Every IP packet that travels on a local network gets wrapped in an Ethernet frame. Every Ethernet frame needs a MAC address to reach its destination. ARP is the protocol that turns IP addresses into MAC addresses. This week you see the link layer in its byte-level detail.
Theme
Your laptop has an IP address (say, 192.168.1.100) and a MAC address (a 48-bit hardware address burned into the network card). When your laptop wants to send a packet to your router, it needs to know the router's MAC address -- IP addresses alone are not enough to reach a device on the local network. It finds the MAC address by broadcasting an ARP request: "Who has 192.168.1.1? Tell me your MAC." The router replies with its MAC. Your laptop records that answer in its ARP cache and sends the Ethernet frame to the correct destination. This week you watch that exchange happen at the byte level.
Reading (~45 minutes)
- Stevens TCP/IP Illustrated Ch 4 ("ARP: Address Resolution Protocol"): ARP request, ARP reply, the ARP cache
- Kurose & Ross Ch 6 §6.1-6.2 ("Introduction to the Link Layer", "Error-Detection and Correction Techniques"): what the link layer is and what Ethernet does at the physical level
- Optional: Wireshark wiki, "Ethernet" (https://wiki.wireshark.org/Ethernet): the Ethernet frame format field by field
Lecture outline (~2 hours)
Section 1: The Ethernet frame
- Ethernet is the dominant link-layer protocol for wired LANs and the underlying layer for most Wi-Fi frames at the logical level
- An Ethernet frame contains:
| Field | Size | Contents |
|---|---|---|
| Destination MAC | 6 bytes | MAC address of the next-hop recipient |
| Source MAC | 6 bytes | MAC address of the sender's NIC |
| EtherType | 2 bytes | Protocol of the payload (0x0800 = IPv4; 0x0806 = ARP; 0x86DD = IPv6) |
| Payload | 46-1500 bytes | The IP packet (or ARP message, or other payload) |
| FCS (CRC) | 4 bytes | Frame Check Sequence: error detection; usually stripped before Wireshark sees it |
- MAC addresses: 48 bits, written as 6 hex pairs separated by colons (e.g., `02:00:00:aa:bb:cc`)
- The first 24 bits (3 bytes) are the OUI (Organizationally Unique Identifier) assigned to the manufacturer. Wireshark resolves OUIs to vendor names by default.
- Locally administered vs globally administered: the second-least-significant bit of the first byte indicates local (1) vs global (0). Academy fixture captures use locally administered MACs (`02:*`).
Section 2: MAC addressing and switching
- A switch operates at layer 2: it reads the destination MAC of each frame and forwards the frame to the correct port
- The switch builds a MAC address table by noting which port each source MAC address arrives on
- Unicast, broadcast, multicast:
  - Unicast: a specific destination MAC (e.g., `02:00:00:aa:bb:cc`)
  - Broadcast: `ff:ff:ff:ff:ff:ff` -- delivered to every device on the local segment
  - Multicast: first byte has bit 0 (the least-significant bit) set; delivered to the group of devices subscribed to that multicast address
- Before a switch knows where a destination MAC lives, it floods the frame to all ports. After the first exchange, it forwards only to the correct port.
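The learn-then-forward behaviour described in this section, as an added example (not part of the course notes): a minimal learning-switch model run over a constructed three-frame exchange between a laptop on port 0 and a router on port 3. Port numbers and MAC addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LearningSwitch:
    """Layer-2 switch model: learn source MAC per port, flood unknown destinations."""
    ports: int
    table: dict = field(default_factory=dict)   # MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for a frame, learning src on the way."""
        self.table[src] = in_port                # learning: note which port src arrived on
        if dst == "ff:ff:ff:ff:ff:ff" or dst not in self.table:
            return {p for p in range(self.ports) if p != in_port}   # flood, except ingress
        out = self.table[dst]
        return set() if out == in_port else {out}   # known dst: only the learned port

# Constructed sample on a 4-port switch: laptop on port 0, router on port 3
sw = LearningSwitch(ports=4)
LAPTOP, ROUTER, BCAST = "02:00:00:aa:bb:cc", "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"
steps = [sw.forward(0, LAPTOP, BCAST),    # ARP request: flooded to ports 1, 2, 3
         sw.forward(3, ROUTER, LAPTOP),   # ARP reply: laptop already learned -> port 0 only
         sw.forward(0, LAPTOP, ROUTER)]   # first IP frame: router learned -> port 3 only
```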
Section 3: ARP -- Address Resolution Protocol
- ARP answers: "I have an IP address. What is the MAC address of the device with this IP?"
- ARP request: broadcast frame (destination `ff:ff:ff:ff:ff:ff`); asks "Who has X.X.X.X?"
- ARP reply: unicast frame back to the requester; says "I have X.X.X.X; my MAC is AA:BB:CC:DD:EE:FF"
- ARP cache: each device keeps a table of IP-to-MAC mappings it has learned; entries expire after a timeout (typically 2-20 minutes)
- Gratuitous ARP: a device sends an ARP reply without being asked, announcing its own IP-to-MAC mapping. Used when a device joins the network or after failover.
Section 4: ARP fields in a capture
| Field | Size | Contents |
|---|---|---|
| Hardware type | 2 bytes | 0x0001 = Ethernet |
| Protocol type | 2 bytes | 0x0800 = IPv4 |
| Hardware address length | 1 byte | 6 (MAC address size) |
| Protocol address length | 1 byte | 4 (IPv4 address size) |
| Operation | 2 bytes | 1 = request; 2 = reply |
| Sender hardware address | 6 bytes | Sender's MAC |
| Sender protocol address | 4 bytes | Sender's IP |
| Target hardware address | 6 bytes | 00:00:00:00:00:00 in a request (unknown); filled in a reply |
| Target protocol address | 4 bytes | The IP being queried |
Display filter: `arp.opcode == 1` for requests; `arp.opcode == 2` for replies.
Section 5: ARP anomalies -- the storm
- Normal ARP: a device asks for a MAC once; the answer is cached; subsequent traffic uses the cached MAC
- ARP storm: many ARP requests in a short time; can indicate a misconfigured device, a broadcast loop, or a scanning tool
- In `arp-storm.pcap`: 622 packets; rapid ARP requests from a single source. This looks abnormal because the request rate is far higher than any normal host needs.
- An analyst who knows what a normal ARP exchange looks like (two packets, then silence) can immediately recognize the storm as anomalous.
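One block serving both the Section 4 field table and the storm discussion above, added here and not part of the course notes: a byte-level decoder for an Ethernet frame carrying ARP (Section 1 header, then the ARP fields in table order) and a per-source request counter that flags the kind of imbalance seen in a storm. The frames are built inline as a constructed fixture, not taken from `arp-storm.pcap`; the MAC addresses, IPs and the threshold of 20 requests are assumptions.

```python
import struct
from collections import Counter

ETHERTYPE_ARP, BROADCAST, ZERO_MAC = 0x0806, b"\xff" * 6, b"\x00" * 6
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: ".".join(str(x) for x in b)
ip_bytes = lambda s: bytes(int(x) for x in s.split("."))

def mac_kind(b):
    """Classify a MAC from the first byte's flag bits: I/G is bit 0, U/L is bit 1."""
    if b == BROADCAST:
        return "broadcast"
    cast = "multicast" if b[0] & 0x01 else "unicast"
    return f"{cast}/{'local' if b[0] & 0x02 else 'global'}"

def parse_arp_frame(frame):
    """Decode Ethernet header + ARP body, field order as in the Section 4 table."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None                 # too short, or EtherType is not ARP (0x0806)
    dst, src = frame[:6], frame[6:12]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                 # not Ethernet/IPv4 ARP: refuse rather than guess
    b = frame[22:42]                # 28-byte ARP message; Ethernet padding after it is ignored
    return {"dst": mac_str(dst), "src": mac_str(src), "dst_kind": mac_kind(dst),
            "op": {1: "request", 2: "reply"}.get(op, op),
            "sha": mac_str(b[:6]), "spa": ip_str(b[6:10]),
            "tha": mac_str(b[10:16]), "tpa": ip_str(b[16:20])}

def build_arp(op, sha, spa, tha, tpa, dst):
    """Build a constructed ARP frame for the sample below (fixture, not a real capture)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return (dst + sha + struct.pack("!H", ETHERTYPE_ARP) + arp).ljust(60, b"\x00")  # 46-byte min payload

def storm_check(frames, max_requests):
    """Count ARP requests per source MAC and replies overall; flag sources over max_requests."""
    requests, replies = Counter(), 0
    for p in filter(None, map(parse_arp_frame, frames)):
        if p["op"] == "request":
            requests[p["src"]] += 1
        elif p["op"] == "reply":
            replies += 1
    return requests, replies, sorted(m for m, n in requests.items() if n > max_requests)

# Constructed sample: one normal request/reply pair, then one host asking for 100 different IPs
LAPTOP, ROUTER, NOISY = (bytes.fromhex(h) for h in ("020000aabbcc", "020000000001", "020000deadbe"))
SAMPLE = [build_arp(1, LAPTOP, ip_bytes("192.168.1.100"), ZERO_MAC, ip_bytes("192.168.1.1"), BROADCAST),
          build_arp(2, ROUTER, ip_bytes("192.168.1.1"), LAPTOP, ip_bytes("192.168.1.100"), LAPTOP)]
SAMPLE += [build_arp(1, NOISY, ip_bytes("192.168.1.50"), ZERO_MAC, ip_bytes(f"192.168.1.{i}"), BROADCAST)
           for i in range(1, 101)]
```

`storm_check(SAMPLE, 20)` returns the per-source request counts, the reply count, and the flagged sources; the normal pair contributes one request and one reply, while the noisy host alone is flagged.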
Labs (~90 minutes)
Lab 2-1: Ethernet and ARP (labs/lab-2-1-ethernet-arp.md)
Independent practice (~7 hours)
- Read Stevens Ch 4 in full; work through the ARP cache examples
- On your own machine: run `arp -n` (Linux/macOS) or `arp -a` (Windows) to see your ARP cache. Which IP addresses are listed? Which MAC addresses correspond to which devices on your network?
- Load `fundamentals-arp-request-reply.pcap` in pcap-tools. Expand the ARP header. Verify every field matches the table above. What is the EtherType in the Ethernet header?
- Load `arp-storm.pcap`. Apply the display filter `arp.opcode == 1`. How many requests are there? Apply `arp.opcode == 2`. How many replies? What does the ratio tell you?
- Look up "Proxy ARP" and explain in one paragraph why it exists and when it is used.
Reflection prompts (~30 minutes)
- ARP replies are not authenticated. Any device on the network can reply to any ARP request with any MAC address. What is the attack that this enables? (Look up "ARP spoofing.")
- The ARP cache has a timeout. Why does the cache expire? What would go wrong if ARP entries never expired?
- A switch learns MAC addresses by watching traffic. What happens when the switch's MAC address table is full? (Look up "MAC flooding attack.")
- The Ethernet frame has a minimum payload size of 46 bytes. Why does a minimum size exist? What happens to a payload smaller than 46 bytes?
- Wi-Fi uses a different frame format at the physical layer but your operating system presents it to software as if it were Ethernet. Why does that abstraction matter?
What comes next
Week 3 moves to the network layer: the IPv4 header, IP addressing, subnets, and how a packet gets routed from your laptop to a server in another country.