1

I am studying about arp, and I want to know more about how it works. Right now, I am using Wireshark and this function that returns the mac address from a given ip address ipAddress:

        IPAddress IP = IPAddress.Parse(ipAddress);
        byte[] macAddr = new byte[6];
        uint macAddrLen = (uint)6;
        // Destination, Source, pMacAddr, PhyAddrLen
        if (SendARP((int)IP.Address, 0, macAddr, ref macAddrLen) != 0)
        {
            Console.WriteLine("ARP RESPONSE FAILED");
        }
        string[] str = new string[(int)macAddrLen];
        for (int i = 0; i < macAddrLen; i++)
        {
            str[i] = macAddr[i].ToString("x2");
        }
        return string.Join(":", str).ToUpper();

I set ipAddress to 192.168.1.68 that is an active computer in my network. I successfully capture my Arp Request in Wireshark. Here's what it look like:enter image description hereFrom the picture above, IntelCor is my PC. The line selected in blue is what my program sent. The next line after blue is the mac address I am getting. My question is why myself respond and answer what mac address does 192.168.1.68 owns (I can tell from the destination section). While other Arp Request from the router. like this one: (192.168.1.76 is me)enter image description hereWas answered not by the router, but by myself! Thank you.

Adola
  • 111
  • 3
  • 1
    I'm not sure what you are asking but I have the feeling that you are missing a basic concept of ARP (and this is unrelated to information security, i.e. off-topic). The ARP response is sent by the party which knows the answer (that's why it is broadcasted), which is usually the system itself which has the IP address. But it might also be a more intelligent switch which keeps a mapping of IP to MAC. It might also be that you simple interpret the output of wireshark wrong: there are two different IntelCor_.. which you maybe considered the same. – Steffen Ullrich Jun 21 '17 at 15:45
  • 1
    That client responds to the ARP broadcast whose MAC address is being asked. Someone is making a broadcast request who has 192.168.1.68? You are responding to it that it is your IP and you are at this MAC Address. That's not a router's responsibility to tell others what is your MAC unless it is Gratuitous ARP which is generated by the router itself. – defalt Jun 21 '17 at 21:13
  • There are **two _different_ MAC addresses** in your first trace: `IntelCor_73:2c:65` which is you and `IntelCor_c4:da:9c` which is 192.168.1.68. An 802 MAC address is 6 octets but the vendor name in the MAC decode represents only the first 3 octets; look at the details pane to see the full hex values (or turn off decoding). – dave_thompson_085 Jun 22 '17 at 04:13

0 Answers0