ARP module

From Allegro Packets Product Wiki

The Address Resolution Protocol (ARP) is used on layer 2 to track which hardware (MAC address) uses which IP address. The ARP module monitors requests and replies and builds a database of all known MAC and IP addresses and their correlation. It also counts possible spoofing events, where a computer sends requests or replies with a wrong MAC address, or multiple computers answer for the same IP address. Such events may indicate a problem within the network, due to misconfiguration or an attack.


Web interface


Overview

The overview tab shows the number of all ARP requests seen and the number of replies. The history graph shows these numbers over time. As usual, zooming can be applied to view a larger time window.


MAC addresses

The MAC address table shows, for each MAC address, the last assigned IP address, that is, the IP address most recently announced by that MAC address. The time at which this IP address was announced is shown as well. The table includes the alternative names of the last IP from other sources (such as DHCP, DNS, SSL, HTTP, etc.). The column Different IPs seen lists all IPs that have been announced by the MAC address at some point in time. Many devices will have just a single IP, but when dynamic IP assignment is used (via DHCP or other methods), multiple IP addresses can occur as well. The column # mismatching MACs counts possible conflicts in requests or replies. The counter increases when the MAC addresses in a request or reply do not match, that is, when the MAC address announced as sender differs from the one the packet was actually sent by. The value should always be zero.

Otherwise it indicates that a device is sending ARP requests with a forged sender address.


IP addresses

The IP addresses tab shows the reverse direction: the MAC addresses used for each IP address. The table includes the alternative names from other sources (such as DHCP, DNS, SSL, HTTP, etc.). The columns Latest MAC and Time of latest MAC show the latest MAC address that has announced that it owns the corresponding IP address, and the time of that announcement. The Different MACs seen column lists all MAC addresses that have announced that they own the IP address at some point in time. Often an IP address is used by a single device exclusively, but when dynamic IP assignment is used (via DHCP or other methods), multiple hardware devices may use the same IP address. This does not indicate a problem within the network. The multiple MAC collisions column shows a counter of possible conflicts in IP usage. The counter is increased when multiple hardware devices announce that they own the same IP address within a short amount of time. This may indicate a problem if those devices really use the same IP address. It may happen due to misconfiguration if two devices have the same fixed IP. It may also be caused by an attack, if an attacking device tries to mimic another device.
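
The two counters described above can be sketched as follows. This is an added example, not Allegro's implementation. The class name, the 10-second collision window (the page only says "a short amount of time"), and attributing a mismatch to the MAC that actually sent the frame are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

COLLISION_WINDOW = 10.0  # seconds; assumed value, not taken from the product

@dataclass
class ArpTracker:  # hypothetical name, for illustration only
    window: float = COLLISION_WINDOW
    mac_ips: dict = field(default_factory=lambda: defaultdict(set))     # MAC -> IPs announced
    ip_macs: dict = field(default_factory=lambda: defaultdict(set))     # IP -> MACs seen
    latest: dict = field(default_factory=dict)                          # IP -> (latest MAC, time)
    mismatches: dict = field(default_factory=lambda: defaultdict(int))  # frame MAC -> counter
    collisions: dict = field(default_factory=lambda: defaultdict(int))  # IP -> counter

    def observe(self, ts, frame_src, sender_mac, sender_ip):
        """Record one ARP packet: Ethernet source MAC plus the ARP sender MAC/IP fields."""
        if frame_src != sender_mac:
            # "# mismatching MACs": announced sender differs from the MAC that sent the frame
            self.mismatches[frame_src] += 1
        prev = self.latest.get(sender_ip)
        if prev and prev[0] != sender_mac and ts - prev[1] <= self.window:
            # "multiple MAC collisions": a different MAC claimed this IP within the window
            self.collisions[sender_ip] += 1
        self.mac_ips[sender_mac].add(sender_ip)
        self.ip_macs[sender_ip].add(sender_mac)
        self.latest[sender_ip] = (sender_mac, ts)

# Constructed sample: (time in s, Ethernet source MAC, ARP sender MAC, ARP sender IP)
SAMPLE = [
    (0.0,    "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:01", "192.0.2.10"),
    (2.0,    "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:02", "192.0.2.10"),  # second claimant after 2 s
    (3.0,    "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:01", "192.0.2.10"),  # forged sender field
    (900.0,  "aa:aa:aa:aa:aa:04", "aa:aa:aa:aa:aa:04", "192.0.2.20"),
    (5000.0, "aa:aa:aa:aa:aa:05", "aa:aa:aa:aa:aa:05", "192.0.2.20"),  # slow reuse, e.g. DHCP
]

def run_sample():
    """Feed the constructed packets through a fresh tracker and return it."""
    tracker = ArpTracker()
    for pkt in SAMPLE:
        tracker.observe(*pkt)
    return tracker
```

With the sample input, 192.0.2.10 accumulates collisions because different MACs claim it within seconds, while 192.0.2.20 changes owner more than an hour apart and only appears under Different MACs seen.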