Understanding IP Packet Structure, ICMP & ARP: From Basics to Attack Techniques
This article explains the structure of IP packets, the role and encapsulation process of the ICMP protocol, the function and operation of ARP, and how ARP spoofing attacks manipulate MAC addresses to disrupt network communication.
Network Fundamentals: IP Packet, ICMP, and ARP
1. IP Packet Format
Network layer functions: define routing paths, logical IP addresses, select optimal routes, and interconnect different media types.
An IP packet consists of a 20‑byte fixed header followed by optional variable‑length options. Key header fields include:
Version (4 bits): IP protocol version, e.g., IPv4 = 0100.
Header Length (4 bits): Length of the IP header.
Type of Service / Priority (8 bits): Used for QoS.
Total Length (16 bits): Entire packet size, up to 65535 bytes.
Identification (16 bits): Identifier for fragment reassembly.
Flags (3 bits): Control fragmentation.
Fragment Offset (13 bits): Position of a fragment.
TTL (8 bits): Decrements at each hop; packet discarded at zero.
Protocol (8 bits): Indicates encapsulated upper‑layer protocol (ICMP=1, TCP=6, UDP=17).
Header Checksum (16 bits): Validates header integrity.
Source IP (32 bits) and Destination IP (32 bits): Sender and receiver addresses.
Options (variable): Optional fields such as timestamps.
2. ICMP Protocol Introduction
2.1 Overview
ICMP provides error detection and feedback for IP packets, delivering error and control messages.
ICMP message types include error reports and query messages, allowing hosts to learn network status.
2.2 Encapsulation
ICMP data is encapsulated layer by layer:
ICMP message: ICMP header + ICMP payload.
IP packet (network layer): IP header (Protocol = 1) + ICMP message.
Ethernet frame (data link layer): Ethernet header carrying the destination and source MAC addresses + IP packet.
Typical ping command syntax (Windows):
ping [-t] IP_ADDRESS|target_name
-t – ping continuously until stopped.
-a – resolve the address to a host name.
-l – set the packet (payload) size.
-n – number of echo requests to send.
-S – specify the source IP address.
tracert command traces the route to a destination IP.
Common ping issues: “Destination host unreachable” (misconfigured gateway or TTL) and “Request timed out” (no reply within timeout).
3. ARP Protocol Introduction
3.1 What is ARP?
Address Resolution Protocol maps a known IP address to a MAC address using an ARP cache that stores pairs with a TTL.
3.2 Operation
When a host needs a MAC address:
Check local ARP cache.
If missing, broadcast an ARP request containing the sender’s IP and MAC together with the IP address to be resolved.
All hosts receive the request; the target host replies with its MAC address directly to the requester.
The requester stores the MAC in its cache for future communication.
ARP commands on Windows:
arp -a – display the ARP cache.
arp -d – delete ARP cache entries.
4. ARP Attack Principle
Attackers send forged ARP replies with counterfeit MAC addresses, causing victims to send traffic to the attacker’s MAC, leading to interception or denial of service.
Example: a malicious host pretends to be the gateway’s MAC, capturing all traffic from a victim.
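The ARP exchange in section 3.2 and the spoofing scenario above, seen from the defender's side, as an added example that is not part of the original article: it parses the 28-byte ARP message (hardware type, protocol type, lengths, opcode, sender/target MAC and IP) and keeps a passive IP-to-MAC table that raises an alert when a reply changes an IP's MAC inside the cache TTL, which is exactly the signature of a forged gateway reply. All addresses and the two reply messages are constructed sample data.

```python
import struct
from typing import Dict, Optional, Tuple

# ARP message layout after the Ethernet header (RFC 826), big-endian:
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REPLY = 2

def parse_arp_reply(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:struct.calcsize(ARP_FMT)])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REPLY:
        return None  # not an Ethernet/IPv4 reply (requests are ignored here)
    sender_ip = ".".join(str(b) for b in spa)
    sender_mac = ":".join(f"{b:02x}" for b in sha)
    return sender_ip, sender_mac

class ArpMonitor:
    """Passive ARP table: flags a MAC change for a known IP inside the entry TTL."""
    def __init__(self, ttl_seconds: float = 120.0) -> None:
        self.ttl = ttl_seconds
        self.cache: Dict[str, Tuple[str, float]] = {}  # ip -> (mac, last_seen)

    def observe(self, payload: bytes, now: float) -> Optional[str]:
        parsed = parse_arp_reply(payload)
        if parsed is None:
            return None
        ip, mac = parsed
        alert = None
        if ip in self.cache:
            old_mac, seen = self.cache[ip]
            if old_mac != mac and now - seen < self.ttl:
                # A fresh entry being overwritten with a different MAC is the
                # behaviour ARP spoofing relies on; a real cache would accept it.
                alert = f"ARP conflict: {ip} was {old_mac}, now claimed by {mac}"
        self.cache[ip] = (mac, now)  # mirror what the host's own cache would do
        return alert

# Constructed sample replies: gateway 192.168.1.1 answering host 192.168.1.10.
LEGIT_REPLY = bytes.fromhex("0001080006040002" "aabbccddee01" "c0a80101"
                            "001122334455" "c0a8010a")
# Same IP, different sender MAC: what a forged "I am the gateway" reply looks like.
SPOOFED_REPLY = bytes.fromhex("0001080006040002" "deadbeef0001" "c0a80101"
                              "001122334455" "c0a8010a")
```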
Summary
IP packet format.
ICMP protocol and encapsulation.
ARP protocol and operation.
ARP spoofing attack mechanics.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.