1
00:00:00,000 --> 00:00:07,963

2
00:00:07,963 --> 00:00:13,714
Ok, for our next module, we will be talking about capturing IP resolution.

3
00:00:13,714 --> 00:00:18,995
And when we discuss capturing IP resolution, what we're saying is

4
00:00:18,995 --> 00:00:26,689
how do the basics of ARPing work and how does that look in Wireshark,

5
00:00:26,689 --> 00:00:32,245
and what can we do to find out or troubleshoot these types of problems with Wireshark.

6
00:00:32,242 --> 00:00:40,529
And Wireshark will capture the basics and show you, however, some underlying

7
00:00:40,528 --> 00:00:43,376
information about ARP is necessary so that

8
00:00:43,370 --> 00:00:46,266
you understand what you are looking at and why.

9
00:00:46,273 --> 00:00:51,174
So, what is IP resolution and what does ARP do?

10
00:00:51,174 --> 00:00:55,321
Well essentially, computer systems operate on networks.

11
00:00:55,321 --> 00:00:59,779
And for them to communicate, they need to be uniquely identified

12
00:00:59,771 --> 00:01:03,359
and we generally do that with an IP address.

13
00:01:03,359 --> 00:01:11,038
So, how does ARP tie in is that if you're going to request

14
00:01:11,038 --> 00:01:13,630
to go somewhere in a network and you don't know what it is,

15
00:01:13,630 --> 00:01:19,990
ARP or address resolution protocol is the protocol that is going to try to help you

16
00:01:19,990 --> 00:01:21,990
find what that information is.

17
00:01:21,990 --> 00:01:27,498
So when you configure IP on a source host,

18
00:01:27,498 --> 00:01:32,705
an IP on a destination host, ultimately the data would need to be sent

19
00:01:32,705 --> 00:01:36,492
from that one IP to the other and we need to route there.

20
00:01:36,501 --> 00:01:41,862
And if it's a remote segment, it's going to need to traverse the network multiple hops.

21
00:01:41,862 --> 00:01:45,626
This is obviously handled through the routing table and so on.

22
00:01:45,626 --> 00:01:53,090
But locally, these IP packets ultimately resolve to the MAC address configured

23
00:01:53,090 --> 00:01:55,467
on your machine. And this is the unique address.

24
00:01:55,467 --> 00:02:00,768
And if you look at it from an entire source to destination concept,

25
00:02:00,768 --> 00:02:03,910
it's really going from your machine address

26
00:02:03,910 --> 00:02:08,215
all the way through the network using all different types of protocols,

27
00:02:08,215 --> 00:02:12,557
IP addresses, going through route tables,

28
00:02:12,557 --> 00:02:17,845
using ports and so on and so forth to ultimately get to the target -

29
00:02:17,845 --> 00:02:22,365
MAC address and that is also called the burned-in address.

30
00:02:22,365 --> 00:02:31,683
So the IP, the IP resolution will take place when the address resolution protocol,

31
00:02:31,676 --> 00:02:35,430
ARP maps that layer to data link layer,

32
00:02:35,452 --> 00:02:38,261
hardware address to the IP address.

33
00:02:38,285 --> 00:02:42,867
So, when we troubleshoot this with

34
00:02:42,867 --> 00:02:44,754
Wireshark, what are we actually seeing?

35
00:02:44,754 --> 00:02:48,501
So, we can capture that resolution process

36
00:02:48,501 --> 00:02:58,624
pretty quickly and easily just by running a simple query, which we'll look at now.

37
00:02:58,624 --> 00:03:03,231
So basically, what we did was we just ran a generic capture.

38
00:03:03,231 --> 00:03:06,796
And now we want to filter for ARP and take a look at what's going on here.

39
00:03:06,796 --> 00:03:09,569
So if we look at the ARP packets,

40
00:03:09,569 --> 00:03:15,097
we see that there's an IP address asking here, for some information.

41
00:03:15,108 --> 00:03:20,580
So we have a sender MAC address and the IP address

42
00:03:20,586 --> 00:03:24,801
looking for a target and it's trying to resolve that information.

43
00:03:24,801 --> 00:03:29,872
So this is a simple view of what ARP, ARP is essentially doing

44
00:03:29,861 --> 00:03:34,921
and you can see your source and destination which are your hardware addresses.

45
00:03:34,921 --> 00:03:39,807
And what's in the packet is, it's looking for the IP information

46
00:03:39,807 --> 00:03:41,807
so that it can resolve that information.

47
00:03:41,807 --> 00:03:45,534
So that's essentially what we mean by IP resolution.

48
00:03:45,534 --> 00:03:47,534
What can we find?

49
00:03:47,534 --> 00:03:54,761
With this we can see issues with the, table instability can be an issue.

50
00:03:54,761 --> 00:03:59,792
If you just run a simple ARP on your local machine,

51
00:03:59,789 --> 00:04:03,433
you could see the ARP cache, it may be corrupted.

52
00:04:03,433 --> 00:04:07,734
It may have incorrect entries. You may have, for example,

53
00:04:07,735 --> 00:04:12,426
on a switch's memory, you may have things that have changed on the network.

54
00:04:12,426 --> 00:04:16,268
It hasn't timed out or refreshed in the, in the cache.

55
00:04:16,268 --> 00:04:20,303
So essentially, as network engineers, a lot of times what we can do,

56
00:04:20,303 --> 00:04:23,793
is if we have a high time out on cache, we can come in

57
00:04:23,793 --> 00:04:27,513
and we can log into the device and clear the ARP table.

58
00:04:27,513 --> 00:04:33,557
Or clear the MAC address table. It'll completely kick off the process again

59
00:04:33,557 --> 00:04:39,245
which will essentially set up the ARPs to go out and try to resolve

60
00:04:39,259 --> 00:04:43,631
the IP addresses again as the queries come in.

61
00:04:43,631 --> 00:04:48,719
You have ARP spoofing to send data from one machine to another.

62
00:04:48,719 --> 00:04:51,971
That was unintended, you can spoof that.

63
00:04:51,971 --> 00:04:54,363
So, there's a lot of reasons why

64
00:04:54,363 --> 00:05:00,422
capturing ARP could benefit you as a network engineer or network analyst because

65
00:05:00,422 --> 00:05:04,349
you could find problems with broadcast storms.

66
00:05:04,349 --> 00:05:06,349
Maybe there's a chattering NIC.

67
00:05:06,367 --> 00:05:11,481
Again, maybe you have some table instability and you see constant requests.

68
00:05:11,481 --> 00:05:16,402
Maybe something hasn't timed out and that's why you can't resolve the IP address

69
00:05:16,402 --> 00:05:21,193
'cause it might have a different one assigned at that moment.

70
00:05:21,192 --> 00:05:27,077
Something may be spoofed so at the, at the layer of security

71
00:05:27,077 --> 00:05:30,827
you may be able to capture that data and see the spoofing attempts.

72
00:05:30,827 --> 00:05:33,746
So as you could see there's, there's quite a few reasons

73
00:05:33,746 --> 00:05:37,754
why you would want to capture this data and review it.

74
00:05:37,754 --> 00:05:39,958
So what's really happening?

75
00:05:39,958 --> 00:05:47,715
When ARP functions, it allows TCP/IP to resolve to hardware addresses,

76
00:05:47,713 --> 00:05:51,103
the IP to resolve to IP addresses.

77
00:05:51,103 --> 00:05:54,059
Reversed ARP or RARP is the opposite.

78
00:05:54,059 --> 00:05:58,505
It's allowing the hardware to resolve the other way.

79
00:05:58,505 --> 00:06:04,328
And essentially, when you set up a LAN segment for the first time,

80
00:06:04,331 --> 00:06:09,916
nothing is known. The devices boot up. They boot up and then they want to talk

81
00:06:09,932 --> 00:06:15,697
to other devices on the network so it has to do this resolution process to start

82
00:06:15,697 --> 00:06:18,455
communicating with other devices.

83
00:06:18,455 --> 00:06:21,346
So essentially, what's going to happen there

84
00:06:21,346 --> 00:06:26,851
is that the switch is going to learn this and keep them in the CAM table.

85
00:06:26,851 --> 00:06:30,390
And allow you to go from one port to the other.

86
00:06:30,390 --> 00:06:32,761
If not, it's going to broadcast at all ports.

87
00:06:32,761 --> 00:06:36,656
But essentially, this process starts off with

88
00:06:36,656 --> 00:06:40,515
nobody knowing anything and having to do this process to learn.

89
00:06:40,523 --> 00:06:43,597
So, as you could see on the diagram,

90
00:06:43,597 --> 00:06:45,666
the ARP request is the first function

91
00:06:45,666 --> 00:06:48,731
then the device tries to find the hardware address

92
00:06:48,731 --> 00:06:52,034
for a node based on the IP address it knows.

93
00:06:52,034 --> 00:06:54,034
If you're going to go to a website,

94
00:06:54,034 --> 00:06:58,313
basically that, even if it's a DNS name, it's going to resolve to an IP address

95
00:06:58,300 --> 00:07:02,710
which essentially is going to allow you to go out on the network.

96
00:07:02,710 --> 00:07:04,710
You can communicate with it however,

97
00:07:04,719 --> 00:07:10,353
the request will go out if it doesn't know where that IP address is.

98
00:07:10,353 --> 00:07:14,186
And then the reply, the correct device will respond,

99
00:07:14,186 --> 00:07:17,690
with the, the needed hardware address.

100
00:07:17,690 --> 00:07:21,586
So essentially, that is what you are seeing when you look at the capture.

101
00:07:21,585 --> 00:07:26,990
You're seeing this process of requests and replies going back and forth.

102
00:07:26,990 --> 00:07:31,877
You know, I need to get to something, I need to know how to get there.

103
00:07:31,877 --> 00:07:35,703
Ok well, this is how you get there. You need to know this address.

104
00:07:35,703 --> 00:07:42,111
So, at its most fundamental layer, that's what ARP is doing.

105
00:07:42,111 --> 00:07:50,150
So again, ARP fundamental, fundamentally will resolve an IP to a MAC.

106
00:07:50,150 --> 00:07:54,268
Remember, the RARP will do the, the opposite.

107
00:07:54,268 --> 00:07:59,454
It's broadcast based so that's where these storms come into place.

108
00:07:59,454 --> 00:08:03,511
If you have a problem, broken or damaged or

109
00:08:03,511 --> 00:08:06,134
incorrectly working hardware on your network,

110
00:08:06,134 --> 00:08:08,845
it could generate a storm scenario,

111
00:08:08,845 --> 00:08:10,845
where it just constantly sends the data out.

112
00:08:10,845 --> 00:08:16,297
Quickly and easily captured by Wireshark, you span a port, you check it out,

113
00:08:16,291 --> 00:08:21,152
you see all this back and forth storm, storm-like activity with ARP.

114
00:08:21,140 --> 00:08:25,601
Very quickly figure out that you have some kind of problem

115
00:08:25,601 --> 00:08:29,244
and then you could try to map it back down to the MAC address.

116
00:08:29,244 --> 00:08:31,783
Maybe you can get into the switch if it's not overwhelmed

117
00:08:31,783 --> 00:08:36,424
and see what port that MAC address is mapped to.

118
00:08:36,441 --> 00:08:39,131
Maybe shut the port or unplug the cable,

119
00:08:39,137 --> 00:08:42,928
and get that machine off the network, as an example.

120
00:08:42,928 --> 00:08:47,654
Possible issues, stickiness when you're using port security.

121
00:08:47,654 --> 00:08:51,010
That could be something that, that creates an issue.

122
00:08:51,010 --> 00:08:55,255
Storms, chattering NIC cards, spoofing,

123
00:08:55,255 --> 00:08:59,265
proxy ARP could be an issue.

124
00:08:59,265 --> 00:09:05,343
And as we mentioned before, cache issues where something is known,

125
00:09:05,351 --> 00:09:07,680
the time out didn't expire yet,

126
00:09:07,680 --> 00:09:13,796
and you need to either refresh or release that information so that it can broadcast back out

127
00:09:13,795 --> 00:09:15,672
and build that information back up.

128
00:09:15,672 --> 00:09:21,463
This way you can get your devices functioning on the network again.

129
00:09:21,463 --> 00:09:27,260
And lastly, we showed it on Wireshark just previously.

130
00:09:27,260 --> 00:09:29,683
But as you could see from the diagram,

131
00:09:29,683 --> 00:09:38,009
very simply, this is what an ARP request/reply looks like in its most basic format.

132
00:09:38,009 --> 00:09:44,706