4.8 Interpret the fields in protocol headers as related to intrusion analysis
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
ARP (Address Resolution Protocol) Overview
ARP is the protocol IPv4 hosts use on a LAN to map a logical IP address to the physical MAC address of the interface that owns it. It rides directly in Ethernet frames (EtherType 0x0806), not inside IP, and carries no authentication: any host on the segment can answer any request, which is the root of every ARP attack below.
- IP address: Logical address used to identify a device on a network (Layer 3 – Network Layer).
- MAC address: Physical address of a network interface card (NIC) used for actual data delivery on a LAN (Layer 2 – Data Link Layer).
Why ARP matters for intrusion analysis:
Cybersecurity analysts often inspect ARP traffic to detect attacks such as:
- ARP spoofing/poisoning – an attacker sends fake ARP messages to redirect traffic.
- Man-in-the-Middle (MITM) attacks – using ARP spoofing, attackers can intercept network traffic.
ARP Packet Structure (Header Fields)
For Ethernet/IPv4 an ARP message is a fixed 28-byte header with no payload; the nine fields below are the entire message, so intrusion analysis of ARP is analysis of these fields and of who sent them. Breakdown:
| Field | Description | Notes for Intrusion Analysis |
|---|---|---|
| Hardware Type (HTYPE) | Identifies the link-layer type (Ethernet = 1) | On an Ethernet segment any value other than 1 is suspect (malformed or crafted packet) |
| Protocol Type (PTYPE) | Type of protocol address being mapped (IPv4 = 0x0800) | Any value other than 0x0800 on an IPv4 LAN indicates a crafted or corrupted packet |
| Hardware Address Length (HLEN) | Length of the hardware address (6 bytes for Ethernet MACs) | Check for abnormal lengths (could indicate a malformed packet) |
| Protocol Address Length (PLEN) | Length of the protocol address (4 bytes for IPv4) | Important for validating packet integrity |
| Operation (OPER) | ARP message type: 1 = Request, 2 = Reply | Replies that no one requested, or a flood of replies from one MAC, point to spoofing |
| Sender Hardware Address (SHA) | MAC address of the sender | Cross-check with known devices, and with the source MAC of the Ethernet frame; a mismatch means the ARP contents were forged |
| Sender Protocol Address (SPA) | IP address of the sender | Compare with the network inventory; in a spoofed reply this is the victim's IP (typically the gateway) paired with the attacker's MAC |
| Target Hardware Address (THA) | MAC address of the intended recipient | All zeros (ignored) in requests; in replies it is the MAC of the host that asked |
| Target Protocol Address (TPA) | IP address of the target device | Shows which IP is being resolved; a single host querying every address in the subnet is doing an ARP scan |
How ARP Works in a Network
- A device wants to communicate with another device in the same LAN.
- It knows the IP but not the MAC.
- It sends an ARP Request: “Who has IP 192.168.1.10? Tell me your MAC.”
- The device that owns that IP responds with an ARP Reply, unicast to the requester, providing its MAC address.
- The sender caches the mapping in its ARP table (a cache of IP-to-MAC mappings). Many implementations also accept a reply they never asked for, or update an existing entry on any ARP packet from that IP; this is the behaviour cache poisoning exploits.
Intrusion relevance:
- Attackers can send fake ARP replies to poison the ARP cache of devices.
- Monitoring ARP traffic helps detect suspicious activity like duplicate MAC addresses or unexpected replies.
ARP in Intrusion Analysis
When analyzing ARP traffic:
- Check for duplicate IPs: Two different MAC addresses claiming the same IP could indicate spoofing. Wireshark flags this in its expert info as "Duplicate IP address detected" (display filter `arp.duplicate-address-detected`).
- Watch unsolicited ARP replies: A reply sent without a request may indicate an attack. Gratuitous ARP (a host announcing its own IP on boot, after an IP change, or on an HSRP/VRRP failover) is legitimate and looks the same on the wire, so baseline the normal sources before alerting on it.
- Inspect ARP header fields: Verify HTYPE, PTYPE, HLEN, PLEN to ensure packets are valid, and compare SHA with the source MAC of the Ethernet frame that carried it; a difference means the ARP body was forged.
- Track unusual MAC addresses: Unknown hardware may indicate rogue devices. Check the OUI (first three bytes) against the vendors you expect on that segment.
Example IT scenario:
- A security analyst sees ARP replies claiming the gateway IP (192.168.1.1) but carrying a MAC that differs from the gateway's known MAC.
- This is the classic ARP spoofing signature: hosts that accept the reply now send their off-subnet traffic to the attacker's MAC, which allows interception. Confirm against the inventory before acting, since a gateway replacement or a first-hop redundancy failover also changes the MAC seen for the gateway IP.
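The parser and the checks above, as an added example that is not part of the Cisco material: it decodes the Ethernet and ARP header fields from raw bytes, rejects headers whose HTYPE/PTYPE/HLEN/PLEN/OPER are not the Ethernet/IPv4 values in the table, and then runs the analysis checks (SHA versus frame source MAC, unsolicited replies, inventory mismatch, duplicate IP) over a constructed sequence of frames reproducing the request/reply exchange and the gateway-spoofing scenario. All MAC and IP addresses are made up, and the `inventory` mapping stands in for whatever asset records an analyst would really use.

```python
"""Added example (not from the course): parse ARP frames and flag the anomalies above."""
import struct

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def fmt_mac(b):
    return ":".join(f"{c:02x}" for c in b)


def fmt_ip(b):
    return ".".join(str(c) for c in b)


def build_arp_frame(oper, sha, spa, tha, tpa, eth_src=None, hlen=6, plen=4):
    """Constructed test input: 14-byte Ethernet header + 28-byte ARP message.
    eth_src lets the frame's source MAC differ from SHA (a forgery tell);
    hlen/plen let a deliberately malformed header be produced."""
    eth_dst = BROADCAST if oper == OP_REQUEST else tha
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, hlen, plen, oper)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)


def parse_arp_frame(frame):
    """Decode the header fields; raise ValueError for anything that is not
    Ethernet/IPv4 ARP with HTYPE=1, PTYPE=0x0800, HLEN=6, PLEN=4, OPER in {1,2}."""
    if len(frame) < 42:
        raise ValueError(f"truncated frame ({len(frame)} bytes)")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError(f"HTYPE={htype} PTYPE=0x{ptype:04x} HLEN={hlen} PLEN={plen}")
    if oper not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"OPER={oper}")
    a = frame[22:42]  # SHA(6) SPA(4) THA(6) TPA(4); fixed offsets because HLEN=6, PLEN=4
    return {"eth_dst": fmt_mac(frame[0:6]), "eth_src": fmt_mac(frame[6:12]), "oper": oper,
            "sha": fmt_mac(a[0:6]), "spa": fmt_ip(a[6:10]),
            "tha": fmt_mac(a[10:16]), "tpa": fmt_ip(a[16:20])}


class ArpMonitor:
    """Stateful checks: header validity, SHA vs frame source, unsolicited
    replies, inventory mismatch, duplicate IP. Alerts are tag-prefixed strings."""

    def __init__(self, inventory):
        self.inventory = dict(inventory)  # ip -> expected MAC (assumed asset records)
        self.seen = {}                    # ip -> first MAC observed on the wire
        self.outstanding = set()          # (asker_ip, asked_ip) requests awaiting a reply

    def observe(self, frame):
        try:
            p = parse_arp_frame(frame)
        except ValueError as e:
            return [f"MALFORMED_HEADER: {e}"]
        alerts = []
        if p["sha"] != p["eth_src"]:
            alerts.append(f"SHA_MISMATCH: ARP says {p['sha']}, frame came from {p['eth_src']}")
        if p["oper"] == OP_REQUEST:
            if p["spa"] == p["tpa"]:  # gratuitous ARP: normal on boot, IP change, FHRP failover
                alerts.append(f"GRATUITOUS_ARP: {p['sha']} announces {p['spa']}")
            else:
                self.outstanding.add((p["spa"], p["tpa"]))
        elif (p["tpa"], p["spa"]) in self.outstanding:  # the reply's target is the host that asked
            self.outstanding.discard((p["tpa"], p["spa"]))
        else:
            alerts.append(f"UNSOLICITED_REPLY: {p['sha']} claims {p['spa']}")
        if p["spa"] != "0.0.0.0":  # ARP probes carry SPA 0.0.0.0; nothing to learn from them
            expected = self.inventory.get(p["spa"])
            if expected and expected != p["sha"]:
                alerts.append(f"INVENTORY_MISMATCH: {p['spa']} should be {expected}, saw {p['sha']}")
            prev = self.seen.setdefault(p["spa"], p["sha"])  # keep the first-seen mapping
            if prev != p["sha"]:
                alerts.append(f"DUPLICATE_IP: {p['spa']} claimed by {prev} and {p['sha']}")
        return alerts


def run_scenario():
    """Constructed traffic on 192.168.1.0/24; every address here is made up."""
    gw_ip, gw_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    host_ip, host_mac = "192.168.1.10", "aa:bb:cc:00:00:10"
    evil_mac = "de:ad:be:ef:00:99"
    mon = ArpMonitor({gw_ip: gw_mac})
    frames = [
        build_arp_frame(OP_REQUEST, host_mac, host_ip, ZERO_MAC, gw_ip),                # who has 192.168.1.1?
        build_arp_frame(OP_REPLY, gw_mac, gw_ip, host_mac, host_ip),                    # real gateway answers
        build_arp_frame(OP_REPLY, evil_mac, gw_ip, host_mac, host_ip),                  # poisoning reply
        build_arp_frame(OP_REPLY, gw_mac, gw_ip, host_mac, host_ip, eth_src=evil_mac),  # forged SHA
        build_arp_frame(OP_REQUEST, host_mac, host_ip, ZERO_MAC, gw_ip, hlen=8),        # bad HLEN
    ]
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_scenario(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

The first two frames produce no alerts; the third (the scenario above) fires UNSOLICITED_REPLY, INVENTORY_MISMATCH and DUPLICATE_IP at once, the fourth shows why the Ethernet source MAC is worth comparing with SHA, and the fifth is rejected on HLEN before any address is looked at. On real traffic you would feed `observe()` from a pcap reader and whitelist the hosts whose gratuitous ARP is expected.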
Key Points for the Exam
- Know what ARP does: maps IP addresses to MAC addresses.
- Understand ARP packet fields and their meanings (HTYPE, PTYPE, OPER, SHA, SPA, THA, TPA).
- Recognize how ARP is abused in attacks (spoofing, MITM).
- Know how to analyze ARP headers to detect suspicious activity.
Quick Tip to Remember
- ARP Request = Who has IP? → Target MAC all zeros, Ethernet frame sent to the broadcast MAC
- ARP Reply = Here is my MAC → Target MAC filled with the requester's MAC, frame unicast back to it
- Always compare Sender IP/MAC against the inventory, against Target IP/MAC, and against the Ethernet source MAC for anomalies.
