📔
Defense
  • Defense
  • Getting Started
    • Introductory Networking
      • Introduction
      • The OSI Model: An Overview
        • Answers
      • Encapsulation
        • Answers
      • The TCP/IP Model
        • Answers
      • Wireshark
        • Answers
      • Networking Tools - Ping
        • Answers
      • Networking Tools - Traceroute
        • Answers
      • Networking Tools - WHOIS
        • Answers
      • Networking Tools Dig
        • Answers
      • Further Reading
    • Network Services
      • Understanding SMB
        • Answers
      • Enumerating SMB
        • Answers
        • Untitled
      • Exploiting SMB
        • Answers
        • Untitled
      • Understanding Telnet
        • Answers
      • Enumerating Telnet
        • Answers
        • Untitled
      • Exploiting Telnet
        • Answers
        • Untitled
      • Understanding FTP
        • Answers
      • Enumerating FTP
        • Answers
        • Untitled
      • Exploiting FTP
        • Answers
        • Untitled
      • Expanding Your Knowledge
    • Network Services 2
      • Understanding NFS
        • Answers
      • Enumerating NFS
        • Answers
        • Untitled
      • Exploiting NFS
        • Answers
        • Untitled
      • Understanding SMTP
        • Answers
      • Enumerating SMTP
        • Answers
        • Untitled
      • Exploiting SMTP
        • Answers
        • Untitled
      • Understanding MYSQL
        • Answers
      • Enumerating MYSQL
        • Answers
        • Untitled
      • Exploiting MYSQL
        • Answers
        • Untitled
      • Further Learning
    • Wireshark 101
      • Introduction
      • Installation
      • Wireshark Overview
      • Collection Methods
      • Filtering Packets
      • Packet Dissection
      • ARP Traffic
        • Answers
      • ICMP Overview
        • Answers
      • TCP Traffic
      • DNS Traffic
        • Answers
      • HTTP Traffic
        • Answers
      • HTTPS Traffic
        • Answers
      • Analyzing Exploit PCAPS
      • Conclusion
    • !Intro to Windows
    • Active Directory Basics
      • Introduction
      • Physical Active Directory
        • Answers
      • The Forest
        • Answers
      • Users + Groups
        • Answers
      • Trusts + Policies
        • Answers
      • Active Directory Domain Services + Authentication
        • Answers
      • AD in the Cloud
        • Answers
      • Hands-On Lab
        • Answers
        • Untitled
      • Conclusion
    • !Windows Core Processes
    • !SysInternals
  • Threat and Vulnerability Management
    • !Nessus
      • Introduction
      • Installation
      • !Navigation and Scans
        • Answers
      • !Scanning
      • !Scanning a Web Application
    • MITRE
      • Introduction to Mitre
      • Basic Terminology
      • ATT&CK Framework
        • Answers
      • CAR Knowledge Base
        • Answers
      • Shield Active Defense
        • Answers
      • ATT&CK EmulationPlans
        • Answers
      • ATT&CK® and Threat Intelligence
        • Answers
      • Conclusion
    • Yara
      • Introduction
      • What is Yara?
        • Answers
      • Installing Yara (Ubuntu/Debian & Windows)
      • Deploy
      • Introduction to Yara Rules
      • Expanding on Yara Rules
      • Yara Modules
      • Other Tools and Yara
      • Using LOKI and its Yara rule set
        • Answers
        • Untitled
      • Creating Yara rules with yarGen
        • Answers
        • Untitled
      • Valhalla
        • Answers
      • Conclusion
    • Intro to ISAC
      • Introduction
      • Basic Terminology
      • What is Threat Intelligence?
      • What are ISACs?
      • Using Threat Connect to create a Threat Intel dashboard
      • Introduction to AlienVault OTX
      • Using OTX to gather Threat Intelligence
      • Creating IOCs
      • Investigating IOCs
        • Answers
    • Zero Logon
      • The Zero Day Angle
      • Impacket Installation
      • The Proof of Concept
        • Answers
      • Lab it up!
        • Answers
        • Untitled
    • !OpenVAS
    • !MISP
  • Security Operations and Monitoring
    • Splunk
    • Windows Event Logs
    • Sysmon
    • Suricata
    • Osquery
    • Graylog
    • OpenEDR
  • Threat Emulation
    • Attacktive Directory
    • Attacking Kerberos
    • Atomic Red Team
  • Incident Response and Forensics
    • Volatility
    • Forensics
    • Investigating Windows
    • Windows Forensics
    • Redline
    • Autopsy
  • Malware Analysis and Reverse Engineering
    • History of Malware
    • Malware Introductory
    • Researching
    • Strings
    • Basic Malware RE
    • REMnux: The Redux
    • Reversing .NET Apps
Powered by GitBook
On this page

Was this helpful?

  1. Getting Started
  2. Wireshark 101

ARP Traffic

PreviousPacket DissectionNextAnswers

Last updated 4 years ago

Was this helpful?

ARP Overview

ARP or Address Resolution Protocol is a Layer 2 protocol that is used to connect IP Addresses with MAC Addresses. They will contain REQUEST messages and RESPONSE messages. To identify packets the message header will contain one of two operation codes:

  • Request (1)

  • Reply (2)

Below you can see a packet capture of multiple ARP requests and replies.

It is useful to note that most devices will identify themselves or Wireshark will identify it such as Intel_78, an example of suspicious traffic would be many requests from an unrecognized source. You need to enable a setting within Wireshark however to resolve physical addresses. To enable this feature, navigate to View > Name Resolution > Ensure that Resolve Physical Addresses is checked.

Looking at the below screenshot we can see that a Cisco device is sending ARP Requests, meaning that we should be able to trust this device, however you should always stay on the side of caution when analyzing packets.

ARP Traffic Overview

ARP Request Packets:

We can begin analyzing packets by looking at the first ARP Request packet and looking at the packet details.

Looking at the packet details above, the most important details of the packet are outlined in red. The Opcode is short for operation code and will you tell you whether it is an ARP Request or Reply. The second outlined detail is to where the packet is requesting to, in this case, it is broadcasting the request to all.

ARP Reply Packets:

Looking at the above packet details we can see from the Opcode that it is an ARP Reply packet. We can also get other useful information like the MAC and IP Address that was sent along with the reply since this is a reply packet we know that this was the information sent along with the message.

ARP is one of the simpler protocols to analyze, all you need to remember is to identify whether it is a request or reply packet and who it is being sent by.

Practical ARP Packet Analysis

What is the Opcode for Packet 6?

What is the source MAC Address of Packet 19?

What 4 packets are Reply packets?

What IP Address is at 80:fb:06:f0:45:d7?

Now that you know what ARP packets and normal traffic look like download the provided PCAP or nb6-startup.pcap from the . This capture has multiple protocols so you may need to use your knowledge of filtering from previous tasks; once you're ready, begin analysis of the capture.

Wireshark website
85KB
nb6-startup.pcap
nb6-startup.pcap