Chapter 2

Who has 10.10.1.48 ?


 

Son: Dad, I started the Wireshark Protocol Analyzer, and here you see the screen capture. Please see the first message. It says 'Who has 10.10.1.7? Tell 10.10.1.3'. What is the purpose of this ARP BROADCAST message?

Dad: ARP stands for ADDRESS RESOLUTION PROTOCOL. In this screenshot, have a look at the first line. 10.10.1.3 wants to send an IP packet to the destination 10.10.1.7. But for sending a packet, just the destination IP address is not enough. The MAC address of 10.10.1.7 is also needed.

Son: But why this second address?

Dad: See this diagram. You want to send a message to Miss IP. But you cannot DIRECTLY hand over the message to Miss IP. You should send the message THROUGH PROPER CHANNEL. That means you should send the message to Mr. MAC, and only HE will deliver the message to Miss IP. If this is the case, then without knowing the address of Mr. MAC, how will you send a message to Miss IP?

 

Son: MAC stands for?

Dad: MAC stands for MEDIA ACCESS CONTROL. There are different names for the MAC address. Its other names are HARDWARE ADDRESS, LAYER 2 ADDRESS, ADAPTER ADDRESS and PHYSICAL ADDRESS.

Son: Do WE have to configure this MAC address?

Dad: No. Each and every Network Interface Card has a unique MAC address written into its ROM during manufacturing.

Son: But Dad, lots of companies manufacture NIC cards. How can these addresses be unique?

Dad: A MAC address is a 48-bit address. The first 24 bits are allotted to the manufacturing company by the IEEE. The remaining bits are allotted by the manufacturer serially. So all MAC addresses are unique.

Son: This two-address concept is still not clear.

Dad: No problem. Follow me carefully. Suppose I give the command 'C:> PING 10.10.1.7' from the DOS prompt. What will happen? The Ping program will try to send a small message to 10.10.1.7. But you are already aware that without the MAC address of 10.10.1.7, it is not possible to send the message. Then how can the message be sent? This is where ARP comes into the picture. Understanding ARP is vital for learning network concepts. Let me explain it with the help of a case study. Observe this network diagram. Abc & Co has its main office in New York. It has a branch in Boston. Both offices are interconnected by a 2 Mbps link. Imagine you are working in the New York office and you are trying to send a file from New York to Boston. But you have not succeeded. Tell me, what can be the reason for the failure?

 

Son: There are a lot of possibilities. 1) My computer configuration may not be OK. 2) The Ethernet link between my PC and the Switch may not be OK. 3) My Router configuration may not be OK. 4) The WAN link between New York and Boston may not be OK. 5) The other end's Router configuration may not be OK, etc.

Dad: Very good. You can localize the problem using the Ping command. Ping your own computer. If you succeed, your PC is OK. Ping another PC which is connected to your own network. If it succeeds, then your Switch is OK. Ping the Router at the Boston end. If it is OK, then your Router as well as the New York-Boston link are OK. In this way, you can locate the problem.

Son: So Ping seems to be a very important troubleshooting tool. Is that right, Dad?

Dad: Yes. Moreover, if you analyze the messages exchanged during this command, you will become an expert in networking.

Son: How does ping work, Dad?

Dad: It is a program which sends a series of echo requests and gets the replies from the other computer. See the screenshot. It shows how to give the ping command.

Son: Dad, in the screenshot, why has the first reply taken so much time?

Dad: It is because of ARP. At the end of our discussion, you will know the reason for this delay.

Son: In the above network diagram, what is the function of the Switch and the Router?

Dad: The Switch is for interconnecting the devices (such as PCs and the Router). The Router is for interconnecting different networks (such as the New York network and the Boston network). OK. Let us capture the messages involved in the above Ping command.

Have a look at the first four messages in the above screenshot. These are the stages involved:

FIRST MESSAGE: THIS PC wants to know the MAC address of THAT PC. It first checks its ARP cache. If the address is not found there, THIS PC sends a broadcast message.

SECOND MESSAGE: THAT PC tells its MAC address to THIS PC.

THIRD MESSAGE: THIS PC sends the actual test message to THAT PC.

FOURTH MESSAGE: THAT PC returns the same message to THIS PC.

 

The actual content of the First Message:

Translation of the above message :

1) ff ff ff ff ff ff .......... Destination MAC address is ff ff ff ff ff ff, i.e. the broadcast address

2) 00 e0 4c c5 64 f4 .......... Source MAC address is 00 e0 4c c5 64 f4

3) 08 06 .......... ARP

-----------------ARP message starts here---------------

4) 00 01 .......... Hardware type is Ethernet (Note: 1 = Ethernet, 15 = Frame Relay, 16 = ATM)

5) 08 00 .......... Protocol type is IP

6) 06 .......... The MAC address is 6 bytes, i.e. 48 bits

7) 04 .......... The IP address is 4 bytes, i.e. 32 bits

8) 00 01 .......... Opcode is Request

9) 00 e0 4c c5 64 f4 .......... Sender MAC address

10) 0a 0a 02 1c .......... Sender IP address (hexadecimal for 10.10.2.28)

11) 00 00 00 00 00 00 .......... Target MAC address (not used, hence all zeros)

12) 0a 0a 01 07 .......... Target IP address (hexadecimal for 10.10.1.7)

Let me translate the above data into layman's language:

Hello Everybody,

This is ARP speaking. If your IP address is 10.10.1.7, then read further; otherwise kindly discard this message.

The useless user of my computer wants to send a message to you. He is not aware of the fact that, without your MAC address, I cannot send the message. Hence kindly tell me your MAC address immediately.

In this connection, it is further intimated that I will keep your MAC address carefully in my memory (ARP cache) and use it until its TTL (Time To Live) expires. Kindly note down my IP address and MAC address in your ARP cache so that, if you have any message for me, you need not waste your time sending this kind of broadcast to learn my MAC address.

Do you know one more thing? My user is not aware of the fact that, because of this broadcast, the FIRST message is always delayed compared to the subsequent messages. He thinks something is wrong in the network :)

Waiting for your reply,

Thanking you,

Yours faithfully,

00 e0 4c c5 64 f4

 

 

 

 

The actual content of the Second Message:

Let us translate the above reply message:

00 e0 4c c5 64 f4 .......... Destination MAC address

00 50 ba d9 80 00 .......... Source MAC address (00 50 ba means the D-Link company)

08 06 .......... ARP

----------------------ARP message starts here--------------------

00 01 .......... Layer 2 is Ethernet

08 00 .......... Layer 3 is IP

06 .......... The MAC address is 6 bytes, i.e. 48 bits

04 .......... The IP address is 4 bytes, i.e. 32 bits

00 02 .......... Opcode is Reply (00 01 = Request)

00 50 ba d9 80 00 .......... Sender MAC address

0a 0a 01 07 .......... Sender IP address (hexadecimal for 10.10.1.7)

00 e0 4c c5 64 f4 .......... Target MAC address (please compare it with the request message)

0a 0a 02 1c .......... Target IP address (hexadecimal for 10.10.2.28)

20 20 20 ... 20 .......... Trailer
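The two translations above can be reproduced by a small decoder. This is an added example, not part of the original chapter: it parses the request and reply bytes listed above and prints the one-line summary a protocol analyzer shows. The function names are hypothetical, and the 18-byte trailer length in the reply is an assumption because the page elides the trailer.

```python
import struct

# Bytes transcribed from the translations of the first and second messages.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff 00e04cc564f4 0806"   # Ethernet: destination, source, EtherType
    "0001 0800 06 04 0001"             # hardware type, protocol type, lengths, opcode
    "00e04cc564f4 0a0a021c"            # sender MAC, sender IP
    "000000000000 0a0a0107")           # target MAC (unused), target IP
ARP_REPLY = bytes.fromhex(
    "00e04cc564f4 0050bad98000 0806"
    "0001 0800 06 04 0002"
    "0050bad98000 0a0a0107"
    "00e04cc564f4 0a0a021c"            # target IP is the requester, 10.10.2.28
    + "20" * 18)                       # trailer; the 18-byte length is an assumption
BROADCAST = b"\xff" * 6

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying ARP for IPv4 over Ethernet."""
    if len(frame) < 42:                # 14-byte Ethernet header + 28-byte ARP
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError(f"EtherType {ethertype:#06x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])  # bytes after offset 42 are trailer padding
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {"eth_dst": mac(dst), "eth_src": mac(src), "broadcast": dst == BROADCAST,
            "opcode": op, "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def summarize(frame: bytes) -> str:
    """One-line summary in the style of a protocol analyzer's Info column."""
    f = parse_arp_frame(frame)
    if f["opcode"] == 1:
        return f"Who has {f['target_ip']}? Tell {f['sender_ip']}"
    if f["opcode"] == 2:
        return f"{f['sender_ip']} is at {f['sender_mac']}"
    return f"ARP opcode {f['opcode']}"

if __name__ == "__main__":
    for frame in (ARP_REQUEST, ARP_REPLY):
        kind = "broadcast" if parse_arp_frame(frame)["broadcast"] else "unicast"
        print(f"{summarize(frame)} ({kind})")
```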

 The actual content of the Third Message:

          

 

00 50 ba d9 80 00 .......... Destination MAC address

00 e0 4c c5 64 f4 .......... Source MAC address (00 e0 4c is the Realtek company)

08 00 .......... Protocol type is IP

-------------------IP Packet starts here---------------------------

4 .......... IP version 4

5 .......... 5 x 4 = 20. The IP header length is 20 bytes

00 .......... Differentiated Services. The default value is 00

00 3c .......... Total number of bytes = 60

b1 d0 .......... Packet ID

0 .......... Flags (x--- = Reserved bit, -x-- = Don't Fragment, --x- = More Fragments); all are 0 here

000 .......... Fragment Offset

80 .......... Time to live is 80 in hexadecimal (in decimal it is 128)

01 .......... Protocol is ICMP

71 ba .......... Header checksum

0a 0a 02 1c .......... Source IP address (hexadecimal for 10.10.2.28)

0a 0a 01 07 .......... Destination IP address (hexadecimal for 10.10.1.7)

-------------------ICMP message starts here--------------------------

08 .......... Type of message is 8 = Ping echo request

00 .......... Code = 0

22 5c .......... Checksum

02 00 .......... Identifier

29 00 .......... Sequence Number

61 62 63 ... 68 69 .......... Data (in ASCII it is abcdefghijklmnopqrstuvwabcdefghi)
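The two checksum fields in the third message can be checked by hand. This added example, which is not part of the original chapter, computes the Internet checksum (RFC 1071) over the IP header and the ICMP message listed above and confirms that 71 ba and 22 5c are the values a receiver would accept. It assumes the elided data bytes are the 32-character pattern abcdefghijklmnopqrstuvwabcdefghi; the function names are hypothetical.

```python
import struct

# IP header of the third message, transcribed from the translation above.
IP_HEADER = bytes.fromhex("4500 003c b1d0 0000 8001 71ba 0a0a021c 0a0a0107")
# ICMP echo request: type, code, checksum, identifier, sequence number from the page.
# The 32-byte payload is an assumption (the page elides the middle of the data).
ICMP_MESSAGE = bytes.fromhex("0800 225c 0200 2900") + b"abcdefghijklmnopqrstuvwabcdefghi"

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, then complemented."""
    if len(data) % 2:                       # pad odd-length input with a zero byte
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def recompute(data: bytes, offset: int) -> int:
    """Checksum the sender would store at `offset` (field zeroed while summing)."""
    return internet_checksum(data[:offset] + b"\x00\x00" + data[offset + 2:])

def check_ping(ip_header: bytes, icmp: bytes) -> dict:
    """Validate the header length, total length and both checksums."""
    ihl = (ip_header[0] & 0x0F) * 4         # low nibble counts 4-byte words
    total_length = struct.unpack("!H", ip_header[2:4])[0]
    return {
        "ihl": ihl,
        "total_length": total_length,
        "length_ok": total_length == ihl + len(icmp),
        # Summing a block that includes a correct checksum yields 0.
        "ip_checksum_ok": internet_checksum(ip_header[:ihl]) == 0,
        "icmp_checksum_ok": internet_checksum(icmp) == 0,
    }

if __name__ == "__main__":
    print(check_ping(IP_HEADER, ICMP_MESSAGE))
    print(f"IP header checksum: {recompute(IP_HEADER, 10):04x}")
    print(f"ICMP checksum:      {recompute(ICMP_MESSAGE, 2):04x}")
```

A single altered byte in either block makes the corresponding check fail, which is how a receiver detects a corrupted header or message.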

The actual content of the Fourth Message:

00 e0 4c c5 64 f4 .......... Destination MAC address

00 50 ba d9 80 00 .......... Source MAC address (00 50 ba is the D-Link company)

08 00 .......... Protocol type is IP

-------------------IP Packet starts here---------------------------

4 .......... IP version 4

5 .......... 5 x 4 = 20. The IP header length is 20 bytes

00 .......... Differentiated Services. The default value is 00

00 3c .......... Total number of bytes = 60

db 90 .......... Packet ID

0 .......... Flags (x--- = Reserved bit, -x-- = Don't Fragment, --x- = More Fragments); all are 0 here

000 .......... Fragment Offset

80 .......... Time to live is 80 in hexadecimal (in decimal it is 128)

01 .......... Protocol is ICMP

47 fa .......... Header checksum

0a 0a 01 07 .......... Source IP address (hexadecimal for 10.10.1.7)

0a 0a 02 1c .......... Destination IP address (hexadecimal for 10.10.2.28)

-------------------ICMP message starts here--------------------------

00 .......... Type of message is 0 = Echo Reply

00 .......... Code = 0

2d 5c .......... Checksum

02 00 .......... Identifier

26 00 .......... Sequence Number

61 62 63 ... 68 69 .......... Data (in ASCII it is abcdefghijklmnopqrstuvwabcdefghi)

Son: Dad, is there any general ARP message format?

Dad: Yes, see this image:

 

Son: How long will an entry be present in the ARP cache?

Dad: Normally it will be there for 20 minutes. After that it will be deleted.

Son: Is it possible to view the contents of the ARP cache?

Dad: Yes, see this screenshot:

Son: A dynamic entry means ARP itself makes the entry. A static entry means we manually enter the IP address and the corresponding MAC address. But what is the use of such static entries? Are static entries permanent?

Dad: Static entries will speed up access to hosts which are frequently used, because the ARP broadcast is avoided. But when you restart your computer, the static entries will be gone. If you want these entries to be permanent, then you can write the command in a batch file and run the batch file whenever the computer is started. Anyway, I don't advise you to use static entries.

 

Son: Dad, there is still a lot of confusion. When there is an IP address, why is there a need for another address called the MAC address? Do we have to configure the MAC address? How do I find out the MAC address of my computer?

Dad: Let us discuss it tomorrow. Now try to answer these questions and go to sleep.

1. ARP stands for .............................................

2. Why is the ARP request a 'broadcast message' but the ARP reply a 'unicast message'?

3. ARP can be used to resolve an IP address to the corresponding MAC address. True or False?

4. Normally, entries will reside in the arp cache for 20 minutes. True or False?