Objective
To see how ARP (Address Resolution Protocol) works.
ARP is an essential glue protocol that is used to join Ethernet and IP.
It is covered in §5.6.4 of your text.
Review the text section before doing this lab.
Requirements
Wireshark: This lab uses the Wireshark software tool to capture and examine a packet trace. A packet trace is a record of traffic at a location on the network, as if a snapshot was taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the lower-layer headers to the higher-layer contents. Wireshark runs on most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows the sequence of packets and the meaning of the bits when interpreted as protocol headers and data. It color-codes packets by their type, and has various ways to filter and analyze packets to let you investigate the behavior of network protocols. Wireshark is widely used to troubleshoot networks. You can download it from www.wireshark.org if it is not already installed on your computer. We highly recommend that you watch the short, 5 minute video “Introduction to Wireshark” that is on the site.
arp: This lab uses the “arp” command-line utility to inspect and clear the cache used by the ARP protocol on your computer. arp is installed as part of the operating system on Windows and Mac. On Linux it belongs to the net-tools package, which some current distributions no longer install by default; the “ip neigh” command from iproute2 does the same job there. The arguments differ between systems. Clearing the cache requires administrator privileges.
ifconfig / ipconfig: This lab uses the “ipconfig” (Windows) or “ifconfig” (Mac/Linux) command-line utility to inspect the state of your computer’s network interface. ipconfig is part of Windows and ifconfig is part of Mac; on Linux ifconfig also comes from net-tools and may be missing, in which case “ip addr” (or “ip link”) shows the same information.
route / netstat: This lab uses the “route” or “netstat” command-line utility to inspect the routes used by your computer. A key route is the default route (the route to prefix 0.0.0.0/0, displayed as “default” or “0.0.0.0”) that uses the default gateway to reach remote parts of the Internet. Both “route” and “netstat” are installed as part of the operating system on Windows and Mac; on Linux they come from net-tools, and “ip route” is the modern equivalent. There are many variations on the command-line parameters that must be used.
Browser: This lab uses a web browser to find or fetch pages as a workload. Any web browser will do.
Network Setup
We want to observe the ARP protocol in action. Recall that ARP is used to find the Ethernet address that corresponds to a local IP address to which your computer wants to send a packet. A typical example of a local IP address is that of the local router or default gateway that connects your computer to the rest of the Internet. Your computer caches these translations in an ARP cache so that the ARP protocol need only be used occasionally to do the translation. The setup from the viewpoint of your computer is as shown in the example below.
Step 1: Capture a Trace
Proceed as follows to capture a trace of ARP traffic; alternatively, you may use a supplied trace. To gather ARP packets, we will cause your computer to send traffic to the local router when it does not know the router’s Ethernet address – your computer will then use ARP to discover the Ethernet address.
- Find the Ethernet address of the main network interface of your computer with the ifconfig / ipconfig command. You will want to know this address for later analysis. On Windows, bring up a command-line shell and type “ipconfig /all”. On Mac/Linux, bring up a command-line shell and type “ifconfig” (on a Linux system without ifconfig, “ip link” lists the same addresses). Among the output will be a section for the main interface of the computer (likely an Ethernet interface) and its Ethernet address. Common names for the interface are “eth0”, “en0”, or “Ethernet adapter”. Two examples are shown below, with our added highlighting.
- Find the IP address of the local router or default gateway that your computer uses to reach the rest of the Internet using the netstat / route command. You should be able to use the netstat command (“netstat -rn” on Windows, Mac and Linux; the -n flag skips slow name lookups, and you may need ctrl-C to stop it). Alternatively, you can use the route command (“route print” on Windows, “route -n” on Linux, “route -n get default” on Mac). On Linux, “ip route” also works and shows the default route as a line beginning “default via”. In either case you are looking for the gateway IP address that corresponds to the destination of default or 0.0.0.0. Two examples are shown below for netstat, with our added highlighting.
- Launch Wireshark and start a capture with a filter of “arp”. Your capture window should be similar to the one pictured below, other than our highlighting. Select the interface from which to capture as the main wired or wireless interface used by your computer to connect to the Internet. If unsure, guess and revisit this step later if your capture is not successful. Uncheck “capture packets in promiscuous mode” (in current versions this is the promiscuous-mode checkbox under Capture > Options). This mode is useful to overhear packets sent to/from other computers on broadcast networks. We only want to record packets sent to/from your computer. Leave other options at their default values. The capture filter, if present, is used to prevent the capture of other traffic your computer may send or receive. On the old Wireshark 1.8, the capture filter box was present directly on the options screen, and on 1.9 you set a capture filter by double-clicking on the interface; in current versions the filter box sits above the interface list on the start screen (“…using this filter:”) and is also available under Capture > Options.
- When the capture is started, use the “arp” command to clear the default gateway from the ARP cache. Using the command “arp -a” will show you the contents of the ARP cache as a check that you can run “arp”. You should see an entry for the IP address of the default gateway. To clear this entry, use the arp command with different arguments (“arp -d” on Windows, “arp -d -a” on Mac, “arp -d xx.xx.xx.xx” where xx.xx.xx.xx is the IP address of the default gateway on Linux; the per-address form also works on Windows and Mac). On a Linux system without the arp utility, “sudo ip neigh del xx.xx.xx.xx dev eth0” (with your interface name in place of eth0) does the same. This usage of arp needs administrator privileges to run, so run it from an administrator shell on Windows or issue “sudo arp -d xx.xx.xx.xx” on Linux/Mac. Note that the command should run without error but the ARP entry may not appear to be cleared if you check with “arp -a”. This is because your computer will send ARP packets to repopulate this entry as soon as you need to send a packet to a remote IP address, and that can happen very quickly due to background activity on the computer.
- Now that you have cleared your ARP cache, fetch a remote page with your Web browser. This will cause ARP to find the Ethernet address of the default gateway so that the packets can be sent. These ARP packets will be captured by Wireshark. You might clear the ARP cache and fetch a document a couple of times. Hopefully there will also be other ARP packets sent by other computers on the local network that will be captured. These packets are likely to be present if there are other computers on your local network. In fact, if you have a busy computer and extensive local network then you may capture many ARP packets. The ARP traffic of other computers will be captured when the ARP packets are sent to the broadcast address, since in this case they are destined for all computers including the one on which you are running Wireshark. Because ARP activity happens slowly, you may need to wait up to 30 seconds to observe some of this background ARP traffic.
- Once you have captured some ARP traffic, stop the capture. You will need the trace, plus the Ethernet address of your computer and the IP address of the default gateway for the next steps.
Step 2: Inspect the Trace
Now we can look at an ARP exchange! Since there may be many ARP packets in your trace, we’ll first narrow our view to only the ARP packets that are sent directly from or to your computer.
Set a display filter for packets with the Ethernet address of your computer. You can do this by entering an expression in the blank “Filter:” box near the top of the Wireshark window and clicking “Apply” (in current versions, pressing Enter in the display filter bar applies it). The filter to enter depends on your Ethernet address. For example, if your Ethernet address is 01:02:03:04:05:06 then enter a filter expression of “eth.addr==01:02:03:04:05:06”. Note the double equal sign; eth.addr matches the address in either the source or the destination field of the Ethernet header. If you are using the supplied trace, it comes with an additional text file giving the Ethernet address and default gateway IP address. After applying this filter your capture should look something like the figure below, in which we have expanded the ARP protocol details.
Find and select an ARP request for the default gateway and examine its fields. There are two kinds of ARP packets, a request and a reply, and we will look at each one in turn. The Info line for the request will start with “Who has …”. You want to look for one of these packets that asks for the MAC address of the default gateway, e.g., “Who has xx.xx.xx.xx …” where xx.xx.xx.xx is your default gateway. You can click on the + expander or icon for the Address Resolution Protocol block to view the fields:
- Hardware and Protocol type are set to constants that tell us the hardware is Ethernet and the protocol is IP. This matches the ARP translation from IP to Ethernet address.
- Hardware and Protocol size are set to 6 and 4, respectively. These are the sizes of Ethernet and IP addresses in bytes.
- The opcode field tells us that this is a request.
- Next come the four key fields, the sender MAC (Ethernet) and IP and the target MAC (Ethernet) and IP. These fields are filled in as much as possible. For a request, the sender knows their MAC and IP address and fills them in. The sender also knows the target IP address – it is the IP address for which an Ethernet address is wanted. But the sender does not know the target MAC address, so it does not fill it in.
Next, select an ARP reply and examine its fields. The reply will answer a request and have an Info line of the form “xx.xx.xx.xx is at yy:yy:yy:yy:yy:yy”:
- The Hardware and Protocol type and sizes are set as before.
- The opcode field has a different value that tells us that this is a reply.
- Next come the four key fields, the sender MAC (Ethernet) and IP and the target MAC (Ethernet) and IP just as before. These fields are reversed from the corresponding request, since the old target is the new sender (and vice versa). The fields should now be all filled in since both computers have supplied their addresses.
Step 3: ARP request and reply
To show your understanding of an ARP exchange, draw a figure that shows the ARP request and reply packets sent between your computer and the default gateway. Make it for the case we examined of your computer doing an ARP for the default gateway. Label one packet the request and the other the reply. Give the sender and target MAC and IP addresses for each packet; you can use Wireshark to inspect the packets to get these values. Finally, circle the sought after Ethernet address on your drawing to show where it comes from in the exchange.
Turn-in: Hand in your drawing of the ARP exchange.
Step 4: Details of ARP over Ethernet
To look at further details of ARP, examine an ARP request and ARP reply to answer these questions:
- What opcode is used to indicate a request? What about a reply?
- How large is the ARP header for a request? What about for a reply?
- What value is carried on a request for the unknown target MAC address?
ARP packets are carried in Ethernet frames, and the values of the Ethernet header fields are chosen to support ARP. For instance, you may wonder how an ARP request packet is delivered to the target computer so that it can reply and tell the requestor its MAC address. The answer is that the ARP request is (normally) broadcast at the Ethernet layer so that it is received by all computers on the local network including the target. Look specifically at the destination Ethernet address of a request: it is set to ff:ff:ff:ff:ff:ff, the broadcast address. So the target receives the request and recognizes that it is the intended recipient of the message; other computers that receive the request know that it is not meant for them. Only the target responds with a reply. However, anyone who receives an ARP packet can learn a mapping from it: the sender MAC and sender IP pair. Note that nothing in ARP authenticates that pair; a host simply believes what the packet says. That is why an ARP reply that no request preceded, or a gateway IP that suddenly shows up with a different MAC, deserves a second look in a trace.
Examine an ARP request and reply to answer these questions:
- What Ethernet Type value indicates that ARP is the higher layer protocol?
- Is the ARP reply broadcast (like the ARP request) or not?
Turn-in: Hand in your answers to the above questions.
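The request and reply examined in Steps 2 through 4, built and decoded from raw bytes so the field layout is explicit. This is an added example for this lab, not code from the original text or from Wireshark; the frames are constructed here rather than captured, and the addresses 00:11:22:33:44:55 / 192.168.1.10 (“your computer”) and 00:aa:bb:cc:dd:ee / 192.168.1.1 (“default gateway”) are made-up placeholders.

```python
"""ARP request/reply inside Ethernet frames, built and decoded with struct.

Added example for this lab, not code from the original text or from
Wireshark. The frames are constructed here rather than captured; the
addresses 00:11:22:33:44:55 / 192.168.1.10 ("your computer") and
00:aa:bb:cc:dd:ee / 192.168.1.1 ("default gateway") are made-up placeholders.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806   # Ethernet Type field value that means "payload is ARP"
HTYPE_ETHERNET = 1       # ARP hardware type for Ethernet
PTYPE_IPV4 = 0x0800      # ARP protocol type for IPv4 (same code as the IPv4 EtherType)
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"   # placeholder for the MAC the requester does not know

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType: 14 bytes
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa: 28 bytes


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpPacket:
    dst_mac: str      # Ethernet destination: broadcast for a normal request, unicast for the reply
    src_mac: str      # Ethernet source
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # the four key ARP fields
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # A host talking about its own address: sender and target IP are equal.
        return self.sender_ip == self.target_ip


def build_frame(pkt: ArpPacket) -> bytes:
    """Serialize an ArpPacket as Ethernet header + 28-byte ARP header."""
    arp = ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, pkt.opcode,
                       mac_to_bytes(pkt.sender_mac), ip_to_bytes(pkt.sender_ip),
                       mac_to_bytes(pkt.target_mac), ip_to_bytes(pkt.target_ip))
    return ETH_HDR.pack(mac_to_bytes(pkt.dst_mac), mac_to_bytes(pkt.src_mac), ETHERTYPE_ARP) + arp


def parse_frame(frame: bytes) -> ArpPacket:
    """Decode an Ethernet frame carrying ARP. Trailing bytes (Ethernet padding
    up to the 60-byte minimum, which a real capture often shows) are ignored."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{etype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unsupported ARP opcode {op}")
    return ArpPacket(bytes_to_mac(dst), bytes_to_mac(src), op,
                     bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa))


def info(pkt: ArpPacket) -> str:
    """The same summary Wireshark puts in its Info column."""
    if pkt.opcode == OP_REQUEST:
        return f"Who has {pkt.target_ip}? Tell {pkt.sender_ip}"
    return f"{pkt.sender_ip} is at {pkt.sender_mac}"


def arp_exchange(my_mac: str, my_ip: str, gw_mac: str, gw_ip: str):
    """The two frames of the Step 2/3 exchange: your computer asks for the
    gateway's MAC (target MAC left all-zero, frame broadcast); the gateway
    answers with the roles swapped and every field filled in (frame unicast)."""
    request = build_frame(ArpPacket(BROADCAST_MAC, my_mac, OP_REQUEST, my_mac, my_ip, ZERO_MAC, gw_ip))
    reply = build_frame(ArpPacket(my_mac, gw_mac, OP_REPLY, gw_mac, gw_ip, my_mac, my_ip))
    return request, reply


if __name__ == "__main__":
    for frame in arp_exchange("00:11:22:33:44:55", "192.168.1.10", "00:aa:bb:cc:dd:ee", "192.168.1.1"):
        pkt = parse_frame(frame)
        print(f"{info(pkt):45} dst={pkt.dst_mac}  ethertype=0x{ETHERTYPE_ARP:04x}  "
              f"arp_bytes={len(frame) - ETH_HDR.size}  hex={frame.hex()}")
```

Running it prints the two frames as hex, so you can line the bytes up against Wireshark's byte pane: bytes 12-13 are the EtherType 08 06, bytes 20-21 the opcode, and the 28-byte ARP header ends at byte 41. A real capture of the same exchange usually shows 60-byte frames, because Ethernet pads short frames; `parse_frame` ignores that padding.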
Explore on your own
We encourage you to explore ARP on your own once you have completed this lab. One suggestion is to look at other ARP packets that may have been recorded in your trace; we only examined an ARP request by your computer and the ARP reply from the default gateway.
To see if there is other ARP activity, make sure to clear any Ethernet address filter that is set. Other ARP packets may exhibit any of the following kinds of behavior for you to explore:
- ARP requests broadcast by other computers. The other computers on the local network are also using ARP. Since requests are broadcast, your computer will receive their requests.
- ARP replies sent by your computer. If another computer happens to ARP for the IP address of your computer, then your computer will send an ARP reply to tell it the answer.
- Gratuitous ARPs in which your computer sends a request or reply about itself. This is helpful when a computer or link comes up to make sure that no-one else is using the same IP address, and it lets neighbors update their caches. Gratuitous ARPs have the same sender and target IP address, and Wireshark’s Info column identifies them as gratuitous.
- Other ARP requests sent by your computer and the corresponding ARP reply. Your computer may need to ARP for other hosts besides the default gateway after you flush its ARP cache.
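The four kinds of packets listed above, sorted out programmatically, together with the point made in Step 4 that any receiver learns the sender MAC/IP pair from every ARP packet it sees. This is an added example for this lab, not code from the original text. The records are constructed stand-ins for already-decoded ARP packets (the fields Wireshark displays), with made-up addresses: 00:11:22:33:44:55 is “your computer” at 192.168.1.10, 00:aa:bb:cc:dd:ee the gateway at 192.168.1.1, 00:de:ad:be:ef:01 another host at 192.168.1.20, and 02:00:00:00:00:99 a third machine that, in the last record, sends an unrequested reply claiming the gateway’s IP.

```python
"""Classify the ARP traffic a capture may contain and replay it as a cache.

Added example for this lab, not code from the original text. The records
are constructed stand-ins for already-decoded ARP packets with made-up
addresses (see the lead-in); nothing here was captured from a real network.
"""
from collections import namedtuple

# The fields Wireshark shows for an ARP packet, plus the Ethernet dst/src.
Arp = namedtuple("Arp", "dst_mac src_mac opcode sender_mac sender_ip target_mac target_ip")

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO = "00:00:00:00:00:00"
MY_MAC, MY_IP = "00:11:22:33:44:55", "192.168.1.10"      # placeholder: your computer
GW_MAC, GW_IP = "00:aa:bb:cc:dd:ee", "192.168.1.1"       # placeholder: default gateway
OTHER_MAC, OTHER_IP = "00:de:ad:be:ef:01", "192.168.1.20"  # placeholder: another host
THIRD_MAC = "02:00:00:00:00:99"                          # placeholder: a third machine

# Constructed trace, in capture order, after clearing the cache and fetching a page.
SAMPLE = [
    Arp(BROADCAST, MY_MAC, 1, MY_MAC, MY_IP, ZERO, GW_IP),             # our request for the gateway
    Arp(MY_MAC, GW_MAC, 2, GW_MAC, GW_IP, MY_MAC, MY_IP),              # the gateway's reply
    Arp(BROADCAST, OTHER_MAC, 1, OTHER_MAC, OTHER_IP, ZERO, MY_IP),    # another host asks for us
    Arp(OTHER_MAC, MY_MAC, 2, MY_MAC, MY_IP, OTHER_MAC, OTHER_IP),     # we answer it
    Arp(BROADCAST, OTHER_MAC, 1, OTHER_MAC, OTHER_IP, ZERO, OTHER_IP), # its gratuitous ARP
    Arp(MY_MAC, THIRD_MAC, 2, THIRD_MAC, GW_IP, MY_MAC, MY_IP),        # reply nobody asked for
]


def classify(pkt, my_mac):
    """Name the kind of ARP packet from the viewpoint of the host my_mac."""
    if pkt.sender_ip == pkt.target_ip:
        return "gratuitous"   # a request or reply a host sends about its own address
    if pkt.opcode == 1:
        return "request-from-me" if pkt.src_mac == my_mac else "request-from-other"
    if pkt.opcode == 2:
        if pkt.src_mac == my_mac:
            return "reply-from-me"
        return "reply-to-me" if pkt.dst_mac == my_mac else "reply-overheard"
    return "unknown"


def audit(packets, my_mac):
    """Replay the packets into a cache that learns the sender MAC/IP pair from
    every packet, as any receiver can. Returns the final table and the events
    worth a second look: a reply we never asked for, and an IP whose MAC changed
    (a replaced network card is one explanation; a forged reply is another)."""
    table = {}        # ip -> mac, as a host that believed every packet would have it
    pending = set()   # IPs we asked about and have not yet heard back on
    events = []
    for i, p in enumerate(packets):
        kind = classify(p, my_mac)
        if kind == "request-from-me":
            pending.add(p.target_ip)
        elif kind == "reply-to-me":
            if p.sender_ip in pending:
                pending.discard(p.sender_ip)
            else:
                events.append((i, "unsolicited-reply", p.sender_ip))
        previous = table.get(p.sender_ip)
        if previous is not None and previous != p.sender_mac:
            events.append((i, "mapping-changed", f"{p.sender_ip}: {previous} -> {p.sender_mac}"))
        table[p.sender_ip] = p.sender_mac
    return table, events


if __name__ == "__main__":
    for i, p in enumerate(SAMPLE):
        print(i, f"{classify(p, MY_MAC):20}", p.sender_ip, p.sender_mac, "->", p.target_ip)
    table, events = audit(SAMPLE, MY_MAC)
    print("learned:", table)
    for event in events:
        print("event:", *event)
```

On the constructed trace the first five records are the ordinary mix the lab describes (our own request and the gateway's reply, another host's broadcast request, our reply to it, and its gratuitous ARP). The sixth is the case the audit exists for: a reply arrives for 192.168.1.1 although nothing is pending, and it carries a different MAC than the one learned two packets earlier. A cache that accepts it now sends traffic meant for the gateway to 02:00:00:00:00:99. To try this against your own capture, export the ARP packets from Wireshark (File > Export Packet Dissections > As CSV with the arp fields added as columns) and build `Arp` records from the rows.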