4.1.7 Lab: Explore ARP in Wireshark

Author fotoperfecta
4 min read


The Address Resolution Protocol (ARP, RFC 826) maps an IPv4 address to the MAC (hardware) address that owns it on a local Ethernet segment. In this lab you will use Wireshark to capture live traffic, generate ARP requests and replies, and examine the protocol’s inner workings. By the end of the exercise you will be able to identify the ARP packet structure, explain why ARP is required before any IPv4 packet can be sent on an Ethernet LAN, and recognise common ARP‑related problems (duplicate addresses, stale cache entries, spoofed replies).


Why Study ARP with Wireshark?

  • Visibility: Wireshark displays every byte that traverses the network interface, letting you see the exact fields that ARP uses.
  • Troubleshooting: Mis‑behaving ARP (duplicate IP addresses, ARP spoofing, stale cache entries) often shows up as abnormal request/reply patterns.
  • Foundational Knowledge: Understanding ARP lays the groundwork for more advanced topics such as VLANs, proxy ARP, and IPv6 Neighbor Discovery.

Lab Overview

Step | Action | Expected Outcome
-----|--------|-----------------
1 | Prepare two PCs (or a PC and a virtual machine) on the same LAN and assign static IPs in the same subnet. | Both hosts can ping each other once ARP resolves.
2 | Install and start Wireshark on the sniffing host, select the appropriate interface, and begin a live capture. | Wireshark shows a live packet list.
3 | Generate traffic by pinging the remote host from the source host. | An ARP request followed by an ARP reply appears in the capture.
4 | Stop the capture, apply the display filter arp to isolate ARP packets, and examine the packet details. | You can read the opcode and the sender/target MAC and IP fields.
5 | (Optional) Introduce a duplicate IP address or change a host’s MAC to observe ARP anomalies. | Duplicate ARP replies or gratuitous ARP frames become visible.
6 | Document observations, answer the lab questions, and clean up the capture file. | Lab report complete.

Detailed Procedure

1. Network Setup

  1. Connect Host A and Host B to the same switch, or directly with an Ethernet cable (modern NICs auto‑negotiate the pairing with Auto‑MDIX, so a crossover cable is only needed for very old hardware).
  2. Assign static IP addresses:
    • Host A – 192.168.10.10/24
    • Host B – 192.168.10.20/24
  3. Verify connectivity with ping 192.168.10.20 from Host A. ARP resolution happens automatically, so the ping should succeed; on some systems the very first echo request is delayed or times out while the ARP exchange completes, and the following ones are answered. If no reply ever arrives, check that a host firewall is not dropping ICMP echo requests.

2. Start Wireshark

  1. On Host A, launch Wireshark with capture privileges. On Windows this means running it as an administrator (Npcap provides the capture driver); on Linux, add your user to the wireshark group so that dumpcap can capture for you, rather than running the whole GUI as root.
  2. Choose the Ethernet interface that corresponds to the LAN connection.
  3. Click the blue shark fin to start capturing. You should see a steady stream of broadcast and multicast frames (e.g., LLDP, STP).

3. Generate ARP Traffic

  1. Open a command prompt/terminal on Host A.
  2. Execute ping 192.168.10.20.
  3. Before the first ICMP Echo Request can be placed on the wire, Host A must learn Host B’s MAC address, so it broadcasts an ARP request; the Echo Request is only sent once the ARP reply has arrived.

4. Stop Capture and Filter

  1. After receiving a few ping replies, click the red square to stop the capture.
  2. In the display filter bar, type arp and press Enter. The packet list now shows only ARP frames.

5. Examine an ARP Request

Select the first ARP packet (usually labeled “Who has 192.168.10.20? Tell 192.168.10.10”). In the packet details pane you will see:

  • Hardware type: 1 (Ethernet)
  • Protocol type: 0x0800 (IPv4)
  • Hardware size: 6 bytes (MAC)
  • Protocol size: 4 bytes (IPv4)
  • Opcode: 1 (request)
  • Sender MAC address: <MAC of Host A>
  • Sender IP address: 192.168.10.10
  • Target MAC address: 00:00:00:00:00:00 (all zeros; the requester does not know it yet)
  • Target IP address: 192.168.10.20

Also expand the Ethernet II header above the ARP section: the frame’s destination is the broadcast address ff:ff:ff:ff:ff:ff (which is why every host on the segment receives the request) and its type is 0x0806 (ARP). The all‑zero target MAC lives inside the ARP payload and is distinct from that Ethernet destination.

6. Examine an ARP Reply

Select the subsequent ARP packet (“192.168.10.20 is at <MAC of Host B>”). Notable fields:

  • Opcode: 2 (reply)
  • Sender MAC address: <MAC of Host B>
  • Sender IP address: 192.168.10.20
  • Target MAC address: <MAC of Host A> (the original requester)
  • Target IP address: 192.168.10.10

7. Observe ARP Cache Update

On Host A, run arp -a (Windows or macOS) or ip neigh show (Linux). You should see an entry for 192.168.10.20 with the MAC address you just observed in the reply (Linux marks it REACHABLE). Subsequent pings will not generate ARP requests because the cache supplies the MAC address directly; cache entries age out after a timeout, after which the next packet triggers a fresh request.

8. (Optional) Introduce Anomalies

  • Duplicate IP: Assign Host B’s IP (192.168.10.20) to a third host on the same LAN. When Host A pings, you will see two ARP replies with different MAC addresses for the same IP, indicating a conflict; Wireshark’s expert info additionally flags the frame with “Duplicate IP address detected”. Which MAC ends up in Host A’s cache depends on which reply was processed last.
  • Gratuitous ARP: Change Host A’s MAC address (e.g., via a virtual MAC spoofing tool) and bring the interface back up. Host A will broadcast a gratuitous ARP request (Who has 192.168.10.10? Tell 192.168.10.10, i.e. sender and target IP are identical) to announce its new MAC. Whether this happens automatically is OS‑dependent: Windows announces on address assignment, while Linux only does so when net.ipv4.conf.<interface>.arp_notify is set to 1. On Linux you can send one explicitly with arping -U -I <interface> 192.168.10.10.
  • ARP Spoofing: Using a tool like ettercap or scapy, send a forged ARP reply claiming to be the gateway. Observe how Host A’s ARP table is overwritten, which is the basis of ARP‑based man‑in‑the‑middle attacks. In the capture, note that the forged reply was never preceded by a matching request and that its Ethernet source address may not match the sender MAC inside the ARP payload. Do this only on the isolated lab segment you built for this exercise.
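To make the field layout from steps 5 and 6 and the anomaly patterns from step 8 concrete, the following Python script is an added example (it is not part of the original lab and does not use Wireshark itself). It builds Ethernet+ARP frames byte for byte, parses them back into the same fields Wireshark shows, approximates Wireshark’s Info column, and then scans a small constructed capture for duplicate‑IP replies, gratuitous ARP, and Ethernet‑source/ARP‑sender mismatches (a common spoofing heuristic). The MAC addresses and the capture contents are invented for the example.

```python
import struct
from collections import defaultdict

# Field values from RFC 826 / the Wireshark packet details shown above.
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Build a 42-byte Ethernet II frame carrying one ARP packet.

    Requests go to the Ethernet broadcast address; replies are unicast to
    the requester.  The ARP target MAC of a request is all zeros, which is
    a separate field from the Ethernet destination."""
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if op == OP_REQUEST else target_mac
    eth = _mac_bytes(dst_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Parse an Ethernet+ARP frame into the fields Wireshark displays.

    Returns None for frames that are not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {
        "eth_dst": _mac_str(dst), "eth_src": _mac_str(src), "opcode": op,
        "sender_mac": _mac_str(frame[22:28]), "sender_ip": _ip_str(frame[28:32]),
        "target_mac": _mac_str(frame[32:38]), "target_ip": _ip_str(frame[38:42]),
    }


def describe(p):
    """Approximate Wireshark's Info column for a parsed ARP packet."""
    if p["opcode"] == OP_REQUEST:
        if p["sender_ip"] == p["target_ip"]:
            return f"Gratuitous ARP for {p['sender_ip']} (Request)"
        return f"Who has {p['target_ip']}? Tell {p['sender_ip']}"
    return f"{p['sender_ip']} is at {p['sender_mac']}"


def analyse(frames):
    """Scan a list of raw frames for the anomalies from step 8.

    Returns (frame_no, kind, ip, mac) tuples; frame numbers start at 1
    like Wireshark's packet list."""
    claimed = defaultdict(set)  # IP -> set of MACs that have claimed it
    findings = []
    for n, frame in enumerate(frames, 1):
        p = parse_arp(frame)
        if p is None:
            continue
        if p["opcode"] == OP_REQUEST and p["sender_ip"] == p["target_ip"]:
            findings.append((n, "gratuitous", p["sender_ip"], p["sender_mac"]))
        if p["sender_mac"] != p["eth_src"]:  # heuristic: forged payload
            findings.append((n, "src-mismatch", p["sender_ip"], p["sender_mac"]))
        claimed[p["sender_ip"]].add(p["sender_mac"])
        if len(claimed[p["sender_ip"]]) > 1:
            findings.append((n, "duplicate-ip", p["sender_ip"], p["sender_mac"]))
    return findings


# Constructed capture: the request/reply from steps 5-6, then a third host
# answering for Host B's IP, then Host A announcing itself (gratuitous ARP).
A_MAC, A_IP = "00:11:22:33:44:0a", "192.168.10.10"  # invented for the example
B_MAC, B_IP = "00:11:22:33:44:0b", "192.168.10.20"
C_MAC = "00:11:22:33:44:0c"                          # rogue third host
SAMPLE_CAPTURE = [
    build_arp(OP_REQUEST, A_MAC, A_IP, ZERO_MAC, B_IP),
    build_arp(OP_REPLY, B_MAC, B_IP, A_MAC, A_IP),
    build_arp(OP_REPLY, C_MAC, B_IP, A_MAC, A_IP),
    build_arp(OP_REQUEST, A_MAC, A_IP, ZERO_MAC, A_IP),
]

if __name__ == "__main__":
    for n, f in enumerate(SAMPLE_CAPTURE, 1):
        print(n, describe(parse_arp(f)))
    for finding in analyse(SAMPLE_CAPTURE):
        print("finding:", finding)
```

The same analyse() function can be pointed at real frames by reading them from the arp_lab.pcapng you save in step 9 with a pcap library, or by exporting the ARP packets as raw bytes from Wireshark.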

9. Save and Document

  1. Export the captured packets (File → Export Specified Packets…) and save as arp_lab.pcapng.
  2. Answer the lab questions (e.g., “What is the purpose of the opcode field?”, “Why does the target MAC address in a request contain all zeros?”).
  3. Clear the ARP cache on both hosts (arp -d * on Windows, ip neigh flush all on Linux) and close Wireshark, discarding any unsaved capture so that no stray temporary capture files are left behind.

Technical Explanation of ARP

ARP operates at the **Link
