Using Wireshark to Analyze ARP

For safety reasons, I will hide all the MAC addresses.

ARP Cache

On my Mac, I use arp -a to show the ARP cache.

YuqiaoZengs-MacBook-Air:~ yuqiaozeng$ arp -a
? (192.168.199.1) at MY_ROUTER_ADDRESS on en0 ifscope [ethernet]
? (224.0.0.251) at HIDE_MAC_ADDRESS on en0 ifscope permanent [ethernet]

In the output above, 192.168.199.1 is the IP address of my router and MY_ROUTER_ADDRESS is its MAC address. 224.0.0.251 is the multicast address used by Bonjour / mDNS, which we will not cover here. Since I use a router, all of my traffic leaving the local network has the router as its next hop, so its MAC address is the one my Mac needs most often.

Using Wireshark to Sniff the ARP Request

An ARP cache entry is valid for 20 minutes, and on BSD-derived systems such as macOS the timer is reset to 20 minutes each time the entry is used, so a busy entry never expires on its own. To force a fresh ARP request we delete the entry manually with arp -d hostname (an IP address works as well), which requires superuser privileges.

YuqiaoZengs-MacBook-Air:~ yuqiaozeng$ sudo arp -d 192.168.199.1
Password:
192.168.199.1 (192.168.199.1) deleted

Since many background processes need to access the Internet, the entry for 192.168.199.1 reappears almost immediately after deletion, which means a new request/reply exchange has just gone over the wire. Now we can switch to Wireshark to look at the captured packets; the capture or display filter arp narrows the view to just this traffic.

Analyzing ARP Packets in Wireshark

The structure of the ARP packet:

[Figure: ARP packet structure]

The first two ARP packets are:

4261    201.230420    Apple_ae:72:54    Broadcast    ARP    42    Who has 192.168.199.1? Tell 192.168.199.240
4262    201.240078    Hiwifi_41:9c:48    Apple_ae:72:54    ARP    42    192.168.199.1 is at MY_ROUTER_ADDRESS

The first packet is 42 bytes long: a 14-byte Ethernet header followed by a 28-byte ARP message. That is below the 60-byte Ethernet minimum, but the padding is added by the hardware, so a capture on the host itself can show the frame unpadded. The exact content of the first packet is:

ff ff ff ff ff ff XX XX XX XX XX XX 08 06 00 01  
08 00 06 04 00 01 XX XX XX XX XX XX c0 a8 c7 f0  
00 00 00 00 00 00 c0 a8 c7 01

The first 6 bytes are the destination MAC, the broadcast address ff:ff:ff:ff:ff:ff, which asks every host on the segment for the MAC of 192.168.199.1. The next 6 bytes, XX XX XX XX XX XX, are the source MAC, my Mac's address. 08 06 is the EtherType and only says that the payload is ARP; it does not distinguish a request from a reply, that is the opcode's job. The ARP message then begins: 00 01 is the hardware type, Ethernet (1); 08 00 is the protocol type, IPv4; 06 is the hardware address length and 04 the protocol address length, both in bytes; 00 01 is the opcode, request. Next come the sender hardware address, my Mac's MAC again, and the sender protocol address c0 a8 c7 f0, which is 192.168.199.240. Finally 00 00 00 00 00 00 and c0 a8 c7 01 are the target hardware and protocol addresses: the target IP is the router, 192.168.199.1, and the target MAC is zero-filled because it is exactly what we do not know yet. The router does not fill in this field in place; it answers with a separate reply frame that carries its own MAC in the sender hardware address field.

The exact content of the second packet is:

XX XX XX XX XX XX YY YY YY YY YY YY 08 06 00 01  
08 00 06 04 00 02 YY YY YY YY YY YY c0 a8 c7 01  
XX XX XX XX XX XX c0 a8 c7 f0

In the second packet the Ethernet header is no longer broadcast: the destination is my Mac's MAC (XX XX XX XX XX XX) and the source is the router's MAC (YY YY YY YY YY YY), so the reply is unicast straight back to the requester. The fixed ARP fields are identical to the request except for the opcode, 00 02, which marks an ARP reply. The sender and target fields are swapped relative to the request: the sender is now the router, YY YY YY YY YY YY at c0 a8 c7 01 (192.168.199.1), and the target is my Mac at 192.168.199.240. Note that nothing in this exchange authenticates the reply; my Mac caches whichever MAC arrives for 192.168.199.1, which is what ARP spoofing exploits.