# ARP Traffic

{% file src="/files/-MQchCv6UqpHvjr0f\_R7" %}
nb6-startup.pcap
{% endfile %}

## ARP Overview

ARP, the Address Resolution Protocol, is a Layer 2 protocol used to map IP addresses to MAC addresses. ARP traffic consists of request and reply messages; to tell them apart, the message header carries one of two operation codes:

* Request (1)
* Reply (2)

Below you can see a packet capture of multiple ARP requests and replies.

![](https://i.imgur.com/m5v2j3F.png)

It is useful to note that most devices identify themselves, or Wireshark identifies them for you by resolving the vendor portion of the MAC address, so a host shows up with a name such as Intel_78. Many requests from an unrecognized source are one example of suspicious traffic. Resolving physical addresses must be enabled in Wireshark first: navigate to View > Name Resolution and ensure that Resolve Physical Addresses is checked.

In the screenshot below, a Cisco device is sending ARP Requests, so we should be able to trust this device; however, you should always err on the side of caution when analyzing packets.

![](https://i.imgur.com/K4hQv3N.png)

## ARP Traffic Overview

### ARP Request Packets

We can begin analyzing packets by opening the first ARP Request packet and looking at its packet details.

![](https://i.imgur.com/2NqTPz1.png)

Looking at the packet details above, the most important details of the packet are outlined in red. The Opcode (short for operation code) tells you whether it is an ARP Request or Reply. The second outlined detail is where the packet is being sent; in this case, the request is broadcast to all hosts on the segment.

### ARP Reply Packets

![](https://i.imgur.com/qnZyTVB.png)

Looking at the packet details above, the Opcode tells us this is an ARP Reply packet. We can also pull out other useful information, such as the MAC and IP address carried in the reply; since this is a reply packet, we know this is the information the responding host sent along with the message.

ARP is one of the simpler protocols to analyze: all you need to remember is to identify whether a packet is a request or a reply and who sent it.
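The fields discussed above (the opcode, the broadcast destination of a request, the sender MAC and IP carried in a reply, and the vendor lookup behind Resolve Physical Addresses) can be pulled straight out of the bytes on the wire. The following Python script is an added example and is not code from the original page: it decodes Ethernet/IPv4 ARP frames with `struct`, numbers packets the way Wireshark does (starting at 1), lists which packets are replies, answers "which IP is at this MAC" from the sender fields, and flags a source with no recognizable vendor prefix that issues many requests. The frames and the small OUI table are constructed for the example; none of them come from nb6-startup.pcap.

```python
"""Decode ARP frames and answer the basic analyst questions about them.

Added example, not from the original page. The frames and the OUI table below
are constructed in memory so the script runs offline.
"""
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # hw type, proto type, hw len, proto len,
                                           # opcode, sender MAC/IP, target MAC/IP
ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Stand-in for Wireshark's manufacturer (OUI) table. These prefixes are made up
# for the example; a real check would use the IEEE OUI list Wireshark ships.
OUI_TABLE = {"aa:bb:cc": "ExampleVendor", "dd:ee:ff": "OtherVendor"}


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def parse_arp(frame: bytes) -> dict:
    """Return the fields an analyst reads off an ARP packet in Wireshark."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    hw_type, proto_type, hw_len, proto_len, opcode, sha, spa, tha, tpa = (
        ARP_HDR.unpack_from(frame, ETH_HDR.size))
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "opcode": opcode,
        "type": OPCODES.get(opcode, f"unknown({opcode})"),
        "eth_src": mac_to_str(eth_src),
        "eth_dst": mac_to_str(eth_dst),
        "sender_mac": mac_to_str(sha),
        "sender_ip": ip_to_str(spa),
        "target_mac": mac_to_str(tha),
        "target_ip": ip_to_str(tpa),
    }


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Build a constructed frame: requests go to the broadcast MAC, replies to the requester."""
    eth_dst = BROADCAST if opcode == 1 else target_mac
    eth = ETH_HDR.pack(mac_to_bytes(eth_dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


def vendor(mac: str) -> str:
    """Mimic 'Resolve Physical Addresses': look up the 3-byte OUI prefix."""
    return OUI_TABLE.get(mac[:8], "unknown")


def reply_packets(frames) -> list:
    """1-based packet numbers (as Wireshark numbers them) whose opcode is 2."""
    return [n for n, f in enumerate(frames, start=1) if parse_arp(f)["opcode"] == 2]


def ip_for_mac(frames, mac: str) -> set:
    """IP addresses a MAC has claimed as sender in any request or reply."""
    return {p["sender_ip"] for p in map(parse_arp, frames) if p["sender_mac"] == mac}


def noisy_unknown_sources(frames, threshold: int = 3) -> dict:
    """Senders with an unresolvable OUI that issued at least `threshold` requests."""
    counts = Counter(p["sender_mac"] for p in map(parse_arp, frames) if p["opcode"] == 1)
    return {mac: n for mac, n in counts.items()
            if n >= threshold and vendor(mac) == "unknown"}


# Constructed capture: a normal request/reply pair, a sweep of requests from a
# source with no known vendor prefix, then one more reply.
FRAMES = [
    build_arp(1, "aa:bb:cc:00:00:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(2, "aa:bb:cc:00:00:02", "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.10"),
] + [
    build_arp(1, "02:00:00:00:00:99", "192.168.1.99", "00:00:00:00:00:00", f"192.168.1.{h}")
    for h in range(2, 6)
] + [
    build_arp(2, "dd:ee:ff:00:00:03", "192.168.1.20", "aa:bb:cc:00:00:01", "192.168.1.10"),
]

if __name__ == "__main__":
    for n, frame in enumerate(FRAMES, start=1):
        p = parse_arp(frame)
        print(f"{n:2d} {p['type']:8s} {p['sender_mac']} ({vendor(p['sender_mac'])}) "
              f"{p['sender_ip']} -> {p['target_ip']}")
    print("reply packets:", reply_packets(FRAMES))
    print("IP at aa:bb:cc:00:00:02:", ip_for_mac(FRAMES, "aa:bb:cc:00:00:02"))
    print("noisy unknown sources:", noisy_unknown_sources(FRAMES))
```

The threshold in `noisy_unknown_sources` is deliberately low so the constructed sweep trips it; on a real network, a gateway or monitoring host legitimately sends many requests, so the check is a prompt to look closer, not a verdict on its own.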

## Practical ARP Packet Analysis

Now that you know what ARP packets and normal traffic look like, download the provided PCAP or nb6-startup.pcap from the [Wireshark website](https://wiki.wireshark.org/SampleCaptures#ADSL_CPE). This capture contains multiple protocols, so you may need to use your knowledge of filtering from previous tasks; once you're ready, begin analysis of the capture.

What is the Opcode for Packet 6?

What is the source MAC Address of Packet 19?

What 4 packets are Reply packets?

What IP Address is at 80:fb:06:f0:45:d7?
