Wireshark ARP Packet Capture in Practice


There are plenty of articles online explaining the Address Resolution Protocol (ARP). Here I simply capture packets with Wireshark and look at them; the focus is on practice:

First, the link to the ARP specification, RFC 826:

Below is the ARP protocol's Ethernet frame format:

Packet format:
--------------

To communicate mappings from <protocol, address> pairs to 48.bit
Ethernet addresses, a packet format that embodies the Address
Resolution protocol is needed.  The format of the packet follows.

    Ethernet transmission layer (not necessarily accessible to        ## Ethernet frame header, fixed 14 bytes (not accessible to the user)
         the user):
        48.bit: Ethernet address of destination                        # 6 bytes (destination Ethernet address)
        48.bit: Ethernet address of sender                             # 6 bytes (source Ethernet address)
        16.bit: Protocol type = ether_type$ADDRESS_RESOLUTION          # 2 bytes
    Ethernet packet data:                                              ## Ethernet frame data, 28 bytes in total (the IP packet; an IP packet is [46, 1500] bytes)
        16.bit: (ar$hrd) Hardware address space (e.g., Ethernet,       # 2 bytes (hardware type; 0001 for Ethernet)
                         Packet Radio Net.)
        16.bit: (ar$pro) Protocol address space.  For Ethernet         # 2 bytes (protocol type; 0800 for IPv4)
                         hardware, this is from the set of type
                         fields ether_typ$<protocol>.
         8.bit: (ar$hln) byte length of each hardware address          # 1 byte (hardware address length; 06 for an Ethernet address)
         8.bit: (ar$pln) byte length of each protocol address          # 1 byte (protocol address length; 04 for an IPv4 address)
        16.bit: (ar$op)  opcode (ares_op$REQUEST | ares_op$REPLY)      # 2 bytes (1: ARP request, 2: ARP reply)
        nbytes: (ar$sha) Hardware address of sender of this            # n is set by the `ar$hln` field (the hardware MAC address size in the figure below, value 06, i.e. 6 bytes)
                         packet, n from the ar$hln field.
        mbytes: (ar$spa) Protocol address of sender of this            # m is set by the `ar$pln` field (the protocol IPv4 address size in the figure below, value 04, i.e. 4 bytes)
                         packet, m from the ar$pln field.
        nbytes: (ar$tha) Hardware address of target of this            # 6 bytes
                         packet (if known).
        mbytes: (ar$tpa) Protocol address of target.                   # 4 bytes

   CRC (cyclic redundancy check)                                       ## 4 bytes in total (not accessible to the user)

The figure below shows the ARP message format.

Image source: 一文詳解 ARP 協議

The figure below shows the Ethernet frame format.

Image source: 數據鏈路層---以太網/MAC幀/ARP協議詳解

For installing and using Wireshark, please search Baidu yourself; there are plenty of guides online.

After opening Wireshark, sort and filter by Protocol (each protocol gets its own colour, which earns Wireshark a thumbs-up from me; my machine runs Windows and ARP is orange, I believe).

Once you have found the ARP packets:

Run ipconfig /all in cmd to view this machine's IPv4 address and MAC address:

MAC address: 8C-EC-4B-98-B1-49

IPv4 address: 172.16.79.192

Enter arp.src.proto_ipv4==172.16.79.165 and arp.dst.proto_ipv4==172.16.79.192 and arp.opcode==1 in the filter bar to show the request packet in which machine 165 asks for the MAC address of 192 (this machine).

Enter arp.src.proto_ipv4==172.16.79.192 and arp.dst.proto_ipv4==172.16.79.165 and arp.opcode==2 in the filter bar to show the reply packet in which 192 (this machine) answers machine 165 with its MAC address.

We know the minimum IP packet is 46 bytes; adding the fixed 14-byte Ethernet header and the 4-byte CRC gives 46 + 18 = 64 bytes, so an ARP Ethernet frame should be 64 bytes. Yet the ARP request we captured shows 60 bytes and the reply shows 42 bytes. That does not add up; where did it go wrong?

一通搜索后發現,解釋如下

    No, all ARP packets on Ethernet are 64 bytes, not 42. Wireshark tells you only 42 bytes are sent, but it is lying. The reason for this is because the padding to 60 bytes + 4 byte CRC is done by the Ethernet hardware as the ARP packet is being transmitted. Windows submits only 42 bytes to the NDIS driver, so that's all Wireshark gets to see.

    You can observe that all ARP packets are 64 bytes by running Wireshark on two PCs that are connected to the same network. The node that sends the ARP query or response will show 42 bytes sent in Wireshark. The node that receives the ARP packet will show 60 bytes received (4 byte CRC is also something Wireshark cannot normally observe). If you attach an oscilloscope to the Ethernet cable, you will observe a waveform lasting 576 bit times (57.6us). 576 bit times comes about because the frame will consist of 7 bytes of preamble, 1 start of frame delimiter byte, 42 ARP protocol bytes, 18 padding bytes, and 4 CRC bytes for a total of 72 bytes of 576 bits.

Answer source: Frame with no padding

In short, the answer says:

All ARP packets are 64 bytes, not 42.
Request packet: 60 + 4 (CRC); the ARP packet is padded up to 64 bytes by the Ethernet hardware as it is transmitted.
Reply packet: Windows only submits 42 bytes to the NDIS (Network Driver Interface Specification) driver; the hardware then adds 18 bytes of padding (to bring the IP packet up to 46 bytes, since our analysis above shows only 28 bytes are used) + 4 bytes (CRC), so Wireshark sees only 42 bytes.
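To make the byte layout quoted from RFC 826 above and the 42/60/64-byte puzzle concrete, here is an added Python example; it is not code from the original post, from RFC 826 or from Wireshark. It builds the request and reply of the exchange between 172.16.79.165 and 172.16.79.192, dissects them the way an ARP decoder does (anything after the 28-byte ARP packet is treated as padding and ignored), applies the same conditions as the display filters used above (arp.src.proto_ipv4, arp.dst.proto_ipv4, arp.opcode), and models where the padding and FCS are added so the capture sees 60 bytes for the received request and 42 for the locally sent reply. The local MAC and both IP addresses are the ones from the post; the peer's MAC (02:00:00:00:00:a5) is constructed, and the FCS is written as zeros rather than computed.

```python
"""Added example (not from the original post, RFC 826 or Wireshark): build,
parse, filter and size ARP-over-Ethernet frames laid out as in RFC 826.

From the post: local MAC 8C-EC-4B-98-B1-49, local IP 172.16.79.192, peer IP
172.16.79.165. Constructed here: the peer's MAC and an all-zero FCS."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806         # ether_type$ADDRESS_RESOLUTION
HTYPE_ETHERNET = 0x0001        # ar$hrd for Ethernet
PTYPE_IPV4 = 0x0800            # ar$pro for IPv4
ARP_REQUEST, ARP_REPLY = 1, 2  # ar$op
ETH_HEADER_LEN = 14
ETH_MIN_FRAME_LEN = 60         # minimum frame without FCS: 14-byte header + 46-byte payload
ETH_FCS_LEN = 4
PREAMBLE_SFD_LEN = 8           # 7 preamble bytes + 1 start-of-frame delimiter

LOCAL_MAC, LOCAL_IP = "8C-EC-4B-98-B1-49", "172.16.79.192"  # values from the post
PEER_MAC, PEER_IP = "02:00:00:00:00:a5", "172.16.79.165"    # peer MAC is constructed
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_to_bytes(mac: str) -> bytes:
    # accepts both the ipconfig style "8C-EC-4B-98-B1-49" and "8c:ec:4b:98:b1:49"
    return bytes(int(octet, 16) for octet in mac.replace("-", ":").split(":"))

def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    opcode: int
    sha: str          # sender hardware address (ar$sha)
    spa: str          # sender protocol address (ar$spa)
    tha: str          # target hardware address (ar$tha)
    tpa: str          # target protocol address (ar$tpa)
    captured_len: int  # bytes the capture point actually saw

def build_arp(opcode: int, sha: str, spa: str, tha: str, tpa: str, dst_mac: str) -> bytes:
    """14-byte Ethernet header + 28-byte ARP packet = 42 bytes, what Windows hands to NDIS."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sha) + ip_to_bytes(spa) + mac_to_bytes(tha) + ip_to_bytes(tpa)
    return eth + arp

def pad_for_wire(frame: bytes) -> bytes:
    """Model of the transmitting NIC: pad to 60 bytes, then append a 4-byte FCS (zeros here, not a real CRC)."""
    padded = frame + b"\x00" * max(0, ETH_MIN_FRAME_LEN - len(frame))
    return padded + b"\x00" * ETH_FCS_LEN

def bit_times_on_wire(frame: bytes) -> int:
    """Bits an oscilloscope would see: preamble + SFD + padded frame + FCS."""
    return (PREAMBLE_SFD_LEN + len(pad_for_wire(frame))) * 8

def parse_arp(frame: bytes) -> ArpFrame:
    """Dissect Ethernet + ARP; bytes after the 28-byte ARP packet are padding and are ignored."""
    if len(frame) < ETH_HEADER_LEN + 8:
        raise ValueError("frame too short for an ARP header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:22 + 2 * (hln + pln)]
    if len(body) != 2 * (hln + pln):
        raise ValueError("truncated ARP packet")
    sha, spa = body[0:hln], body[hln:hln + pln]
    tha, tpa = body[hln + pln:2 * hln + pln], body[2 * hln + pln:]
    return ArpFrame(bytes_to_mac(dst), bytes_to_mac(src), op, bytes_to_mac(sha),
                    bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa), len(frame))

def matches(f: ArpFrame, src_proto_ipv4=None, dst_proto_ipv4=None, opcode=None) -> bool:
    """Same test as the display filter: arp.src.proto_ipv4==A and arp.dst.proto_ipv4==B and arp.opcode==N."""
    return ((src_proto_ipv4 is None or f.spa == src_proto_ipv4)
            and (dst_proto_ipv4 is None or f.tpa == dst_proto_ipv4)
            and (opcode is None or f.opcode == opcode))

def simulate_exchange():
    """Return (request as seen by the local capture, reply as seen by the local capture, request length on the wire)."""
    # 165 asks who has 192: the peer's NIC pads and adds the FCS; our NIC strips the FCS before the capture sees it
    request = build_arp(ARP_REQUEST, PEER_MAC, PEER_IP, ZERO_MAC, LOCAL_IP, BROADCAST_MAC)
    request_seen = pad_for_wire(request)[:-ETH_FCS_LEN]  # 60 bytes captured
    # 192 answers: Windows submits 42 bytes to NDIS; padding and FCS are added in hardware after the capture point
    reply_seen = build_arp(ARP_REPLY, LOCAL_MAC, LOCAL_IP, PEER_MAC, PEER_IP, PEER_MAC)  # 42 bytes captured
    return request_seen, reply_seen, len(pad_for_wire(request))

if __name__ == "__main__":
    req, rep, wire_len = simulate_exchange()
    print(len(req), len(rep), wire_len, bit_times_on_wire(rep))  # 60 42 64 576
    print(parse_arp(req))
    print(parse_arp(rep))
```

Running it prints 60, 42, 64 and 576: the received request carries 18 bytes of padding that parse_arp skips, the locally sent reply is the bare 42 bytes, every frame is 64 bytes once the FCS is on the wire, and 8 + 64 bytes give the 576 bit times quoted in the answer.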
