computer networking: ARP - point of the ICMP echo packets - networking

I'm studying the Address Resolution Protocol, and in all my books and slides the diagrams show an ARP taking place (i.e. Host1 sends an ARP request, the router checks it, redirects it, eventually it gets to Host2 and then Host2 sends back an ARP reply).
What I'm wondering is why the examples include ICMP echo replies and requests. Do they serve any purpose within ARP?
Thanks

I would guess that it is to initiate the ARPs. A machine is not going to send an ARP for no reason. It will only send an ARP if it needs to send something to the IP address (and doesn't know the destination MAC address yet). Maybe the ICMP echo request is that 'something' the authors use in their examples to cause the source machine to send an ARP.
Short answer: There is no special relationship between ICMP and ARP; that's just what the authors of your book decided to use as an example.

Related

Transfer file over ICMP

I'm studying networking. I want to transfer a file over the ICMP protocol, then capture the network traffic with Wireshark to decode the raw data. But I don't know how to transfer a file using the ICMP protocol. So my question is: how can I transfer a file between hosts using ICMP?
Thanks a lot.
If you insist on sending data using ICMP (which is reasonable in some use cases) I suggest you read this article and that one. The first one also contains proof-of-concept C code for a client and server that use ICMP to transfer data. You can find another example written in C++ here.
The idea behind this method is using the data (payload) section of ICMP Echo (ping) requests and responses for transferring data (or files in this case). Most devices reply to ICMP Echo (ping) requests so it's a way to transfer files when other protocols (such as ssh, smb, ftp, etc.) are blocked.
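An added example (not from the answer or the linked articles) of the defensive counterpart to what it describes: a small inspector that pulls the payload out of raw IPv4/ICMP Echo packets and flags ones too large or too random to be an ordinary ping. The size and entropy thresholds and the two sample packets are constructed for the demo.

```python
import math
import struct

# Thresholds are constructed for this demo: Linux ping sends 56 payload bytes,
# Windows 32, and both use low-entropy padding.
MAX_NORMAL_PAYLOAD = 64
HIGH_ENTROPY_BITS = 6.0

def parse_icmp_echo(packet: bytes):
    """Return (icmp_type, ident, seq, payload) for an IPv4 ICMP Echo packet, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:          # protocol 1 = ICMP
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type not in (0, 8) or code != 0:             # 8 = Echo Request, 0 = Echo Reply
        return None
    return icmp_type, ident, seq, packet[ihl + 8:]

def entropy_bits(data: bytes) -> float:
    """Shannon entropy of the payload in bits per byte (0.0 for empty data)."""
    if not data:
        return 0.0
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def classify(packet: bytes) -> str:
    """'normal', 'suspicious' (oversized or high-entropy payload) or 'not-echo'."""
    parsed = parse_icmp_echo(packet)
    if parsed is None:
        return "not-echo"
    payload = parsed[3]
    if len(payload) > MAX_NORMAL_PAYLOAD or entropy_bits(payload) > HIGH_ENTROPY_BITS:
        return "suspicious"
    return "normal"

def build_echo(payload: bytes) -> bytes:
    """Constructed test input: IPv4 header (checksums left zero) + ICMP Echo Request."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload

# Constructed samples: a stock Linux-style ping payload versus a 1024-byte file chunk.
PING_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))            # 8-byte timestamp + pattern
FILE_CHUNK = bytes((i * 73 + 41) % 256 for i in range(1024))  # every byte value 4 times
NORMAL_PACKET = build_echo(PING_PAYLOAD)
OVERSIZED_PACKET = build_echo(FILE_CHUNK)

if __name__ == "__main__":
    for name, pkt in (("ping", NORMAL_PACKET), ("file chunk", OVERSIZED_PACKET)):
        print(name, classify(pkt))
```

On a live capture the same classifier would be fed the IP packet bytes that Wireshark or a raw socket hands back.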
If you study the TCP/IP layers, you will find that ICMP is an Internet layer protocol and its purpose is to:
The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, like routers, to send error messages and operational information.
So ICMP is not a data transfer protocol like HTTP or FTP, etc. Technically it is not possible in any case to use ICMP as a data transfer protocol, unless you change the structure and all the coding of ICMP, and then it will no longer be ICMP.

Flaw in ICMP holepunching?

How is ICMP NAT traversal supposed to work if the NAT device in question rewrites outbound ICMP packets?
Diagram
=========================================================================================
| CLIENT | <---> | NAT-C | <---> { internet } <---> | NAT-S | <---> | SERVER |
=========================================================================================
19.19.19.19 (external addresses) 72.72.72.72
192.168.0.2 192.168.0.1 (internal addresses) 172.16.0.1 172.16.0.2
Mechanics
A quick overview of ICMP holepunching as described in pwnat:
SERVER sends ICMP Echo Request packets (pings) to some other host (e.g. 3.3.3.3) to open up a hole in NAT-S. When CLIENT wants to connect, it sends an ICMP Time Exceeded packet to NAT-S, which is supposed to get routed to SERVER. For said routing to work, CLIENT constructs the ICMP Time Exceeded packet by embedding within it the same packet (ICMP Echo to 3.3.3.3) it expects SERVER to be sending in the first place.
Problem
If CLIENT needs to embed the same (ICMP Echo Request) packet as it left NAT-S in its ICMP Time Exceeded reply, it must know the packet's query ID. But how does it know this query ID?
According to RFC 3022 Section 2.2, when NAT-S encounters the outbound ICMP Echo Request, it rewrites the packet's query ID field to a unique external query ID so that it can route future ICMP Echo Replies with the same query ID to SERVER.
Given the problem above, it would seem that the premise behind pwnat and ICMP holepunching is invalid and it's never supposed to work. Am I missing something here?
Thanks in advance :)
You're correct about the query ID.
pwnat rarely works nowadays. I happened to learn about this ICMP punching thing years ago and was interested in the idea. I read the source code of pwnat and re-implemented it in Go myself. Only basic NAT devices (as RFC 1631 describes) which do simple address translation may work with it; any NAPT device which has a robust NAPT implementation won't.
Besides the identifier problem (by the way, the source code of pwnat uses 0 as the identifier of the original request), pwnat didn't give the right checksum for the original IP header, which may lead to NAT-S dropping the TTL exceeded message (if the packet can reach there).
More seriously, according to RFC 5508,
when the NAT device receives the ICMP Error packet from the Private Realm, the NAT device uses the packet embedded within the ICMP Error message (i.e., the IP packet from the client to the server) to look up the NAT Session to which the embedded packet belongs. If the NAT device does not have an active mapping for the embedded packet, the NAT SHOULD silently drop the ICMP Error packet.
This means the ICMP Time Exceeded packet from the client wouldn't pass through NAT-C. This paper mentions this scenario and recommends other solutions.
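An added example (not pwnat's code or the answer's Go port) that models the two NAT behaviours the answer cites, using the addresses from the diagram above; the query-ID pool and the session tables are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Echo:            # an ICMP Echo (request or reply): addresses plus the query ID
    src: str
    dst: str
    ident: int

@dataclass(frozen=True)
class TimeExceeded:    # an ICMP error; 'embedded' is the header of the packet it reports on
    src: str
    dst: str
    embedded: Echo

@dataclass
class Napt:
    external_ip: str
    next_ident: int = 1000                        # constructed pool of external query IDs
    sessions: dict = field(default_factory=dict)  # (peer, ext ident) -> (inside ip, inside ident)

    def outbound_echo(self, pkt: Echo) -> Echo:
        """RFC 3022 section 2.2: assign a unique external query ID and record the mapping."""
        ext_ident, self.next_ident = self.next_ident, self.next_ident + 1
        self.sessions[(pkt.dst, ext_ident)] = (pkt.src, pkt.ident)
        return Echo(self.external_ip, pkt.dst, ext_ident)

    def outbound_error(self, err: TimeExceeded):
        """RFC 5508: an ICMP error from the private realm is forwarded only when the
        embedded packet matches an active session; otherwise it is silently dropped."""
        inner = err.embedded
        for (peer, ext_ident), inside in self.sessions.items():
            if peer == inner.src and inside == (inner.dst, inner.ident):
                return TimeExceeded(self.external_ip, err.dst, Echo(peer, self.external_ip, ext_ident))
        return None

def pwnat_attempt():
    """Returns (query ID NAT-S really put on the wire, what NAT-C forwarded or None)."""
    nat_s, nat_c = Napt("72.72.72.72"), Napt("19.19.19.19")
    on_wire = nat_s.outbound_echo(Echo("172.16.0.2", "3.3.3.3", ident=0))  # SERVER pings 3.3.3.3
    guess = Echo("72.72.72.72", "3.3.3.3", ident=0)   # CLIENT's reconstruction of that packet
    err = TimeExceeded("192.168.0.2", "72.72.72.72", guess)
    return on_wire.ident, nat_c.outbound_error(err)

def legitimate_error():
    """Contrast: an error about a packet CLIENT actually received does pass NAT-C."""
    nat_c = Napt("19.19.19.19")
    nat_c.outbound_echo(Echo("192.168.0.2", "3.3.3.3", ident=7))   # CLIENT pinged 3.3.3.3 first
    err = TimeExceeded("192.168.0.2", "3.3.3.3", Echo("3.3.3.3", "192.168.0.2", ident=7))
    return nat_c.outbound_error(err)

if __name__ == "__main__":
    ident, forwarded = pwnat_attempt()
    print("query ID on the wire:", ident, "| NAT-C forwarded pwnat's error:", forwarded is not None)
    print("NAT-C forwarded the legitimate error:", legitimate_error() is not None)
```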

Networking - sending and receiving data

This might not be the right place, as it's not about pure programming;
nevertheless, as a simple web developer I find myself quite
ignorant on the subject of networking (Wikipedia usually mixes
different subjects on the matter), and I feel it is a "must" to know.
I sort of have an image of what happens when you write google.com
in your browser, but I don't know the whole process (I have a modem,
a router and a few computers connected to it; let's use my case as an example):
You write characters into chrome ->
there is some character encoding done to translate the address(ASCII or else) ->
DNS does something, not sure ->
your router receives a digital request from a computer's internet cable/WIFI, it saves the internal IPV4 address of
the sender in order to know to which computer to respond back. it sends the digital data to the modem ->
your modem receives digital data, and translates it from digital to analog ->
now your network provider does some work ->
the google server receives a request from an IP address ->
not sure how the google server handles the data, nevertheless it sends back data ->
service provider -> router gets translated digital data from the modem and remembers who sent the request, and sends it to the right person.
In order to optimize a web server, or maybe to write better code which involves networking, perhaps each beginner (such as myself) needs to understand this first? Thank you for your time.
EDIT: I did read Wikipedia's OSI model, though it's not quite as helpful as I thought it would be.
I will try to explain the idea, although it may be much more complicated; it depends on how deep you want to go...
you write "www.stackoverflow.com"
your OS will try to resolve www.stackoverflow.com to an IP address
since your OS probably can't, it needs to ask a DNS server
assuming you use an external DNS (say IP=5.5.5.5, and your IP=10.10.10.10, which is on a different network), your OS will check if it knows how to reach 5.5.5.5
a default route 0.0.0.0/0 exists on your PC (this is also known as the 'default-gw', which covers ALL of the internet); it points to your local router
an IP packet will be sent to the router MAC address with the DNS IP address in the destination
your router will probably change your private IP address to its own public IP address and will send it to the ISP
the ISP will route it through the internet until it reaches 5.5.5.5, which is the DNS server
the DNS server will reply, resolving stackoverflow.com to an IP address
your PC now knows how to send packets to stackoverflow.com
a packet will be sent to the stackoverflow IP address (104.16.36.249) on port 80 (HTTP)
the stackoverflow web server listens for requests on port 80
once a packet arrives it will generate a response packet
it will send it back to you exactly the same way
all that traffic can be seen with a network capture utility like Wireshark; you can use these commands (Windows) to verify...
ping stackoverflow.com
netstat -rn
ipconfig
nslookup
tracert -d

ARP and RARP Request and Response?

If I send an ARP request to find the MAC address of a machine in a LAN, but among the group of hosts in the LAN two hosts have the same IP address, then how does the ARP reply work?
The same situation with RARP: if two machines inside the LAN have the same MAC address and I send a RARP request to find the IP address, then how does the RARP reply work?
If it receives 2 different ARP or RARP responses, it knows something is wrong.
Further reading: gratuitous ARP.
Primarily, an IP address is unique within a network and a MAC is unique globally, so there should not be any confusion.
But in case multiple devices have the same IP or MAC, then (probably) the first ARP or RARP reply will be accepted as the valid response, because once a request is obtained the information is written into the kernel's ARP cache, and for subsequent needs the cache will be used (till the cache expires).
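An added example (not from either answer) of the cache behaviour described here: it decodes raw ARP replies, keeps the first MAC seen for an IP and records later replies that disagree, which is how a monitor would surface the duplicate-IP case in the question. The frames, using the documentation MAC range 00:00:5e:00:53:xx, are constructed in memory.

```python
import struct

ARP_REPLY = 2   # ARP opcode for a reply

def parse_arp(packet: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (the 28 bytes that follow the Ethernet header)."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", packet[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", packet[8:28])
    return {"op": oper, "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa))}

class ArpCache:
    """Keeps the first reply seen for each IP; later replies with another MAC are conflicts."""
    def __init__(self):
        self.entries = {}      # ip -> mac
        self.conflicts = []    # (ip, cached mac, conflicting mac)

    def observe(self, packet: bytes) -> bool:
        """True if the reply was accepted into the cache, False if ignored or conflicting."""
        arp = parse_arp(packet)
        if arp["op"] != ARP_REPLY:
            return False
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        cached = self.entries.setdefault(ip, mac)
        if cached != mac:
            self.conflicts.append((ip, cached, mac))
            return False
        return True

def make_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed test input: build an ARP reply in memory (nothing is sent on a network)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))

# Constructed scenario from the question: two hosts both claim 192.168.1.10 and both
# answer the requester at 192.168.1.1 (documentation MACs 00:00:5e:00:53:xx).
REPLIES = [
    make_reply("00:00:5e:00:53:aa", "192.168.1.10", "00:00:5e:00:53:01", "192.168.1.1"),
    make_reply("00:00:5e:00:53:bb", "192.168.1.10", "00:00:5e:00:53:01", "192.168.1.1"),
    make_reply("00:00:5e:00:53:aa", "192.168.1.10", "00:00:5e:00:53:01", "192.168.1.1"),
]

def run_scenario():
    """Feed the replies through one cache; returns (accepted flags, entries, conflicts)."""
    cache = ArpCache()
    accepted = [cache.observe(r) for r in REPLIES]
    return accepted, cache.entries, cache.conflicts
```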

How to get the IP address of a remote host from its Ethernet address?

I'm looking for some Linux code to find an IP address from an Ethernet address. I suppose I have to do some inverse ARP trickery, but I can't find any example...
http://compnetworking.about.com/od/networkprotocolsip/f/convertipmacadd.htm
Try sending an IP broadcast (e.g. ping 192.168.1.255 if your subnet is 192.168.1.0/24) to prime your ARP cache, followed by arp -a to spit it all out.
For computers that you have communicated with, you can look at their ARP entry. This is available in text format in /proc/net/arp for example. Finding an IP address for a MAC that you know but haven't communicated with is significantly more difficult. The closest match, protocol-wise, would be RARP, but that's hardly ever in use so you are not likely to get a response.
You can always scan your local subnet to make sure you get a full view in your arp table. See for example fping for an efficient way to do this. Note that hosts don't actually need to respond to the pings in question to appear in the ARP table, so this is useful even in the presence of local firewalls etc.
Take a look at Thomas Habets' Arping. I've not tried it, but the basic idea is to send an ICMP ping packet to the MAC address in question using a broadcast destination IP address in the IP header. Only the host with the specified MAC address will reply, and the reply will (usually) contain its IP address. It won't always work, but it might be good enough for you. See the project readme for limitations.
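An added example (not from the answers) that parses the /proc/net/arp text mentioned above and looks up IPs by MAC, which is the reverse query the question asks for once the cache has been primed. The table contents are a constructed sample; the flag bit checked is ATF_COM (0x02) from the Linux ARP headers, which marks a resolved entry.

```python
# Constructed sample in the layout the kernel uses for /proc/net/arp.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:00:5e:00:53:01     *        eth0
192.168.1.20     0x1         0x2         00:00:5e:00:53:20     *        eth0
192.168.1.21     0x1         0x2         00:00:5e:00:53:20     *        eth0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

ATF_COM = 0x02   # flag bit set on a completed (resolved) entry, as in <net/if_arp.h>

def parse_proc_net_arp(text: str):
    """Parse /proc/net/arp text into dicts with ip, hw_type, flags, mac and device."""
    entries = []
    for line in text.splitlines()[1:]:            # the first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, hw_type, flags, mac, _mask, device = fields
        entries.append({"ip": ip, "hw_type": int(hw_type, 16), "flags": int(flags, 16),
                        "mac": mac.lower(), "device": device})
    return entries

def ips_for_mac(entries, mac: str):
    """Reverse lookup: every resolved IP the kernel has seen for this MAC.
    Incomplete entries (ATF_COM clear) are skipped; more than one result means the
    same MAC answered for several IPs, the ambiguity the RARP question describes."""
    want = mac.lower()
    return sorted({e["ip"] for e in entries if e["mac"] == want and e["flags"] & ATF_COM})

def load_proc_net_arp(path="/proc/net/arp"):
    """Read the live table on a Linux host; the constructed sample above works anywhere."""
    with open(path) as fh:
        return parse_proc_net_arp(fh.read())

if __name__ == "__main__":
    table = parse_proc_net_arp(SAMPLE_PROC_NET_ARP)
    print(ips_for_mac(table, "00:00:5E:00:53:20"))
```

Prime the cache first (a broadcast ping or fping, as the answers above suggest) or the MAC you want will simply not be in the table.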
