1
00:00:00,000 --> 00:00:07,000
So that being said, how would traffic flow if device A sends traffic to device C?

2
00:00:07,000 --> 00:00:12,000
So let's say, for example, that device A pings device C.

3
00:00:12,000 --> 00:00:19,000
So on host A or device A the command ping 10.1.1.2 is used.

4
00:00:19,000 --> 00:00:22,000
How would traffic flow? Now, it's important to remember

5
00:00:22,000 --> 00:00:25,000
that IP is a layer 3 technology.

6
00:00:25,000 --> 00:00:27,000
MAC addresses are used at layer 2,

7
00:00:27,000 --> 00:00:32,000
so PC A needs to have a mapping between the layer 3 IP address

8
00:00:32,000 --> 00:00:34,000
and the layer 2 MAC address.

9
00:00:34,000 --> 00:00:38,000
That's because Ethernet is used in this environment

10
00:00:38,000 --> 00:00:44,000
and the packet needs to be encapsulated at layer 2 and sent onto the wire.

11
00:00:44,000 --> 00:00:49,000
So in Ethernet a MAC address needs to be added at layer 2.

12
00:00:49,000 --> 00:00:52,000
At this point PC A doesn't know the MAC address

13
00:00:52,000 --> 00:00:55,000
associated with IP address 10.1.1.2.

14
00:00:55,000 --> 00:00:58,000
Ethernet, once again, is a layer 2 technology

15
00:00:58,000 --> 00:01:03,000
and requires the use of MAC addresses when traffic is sent onto an Ethernet segment,

16
00:01:03,000 --> 00:01:08,000
so before A can send the traffic onto the network segment

17
00:01:08,000 --> 00:01:13,000
it needs to know the MAC address associated with IP address 10.1.1.2.

18
00:01:13,000 --> 00:01:19,000
Remember that in the OSI model, each layer is independent of other layers

19
00:01:19,000 --> 00:01:22,000
and lower layers encapsulate higher layers.

20
00:01:22,000 --> 00:01:27,000
So how is PC A going to learn the MAC address of PC C?
21
00:01:27,000 --> 00:01:34,000
It does this by using a protocol called Address Resolution Protocol, or ARP.

22
00:01:34,000 --> 00:01:38,000
The first thing PC A does is check its local ARP cache

23
00:01:38,000 --> 00:01:42,000
to see if there is already an existing entry mapping

24
00:01:42,000 --> 00:01:45,000
IP address 10.1.1.2 to a MAC address.

25
00:01:45,000 --> 00:01:49,000
If there isn't an existing entry in the local machine's cache,

26
00:01:49,000 --> 00:01:52,000
it will send out a broadcast to try and find out

27
00:01:52,000 --> 00:01:59,000
who has IP address 10.1.1.2, and that message is called an ARP request message.

28
00:01:59,000 --> 00:02:05,000
In this example PC A and PC C are in the same subnet,

29
00:02:05,000 --> 00:02:11,000
so PC A will send a broadcast onto the local subnet

30
00:02:11,000 --> 00:02:16,000
asking for the MAC address of PC C using an ARP request.

31
00:02:16,000 --> 00:02:18,000
An ARP request looks as follows.

32
00:02:18,000 --> 00:02:21,000
The source MAC address in this example is A

33
00:02:21,000 --> 00:02:22,000
because the frame was sent by A;

34
00:02:22,000 --> 00:02:26,000
the destination MAC address is a broadcast.

35
00:02:26,000 --> 00:02:31,000
This is because A doesn't know who has IP address 10.1.1.2.

36
00:02:31,000 --> 00:02:38,000
So an ARP request is essentially a message asking: who has this IP address?

37
00:02:38,000 --> 00:02:44,000
So the IP address that's being referenced in the packet is 10.1.1.2,

38
00:02:44,000 --> 00:02:49,000
the source IP address is 10.1.1.1, the source MAC address is A

39
00:02:49,000 --> 00:02:53,000
and the destination MAC address is a broadcast at layer 2.

40
00:02:53,000 --> 00:02:57,000
Just to reiterate, this is the layer 2 portion of the message

41
00:02:57,000 --> 00:03:03,000
and this is the layer 3 portion of the message as per the OSI model.
42
00:03:03,000 --> 00:03:06,000
Now before continuing with our example

43
00:03:06,000 --> 00:03:12,000
I want to show you a real-world example of ARP, or Address Resolution Protocol.

44
00:03:12,000 --> 00:03:18,000
So on my PC, I can type the command arp -a and I'll see my local ARP cache.

45
00:03:18,000 --> 00:03:23,000
My IP address is 10.0.0.3 and, as you can see here,

46
00:03:23,000 --> 00:03:28,000
I've learnt an IP address of 10.0.0.254 dynamically.

47
00:03:28,000 --> 00:03:31,000
There are also some static entries in the ARP cache.

48
00:03:31,000 --> 00:03:34,000
As an example, this is the broadcast address at layer 3,

49
00:03:34,000 --> 00:03:42,000
which is 255.255.255.255, and the layer 2 address is all Fs.

50
00:03:42,000 --> 00:03:47,000
So for a layer 3 broadcast of 255.255.255.255

51
00:03:47,000 --> 00:03:51,000
the equivalent layer 2 address is all Fs.

52
00:03:51,000 --> 00:03:55,000
In this example we only have one dynamic MAC address

53
00:03:55,000 --> 00:03:57,000
in the local ARP cache of my PC.

54
00:03:57,000 --> 00:04:02,000
So the command ipconfig shows me my IP addresses.

55
00:04:02,000 --> 00:04:10,000
In this example we can see my IPv6 address, which is 2001:20::2,

56
00:04:10,000 --> 00:04:14,000
and my IPv4 address of 10.0.0.3.

57
00:04:14,000 --> 00:04:18,000
At the moment we're only concentrating on IPv4 addresses.

58
00:04:18,000 --> 00:04:24,000
So you can also see my default gateway, which is set to 10.0.0.254,

59
00:04:24,000 --> 00:04:29,000
so my ARP cache is showing the mapping of my default gateway's IP address

60
00:04:29,000 --> 00:04:32,000
to the relevant MAC address.

61
00:04:32,000 --> 00:04:39,000
So the command arp -d will allow me to delete the ARP entries in my local ARP cache.

62
00:04:39,000 --> 00:04:46,000
arp -a shows that single dynamic entry, so I'll delete the ARP cache again.

63
00:04:46,000 --> 00:04:50,000
And now you can see that there are no entries in the ARP cache.
64
00:04:50,000 --> 00:04:53,000
I'll do that again and notice the entry has appeared once again,

65
00:04:53,000 --> 00:04:58,000
and that's because I'm sending traffic from my local PC to my default gateway.

66
00:04:58,000 --> 00:05:05,000
I'll do that again, so arp -a shows the directed broadcast address

67
00:05:05,000 --> 00:05:08,000
for this subnet, which is 10.0.0.255.

68
00:05:08,000 --> 00:05:13,000
I'll now ping another IP address of 10.0.0.123,

69
00:05:13,000 --> 00:05:18,000
so there was no ARP entry for this IP address.

70
00:05:18,000 --> 00:05:21,000
But notice when I ping, the ping succeeds,

71
00:05:21,000 --> 00:05:23,000
and if I look at the ARP cache again,

72
00:05:23,000 --> 00:05:30,000
you'll notice that an ARP entry has been added for IP address 10.0.0.123.

73
00:05:30,000 --> 00:05:34,000
Now this is another IP address configured on my local router.

74
00:05:34,000 --> 00:05:38,000
So the MAC address resolved is the same MAC address

75
00:05:38,000 --> 00:05:42,000
as for IP address 10.0.0.254.

76
00:05:42,000 --> 00:05:46,000
If I delete the ARP cache again, so arp -d,

77
00:05:46,000 --> 00:05:50,000
notice no entries are found in the ARP cache; still no entry.

78
00:05:50,000 --> 00:05:55,000
Let's ping 10.0.0.123. The ping succeeds,

79
00:05:55,000 --> 00:05:58,000
and if we look at the ARP cache again notice there's an entry

80
00:05:58,000 --> 00:06:03,000
in the ARP cache now for IP address 10.0.0.123.

81
00:06:03,000 --> 00:06:07,000
If I now ping my default gateway of 10.0.0.254,

82
00:06:07,000 --> 00:06:12,000
which previously didn't have an entry in the ARP cache,

83
00:06:12,000 --> 00:06:16,000
I can now see by using the command arp -a

84
00:06:16,000 --> 00:06:19,000
that an IP address to MAC address entry has been created.

85
00:06:19,000 --> 00:06:22,000
So what's the moral of the story?
86
00:06:22,000 --> 00:06:27,000
Before traffic can be sent to an IP address on the local segment,

87
00:06:27,000 --> 00:06:31,000
ARP is required to create a mapping between the layer 3 IP address

88
00:06:31,000 --> 00:06:34,000
and the layer 2 MAC address.

89
00:06:34,000 --> 00:06:38,000
Wireshark is a sniffing tool that allows you to capture traffic

90
00:06:38,000 --> 00:06:41,000
off the local wire to see what's going on.

91
00:06:41,000 --> 00:06:45,000
It's an invaluable tool for a network engineer.

92
00:06:45,000 --> 00:06:50,000
Let's use Wireshark to see what's taking place in this example.

93
00:06:50,000 --> 00:06:54,000
So what I'll do firstly is start a capture in Wireshark.

94
00:06:54,000 --> 00:06:58,000
So on my Ethernet interface, I'll start capturing frames.

95
00:06:58,000 --> 00:07:00,000
I'll now delete the ARP cache,

96
00:07:00,000 --> 00:07:00,000
so now no entries are found in the ARP cache.

97
00:07:00,000 --> 00:07:06,000
I'll ping 10.0.0.254

98
00:07:06,000 --> 00:07:09,000
and let's look at the ARP cache again.

99
00:07:09,000 --> 00:07:11,000
After looking at the ARP cache

100
00:07:11,000 --> 00:07:15,000
we can see that an entry has been added for that address,

101
00:07:15,000 --> 00:07:18,000
and I'll now ping 10.0.0.123,

102
00:07:18,000 --> 00:07:23,000
so now arp -a shows those two entries in the ARP cache.

103
00:07:23,000 --> 00:07:27,000
Let's stop the capture and let's look for the ARP entries.

104
00:07:27,000 --> 00:07:33,000
So as you can see, here is a broadcast that's been sent from my local device.

105
00:07:33,000 --> 00:07:41,000
The protocol used is ARP and I'm asking: who has IP address 10.0.0.254?

106
00:07:41,000 --> 00:07:45,000
Tell 10.0.0.3, my local PC.

107
00:07:45,000 --> 00:07:50,000
So at layer 2 you can see that the destination address is a broadcast,

108
00:07:50,000 --> 00:07:54,000
the source address is my local machine; it's an ARP request.
109
00:07:54,000 --> 00:08:00,000
This is the EtherType for ARP, 0x0806,

110
00:08:00,000 --> 00:08:05,000
and looking at the Address Resolution Protocol section for the ARP information.

111
00:08:05,000 --> 00:08:09,000
Notice we're looking for an IP address, 10.0.0.254;

112
00:08:09,000 --> 00:08:12,000
the sender MAC address is my local machine,

113
00:08:12,000 --> 00:08:15,000
the target MAC address is unknown,

114
00:08:15,000 --> 00:08:19,000
and we're looking for IP address 10.0.0.254.

115
00:08:19,000 --> 00:08:24,000
Once the device has replied back using an ARP reply message

116
00:08:24,000 --> 00:08:27,000
I'll be able to ping that device.

117
00:08:27,000 --> 00:08:32,000
So in the Wireshark capture you can see I'm sending an echo,

118
00:08:32,000 --> 00:08:35,000
so you can see the ICMP echo ping request,

119
00:08:35,000 --> 00:08:37,000
and here I got the response, or reply.

120
00:08:37,000 --> 00:08:42,000
Going further down I'll be able to see the ARP request

121
00:08:42,000 --> 00:08:45,000
for IP address 10.0.0.123.

122
00:08:45,000 --> 00:08:50,000
The layer 2 destination is a broadcast, the source is a local MAC address,

123
00:08:50,000 --> 00:08:54,000
and we're requesting the target MAC address; in other words,

124
00:08:54,000 --> 00:08:59,000
who has IP address 10.0.0.123?

125
00:08:59,000 --> 00:09:03,000
The reply is a unicast because the device that

126
00:09:03,000 --> 00:09:06,000
the ARP request was sent to knows who the ARP request came from.

127
00:09:06,000 --> 00:09:10,000
So the destination at layer 2 is my local machine.

128
00:09:10,000 --> 00:09:13,000
The source is my local router. Sender MAC address,

129
00:09:13,000 --> 00:09:17,000
sender IP address, target MAC address, target IP address.
130
00:09:17,000 --> 00:09:21,000
In this case I'm communicating directly with my local router

131
00:09:21,000 --> 00:09:24,000
rather than sending traffic through the router,

132
00:09:24,000 --> 00:09:28,000
so the MAC address and the IP address used in this example

133
00:09:28,000 --> 00:09:31,000
are my local machine and local router.

134
00:09:31,000 --> 00:09:35,000
You can see in the output here that the sender MAC address is a Cisco router,

135
00:09:35,000 --> 00:09:38,000
IP address is 10.0.0.123,

136
00:09:38,000 --> 00:09:41,000
target MAC address is my local laptop,

137
00:09:41,000 --> 00:09:46,000
with the target IP address of 10.0.0.3.
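The frames and the cache behaviour walked through in the video (cache lookup, broadcast request with EtherType 0x0806 and an all-Fs destination, unicast reply, the dynamic entry that then appears in `arp -a`, and a router answering for two IPs with one MAC) can be modelled in a few dozen lines. The block below is an added example and is not code from the video or its author; the IP addresses are the ones the transcript uses, while the MAC addresses, the `Host`/`resolve` names and the in-memory "segment" are constructed for the illustration.

```python
"""ARP request/reply frames and a minimal ARP cache, modelled on the walkthrough above.

Constructed example, not code from the video: the IP addresses are the ones the
transcript uses (10.0.0.3 resolving 10.0.0.254 and 10.0.0.123); the MAC addresses
are made-up placeholders.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806                 # EtherType shown in the Wireshark capture
ARP_REQUEST, ARP_REPLY = 1, 2          # ARP opcodes
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"    # layer 2 broadcast: all Fs
UNKNOWN_MAC = "00:00:00:00:00:00"      # target MAC field of a request (not yet known)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (Ethernet/IPv4 field layout)."""
    # A request is broadcast at layer 2; a reply is unicast back to the requester.
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields Wireshark shows for an ARP frame; reject anything else."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{etype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or len(frame) < 42:
        raise ValueError("unsupported or truncated ARP packet")
    body = frame[22:42]
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": mac_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def summarize(frame: bytes) -> str:
    """The text Wireshark puts in its Info column for an ARP frame."""
    a = parse_arp(frame)
    if a["opcode"] == ARP_REQUEST:
        return f"Who has {a['target_ip']}? Tell {a['sender_ip']}"
    return f"{a['sender_ip']} is at {a['sender_mac']}"


class Host:
    """A device on the segment: one MAC, one or more IPs, and an ARP cache (`arp -a`)."""

    def __init__(self, mac: str, ip: str, extra_ips=()):
        self.mac, self.ip = mac, ip
        self.ips = {ip, *extra_ips}          # a router may answer for several IPs
        self.arp_cache = {}                  # ip -> mac, the dynamic entries

    def on_frame(self, frame: bytes):
        """Answer a request for one of our IPs with a unicast reply; ignore the rest."""
        a = parse_arp(frame)
        if a["opcode"] == ARP_REQUEST and a["target_ip"] in self.ips:
            return build_arp(ARP_REPLY, self.mac, a["target_ip"], a["sender_mac"], a["sender_ip"])
        return None


def resolve(host: Host, target_ip: str, segment: list):
    """ARP as the walkthrough describes it: check the cache, else broadcast and learn.

    Returns (mac or None, request_was_sent).
    """
    if target_ip in host.arp_cache:
        return host.arp_cache[target_ip], False
    request = build_arp(ARP_REQUEST, host.mac, host.ip, UNKNOWN_MAC, target_ip)
    for other in segment:                    # broadcast: every device on the wire sees it
        if other is host:
            continue
        reply = other.on_frame(request)
        if reply is not None:
            r = parse_arp(reply)
            host.arp_cache[r["sender_ip"]] = r["sender_mac"]   # dynamic entry learnt
            return r["sender_mac"], True
    return None, True                        # nobody answered; the ping would fail


if __name__ == "__main__":
    pc = Host("02:00:00:00:00:03", "10.0.0.3")
    router = Host("02:00:00:00:00:fe", "10.0.0.254", extra_ips=("10.0.0.123",))
    segment = [pc, router]
    print(summarize(build_arp(ARP_REQUEST, pc.mac, pc.ip, UNKNOWN_MAC, "10.0.0.254")))
    for ip in ("10.0.0.254", "10.0.0.254", "10.0.0.123"):
        print(ip, resolve(pc, ip, segment))
    print("arp -a:", pc.arp_cache)
```

Running it reproduces the sequence seen in the capture: the first `resolve` for 10.0.0.254 sends a broadcast request and learns a dynamic entry, the second is answered from the cache without any frame on the wire, and 10.0.0.123 resolves to the same MAC because the same router owns both addresses. `parse_arp` refuses frames whose EtherType is not 0x0806 or whose hardware/protocol fields are not Ethernet/IPv4, which is the check a decoder needs before trusting the sender fields.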