DO ARP MESSAGES GET VLAN TAGGED

Hello,

I have a quick question that I am willing to bet many people here could easily answer. I am simply trying to test my VoIP environment and I am writing up some Python Scapy scripts that kind of look like the below code:

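from scapy.all import ARP, Dot1Q, Ether, ICMP, IP, sendp

sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/Dot1Q(vlan=1)/IP(dst='10.0.64.1', src='10.0.64.70')/ICMP())

# ARP is carried directly in the Ethernet frame, not inside an IP packet
sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ARP(pdst='10.0.64.250', psrc='10.0.64.70'))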

Anyhow, I am just trying to see if I can VLAN hop from the data network to my VoIP network using Scapy by sending out ARP messages.  So my question is do ARP messages get VLAN tagged?  I am guessing not but I have seen mixed answers to this on the net.  I was thinking about vlan tagging my icmp messages but the switch I believe does not reply back to icmp messages.  So the only other method I can think of is sending out an open SYN packet unless I can vlan tag arp messages.

Thanks for your help,

Joe

Accepted Solutions

Jon Marshall
Hall of Fame

Joe

Actually ignore my first response about being seen by all vlans, that was incorrect.

They still have to be tagged across a trunk link, otherwise arp would not work, i.e. the receiving switch would not know which vlan to send the broadcast to, so the arp request might never get to the right device.

So yes, they will be tagged, just like everything else unless of course the arp request is in the native vlan.

Jon

I'm going to bet your last post is correct John. It does make sense there would need to be VLAN tagging for ARP messages. I will try this attack out in Scapy. However, I was thinking that if I was able to successfully VLAN hop I should be able to just do a ping sweep across the subnet because I would think the phones would allow pings while the networking devices would not. Thanks for your help.

Joe

Daniel,

Jon is very correct, and I was incorrect in my assumption. Even though the arp broadcast won't leave the vlan, it does tag it across trunks. Here's a capture file of a quick gns topology that I threw up:

No.     Time           Source                Destination           Protocol Length Info
    314 139.243375000  c4:02:06:24:00:00     Broadcast             ARP      64     Who has 192.168.20.1?  Tell 192.168.20.3

Frame 314: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: c4:02:06:24:00:00 (c4:02:06:24:00:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: c4:02:06:24:00:00 (c4:02:06:24:00:00)
        Address: c4:02:06:24:00:00 (c4:02:06:24:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 20
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = CFI: Canonical (0)
    .... 0000 0001 0100 = ID: 20
    Type: ARP (0x0806)
    Padding: 0000000000000000000000000000
    Trailer: 00000000
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: c4:02:06:24:00:00 (c4:02:06:24:00:00)
    Sender IP address: 192.168.20.3 (192.168.20.3)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 192.168.20.1 (192.168.20.1)

HTH,
John

*** Please rate all useful posts ***
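
The frame layout visible in the capture above, decoded by hand as an added example that is not part of the original posts: the 4-byte 802.1Q tag sits between the source MAC and the ARP EtherType, and the same request with no tag is what an access port or the native VLAN would carry. The names `parse_arp_frame`, `SAMPLE_TAGGED` and `SAMPLE_UNTAGGED` are hypothetical, and the sample bytes are constructed from the fields shown in the capture.

```python
import struct
from ipaddress import IPv4Address

ETH_P_8021Q = 0x8100  # EtherType announcing an 802.1Q tag
ETH_P_ARP = 0x0806

# Constructed frame: rebuilt from the fields in the capture above (64 bytes, VLAN 20).
SAMPLE_TAGGED = bytes.fromhex(
    "ffffffffffff" "c40206240000" "8100" "0014" "0806"  # dst, src, TPID, TCI, type
    "0001" "0800" "06" "04" "0001"                      # ARP header, opcode request
    "c40206240000" "c0a81403"                           # sender MAC / 192.168.20.3
    "000000000000" "c0a81401"                           # target MAC / 192.168.20.1
) + bytes(14) + bytes(4)                                # padding + trailer
# The same request as it would look untagged (access port or native VLAN).
SAMPLE_UNTAGGED = SAMPLE_TAGGED[:12] + SAMPLE_TAGGED[16:]


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP frame carrying zero or one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit priority, 1-bit CFI/DEI, 12-bit VLAN ID; real EtherType follows.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP (EtherType 0x{ethertype:04x})")
    if len(frame) < offset + 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[offset:offset + 28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "vlan": vlan,  # None means the frame arrived untagged
        "opcode": op,
        "sender_mac": sha.hex(":"),
        "sender_ip": str(IPv4Address(spa)),
        "target_ip": str(IPv4Address(tpa)),
    }


if __name__ == "__main__":
    print(parse_arp_frame(SAMPLE_TAGGED))
    print(parse_arp_frame(SAMPLE_UNTAGGED))
```

Run against frames captured on an access port, a non-`None` `vlan` value flags a host that is sending tagged traffic where untagged frames are expected.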


John Blakley
VIP Alumni

My first thought is no they don't, and mainly because of the way that arp works. ARP is local to a broadcast domain. Once the workstation ARPs for a mac address for a known destination IP address, it sends a broadcast to every host on the local vlan. The router will also get the arp request and it will look to see what the destination address is. If the destination subnet is different from the requesting computer's subnet, it needs to be routed. The router will hand over its mac address to the workstation in response. Since ARPs are broadcasted, and broadcasts do not cross vlans, I would assume that a vlan tag is never in the frame.

HTH,
John

*** Please rate all useful posts ***


John Blakley
VIP Alumni

Well, I replied, and it looks like I have some testing to do

HTH,
John

*** Please rate all useful posts ***


John

Sorry, you posted again while I was posting as well.

Jon
