IP Address and ARP Protocol
IP Address
Network Interfaces
lo (Loopback Device)
- Virtual device (no hardware)
- Used for local network services
- Address: 127.0.0.1 (localhost)
eth0
- Primary ethernet interface
IP Analysis
Tools and Commands
Check Your IP
Find IP from Domain Name
```bash
nslookup google.com
```
Note: Some domains may not be found with nslookup. Use Google Network Analysis Tool to check remote address.
Find Domain Name from IP
```bash
nslookup 13.234.100.208
```
Check Domain Registration Information
- Use whois.com to check registrant information
ARP (Address Resolution Protocol)
Protocol used to find which MAC address corresponds to a given IP address within a network.
Key Points
- On a local network segment, frames are delivered by MAC address, so a device must learn the destination's MAC before it can send to its IP
- ARP maps IP addresses to MAC addresses
Check ARP Table
```bash
arp -a
```
This shows the stored IP-to-MAC address mappings.
Security Considerations
- ARP is vulnerable to MITM (Man-in-the-Middle) attacks
- ARP spoofing can redirect traffic through an attacker’s machine
How ARP Works
When a device wants to communicate with another device on the same local network, it needs the destination’s MAC address. Here is the step-by-step process:
ARP Request (Broadcast)
- Device A wants to send data to IP address 192.168.1.5
- Device A checks its ARP cache for the MAC address of 192.168.1.5
- If not found, Device A sends an ARP Request as a broadcast to all devices on the network
- The broadcast message says: “Who has IP 192.168.1.5? Tell 192.168.1.1 (my IP)”
ARP Reply (Unicast)
- All devices on the network receive the broadcast
- Only the device with IP 192.168.1.5 responds
- It sends an ARP Reply (unicast) back to Device A: “192.168.1.5 is at MAC AA:BB:CC:DD:EE:FF”
- Device A stores this mapping in its ARP cache for future use
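The request/reply exchange above on the wire, as an added example (not part of the original notes): it packs and parses the 28-byte Ethernet/IPv4 ARP payload defined in RFC 826. The MAC 11:22:33:44:55:66 for Device A is an assumed value; the Ethernet header (destination FF:FF:FF:FF:FF:FF for the broadcast, EtherType 0x0806) is not included.

```python
import struct

# ARP payload layout for Ethernet/IPv4 (RFC 826), 28 bytes after the Ethernet header:
#   htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper, sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00"):
    """Build an ARP payload. In a request the target MAC is unknown, so it is all zeros."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP payload; rejects anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


def describe(pkt: dict) -> str:
    """Render a parsed packet the way the notes phrase it."""
    if pkt["oper"] == ARP_REQUEST:
        return f"Who has {pkt['target_ip']}? Tell {pkt['sender_ip']}"
    return f"{pkt['sender_ip']} is at {pkt['sender_mac']}"


# Constructed example: the exchange from the text (Device A's MAC is assumed)
request = build_arp(ARP_REQUEST, "11:22:33:44:55:66", "192.168.1.1", "192.168.1.5")
reply = build_arp(ARP_REPLY, "AA:BB:CC:DD:EE:FF", "192.168.1.5", "192.168.1.1",
                  target_mac="11:22:33:44:55:66")
```

Nothing in the payload authenticates the sender, which is why any host can emit a reply claiming any IP; this is the gap the spoofing section below describes.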
Viewing and Managing the ARP Cache
```bash
# View ARP table
arp -a
# Add a static ARP entry (prevents spoofing for critical hosts)
arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF
# Delete an ARP entry
arp -d 192.168.1.5
# On Linux, view with more detail
ip neigh show
```
IPv4 vs IPv6
IPv4
- 32-bit address (e.g., 192.168.1.1)
- About 4.3 billion unique addresses
- Addresses are running out, solved temporarily by NAT
IPv6
- 128-bit address (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334)
- Virtually unlimited addresses (3.4 x 10^38)
- IPsec support is part of the protocol design (it still has to be configured; it is not on by default)
- No need for NAT
- Uses NDP (Neighbor Discovery Protocol) instead of ARP
Private vs Public IP Addresses
Not all IP addresses are routable on the public internet. Private IP ranges are reserved for internal networks:
| Range | Class | Number of Addresses |
|---|---|---|
| 10.0.0.0 - 10.255.255.255 | Class A | 16,777,216 |
| 172.16.0.0 - 172.31.255.255 | Class B | 1,048,576 |
| 192.168.0.0 - 192.168.255.255 | Class C | 65,536 |
Your home router assigns private IPs to your devices via DHCP and uses NAT (Network Address Translation) to translate between private and public addresses.
Subnet Masks and CIDR
A subnet mask determines which portion of an IP address identifies the network and which identifies the host.
Common Subnet Masks
| CIDR | Subnet Mask | Usable Hosts |
|---|---|---|
| /24 | 255.255.255.0 | 254 |
| /16 | 255.255.0.0 | 65,534 |
| /8 | 255.0.0.0 | 16,777,214 |
Example
For the address 192.168.1.100/24:
- Network address: 192.168.1.0
- Host range: 192.168.1.1-192.168.1.254
- Broadcast address: 192.168.1.255
ARP Security: Spoofing and Prevention
ARP Spoofing Attacks
ARP has no authentication mechanism, making it vulnerable to spoofing. An attacker can send fake ARP replies to associate their MAC address with another device’s IP address (typically the gateway), allowing them to intercept all traffic.
Prevention Methods
- Static ARP entries: Manually set ARP entries for critical devices like the default gateway
- Dynamic ARP Inspection (DAI): Enterprise switches can validate ARP packets against a DHCP snooping database
- ARP monitoring tools: Tools like arpwatch detect ARP changes and alert administrators
- VPN: Encrypts traffic so even if intercepted, data remains secure
- 802.1X authentication: Port-based network access control prevents unauthorized devices from joining the network
```bash
# Monitor ARP changes on Linux
sudo arpwatch -i eth0
```
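What a monitor such as arpwatch does with the replies it sees, as an added example (not arpwatch's code and not part of the original notes): it learns each IP-to-MAC mapping the first time it appears, alerts when a known IP starts answering from a different MAC, and flags a MAC that answers for the gateway and for another host at the same time. The replies below are constructed sample data, and 192.168.1.1 is assumed to be the gateway.

```python
from collections import defaultdict

# Constructed sample of ARP replies as (time, sender_ip, sender_mac), in the order a
# passive sniffer on the segment would observe them. Assumed gateway: 192.168.1.1.
GATEWAY_IP = "192.168.1.1"
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1", "AA:BB:CC:00:00:01"),
    ("10:00:05", "192.168.1.5", "AA:BB:CC:DD:EE:FF"),
    ("10:00:09", "192.168.1.1", "AA:BB:CC:00:00:01"),   # same mapping again: no alert
    ("10:02:30", "192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway IP now answered by a new MAC
    ("10:02:31", "192.168.1.5", "DE:AD:BE:EF:00:01"),   # the same MAC also answers for a host
]


def monitor_arp(replies, gateway_ip=GATEWAY_IP):
    """Return alert strings; the first sighting of each IP is learned silently."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.upper()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            # A changed mapping for the gateway is the classic MITM signature
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {sev}: {ip} changed from {known} to {mac}")
            ip_to_mac[ip] = mac
        newly_claimed = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        # One MAC answering for the gateway and for other hosts: traffic in both
        # directions would pass through that interface
        if newly_claimed and gateway_ip in mac_to_ips[mac] and len(mac_to_ips[mac]) > 1:
            others = ", ".join(sorted(mac_to_ips[mac] - {gateway_ip}))
            alerts.append(f"{ts} WARNING: {mac} answers for gateway {gateway_ip} and {others}")
    return alerts


if __name__ == "__main__":
    for line in monitor_arp(SAMPLE_REPLIES):
        print(line)
```

A legitimate change (replaced router hardware, VRRP/HSRP failover) produces the same alert, so the static-entry and DAI controls listed above are what actually block the spoofed reply; the monitor only tells you it happened.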
DHCP (Dynamic Host Configuration Protocol)
DHCP is the protocol that automatically assigns IP addresses to devices when they join a network. Without DHCP, every device would need a manually configured static IP address.
How DHCP Works
- DHCP Discover: The new device broadcasts a message asking for an IP address
- DHCP Offer: The DHCP server responds with an available IP address
- DHCP Request: The device accepts the offered IP
- DHCP Acknowledge: The server confirms the assignment
DHCP Lease Time
IP addresses assigned by DHCP are not permanent — they have a lease time. When the lease expires, the device must renew it. Common lease times:
| Environment | Typical Lease Time |
|---|---|
| Home network | 24 hours |
| Office network | 8 hours |
| Public Wi-Fi | 1-2 hours |
| IoT devices | 7 days |
Viewing DHCP Information
```bash
# macOS
ipconfig getpacket en0
# Linux
cat /var/lib/dhcp/dhclient.leases
# Windows
ipconfig /all
```
Network Troubleshooting Guide
When you cannot connect to a server or website, follow these steps to diagnose the issue:
Step 1: Check Local Network
```bash
# Check if your network interface is up
ifconfig # macOS/Linux
ipconfig # Windows
# Check if you have an IP address
ip addr show # Linux
```
Step 2: Check Gateway Connectivity
```bash
# Ping your default gateway
ping 192.168.1.1
# If this fails, the problem is with your local network connection
```
Step 3: Check DNS Resolution
```bash
# Try resolving a domain name
nslookup google.com
# If DNS fails, try pinging a known IP directly
ping 8.8.8.8
```
Step 4: Trace the Route
```bash
# See every hop between you and the destination
traceroute google.com # macOS/Linux
tracert google.com # Windows
# This helps identify where packets are being dropped
```
Step 5: Check Specific Ports
```bash
# Test if a specific port is open
nc -zv hostname 443 # Check HTTPS port
telnet hostname 80 # Check HTTP port
# More detailed check with nmap
nmap -p 80,443 hostname
```
Common Issues and Solutions
| Problem | Likely Cause | Solution |
|---|---|---|
| No IP address | DHCP failure | Restart network interface, check DHCP server |
| Can ping IP but not domain | DNS issue | Change DNS to 8.8.8.8, flush DNS cache |
| High latency | Network congestion | Check bandwidth usage, switch to wired |
| Intermittent connectivity | ARP issues, Wi-Fi interference | Check ARP table, change Wi-Fi channel |
| Connection refused | Service not running | Check if service is listening on the port |
```bash
# Flush DNS cache
# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
# Linux (systemd-resolved; on newer systemd use: sudo resolvectl flush-caches)
sudo systemd-resolve --flush-caches
# Windows
ipconfig /flushdns
```
MAC Address Essentials
A MAC (Media Access Control) address is a unique hardware identifier assigned to every network interface card (NIC). Unlike IP addresses, MAC addresses are typically permanent and assigned by the manufacturer.
MAC Address Format
A MAC address is 48 bits long, written as six pairs of hexadecimal digits, e.g. `AA:BB:CC:DD:EE:FF`:
- First 3 bytes (AA:BB:CC): OUI (Organizationally Unique Identifier) — identifies the manufacturer
- Last 3 bytes (DD:EE:FF): NIC (Network Interface Controller) specific
Viewing Your MAC Address
```bash
# macOS
ifconfig en0 | grep ether
# Linux
ip link show eth0
# Windows
getmac
```
MAC Address Spoofing
While MAC addresses are intended to be permanent, they can be changed in software. This is called MAC spoofing and is sometimes used for:
- Privacy (randomizing MAC on public Wi-Fi)
- Bypassing MAC-based access controls
- Network testing
Modern mobile devices already randomize their MAC addresses when scanning for Wi-Fi networks to protect user privacy.
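The OUI/NIC split and the randomization point above, in an added example (not from the original notes): it parses the colon, dash (Windows) and dotted (Cisco) notations, splits out the OUI, and reads the two flag bits of the first octet. Bit 1 is the "locally administered" bit, which software-set and randomized addresses carry, so it is the quickest way to tell a burned-in address from one set in software; the sample addresses are constructed.

```python
import re


def parse_mac(mac: str) -> bytes:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF (Windows) or aabb.ccdd.eeff (Cisco)."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_info(mac: str) -> dict:
    b = parse_mac(mac)
    first = b[0]
    return {
        "canonical": ":".join(f"{x:02X}" for x in b),
        "oui": ":".join(f"{x:02X}" for x in b[:3]),          # manufacturer (registered) part
        "nic_specific": ":".join(f"{x:02X}" for x in b[3:]),  # per-device part
        # bit 0 of the first octet: 0 = unicast, 1 = multicast (broadcast is all ones)
        "multicast": bool(first & 0x01),
        "broadcast": b == b"\xff" * 6,
        # bit 1 of the first octet: 0 = universally administered (burned in by the vendor),
        # 1 = locally administered (set in software, including Wi-Fi randomization)
        "locally_administered": bool(first & 0x02),
    }


def looks_randomized(mac: str) -> bool:
    """Unicast address with the locally-administered bit set: software-assigned, not an OUI lookup candidate."""
    info = mac_info(mac)
    return info["locally_administered"] and not info["multicast"]
```

Because the locally administered bit replaces the vendor OUI, an OUI lookup on such an address tells you nothing about the hardware; inventory and access-control logic that keys on vendor prefixes should treat these addresses separately.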