How ARP works, and how ARP cache poisoning works

One subject beginning networking students invariably struggle with is how Layer 2 maps to Layer 3 (see http://en.wikipedia.org/wiki/Osi_model if you’re not familiar with the OSI model) using the Address Resolution Protocol, ARP. MAC lives at Layer 2, the Data Link layer, while IP addressing happens one layer up, at Layer 3.

Dry facts: every network card (NIC) comes with a Media Access Control (MAC) address burned into firmware at the factory. The vendor’s ID takes up the first 24 bits of a MAC address, and each individual card has a “unique” 24-bit address, for a total MAC address length of 48 bits.

The trick is, these Layer 2 addresses are the “street addresses” of any Ethernet network, but they live invisibly under the Layer 3 IP addresses everyone’s used to using. IP addresses are like airline flight numbers: they’re for much larger-scale travel (as in the Internet).

These numbers, both MAC and IP, are cached by every local computer, and here’s where the games begin. It’s quite easy to “poison” the ARP cache, thus misdirecting traffic through intermediate machines, for instance, or allowing one machine to “hijack” another machine’s network session.

Find out more with this simple, clear article:

http://www.thegeekstuff.com/2012/01/arp-cache-poisoning/

[ CompTIA A+, Hacker Highschool ]

***