP request and response packet format]

The image above shows the format of an ARP request and response packet, which will be explained in detail below.

For the Ethernet header:

If it is an ARP request packet, the Ethernet destination address is all ones (the broadcast address), so that every host on the local network receives the ARP request.

The Ethernet source address is the sender’s address.

Frame type: If it is an ARP packet, the value is 0x0806.

Hardware type: Indicates what type of network the ARP protocol is implemented on; its value is 1, representing Ethernet.

Protocol type: Indicates the upper-layer protocol whose addresses are being resolved; here it is generally 0x0800, which is IP.

Hardware address length is the MAC address length, which is 6 bytes.

Protocol address length is the IP address length, which is 4 bytes.

Operation type: Indicates the ARP operation. 1 indicates a request packet, and 2 indicates a response packet.

Sender’s Ethernet address is the source MAC address.

Sender’s IP address is the source IP address.

Target Ethernet address is the destination MAC address (all zeros if it is a request packet).

Target IP address is the destination IP address.
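To tie the field descriptions above together, here is an added example (not from the original article) that parses a raw Ethernet frame carrying ARP, checks the constant fields (frame type 0x0806, hardware type 1, protocol type 0x0800, lengths 6 and 4) and decodes both a request and the matching reply. The frames, MAC addresses and IP addresses are constructed for the example, not taken from a real capture.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")    # dst MAC, src MAC, frame type
ARP_HDR = struct.Struct("!HHBBH")    # hw type, proto type, hw len, proto len, opcode
ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Return the Ethernet + ARP fields of one frame as a dict, or raise ValueError."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: frame type 0x{ethertype:04x}")
    hw_type, proto_type, hw_len, proto_len, opcode = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    off = ETH_HDR.size + ARP_HDR.size
    if len(frame) < off + 2 * (hw_len + proto_len):
        raise ValueError("truncated ARP payload")
    sha, spa = frame[off:off + 6], frame[off + 6:off + 10]
    tha, tpa = frame[off + 10:off + 16], frame[off + 16:off + 20]
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "broadcast": dst == b"\xff" * 6,          # all-ones destination (request case)
        "op": OPCODES.get(opcode, f"unknown({opcode})"),
        "sender_mac": mac(sha), "sender_ip": ip(spa),
        "target_mac": mac(tha), "target_ip": ip(tpa),  # target MAC is all zeros in a request
    }

def build_arp(op, eth_dst, sha, spa, tha, tpa):
    """Assemble a frame with the fixed ARP-over-Ethernet header values."""
    return (ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op) + sha + spa + tha + tpa)

# Constructed sample: pc1 (192.168.1.1) asks for the MAC of pc2 (192.168.1.2)
PC1_MAC, PC2_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PC1_IP, PC2_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2])
REQUEST = build_arp(1, b"\xff" * 6, PC1_MAC, PC1_IP, b"\x00" * 6, PC2_IP)
REPLY = build_arp(2, PC1_MAC, PC2_MAC, PC2_IP, PC1_MAC, PC1_IP)

if __name__ == "__main__":
    for f in (REQUEST, REPLY):
        print(parse_arp_frame(f))
```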

Now that we understand the detailed ARP format, let’s attempt to capture ARP packets.

Example:

[Image: Wireshark capture of the ARP request from pc1 to pc2]

As shown above, pc1 sends an ARP request to pc2. At this time, use Wireshark to capture ARP packet data.

Now that the ARP data is captured, let's analyze it.

First, analyze the ARP request datagram:

Select frame 57 to view detailed information in Wireshark:

When the ARP request packet sent by PC1 is broadcast to the local network, PC2 detects that the target IP address matches its own and sends a response packet to PC1, which is frame 58.

In the ARP response packet, all four addresses (source IP, destination IP, source MAC, and destination MAC) are filled in, unlike the request, where the target MAC was all zeros.

The analysis of the ARP response packet ends here.