MADHAV INSTITUTE OF TECHNOLOGY & SCIENCE, GWALIOR
(A Govt. Aided UGC Autonomous & NAAC Accredited Institute Affiliated to RGPV, Bhopal)
Networking With TCP/IP-150512
UNIT-2
Address Resolution Protocol (ARP):-
Address Resolution Protocol (ARP) is a network-specific standard protocol. The Address
Resolution Protocol is responsible for translating higher-level protocol addresses (IP addresses)
to physical network addresses. It is described in RFC 826.
ARP relates an IP address to the physical address. On a typical physical network such as a
LAN, each device on a link is identified by a physical address, usually printed on the network
interface card (NIC). A physical address can be changed easily when the NIC on a particular
machine fails.
The IP Address cannot be changed. ARP can find the physical address of the node when its
internet address is known. ARP provides a dynamic mapping from an IP address to the
corresponding hardware address.
When one host wants to communicate with another host on the network, it needs to resolve the
IP address of each host to the host's hardware address.
Prof. Hemlata Arya Department of CSE Subject Code: -150512
This process is as follows−
• When a host tries to interact with another host, an ARP request is initiated. If the IP
address is for the local network, the source host checks its ARP cache to find out the
hardware address of the destination computer.
• If the corresponding hardware address is not found, ARP broadcasts the request to all
the local hosts.
• All hosts receive the broadcast and check their own IP address. If no match is
discovered, the request is ignored.
• The destination host that finds the matching IP address sends an ARP reply to the source
host along with its hardware address, thus establishing the communication. The ARP
cache is then updated with the hardware address of the destination host.
ARP Packet Generation
If an application needs to send information to a specific IP destination address, the IP routing
mechanism first determines the IP address of the next hop of the packet (it could be the
destination host itself or a router) and the hardware device on which it should be transmitted.
If it is an IEEE 802.3/4/5 network, the ARP module must be consulted to map the
<protocol type, target protocol address> pair to a physical address.
The ARP module attempts to find the address in its ARP cache. If it finds the matching
pair, it returns the corresponding 48-bit physical address to the caller (the device driver),
which then transmits the packet.
If it does not find the pair in its table, it discards the packet (the assumption is that a
higher-level protocol will resend) and generates a network broadcast of an ARP request.
• Hardware address space: It specifies the type of hardware such as Ethernet or Packet
Radio net.
• Protocol address space: It specifies the type of protocol, the same as the EtherType field in
the IEEE 802 header (IP or ARP).
• Hardware Address Length: It determines the length (in bytes) of the hardware addresses
in this packet. For IEEE 802.3 and IEEE 802.5, this is 6.
• Protocol Address Length: It specifies the length (in bytes) of the protocol addresses in
this packet. For IP, this is 4 bytes.
• Operation Code: It specifies whether this is an ARP request (1) or reply (2).
• Source/target hardware address: It contains the physical network hardware addresses.
For IEEE 802.3, these are 48-bit addresses.
• For the ARP request packet, the target hardware address is the only undefined field in
the packet.
Types of ARP: -
There are four types of Address Resolution Protocol, which are given below:
➢ Proxy ARP
➢ Gratuitous ARP
➢ Reverse ARP (RARP)
➢ Inverse ARP
Proxy ARP - Proxy ARP is a method through which a Layer 3 device may respond to ARP
requests for a target that is in a different network from the sender. The router configured for
Proxy ARP responds to the ARP request, maps its own MAC address to the target IP address,
and fools the sender into believing that it has reached its destination.
At the backend, the proxy router sends the packets on to the appropriate destination because the
packets contain the necessary information.
Example - If Host A wants to transmit data to Host B, which is on a different network, then
Host A sends an ARP request message to obtain a MAC address for Host B. The router
responds to Host A with its own MAC address, pretending to be the destination. When Host A
transmits data to the destination, the data goes to the gateway, which sends it on to Host B.
This is known as proxy ARP.
Gratuitous ARP - Gratuitous ARP is an ARP request made by a host that helps to identify a
duplicate IP address. It is a broadcast request for the IP address of the router. If a switch or
router sends an ARP request for its own IP address and no ARP responses are received, no
other node is using the IP address allocated to that switch or router. If, however, a router or
switch sends an ARP request for its IP address and receives an ARP response, another node is
using the IP address allocated to the switch or router.
There are some primary use cases of gratuitous ARP that are given below:
➢ The gratuitous ARP is used to update the ARP table of other devices.
➢ It also checks whether the host is using the original IP address or a duplicate one.
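The ARP fields listed earlier and the duplicate-address use of gratuitous ARP can be seen together in a short parser. This is an added example, not part of the original notes; the function names, the 192.0.2.x addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

# Fixed part of an ARP packet: hardware address space, protocol address space,
# hardware address length, protocol address length, operation code.
ARP_FIXED = struct.Struct("!HHBBH")
OPCODES = {1: "request", 2: "reply"}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload (the bytes after the Ethernet header)."""
    if len(payload) < ARP_FIXED.size:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, op = ARP_FIXED.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if len(payload) < ARP_FIXED.size + 2 * (hlen + plen):
        raise ValueError("truncated ARP addresses")
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", payload, ARP_FIXED.size)
    return {
        "op": OPCODES.get(op, f"unknown({op})"),
        "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa),
        # Gratuitous ARP: the host asks about (or announces) its own IP address.
        "gratuitous": spa == tpa,
    }


def find_conflicts(payloads):
    """Replay ARP payloads in order and report IPs claimed by a second MAC."""
    cache, conflicts = {}, []
    for raw in payloads:
        pkt = parse_arp(raw)
        known = cache.get(pkt["sender_ip"])
        if known is not None and known != pkt["sender_mac"]:
            conflicts.append(
                (pkt["sender_ip"], known, pkt["sender_mac"], pkt["gratuitous"]))
        cache[pkt["sender_ip"]] = pkt["sender_mac"]
    return conflicts


def build(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a sample ARP payload (illustrative helper, not a real capture)."""
    return (ARP_FIXED.pack(1, 0x0800, 6, 4, op)
            + bytes.fromhex(sender_mac) + socket.inet_aton(sender_ip)
            + bytes.fromhex(target_mac) + socket.inet_aton(target_ip))


# Constructed sample traffic on the documentation network 192.0.2.0/24.
SAMPLE = [
    # Host A asks for the router; the target hardware address is undefined (zeros).
    build(1, "02000000000a", "192.0.2.10", "000000000000", "192.0.2.1"),
    # The router answers with its hardware address.
    build(2, "020000000001", "192.0.2.1", "02000000000a", "192.0.2.10"),
    # A different MAC sends a gratuitous ARP for the router's IP address.
    build(1, "020000000099", "192.0.2.1", "000000000000", "192.0.2.1"),
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_arp(raw))
    print("conflicts:", find_conflicts(SAMPLE))
```

Each reported tuple is (IP address, MAC already in the cache, new MAC, whether the packet was gratuitous), which is the duplicate-address condition described above.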
Reverse ARP (RARP) - It is a networking protocol used by a client system in a local area
network (LAN) to request its IPv4 address from the ARP gateway router table. A table is
created by the network administrator in the gateway router that is used to map a MAC
address to the corresponding IP address.
When a new system is set up, or a machine has no memory to store the IP address, the
user has to find the IP address of the device. The device sends a RARP broadcast packet,
including its own MAC address in both the sender and the receiver hardware address
fields. A host inside the local network, called the RARP server, is prepared to
respond to this type of broadcast packet. The RARP server then tries to locate a matching
entry in its IP-to-MAC address mapping table. If an entry in the table matches, the RARP
server sends a response packet containing the IP address to the requesting computer.
Inverse ARP (InARP) - Inverse ARP is the inverse of ARP, and it is used to find the IP
addresses of nodes from their data link layer addresses. It is mainly used for Frame
Relay and ATM networks, where Layer 2 virtual circuit addressing is often acquired from
Layer 2 signaling. When using these virtual circuits, the relevant Layer 3 addresses are
available.
ARP converts Layer 3 addresses to Layer 2 addresses; the opposite mapping is
provided by InARP. InARP has a similar packet format to ARP, but the operation codes
are different.
Internet Control Message Protocol (ICMP): -
Internet Control Message Protocol (ICMP) is a network layer protocol used to diagnose
communication errors by performing an error control mechanism. Since IP does not have an
inbuilt mechanism for sending error and control messages, it depends on Internet Control
Message Protocol (ICMP) to provide error control.
ICMP is used for reporting errors and management queries. It is a supporting protocol and is
used by network devices like routers for sending error messages and operations information.
For example, the requested service is not available or a host or router could not be reached.
Uses of ICMP: -
ICMP is used for error reporting: if two devices connect over the internet and some error occurs,
the router sends an ICMP error message to the source informing it about the error. For
example, whenever a device sends a message that is too large for the receiver, the receiver
drops the message and replies to the source with an ICMP message.
Another important use of ICMP is network diagnosis by means
of the traceroute and ping utilities. We will discuss them one by one.
Traceroute: The traceroute utility is used to learn the route between two devices connected over
the internet. It traces the journey from one router to another, and a traceroute is performed to
check network issues before data transfer.
Ping: Ping is a simple kind of traceroute, known as the echo-request message. It is used to
measure the time taken by data to reach the destination and return to the source; the replies
are known as echo-reply messages.
How Does ICMP Work?
ICMP is a primary and important protocol of the IP suite, but ICMP isn’t associated with any
transport layer protocol (TCP or UDP): as a connectionless protocol, it doesn’t need to
establish a connection with the destination device before sending a message.
ICMP works in contrast to TCP: TCP is a connection-oriented protocol,
whereas ICMP is a connectionless protocol. With TCP, a connection is established before the
message is sent, and both devices must be made ready through a TCP handshake.
ICMP packets are transmitted in the form of datagrams that contain an IP header with ICMP
data. An ICMP datagram is similar to a packet, which is an independent data entity.
ICMP Packet Format: -
The ICMP header comes after the IPv4 or IPv6 packet header.
ICMPv4 Packet Format
In the ICMP packet format, the first 32 bits of the packet contain three fields:
Type (8-bit): The first 8 bits of the packet are the message type; it provides a brief description
of the message so that the receiving network knows what kind of message it is receiving and
how to respond to it. Some common message types are as follows:
Type 0 – Echo reply
Type 3 – Destination unreachable
Type 5 – Redirect Message
Type 8 – Echo Request
Type 11 – Time Exceeded
Type 12 – Parameter problem
Code (8-bit): Code is the next 8 bits of the ICMP packet format. This field carries some
additional information about the error message and type.
Checksum (16-bit): The last 16 bits are for the checksum field in the ICMP packet header. The
checksum is used to check the number of bits of the complete message and enables the ICMP
tool to ensure that complete data is delivered.
The next 32 bits of the ICMP header are the extended header, whose job is to point out
the problem in the IP message. A pointer identifies the byte location that caused the
problem message, and the receiving device looks here to locate the problem.
The last part of the ICMP packet is Data or Payload of variable length. The bytes included in
IPv4 are 576 bytes and in IPv6, 1280 bytes.
ICMP in DDoS Attacks
In Distributed DoS (DDoS) attacks, attackers send so much extra traffic to the target
that it cannot provide service to users. There are several ways in which an attacker
executes these attacks, which are described below.
Ping of Death Attack
Whenever an attacker sends a ping, whose size is greater than the maximum allowable size,
oversized packets are broken into smaller parts. When the sender re-assembles it, the size
exceeds the limit which causes a buffer overflow and makes the machine freeze. This is simply
called a Ping of Death Attack. Newer devices have protection from this attack, but older devices
did not have protection from this attack.
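One common form of the protection mentioned above is a bounds check made on each fragment before its data is copied into the reassembly buffer. The following is an added example, not part of the original notes; it reads the IHL, Total Length and Fragment Offset fields described in Table 1, and its function names and sample headers are constructed for illustration.

```python
import struct

MAX_DATAGRAM = 65535  # Total Length is 16 bits wide, so no datagram may exceed this


def fragment_span(header):
    """Return (ident, header_len, first_byte, end_byte, more_fragments)."""
    if len(header) < 20:
        raise ValueError("shorter than the 20-byte fixed IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack_from("!BBHHH", header)
    header_len = (ver_ihl & 0x0F) * 4          # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len:
        raise ValueError("malformed IPv4 header")
    first = (flags_off & 0x1FFF) * 8           # Fragment Offset counts 8-byte units
    end = first + (total_len - header_len)     # one past this fragment's last data byte
    return ident, header_len, first, end, bool(flags_off & 0x2000)


def oversized_datagrams(headers):
    """Return the Identification values whose fragments would reassemble
    into a datagram longer than 65,535 bytes."""
    flagged = []
    for header in headers:
        ident, header_len, _first, end, _more = fragment_span(header)
        if header_len + end > MAX_DATAGRAM and ident not in flagged:
            flagged.append(ident)
    return flagged


def build_header(ident, offset_units, more, data_len):
    """Construct a 20-byte sample header (checksum left at 0; not verified here)."""
    flags_off = (0x2000 if more else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, ident, flags_off,
                       64, 1, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))


# Constructed sample headers; no payload bytes are needed for the length check.
SAMPLE = [
    build_header(0x1234, 0, True, 1480),      # ordinary first fragment
    build_header(0x1234, 185, False, 500),    # ordinary last fragment, ends at byte 1980
    build_header(0x4321, 8189, False, 1000),  # data would end at byte 66,512
]

if __name__ == "__main__":
    for header in SAMPLE:
        print(fragment_span(header))
    print("drop these datagrams:", [hex(i) for i in oversized_datagrams(SAMPLE)])
```

A receiver that applies this check drops the whole datagram as soon as one fragment fails it, so the reassembly buffer is never written past its end.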
ICMP Flood Attack
When the sender sends so many pings that the targeted device is unable
to handle the echo requests, the attack is called an ICMP Flood Attack. This attack is
also called a ping flood attack. It ties up the target computer’s resources and causes a denial of
service for the target computer.
Smurf Attack
A Smurf Attack is a type of attack in which the attacker sends an ICMP packet with a spoofed
source IP address. This type of attack, like the ping of death attack, generally works on older
devices.
Types of ICMP Messages: -
Type | Code | Description
0 – Echo Reply | 0 | Echo reply
3 – Destination Unreachable | 0 | Destination network unreachable
3 – Destination Unreachable | 1 | Destination host unreachable
3 – Destination Unreachable | 2 | Destination protocol unreachable
3 – Destination Unreachable | 3 | Destination port unreachable
3 – Destination Unreachable | 4 | Fragmentation is needed and the DF flag set
3 – Destination Unreachable | 5 | Source route failed
5 – Redirect Message | 0 | Redirect the datagram for the network
5 – Redirect Message | 1 | Redirect datagram for the host
5 – Redirect Message | 2 | Redirect the datagram for the Type of Service and Network
5 – Redirect Message | 3 | Redirect datagram for the Service and Host
8 – Echo Request | 0 | Echo request
9 – Router Advertisement | 0 | Used to discover the addresses of operational routers
10 – Router Solicitation | 0 | Used to discover the addresses of operational routers
11 – Time Exceeded | 0 | Time to live exceeded in transit
11 – Time Exceeded | 1 | Fragment reassembly time exceeded
12 – Parameter Problem | 0 | The pointer indicates an error
12 – Parameter Problem | 1 | Missing required option
12 – Parameter Problem | 2 | Bad length
13 – Timestamp | 0 | Used for time synchronization
14 – Timestamp Reply | 0 | Reply to Timestamp message
Source Quench Message: -
A source quench message is a request to decrease the traffic rate for messages sent to the
destination host. In other words, when the receiving host detects that the rate at which packets
are being sent to it (the traffic rate) is too fast, it sends a source quench message to the source
to slow the pace down so that no packet is lost.
[Figure: Source Quench Message]
ICMP will take the source IP from the discarded packet and inform the source by sending a
source quench message. The source will reduce the speed of transmission so that the router is
freed from congestion.
[Figure: Source Quench Message with Reduced Speed]
When the congested router is far away from the source, ICMP will send a hop-by-hop
source quench message so that every router reduces the speed of transmission.
Parameter Problem: -
Whenever a packet arrives at the router, the calculated header checksum should be equal to
the received header checksum; only then is the packet accepted by the router.
[Figure: Parameter Problem]
If there is a mismatch, the packet will be dropped by the router.
ICMP will take the source IP from the discarded packet and inform the source by sending a
parameter problem message.
Time Exceeded Message: -
[Figure: Time Exceeded Message]
When some fragments are lost in the network, the fragments being held by the router are
dropped. ICMP then takes the source IP from the discarded packet and informs the source,
by sending the time exceeded message, that the datagram was discarded because the time to
live field reached zero.
Destination Un-reachable: -
The destination unreachable message is generated by the host or its inbound gateway to inform
the client that the destination is unreachable for some reason.
[Figure: Destination Un-reachable]
It is not necessarily only the router that gives the ICMP error message; at times the
destination host sends an ICMP error message when any type of failure (link failure, hardware
failure, port failure, etc.) happens in the network.
Redirection Message: -
A redirect requests that data packets be sent on an alternate route. The message informs a host to
update its routing information (to send packets on an alternate route).
Example: Suppose the host tries to send data through a router R1, R1 sends the data on to a
router R2, and there is a direct way from the host to R2. Then R1 will send a redirect message to
inform the host that a better way to the destination is available directly through R2. The host
then sends data packets for the destination directly to R2.
The router R2 will send the original datagram to the intended destination.
But if the datagram contains routing information, then this message will not be sent even if a
better route is available as redirects should only be sent by gateways and should not be sent by
Internet hosts.
Whenever a packet is forwarded in the wrong direction and is later redirected in the correct
direction, ICMP will send a redirect message.
IP Datagram- format, options, fragmentations, checksum, IPsec.
Data transmitted over an internet using IP is carried in messages called IP datagrams. Like all
network protocol messages, IP uses a specific format for its datagrams. We are of course
looking here at IP version 4 and so we will examine the IPv4 datagram format, which was
defined in RFC 791 along with the rest of IPv4.
The IPv4 datagram is conceptually divided into two pieces: the header and the payload. The
header contains addressing and control fields, while the payload carries the actual data to be
sent over the internetwork. Unlike some message formats, IP datagrams do not have a footer
following the payload.
Even though IP is a relatively simple, connectionless, “unreliable” protocol, the IPv4 header
carries a fair bit of information, which makes it rather large. At a minimum, it is 20 bytes long,
and with options can be significantly longer. The IP datagram format is described in Table 1
and illustrated in Figure 1.
Table 1: Internet Protocol Version 4 (IPv4) Datagram Format
Field Name | Size (bytes) | Description
Version | 1/2 (4 bits) | Version: Identifies the version of IP used to generate the datagram. For IPv4, this is of course the number 4. The purpose of this field is to ensure compatibility between devices that may be running different versions of IP. In general, a device running an older version of IP will reject datagrams created by newer implementations, under the assumption that the older version may not be able to interpret the newer datagram correctly.
IHL | 1/2 (4 bits) | Internet Header Length (IHL): Specifies the length of the IP header, in 32-bit words. This includes the length of any options fields and padding. The normal value of this field when no options are used is 5 (5 32-bit words = 5*4 = 20 bytes). Contrast to the longer Total Length field below.
TOS | 1 | Type Of Service (TOS): A field designed to carry information to provide quality of service features, such as prioritized delivery, for IP datagrams. It was never widely used as originally defined, and its meaning has been subsequently redefined for use by a technique called Differentiated Services (DS). See below for more information.
TL | 2 | Total Length (TL): Specifies the total length of the IP datagram, in bytes. Since this field is 16 bits wide, the maximum length of an IP datagram is 65,535 bytes, though most are much smaller.
Identification | 2 | Identification: This field contains a 16-bit value that is common to each of the fragments belonging to a particular message; for datagrams originally sent unfragmented it is still filled in, so it can be used if the datagram must be fragmented by a router during delivery. This field is used by the recipient to reassemble messages without accidentally mixing fragments from different messages. This is needed because fragments may arrive from multiple messages mixed together, since IP datagrams can be received out of order from any device. See the discussion of IP message fragmentation.
Flags | 3/8 (3 bits) |
Fragment Offset | 1 5/8 (13 bits) | Fragment Offset: When fragmentation of a message occurs, this field specifies the offset, or position, in the overall message where the data in this fragment goes. It is specified in units of 8 bytes (64 bits). The first fragment has an offset of 0. Again, see the discussion of fragmentation for a description of how the field is used.
TTL | 1 | Time To Live (TTL): Short version: Specifies how long the datagram is allowed to “live” on the network, in terms of router hops. Each router decrements the value of the TTL field (reduces it by one) prior to transmitting it. If the TTL field drops to zero, the datagram is assumed to have taken too long a route and is discarded. See below for the longer explanation of TTL.
Protocol | 1 |
Header Checksum | 2 | Header Checksum: A checksum computed over the header to provide basic protection against corruption in transmission. This is not the more complex CRC code typically used by data link layer technologies such as Ethernet; it's just a 16-bit checksum. It is calculated by dividing the header bytes into words (a word is two bytes) and then adding them together. The data is not checksummed, only the header. At each hop the device receiving the datagram does the same checksum calculation and, on a mismatch, discards the datagram as damaged.
Source Address | 4 | Source Address: The 32-bit IP address of the originator of the datagram. Note that even though intermediate devices such as routers may handle the datagram, they do not normally put their address into this field; it is always the device that originally sent the datagram.
Destination Address | 4 | Destination Address: The 32-bit IP address of the intended recipient of the datagram. Again, even though devices such as routers may be the intermediate targets of the datagram, this field is always for the ultimate destination.
Options | Variable | Options: One or more of several types of options may be included after the standard headers in certain IP datagrams. I discuss them in the topic that follows this one.
Padding | Variable | Padding: If one or more options are included, and the number of bits used for them is not a multiple of 32, enough zero bits are added to “pad out” the header to a multiple of 32 bits (4 bytes).
Data | Variable | Data: The data to be transmitted in the datagram, either an entire higher-layer message or a fragment of one.
Figure 1: Internet Protocol Version 4 (IPv4) Datagram Format
This diagram shows graphically the all-important IPv4 datagram format. The first 20 bytes are
the fixed IP header, followed by an optional Options section, and a variable-length Data area.
Note that the Type of Service field is shown as originally defined in the IPv4 standard.
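The header layout in Table 1 and the ICMP packet format described earlier can be decoded, and both checksums verified, with the same 16-bit routine. This is an added example, not part of the original notes; it uses the one's-complement sum of RFC 1071 for the checksum, and the function names, addresses and sample datagram are constructed for illustration.

```python
import socket
import struct

ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 5: "Redirect message",
              8: "Echo request", 11: "Time exceeded", 12: "Parameter problem"}
IPV4_FIXED = "!BBHHHBBH4s4s"   # the 20-byte fixed header of Table 1


def inet_checksum(data):
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"         # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(datagram):
    """Decode the IPv4 header fields and verify the header checksum."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte fixed header")
    (ver_ihl, tos, total_len, ident, flags_off,
     ttl, proto, _cksum, src, dst) = struct.unpack_from(IPV4_FIXED, datagram)
    ihl = (ver_ihl & 0x0F) * 4               # IHL is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(datagram):
        raise ValueError("malformed IPv4 header")
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
        "fragment_offset": (flags_off & 0x1FFF) * 8,
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        # Summing a valid header with its checksum field included gives 0.
        "checksum_ok": inet_checksum(datagram[:ihl]) == 0,
        "payload": datagram[ihl:total_len],
    }


def parse_icmp(message):
    """Decode Type, Code and Checksum; the checksum covers the whole message."""
    if len(message) < 8:
        raise ValueError("shorter than the 8-byte ICMP header")
    mtype, code, _cksum = struct.unpack_from("!BBH", message)
    return {"type": mtype, "code": code, "name": ICMP_TYPES.get(mtype, "other"),
            "checksum_ok": inet_checksum(message) == 0, "data": message[8:]}


def build_echo_request():
    """Constructed sample: an IPv4 datagram carrying an ICMP echo request."""
    body = struct.pack("!HH", 1, 1) + b"constructed"     # identifier, sequence, data
    icmp = struct.pack("!BBH", 8, 0, 0) + body
    icmp = struct.pack("!BBH", 8, 0, inet_checksum(icmp)) + body
    fields = [0x45, 0, 20 + len(icmp), 0x1C46, 0x4000, 64, 1, 0,
              socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.1")]
    fields[7] = inet_checksum(struct.pack(IPV4_FIXED, *fields))
    return struct.pack(IPV4_FIXED, *fields) + icmp


if __name__ == "__main__":
    header = parse_ipv4(build_echo_request())
    print(header)
    print(parse_icmp(header["payload"]))
```

Changing a byte of the data leaves the IPv4 header checksum valid and fails only the ICMP checksum, which is the "only the header" behaviour the table describes.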