IP Routing & ARP

By donchen
in Smart Home, Network & Security

 Share

Recommended Posts

Mentor

donchen

Posted
Posted

Hi guys,

I don't quite understand how IP routing and ARP works. Hope you can help me. Thanks.

post-37289-1196763480_thumb.jpg

From the example in the diagram, if PC-1 (192.168.1.2) wants to sent to PC-3 (192.168.3.2)

1) PC-1 will create a IP packet destined for 192.168.3.2

2) PC-1 will check the network address of PC-3 (192.168.3.0) by using the subnet mask and the IP.

3) PC-1 realise that PC-3 is not in the same network as PC-1

4) PC-1 direct the packet to the router A.

5) Router A recieves the packet and check the destination IP which is 192.168.3.2.

6) Router A check its routing table and forwards to packet to router B.

7) Router B check the destination IP and knows that it does not belong to his network.

8) Router B checks its routing table and forwards to router C

9) Router C checks the destination IP and confirm its for its network and forwards to PC-3 (192.168.3.2)

Is my steps correct? At what point does ARP comes in ? Thats the thing I don't understand. I know ARP is to resolve a IP address to a MAC address.

Regards

Don

Link to comment
https://www.neowin.net/forum/topic/604721-ip-routing-arp/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

the mac is used at layer 2, ie datalink layer.. It is used for machine 1 to talk its router. Then the mac of the interface connected to router 2.1 from 1.1 would be use to talk to the 2.1 router, then the macs between 2.1 and 3.1 would be used, etc.

When the 1.2 machine gets its reponse back -- it will have the mac address of the router it is directly connected to in it... not the mac address of the 3.2 interface.

IP is layer 3.

mac address do not contain network.host info -- an can only be used at the datalink layer, local network. At the datalink layer when machine 1.2 figures out that it needs to send the data it wants to send to 3.2 to 1.1, it does not really send it to 1.1, it sends it to the mac address that 1.1 is on.

ARP is a way to resolve what the mac address is of a 1.1, so the software knows it needs to send info to 1.1 to get to 3.2 -- to find out what mac to send to, there is arp. It will send out an arp request asking enery interface on the local network if its IP address 1.1

Once it gets a response it will know what mac address to send the data to to get to 1.1

What might be a great help is fire up a sniffer, wireshark for example -- an look at some of the traffic on your on network.. You will see that all the src an dst mac addresses are for interfaces all on the same network. When I ping google.com for example you can see that the request is dst for IP of google, but the mac is my gateway

--sniff--
No.	 Time		Source				Destination		   Protocol Info
	 10 6.864487	192.168.1.100		 64.233.167.104		ICMP	 Echo (ping) request

Ethernet II, Src: Netgear_e0:fb:ad (00:09:5b:e0:fb:ad), Dst: 3com_d8:e8:be (00:50:04:d8:e8:be)
	Destination: 3com_d8:e8:be (00:50:04:d8:e8:be)
		Address: 3com_d8:e8:be (00:50:04:d8:e8:be)

	Source: Netgear_e0:fb:ad (00:09:5b:e0:fb:ad)
		Address: Netgear_e0:fb:ad (00:09:5b:e0:fb:ad)

Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 64.233.167.104 (64.233.167.104)


No.	 Time		Source				Destination		   Protocol Info
	 11 6.878559	64.233.167.104		192.168.1.100		 ICMP	 Echo (ping) reply

Ethernet II, Src: 3com_d8:e8:be (00:50:04:d8:e8:be), Dst: Netgear_e0:fb:ad (00:09:5b:e0:fb:ad)
	Destination: Netgear_e0:fb:ad (00:09:5b:e0:fb:ad)
		Address: Netgear_e0:fb:ad (00:09:5b:e0:fb:ad)

	Source: 3com_d8:e8:be (00:50:04:d8:e8:be)
		Address: 3com_d8:e8:be (00:50:04:d8:e8:be)

Internet Protocol, Src: 64.233.167.104 (64.233.167.104), Dst: 192.168.1.100 (192.168.1.100)
--sniff--

Now if you look at my local arp table.

C:\>arp -a

Interface: 192.168.1.100 --- 0x2

Internet Address Physical Address Type

192.168.1.2 00-09-5b-e0-f8-31 dynamic

192.168.1.3 00-08-02-09-6b-bc dynamic

192.168.1.4 00-0d-56-f0-f0-09 dynamic

192.168.1.101 00-13-20-14-b0-34 dynamic

192.168.1.253 00-50-04-d8-e8-be dynamic

the mac of my gateway is the dst mac in the ping sent to google, an the src of the reply back from google.

Hope that helps!

edit: BTW -- I wish all questions where articulated as good as yours! What we normally see around here is "hey peeps what's a mac?".. You clearly pointed out what you already understood, an gave a clear description of how you were understanding the concept of how traffic moves between segments, you stated that you know what arp is etc..

Great ? More people should follow your example, an vast amounts of info could be exchanged -- an everyone would be better for it!!

Edited by BudMan
Link to comment
https://www.neowin.net/forum/topic/604721-ip-routing-arp/#findComment-589035449
Share on other sites
Mentor

donchen

Posted
  • Author
Posted (edited)

Haha, thanks for the compliment. I just thought that I should show what I understand so that we won't be wasting time explaining something that i already knew.

Anyway back to topic.

When machine 1 wants to talk to its router, doesn't machine 1 just use the IP of the router (in this case 192.168.1.1)? Why do we need to use ARP to get the MAC address when we know the IP of the router via the routing table.

And when router 1.1 wants to talk to router 2.1, doesn't it just use the IP that is associated with the interface that is connected to?

EDIT --------------

I did some thinking and read ya post over and over again. Let me try to check back with ya about my understanding.

Although machine 1 has the IP of router by checking the route table, it will still request an ARP to wait for the router to respond with its MAC address. Once recieved it will encapsulate the MAC address (at layer 2) and the IP of the destination (192.168.3.2) at layer 3 on the packet.

Once router 1.1 recieves the packet, it will de capsulate and when its at layer 2, it will check that it is for my MAC address then it will proceed to layer 3. But at layer 3, the destination IP is not for him but it checks its router table to know where it should send to. In this case will be router 2.1. So it issue a ARP question and wait for router 2.1 to respond with its MAC Address. Once gotten it, it will encapsulate the packet with the destination IP at layer 3 and the MAC address of the router 2.1 at layer 2.

This process will go on until it reaches 3.2.

Please correct me if i am wrong.

don

Edited by donchen
Link to comment
https://www.neowin.net/forum/topic/604721-ip-routing-arp/#findComment-589035589
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Yeah pretty much you have it -- but Layer 2 does not know what a IP address is ;) your interface really has no IDEA what its IP address is, etc.. at the data layer it is done with mac not IP. IP is layer 3 remember.

You have to have gone over the OSI layers already?

But your router/machine will most likely not have to arp for the mac -- unless its not already cached. Quite often the arp table will already contain the info that is needed -- so no reason to arp.

Look at your machines arp table with the arp -a command.. Is your router listed? If so then there would be no need to arp for the mac when it already has it cached.

If you want to see a huge arp table -- look at a core switch ;) Do you have access to a managed switch?

For example.

Here is a tiny fraction of the table;

>sho mac-address-table

Legend: * - primary entry

vlan mac address type learn ports

------+----------------+--------+-----+--------------------------

* 402 0050.da08.ae56 dynamic Yes Gi6/15

* 401 0050.0469.c1d2 dynamic Yes Gi6/6

* 402 0002.a543.ab9b dynamic Yes Gi3/26

* 401 000d.5603.a8ac dynamic Yes Gi6/5

* 401 0050.04d0.8500 dynamic Yes Gi6/2

* 402 0015.c5c2.96b1 dynamic Yes Gi5/35

* 401 000f.1f43.98b0 dynamic Yes Gi6/13

* 402 0008.02a2.3e30 dynamic Yes Gi3/14

* 400 0010.5a83.9c9e dynamic Yes Gi6/11

* 401 0010.5aa0.95c3 dynamic Yes Gi6/6

* 401 000b.db63.545e dynamic Yes Gi6/5

* 1 0012.808f.6171 dynamic Yes Gi6/11

* 401 0010.5a1e.f766 dynamic Yes Gi6/6

* 400 0008.7412.e4f7 dynamic Yes Gi6/11

* 400 0002.a57c.da68 dynamic Yes Gi6/9

* 401 0010.4b33.686f dynamic Yes Gi6/6

* 400 000a.e43b.1c18 dynamic Yes Gi6/1

* 402 0008.02a2.3e32 dynamic Yes Gi3/13

* 401 0050.8bd3.60f6 dynamic Yes Gi5/8

* 402 0008.020e.96db dynamic Yes Gi5/35

* 401 0050.dad6.0159 dynamic Yes Gi6/6

* 400 0050.8bda.9eef dynamic Yes Gi6/8

* 400 0010.5a27.6206 dynamic Yes Gi6/8

* 400 0008.0237.f66c dynamic Yes Gi6/1

* 400 0100.5e7f.fffe static Yes Gi4/4,Gi4/5

* 401 0002.a5e9.6a6a dynamic Yes Gi5/12

* 400 0020.6b51.9700 dynamic Yes Gi6/9

* 199 0007.0e56.7263 dynamic Yes Gi6/16

* 401 0011.4314.bbbd dynamic Yes Gi6/2

* 402 000d.56e1.2a27 dynamic Yes Gi6/3

* 400 0000.748c.ffb6 dynamic Yes Gi6/1

* 401 000f.1fc0.147d dynamic Yes Gi6/5

* 199 0007.0e56.7260 dynamic Yes Gi6/16

* 401 0010.4b33.6751 dynamic Yes Gi6/2

* 400 0011.43bf.624f dynamic Yes Gi6/11

* 402 0019.b92f.b161 dynamic Yes Gi6/3

* 400 0002.a5aa.1989 dynamic Yes Gi6/9

* 402 0050.049a.cbd7 dynamic Yes Gi6/4

* 400 0012.3f13.1342 dynamic Yes Gi6/9

* 400 0100.5e7f.fffd static Yes Gi4/4,Gi6/9

* 401 0002.a5e9.6a69 dynamic Yes Gi5/11

* 1 0012.8067.8231 dynamic Yes Gi6/15

* 400 0012.3f38.33c0 dynamic Yes Gi6/9

* 401 000f.1fd8.e19d dynamic Yes Gi6/5

* 400 0012.3f06.976d dynamic Yes Gi6/1

Link to comment
https://www.neowin.net/forum/topic/604721-ip-routing-arp/#findComment-589036041
Share on other sites
  • 3 weeks later...
Neowinian

jnik

Posted
Posted
So simply putting it, it means the IP at layer 3 will always be the destination IP as for the mac at layer 2 will be the device's MAC address of the next hop ?

OSI:

A_____B

7..........7

6..........6

5..........5

4..........4

3..........3

2..........2

1--------1

(dotted lines show logical connections, dashed lines show physical connections)

While layer 3 on device A logically talks to layer 3 on device B it can't do it directly.

In fact layer 3 on device A can only talk directly to layers 2 and 4 on device A ... for the logical connection between A & B the two layer 3s use the services of the two layer 2s.

When a router is between A & B it looks more like this:

A_____R_____B

7.....................7

6.....................6

5.....................5

4.....................4

3..........3.........3

2..........2.........2

1--------1-------1

So, what is actually happening in your example is A4 (layer 4 on device A) wanting to send a message to B4 (layer 4 on device B). While A4 logically talks directly with B4 it actually does this by asking A3 to talk to B3.

A3 knows (by doing the subnet mask analysis you mentioned) that a router is involved. Rather than asking A2 to talk to B2 (which A2 can't do as it doesn't know about routing) A3 asks A2 to talk to R2 (layer 2 on the router).

As A2 doesn't know what an IP address is, A3 uses ARP to work out the destination MAC address of the router.

A2 then passes the info on to R2 (via layer 1). R2 passes it up to R3. R3 says "ah, this is headed for B3".

Another use of ARP determines B's MAC address and R3 asks R2 to forward the message.

The flow is as follows:

A4

A3

A2

A1

R1

R2

R3

R2

R1

B1

B2

B3

B4

The key point here is that layer 3 knows about routing and IP addresses and layer 2 doesn't. Layer 3 needs to use layer 2, but it has to turn IP addresses into MAC addresses and tell layer 2 to talk to the router rather than the final destination.

Link to comment
https://www.neowin.net/forum/topic/604721-ip-routing-arp/#findComment-589088063
Share on other sites
Experienced

Raffye.Memon

Posted
Posted

sorry for interrupting I've been searching for ARP articles few days back ...

Is there something like AntiARP or something ... my local lan provider wanted to install something AntiARP_1.0.exe or something when DHCP was not able to give me IP address ... but i get IP-address by changing Physical-Address.. soo i declined and said my computer is fine check your dhcp server and stay away :p

Since then i dont get ip from dhcp .. :( with my default physical address :(

Link to comment
https://www.neowin.net/forum/topic/604721-ip-routing-arp/#findComment-589106244
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

its not to stop you from spoofing -- its to make sure that your gateway is not spoofed - so you end up sending your info to someone else who is saying they are the gateway off you network, etc.

As to if you should install it? That would be up to you, an where it came from. If you got it from the admins of your network, it would seem like they are trying to protect you.

Link to comment
https://www.neowin.net/forum/topic/604721-ip-routing-arp/#findComment-589107290
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.