
Computer Networks (3150710) Bhargav Borkhatariya (200430116515)

Practical – 9
AIM: Analyze the headers and working of ICMP and ARP protocols using Wireshark.

ANSWER:

ICMP in Wireshark

ICMP is an error-reporting and diagnostic protocol, so its header is built to carry just
enough information for the recipient to act on. The meaning of an ICMP message is carried in
two one-byte fields at the start of the header, the type and the code, followed by a 16-bit
checksum computed over the whole ICMP message. Wireshark shows these as icmp.type,
icmp.code and icmp.checksum, and the remaining four header bytes depend on the type.

Shantilal Shah Engineering College, Bhavnagar. Page 1 of 10



As shown above, the type field states the overall message that the packet is intended to
convey. For example, a type value of 3 means that the intended destination is unreachable.

For some types, the code field refines the type with additional information. For example, a
type 3 message with code 0 (Network Unreachable) reports that the destination network
cannot be reached, while code 1 (Host Unreachable) means that the particular host cannot be
reached and code 3 (Port Unreachable) means that the host was reached but nothing is
listening on the requested port. Type 0 (Echo Reply) and type 8 (Echo Request) only use
code 0.

While many ICMP messages are designed to be sent as error messages in response to
packets of other protocols, some are designed to implement standalone functionality.

The purpose of ping is to determine whether the system at a certain IP address exists and is
currently functional, and that a route to that system can be found. Ping sends ICMP Echo
Requests (type 8) and waits for matching Echo Replies (type 0); the identifier and sequence
number in the header let the sender pair each reply with its request. Running ping with a
target address from the Windows or Linux terminal sends a series of Echo Requests and
reports the round-trip time of each reply together with a packet loss percentage based on
the number of requests that received a response.

The images below show a ping sent to the default gateway from CMD.




ICMP analysis for incident response

The ICMP protocol is designed to provide error information and to perform simple diagnostic
actions (like ping), which makes it useful to both sides in an incident. Even passive
monitoring of ICMP traffic on a network can provide a wealth of data to an adversary.
Eavesdropping on ICMP packets can help to identify the hosts on a network and whether
certain systems are up, down or malfunctioning.

However, an attacker can also actively use ICMP in a number of different ways. Two of the
most common are using the protocol for network scanning/mapping and for data exfiltration
and command-and-control.

Scanning

The ICMP protocol is crucial to the operation of the ping and traceroute utilities. Ping
involves sending an ICMP Echo Request and looking for an ICMP Echo Reply. Traceroute
works differently: the classic Unix traceroute sends UDP probes with an increasing TTL and
relies on the ICMP Time Exceeded (type 11) messages returned by each router along the path,
while Windows tracert sends ICMP Echo Requests with increasing TTL instead.

The primary purpose of these tools is to determine whether a system at a particular IP
address exists and is operational. As a result, they can be used for mapping a network
during the reconnaissance phase of an attack. Echo Requests from untrusted networks are
commonly dropped at the network boundary, but blocking ICMP wholesale breaks legitimate
behaviour (for example, type 3 code 4 Fragmentation Needed messages, on which path MTU
discovery depends), so filter by type and code rather than by protocol. Unusual ICMP traffic
from an internal host, such as Echo Requests sent to many addresses in quick succession
(filter icmp.type == 8 and sort by destination), may indicate scanning by an attacker in
preparation for lateral movement through the network.

Data exfiltration

As an error handling/diagnostic protocol, ICMP is not intended for carrying data. The
intended message of each ICMP packet is contained in its type value. However, the ICMP
protocol can be abused for data exfiltration.

One way of accomplishing this is by passing data in the ICMP type field itself. An example
of this is shown in the packet capture below.




As shown above, Wireshark identifies many of the ICMP packets in the capture as obsolete
or malformed. However, not all of these packets are identified as such. The reason for this
is that, by chance, the data that ICMP is being abused to carry occasionally has a value that
matches a valid ICMP type value.

Flow graph of ICMP







The packet list that Wireshark provides does not show the actual values being carried by the
malformed ICMP packets. However, this data is visible in the packet details pane for each
individual packet. The image above shows the details of the first malformed ICMP packet,
which has a type value of 71. The exfiltrated file can be reassembled manually using
Wireshark (for example, by applying the filter icmp and exporting the type field of each
packet in order) or more efficiently using a tool like the scapy package in Python.

This is only one way that ICMP can be used for data exfiltration. In the screenshots of the
ping request and response shown earlier, the data contained in the packets is all zeros;
however, this is not required for the protocol to function, and the payload is echoed back
unchanged by the receiver. Placing arbitrary data in the payload of ping packets is another
way to abuse ICMP for data exfiltration and command-and-control. Each ping implementation
uses a predictable payload (Windows ping sends the 32-byte pattern
abcdefghijklmnopqrstuvwxyzabcdefghi, Linux ping sends a timestamp followed by an
incrementing byte pattern), so Echo payloads that deviate from the sender's usual pattern or
that change from packet to packet are worth inspecting. This is another reason why ICMP
should be filtered and inspected at the network perimeter rather than allowed through
unexamined.
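The following is an added example, not code from the practical or from Wireshark, that ties together the ICMP points above: it builds an Echo Request the way ping does (type, code, checksum, identifier, sequence, payload), parses the header as the Wireshark dissector would, and then applies the two exfiltration checks discussed, an unassigned type value and an Echo payload that differs from the sender's normal pattern. The packet flow is constructed inline for the demonstration; no real capture is involved, and the type table is a small subset of the IANA registry chosen for the example.

```python
import struct

# Subset of the IANA ICMP type registry; anything not listed here is
# unassigned, deprecated or obsolete and worth a closer look.
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    5: "Redirect",
    8: "Echo Request",
    11: "Time Exceeded",
    12: "Parameter Problem",
}
# Codes that refine type 3 (Destination Unreachable).
UNREACHABLE_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF set",
}
# Default payload of the Windows ping utility (32 bytes of alphabet).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwxyzabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                     # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Serialise an ICMP message: type, code, checksum, 4 bytes 'rest of header', payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = icmp_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """What ping sends: type 8, code 0, identifier and sequence number, then data."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(packet: bytes) -> dict:
    """Decode the fixed 8-byte header the way Wireshark's ICMP dissector does."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _stored_csum, rest = struct.unpack("!BBH4s", packet[:8])
    info = {
        "type": icmp_type,
        "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "unassigned/obsolete"),
        # A valid packet sums to zero once the stored checksum is included.
        "checksum_ok": icmp_checksum(packet) == 0,
        "payload": packet[8:],
    }
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", rest)
    elif icmp_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "other")
    return info


def flag_icmp_abuse(packets: list) -> dict:
    """Return indices of packets matching the two exfiltration patterns in the text."""
    unknown_type, suspicious_payload = [], []
    for i, pkt in enumerate(packets):
        info = parse_icmp(pkt)
        if info["type"] not in ICMP_TYPES:
            unknown_type.append(i)          # data smuggled in the type field
        elif info["type"] in (0, 8):
            data = info["payload"]
            # ping payloads are normally all zeros or a fixed, known pattern
            if data.strip(b"\x00") and data != WINDOWS_PING_PAYLOAD:
                suspicious_payload.append(i)
    return {"unknown_type": unknown_type, "suspicious_payload": suspicious_payload}


def reassemble_type_field(packets: list) -> bytes:
    """Rebuild data carried one byte per packet in the type field.

    Take every packet of the flow, not only the flagged ones: a smuggled byte
    that happens to equal a valid type (here 0x03) is not flagged but is still data."""
    return bytes(pkt[0] for pkt in packets)


# Constructed sample flow (not a real capture): two ordinary pings, three
# packets carrying the bytes of b"Hi\x03" in the type field, then a ping
# whose payload is a command string rather than the usual zeros.
SAMPLE_FLOW = [
    build_echo_request(0x1234, 1, b"\x00" * 32),
    build_echo_request(0x1234, 2, WINDOWS_PING_PAYLOAD),
] + [build_icmp(b, 0, b"\x00" * 4) for b in b"Hi\x03"] + [
    build_echo_request(0x1234, 3, b"whoami\n"),
]

if __name__ == "__main__":
    print(flag_icmp_abuse(SAMPLE_FLOW))               # {'unknown_type': [2, 3], 'suspicious_payload': [5]}
    print(reassemble_type_field(SAMPLE_FLOW[2:5]))    # b'Hi\x03'
```

Note that the third smuggled byte (0x03) decodes as a perfectly valid Destination Unreachable and is not flagged, which is exactly why the Wireshark capture in the text shows only most, not all, of the exfiltration packets as malformed; reassembly therefore has to take every packet in the suspicious flow, not only the ones the dissector complained about.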

ARP in Wireshark:

ARP packets can easily be found in a Wireshark capture. As shown in the image below, the
default colouring rule named ARP gives packets that are not otherwise highlighted a distinct
yellow-brown colour. ARP packets can also be isolated with the arp display filter, and
requests and replies separately with arp.opcode == 1 and arp.opcode == 2.

The structure of an ARP exchange is quite simple (ARP keeps no session state). The computer
wishing to communicate with another computer on the same subnet broadcasts an ARP request
(to ff:ff:ff:ff:ff:ff) asking for the owner of a certain IP address. The system with that IP
address then sends a unicast ARP reply claiming the IP address and providing its MAC
address, which the requester stores in its ARP cache.




ARP header data:




As shown in the images above, the structure of an ARP request and reply is simple and
identical. An ARP packet runs directly on top of Ethernet (EtherType 0x0806) or another
link-layer protocol, and begins with its hardware type (1 for Ethernet), protocol type
(0x0800 for IPv4), hardware and protocol address lengths (6 and 4) and opcode. ARP opcodes
are 1 for a request and 2 for a reply.

The meat of the ARP packet states the IP and MAC address of the sender (populated in both
packets) and the IP and MAC address of the target. In a request the target MAC is the
unknown value being asked for and is set to all zeros; in the reply the fields are swapped,
so the sender fields now carry the answer. Wireshark exposes these as arp.src.hw_mac,
arp.src.proto_ipv4, arp.dst.hw_mac and arp.dst.proto_ipv4.

ARP analysis for incident response

ARP is a simple networking protocol, but it is an important one. ARP requests are how hosts
on a subnet map IP addresses to the MAC addresses of the machines using them, and the
resulting cache entries decide where every frame for a given IP is actually sent.

There are two main ways in which ARP can be used maliciously. ARP poisoning attacks can be
used to set up a man-in-the-middle (MitM) attack, and ARP scanning can be used to enumerate
the IP addresses actively in use within a network and the MAC addresses of the machines
using them.

ARP poisoning

The most well-known malicious use of ARP is ARP poisoning. ARP is a stateless protocol,
meaning that a computer does not record that it has made a request for a given IP address
after the request is sent and does not authenticate the answer. When an ARP reply is
received, a typical host updates its ARP cache with the new information regardless of
whether or not that information was requested. (Some stacks, Linux by default among them,
only update an entry that already exists rather than create one from an unsolicited reply;
this narrows the window but does not close it, because the attacker can simply wait for the
victim to look up the gateway and answer faster than the real owner.)

An attacker can take advantage of this functionality to perform a man-in-the-middle (MitM)
attack. By sending an unsolicited ARP reply that claims the victim's default gateway's IP
address with the attacker's own MAC, the attacker causes the victim to send all traffic
destined for the gateway (in practice, everything leaving the subnet) to the attacker
instead; poisoning the gateway's cache for the victim's IP in the same way captures the
return path, and the attacker forwards frames in both directions so the victim notices
nothing.

These attacks can be detected in Wireshark by looking for ARP replies without associated
requests, and more reliably by looking for one IP address claimed by two different sender
MACs; Wireshark flags the latter itself as "duplicate use of IP address detected", which
the display filter arp.duplicate-address-detected isolates. However, not all unsolicited
replies are malicious. Some systems will send a gratuitous ARP (a request or reply whose
sender and target IP are the same) when they join the network or change their IP or MAC
address, in order to prepopulate the ARP tables on that subnet with the new information.




Flow graph of ARP

ARP request storms

ARP request storms are a component of ARP poisoning attacks. Dynamic ARP caches will only
store an entry for a short period of time if it is not actively in use, and the victim may
at any moment send a fresh request that the real owner answers. In order to ensure that
their malicious mapping stays in the victim's cache, an attacker floods the system with
repeated ARP packets carrying the spoofed sender fields (tools such as arpspoof resend the
forged reply every couple of seconds), which keeps the poisoned entry fresh and overwrites
any correct answer that slips through.

The definition of an ARP storm is flexible, since it only requires that the attacker send
more ARP packets than the threshold set on the detecting system. In Wireshark, look for a
large number of replies (or requests) for the same IP address from the same MAC address to
detect this; Statistics > Conversations and Endpoints, filtered to arp, make the outlier
obvious. The initial unsolicited ARP reply may also be visible in the capture before the
storm began.

ARP scans

ARP can also be used for scanning a network to identify IP addresses in use. By sending
ARP requests for every IP address on a subnet, an attacker learns the MAC address of each
host that is up, and because ARP operates below IP it succeeds even where ICMP Echo Requests
are filtered by host firewalls.




ARP scans can be detected in Wireshark when a single machine sends out a large number of
ARP requests for many different target addresses in quick succession (filter
arp.opcode == 1 and sort by arp.dst.proto_ipv4). Since a scan walks the whole range, it
includes requests for IP addresses that are not actively in use, which never receive a
reply; a burst of sequential, mostly unanswered requests from one MAC is the signature to
look for.
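As an added example that is not part of the practical or of Wireshark, the following script builds Ethernet/IPv4 ARP packets, parses them the way the Wireshark ARP dissector does, and replays a capture in order to apply the three checks described in the ARP poisoning, ARP storm and ARP scan sections: replies nobody asked for (with gratuitous ARP excluded), one IP claimed by two MACs, repeated spoofed claims from one MAC, and one MAC requesting many distinct targets. The packet flow, the MAC addresses and the thresholds are all constructed for the demonstration.

```python
import struct
from collections import Counter, defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """28-byte Ethernet/IPv4 ARP payload as carried after the Ethernet header."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, opcode
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> dict:
    """Decode the fields Wireshark shows as arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4, ..."""
    if len(pkt) < 28:
        raise ValueError("Ethernet/IPv4 ARP is 28 bytes")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = pkt[8:14], pkt[14:18], pkt[18:24], pkt[24:28]
    return {
        "opcode": opcode,
        "sender_mac": ":".join("%02x" % b for b in sha),
        "sender_ip": ".".join(str(b) for b in spa),
        "target_mac": ":".join("%02x" % b for b in tha),
        "target_ip": ".".join(str(b) for b in tpa),
    }


def analyse_arp(packets: list, storm_threshold: int = 5, scan_threshold: int = 20) -> dict:
    """Replay packets in capture order and apply the poisoning, storm and scan checks."""
    outstanding = set()                      # target IPs asked for but not yet answered
    ip_to_macs = defaultdict(set)            # sender IP -> MACs that have claimed it
    claims = Counter()                       # (sender MAC, claimed IP) per reply
    targets_by_requester = defaultdict(set)  # requester MAC -> distinct target IPs
    unsolicited, gratuitous = [], []
    for i, pkt in enumerate(packets):
        a = parse_arp(pkt)
        if a["sender_ip"] != "0.0.0.0":      # ignore DHCP/ACD probes with no address yet
            ip_to_macs[a["sender_ip"]].add(a["sender_mac"])
        if a["opcode"] == ARP_REQUEST:
            if a["sender_ip"] == a["target_ip"]:
                gratuitous.append(i)         # announcement, not a lookup
            else:
                outstanding.add(a["target_ip"])
                targets_by_requester[a["sender_mac"]].add(a["target_ip"])
        elif a["opcode"] == ARP_REPLY:
            claims[(a["sender_mac"], a["sender_ip"])] += 1
            if a["sender_ip"] == a["target_ip"]:
                gratuitous.append(i)
            elif a["sender_ip"] in outstanding:
                outstanding.discard(a["sender_ip"])   # answers a pending request
            else:
                unsolicited.append(i)        # a reply nobody asked for
    return {
        "unsolicited_replies": unsolicited,
        "gratuitous": gratuitous,
        "ip_conflicts": {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1},
        "reply_storms": [k for k, n in claims.items() if n >= storm_threshold],
        "scanners": [mac for mac, t in targets_by_requester.items() if len(t) >= scan_threshold],
    }


# Constructed sample capture (not real traffic). MAC addresses are made up.
GW, HOST = "00:11:22:33:44:01", "00:11:22:33:44:10"
ATTACKER, SCANNER = "de:ad:be:ef:00:66", "0c:29:ab:cd:ef:77"
ZERO = "00:00:00:00:00:00"
SAMPLE_FLOW = [
    # 1. normal lookup: the host asks who has the gateway, the gateway answers
    build_arp(ARP_REQUEST, HOST, "10.0.0.10", ZERO, "10.0.0.1"),
    build_arp(ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.10"),
    # 2. gratuitous announcement by the gateway (benign, must not alert)
    build_arp(ARP_REQUEST, GW, "10.0.0.1", ZERO, "10.0.0.1"),
]
# 3. poisoning: the attacker repeatedly tells the host that 10.0.0.1 is at its own MAC
SAMPLE_FLOW += [build_arp(ARP_REPLY, ATTACKER, "10.0.0.1", HOST, "10.0.0.10") for _ in range(6)]
# 4. scan: one MAC asks for every address from 10.0.0.1 to 10.0.0.30
SAMPLE_FLOW += [build_arp(ARP_REQUEST, SCANNER, "10.0.0.77", ZERO, "10.0.0.%d" % n)
                for n in range(1, 31)]

if __name__ == "__main__":
    for key, value in analyse_arp(SAMPLE_FLOW).items():
        print(key, value)
```

The thresholds are deliberately low so the constructed flow trips them; on a real capture, set them from the subnet size and from what the legitimate hosts do. The IP-conflict check is the one that matters most in practice: unsolicited replies alone produce false positives, but the same IP answered by two different MACs within one capture is almost always either poisoning or a misconfiguration worth chasing.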
