How to Verify Virtual Network Connectivity by Using the snoop Command

The following task observes traffic on the private network configured in Example 11-7.
Gather information about network traffic on the private virtual network. Check the snoop output to verify connectivity among the VNICs of the etherstub.
Using device etherstub0 (promiscuous mode)

Then, vnic0 sends out an ARP request to vnic1:

What we need instead is something like the following:

Suppose A wants to log in to secure server S, using a password.
How can B (for Bad) impersonate S? First, B makes sure the real S is down, either by waiting until scheduled downtime or by launching a denial-of-service attack against S. There is a trivial way to do this: B simply needs to set its own IP address to that of S. A will connect, and may be convinced to give its password to B.
This works even if the communications channel A uses is encrypted! If A is using the SSH protocol

Unfortunately, many users (and even some IT departments) do not recognize this as a serious problem.

There are a number of ways of achieving this, but one of the simplest is known as ARP Failover. As long as B is trafficking in stateless operations (e.g. HTML), B can pick up right where A left off.

Finally, there is an interesting use of ARP to detect Ethernet password sniffers (generally not quite the issue it once was, due to encryption and switching).
Address it not to the broadcast Ethernet address, though, but to some nonexistent Ethernet address. However, they do respond to faked Ethernet multicast addresses, such as ff:ff:ff or ff:ff:ff:ff:ff:fe.

If host A has two interfaces, iface1 and iface2, on the same LAN, with respective IP addresses A1 and A2, then it is common for the two to be used interchangeably.
Traffic addressed to A1 may be received via iface2 and vice versa, and traffic from A1 may be sent via iface2. In support of this model, ARP can usually be configured (in fact this is often the default) so that ARP requests for either IP address, received by either interface, may be answered with either physical address. Usually all requests are answered with the physical address of the preferred (i.e. faster) interface.
ARP is built into the IP configuration of every node. This means that developers at Microsoft, Sun, Google, and in the open source community develop their operating systems for operation on an IPv4 network, and code for ARP is included.
This is after the node consults its ARP table and determines that the address is in fact unknown. Figure shows this message exchange. Wireshark interprets this conversation as a question followed by an answer. In the first line, one node

The construction of the ARP request message is shown in Figure. Consider the details of the two message types, paying special attention to the addressing used in both the frame and the ARP fields.
The terms hardware address and protocol address are used as general descriptions, but operationally these will almost always be Ethernet six-byte hardware addresses and IP four-byte addresses. The OpCode will be either a request or a reply.
This leaves only the destination MAC unknown. The request packet is completed by padding the unknown address field with 0s. The reply will fill in the correct value. Line 2 of Figure shows that the Ethernet frame source MAC is the machine sending the request, but the frame destination MAC is a broadcast address. This ensures all nodes pay attention, thereby guaranteeing that if the destination is connected and powered up, it will respond. While there are IP or protocol addresses used in this message, it does not actually have an IP header.
It also means that the Ethertype in an Ethernet frame carrying an ARP message is different from that in standard data traffic. This difference is shown in Figure. Frame 17 in Figure has a hexadecimal type value of 0x and lacks an IP header. Frame 12 has a hexadecimal type value of 0x and does have an IP header. This difference can affect packet filtering or the firewall rules in place, depending on the information sought.
The reply is heading in the opposite direction. Thus, the sender and target addresses are now reversed. The code field has also changed to a reply. In the Ethernet frame itself, instead of a broadcast destination, both MAC addresses are now unicast. The reply goes directly to the original sender from the target, and other nodes will ignore the frame.

Build the data frame using the newly determined MAC address information in the destination field. Step 1 satisfies the original goal of sending a message to the destination.
The second step populates an ARP table to save time during the next transmission to the same destination. The next time the host must transmit a frame, it will search for the address in local memory and, if possible, use the address found there instead of issuing another ARP request. An example of an ARP table is shown in Figure. This output was obtained on a Windows machine with the command arp -a issued from the command shell.
Notice the two types of entries—static and dynamic. The normal entry will be a dynamic entry. Static entries are uncommon. The dynamic nature of these entries indicates that they are not permanent.
Regardless of the underlying operating system, all nodes will age out ARP table entries in a matter of minutes. Windows, for example, removes these entries after approximately two minutes. The time that an ARP table entry should be allowed to live has been debated, as there are differing opinions as to the perfect value. If the value is too short, the hosts will be re-ARPing at an increased rate and generating more network traffic. If the time is too long, bad or erroneous information may stick around longer and prevent hosts from reaching the proper destination.
With an understanding of what takes place under the hood, two examples will help illustrate ARP packet formation for near and far destinations when ARP table information is nonexistent. Packet capture activity of the frame depicted in Figure is shown in Figure. The MAC address requested in frame 1 is returned in frame 2. In this case, the destination node is on a remote LAN. Since Layer 2 MAC addressing is restricted to the local network, assistance is required from the designated default gateway, which will route the frame to the destination network.
Router ARP behavior is similar to that of hosts. They respond to ARP messages and have to locate locally connected nodes. To summarize, the sender is attempting to determine the target MAC address, but the ICMP echo request is heading for a destination on another network. Then the ARP process takes over. The algorithm the hosts use is discussed in Chapter 7. The conversation shown in Figure illustrates another important facet of ARP—only the host originating the conversation generating the ARP request will place an entry for the destination host in its local ARP table.
That is, other stations hearing the exchange, even if they receive the ARP request, will not add these stations to their own ARP tables. However, many hosts (especially routers) are aggressive when it comes to populating their tables and, upon hearing ARP traffic or being involved in ARP messages, will subsequently generate their own ARP requests to populate their tables. The packet capture sequence shown in Figure shows the original host using ARP to determine its default gateway when attempting to send to an offsite host.
After the conversation has been routed, the router (default gateway) issues its own ARP request for the original sending host. In this way, it populates its table with what it believes is a valid host address. This improves routing efficiency for future traffic forwarding. But the host must make sure no other network node is using the same address. For this reason, network hosts will often ARP for themselves.
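As an added example (not code from any of the sources this page draws on), the following Python builds the two ARP message types described above, parses them back from raw frame bytes, checks that a reply is the mirror image of its request, and flags any IP for which replies on the wire carry conflicting sender MACs, the stale or duplicate-address situation the text warns about. The Ethertype 0x0806 and the 28-byte ARP field layout are the standard values; the MAC and IP addresses used in the assertions are constructed sample data.

```python
import struct

ETHERTYPE_ARP = 0x0806  # Ethertype that marks an ARP frame (IP frames carry 0x0800)
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"  # a request pads the unknown target MAC with zeros
OP_REQUEST, OP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet header + 28-byte ARP body (hardware type 1 = Ethernet, IPv4)."""
    dst = BROADCAST if op == OP_REQUEST else target_mac  # request broadcast, reply unicast
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(ZERO_MAC if op == OP_REQUEST else target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp_frame(frame):
    """Return the frame and ARP addressing fields, or None if the Ethertype is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}

def reply_matches_request(req, rep):
    """True when rep mirrors req: sender/target swapped and the frame unicast to the asker."""
    return (req["op"] == OP_REQUEST and rep["op"] == OP_REPLY
            and rep["sender_ip"] == req["target_ip"] and rep["target_ip"] == req["sender_ip"]
            and rep["target_mac"] == req["sender_mac"] and rep["dst"] == req["sender_mac"])

def ip_mac_conflicts(frames):
    """IPs for which ARP replies seen on the wire claimed more than one sender MAC."""
    seen = {}
    for f in frames:
        p = parse_arp_frame(f)
        if p and p["op"] == OP_REPLY:
            seen.setdefault(p["sender_ip"], set()).add(p["sender_mac"])
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}
```

Real captures carry Ethernet padding beyond the 42 bytes built here, which the parser tolerates because it only reads the fixed offsets.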