Appendix - Mitigating Arp Spoofing Attacks Using Packet Content Acl - D-Link DGS-3200 SERIES Cli Manual

Appendix - Mitigating ARP Spoofing Attacks Using
Packet Content ACL
How Address Resolution Protocol works
In the process of ARP, PC A will first issue an ARP request to query PC B's MAC address. The network structure is
shown in Figure-1.
Figure-1
In the meantime, PC A's MAC address will be written into the "Sender H/W Address" and its IP address will be written
into the "Sender Protocol Address" in the ARP payload. As PC B's MAC address is unknown, the "Target H/W
Address" will be "00-00-00-00-00-00," while PC B's IP address will be written into the "Target Protocol Address,"
shown in Table-1.
Table-1 (ARP Payload)
H/W Protocol H/W
type type address
length
The ARP request will be encapsulated into an Ethernet frame and sent out. As can be seen in Table-2, the "Source
Address" in the Ethernet frame will be PC A's MAC address. Since an ARP request is sent via broadcast, the
"Destination address" is in a format of Ethernet broadcast (FF-FF-FF-FF-FF-FF).
Table-2 (Ethernet frame format)
Destination address
FF-FF-FF-FF-FF-FF
When the switch receives the frame, it will check the "Source Address" in the Ethernet frame's header. If the address
is not in its Forwarding Table, the switch will learn PC A's MAC and the associated port into its Forwarding Table.
DGS-3200 Series Layer 2 Gigabit Managed Switch CLI Manual
Protocol Operation
address
length
ARP request
Source address
00-20-5C-01-11-11
Sender
H/W address
00-20-5C-01-11-11
Ether-type
436
Sender Target
protocol H/W address
address
10.10.10.1 00-00-00-00-00-00
ARP
Target
protocol
address
10.10.10.2
FCS