This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Exactly how does Wireshark determine and label a Gratuitous ARP as Gratuitous?

0
1

For definitions and background, this is a great post:

My specific question: Exactly what factors does Wireshark look for to label a Gratuitous ARP as Gratuitous?

This is a PCAP which includes 3 gratuitous ARPs pulled from various capture sessions.

All three are definitely Gratuitous, but Wireshark is only marking the first two as Gratuitous.

The third packet conforms to the RFC 5227 Probe, used to preemptively detect duplicate addresses before putting an IP address to use. The probe is, by definition, gratuitous, as it wasn't prompted by an ARP Request. But Wireshark does not label it as such. Why?

asked 13 Jan '17, 20:40

erh's gravatar image

erh
11124
accept rate: 0%

One Answer:

3

To quote the comment in the Wireshark ARP dissector:

 ARP requests/replies with the same sender and target protocol
 address are flagged as "gratuitous ARPs", i.e. ARPs sent out as,
 in effect, an announcement that the machine has MAC address
 XX:XX:XX:XX:XX:XX and IPv4 address YY.YY.YY.YY. Requests are to
 provoke complaints if some other machine has the same IPv4 address,
 replies are used to announce relocation of network address, like
 in failover solutions.

See also the Wireshark Wiki page on gratuitous ARPs.

RFC 5227 says, in section 1.1 "Conventions and Terminology Used in This Document":

In this document, the term 'ARP Announcement' is used to refer to an
ARP Request packet, broadcast on the local link, identical to the ARP
Probe described above, except that both the sender and target IP
address fields contain the IP address being announced.  It conveys a
stronger statement than an ARP Probe, namely, "This is the address I
am now using."

and says in section 4 "Historical Note" that:

... What Stevens describes as
Gratuitous ARP is the exact same packet that this document refers to
by the more descriptive term 'ARP Announcement'. ...

The first two packets are capital-G Gratuitous ARPs/ARP Announcements, as the source and target protocol (IP) addresses are the same. The third packet isn't a capital-G Gratuitous ARP.

Perhaps Wireshark should drop the term "Gratuitous ARP" and, instead, detect and report "ARP Announcement" and "ARP Probe" packets.

answered 14 Jan '17, 01:25

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I think the 3. packet is an ARP Probe in accordance to the RFC 5227, too.

In Section 2.1.1 we can read, that an ARP Probe may fillthe IP_Sender filed with all zeros:

2.1.1.  Probe Details
A host probes to see if an address is already in use by broadcasting
   an ARP Request for the desired address.  The client MUST fill in the
   'sender hardware address' field of the ARP Request with the hardware
   address of the interface through which it is sending the packet.  The
   'sender IP address' field MUST be set to all zeroes; this is to avoid
   polluting ARP caches in other hosts on the same link in the case
   where the address turns out to be already in use by another host.
   The 'target hardware address' field is ignored and SHOULD be set to
   all zeroes.  The 'target IP address' field MUST be set to the address
   being probed.  An ARP Request constructed this way, with an all-zero
   'sender IP address', is referred to as an 'ARP Probe'.
...

Even if ARP Probe/Anouncement may be more correct, the terms Gratiuos ARP Request/Response are more known I think.

(14 Jan '17, 06:30) Christian_R

I think the 3. packet is an ARP Probe in accordance to the RFC 5227, too.

Yes, that's why I mentioned ARP Probes in my comment.

Even if ARP Probe/Anouncement may be more correct, the terms Gratiuos ARP Request/Response are more known I think.

Is there any place that defines an ARP Probe, rather than an ARP Announcement, as a "Gratuitous ARP"? Richard Stevens' book defines it as "a host [sending] an ARP request looking for its own address.”, which is what RFC 5227 called an "ARP Announcement":

What Stevens describes as Gratuitous ARP is the exact same packet that this document refers to by the more descriptive term 'ARP Announcement'.

RFC 2002 section 4.6 "ARP, Proxy ARP, and Gratuitous ARP" and RFC 5944 section 4.6 "ARP, Proxy ARP, and Gratuitous ARP" say:

A Gratuitous ARP [23] is an ARP packet sent by a node in order to spontaneously cause other nodes to update an entry in their ARP cache. A gratuitous ARP MAY use either an ARP Request or an ARP Reply packet. In either case, the ARP Sender Protocol Address and ARP Target Protocol Address are both set to the IP address of the cache entry to be updated, and the ARP Sender Hardware Address is set to the link-layer address to which this cache entry should be updated. When using an ARP Reply packet, the Target Hardware Address is also set to the link-layer address to which this cache entry should be updated (this field is not used in an ARP Request packet).

(14 Jan '17, 14:21) Guy Harris ♦♦

@Guy Harris It seems that I have missunderstood you answer a liitel bit.

So I would not change the term GRAP into ARP Anouncement. But it might be helpful to name the ARP Probe as an ARP Probe.

(15 Jan '17, 01:21) Christian_R

Thanks for the run down, Guy. Maybe getting Wireshark to label the 3rd packet as an ARP Probe or Announcement would be beneficial. Because (as you pointed out) it isn't exactly a Gratuitous ARP, but it is closer to a Gratuitous ARP than a regular ARP Request/Response conversation. It would be more accurate to call it Gratuitous, but most accurate to call it an ARP Probe.

(16 Jan '17, 08:46) erh

To go a step further. There is a distinction between a ARP Probe and an ARP Announcement. I went ahead and captured the ARP packets after setting a new IP address on Win10 (but I believe this is the same process on Win8 and beyond, per this). I updated the original packet capture to include four additional ARP packets.

Of the last 4 packets, the first 3 (packet#4/5/6) are ARP Probes, they include a Sender MAC and Target IP address for the IP address/mapping they are trying to validate (192.168.0.254). They include a Sender IP and Target MAC of all zeros, in order to not accidentally update an ARP cache on the network with information that is not yet determined to be conflict free. These are ARP Probes.

The last packet (packet#7) is an ARP Announcement -- the host, having successfully determined that the IP address is not in use, "claims" it by sending out this final ARP Announcement. Wireshark currently labels this as Gratuitous ARP, which I believe is accurate enough. The only difference between this ARP Announcement and a true gratuitous arp is maybe that the ARP Announcement is still an ARP Request packet, where as the true Gratuitous ARP packets I've seen have all been ARP Replies.

That said, the RFC's do not specify that a Gratuitous ARP must be a Reply, it in fact leaves it up to the vendor to implement as a Reply or Response. So given that, I'm not sure there is enough of a way to distinguish a true Gratuitous ARP from an ARP Announcement. But it very well may be sufficient to continue to label the ARP Announcement as a Gratuitous ARP.

(But the ARP Probe should definitely be labeled as such, as it is neither an Gratuitous ARP or a regular ARP Request/Reply).

(16 Jan '17, 08:53) erh