https://crashmemo.com/tags/arp/Recent content in ARP on CrashMemo | IT运维经验站Hugo -- gohugo.iozhTue, 23 Jun 2026 00:00:00 +0000https://crashmemo.com/p/arp-protocol-lan-communication/Tue, 23 Jun 2026 00:00:00 +0000https://crashmemo.com/p/arp-protocol-lan-communication/<h2 id="实验环境准备">实验环境准备 </h2><ul> <li>测试设备：笔记本电脑（Windows 11，IP <code>192.168.2.162</code>）</li> <li>对端设备：手机（Android/iOS，IP <code>192.168.2.215</code>）</li> <li>测试工具：Wireshark、CMD 终端</li> </ul> <hr> <h2 id="实验一局域网初始状态通信双向互通">实验一：局域网初始状态通信（双向互通） </h2><h3 id="操作步骤">操作步骤 </h3><ol> <li>打开 PC 命令行，执行 <code>arp -d</code> 清空本地 ARP 缓存表。</li> <li>打开 Wireshark 并选择当前使用的网卡开始抓包。</li> <li>在 PC 上执行连续 PING 测试：<code>ping 192.168.2.215 -t</code>。</li> </ol> <h3 id="wireshark-报文分析">Wireshark 报文分析 </h3><p>在两端设备首次建立连接时，捕获到完整的 ARP 与 ICMP 报文交互：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">13 0.257829 AzureWav_ef:e8:22 Broadcast ARP 42 Who has 192.168.2.215? Tell 192.168.2.162 </span></span><span class="line"><span class="cl">22 0.512216 46:44:9a:bd:52:aa AzureWav_ef:e8:22 ARP 42 192.168.2.215 is at 46:44:9a:bd:52:aa </span></span><span class="line"><span class="cl">23 0.512296 192.168.2.162 192.168.2.215 ICMP 74 Echo (ping) request id=0x0001, seq=630/30210, ttl=128 (reply in 32) </span></span><span class="line"><span class="cl">32 1.023984 192.168.2.215 192.168.2.162 ICMP 74 Echo (ping) reply id=0x0001, seq=630/30210, ttl=64 (request in 23) </span></span></code></pre></td></tr></table> </div> </div><p>ARP 请求（No. 13）：由于二层封装缺少目的 MAC 地址，PC 发起二层广播（<code>Broadcast</code>），询问谁拥有该 IP。</p> <p>ARP 应答（No. 22）：手机收到广播后，以单播形式回应自己的 MAC 地址（<code>bee7945506be</code>）。</p> <p>ICMP 交互（No. 23\32）：获取 MAC 地址并写入本地 ARP 缓存表后，三层 ICMP 报文成功封装二层帧头并发送，Ping 成功。</p> <p><img alt="Wireshark ping 截图" class="gallery-image" data-flex-basis="1163px" data-flex-grow="484" height="520" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-11-07.webp" srcset="https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-11-07_hu_48bf8ea8c5463ebf.webp 800w, https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-11-07_hu_8f20ce43c4f8bf93.webp 1600w, https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-11-07_hu_7f287abd91b4a1c6.webp 2400w, https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-11-07.webp 2520w" width="2520"></p> <hr> <h2 id="实验二突发链路故障下的协议栈行为分析">实验二：突发链路故障下的协议栈行为分析 </h2><h3 id="操作步骤-1">操作步骤 </h3><ol> <li>在上述 <code>ping -t</code> 过程中，突然断开手机的 Wi-Fi 连接（模拟对端物理断开关机）。</li> <li>观察 PC 终端提示并持续记录 Wireshark 抓包。</li> </ol> <h3 id="报文分析与行为规律">报文分析与行为规律 </h3><p>在对端断开后，实验现象呈现明显的两个阶段：</p> <h4 id="arp-缓存存活期有表状态">ARP 缓存存活期（有表状态） </h4><p>对端刚断开时，终端立刻提示&quot;请求超时&quot;，但 Wireshark 中依然能看到 ICMP Request 发出：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">147 6.684261 192.168.2.162 192.168.2.215 ICMP 74 Echo (ping) request id=0x0001, seq=646/34306, ttl=128 (no response found!) </span></span><span class="line"><span class="cl">235 11.520937 192.168.2.162 192.168.2.215 ICMP 74 Echo (ping) request id=0x0001, seq=647/34562, ttl=128 (no response found!) </span></span></code></pre></td></tr></table> </div> </div><p>原理：Windows 协议栈在封装数据时优先读取本地 ARP 缓存。只要缓存未老化，即使对端不回应，PC 依然会根据表项中的 MAC 强行完成二层封装并送入网线。</p> <p><img alt="Wireshark ICMP Request 截图" class="gallery-image" data-flex-basis="5008px" data-flex-grow="2086" height="121" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-31-05.webp" srcset="https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-31-05_hu_35b208cebe52744b.webp 800w, https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-31-05_hu_2324ddfae7be9e83.webp 1600w, https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-31-05_hu_628d0b308474949d.webp 2400w, https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-31-05.webp 2525w" width="2525"></p> <h4 id="arp-缓存老化失效期无表状态">ARP 缓存老化失效期（无表状态） </h4><p>持续一会超时后，终端提示由&quot;请求超时&quot;转变为&quot;目标主机不可达&quot;或直接停止发送 ICMP，抓包中 ICMP 报文完全消失，只剩下 ARP 广播。</p> <p><img alt="Wireshark ARP Broadcast 广播的截图" class="gallery-image" data-flex-basis="797px" data-flex-grow="332" height="694" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-37-42.webp" srcset="https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-37-42_hu_4cc2595d435d0645.webp 800w, https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-37-42_hu_f9d6ae65cb5ceca3.webp 1600w, https://crashmemo.com/p/arp-protocol-lan-communication/PixPin_2026-06-23_14-37-42.webp 2306w" width="2306"></p> <p>原理：当本地 ARP 表项老化删除，或者操作系统触发探测机制后，协议栈在二层封装时无法获取&quot;目的 MAC&quot;。由于二层帧头残缺，三层数据包（ICMP）无法向下传递，导致报文无法发出，PC 只能持续发送 ARP 广播尝试修复连接。</p> <hr> <h2 id="结论">结论 </h2><ol> <li>网络通信，二层先行：三层协议（IP/ICMP等）能够发出的物理前提，是二层以太网帧必须具备合法的目的 MAC 地址。</li> <li>ARP 表决定封装行为：只要 ARP 表项存在，设备就会执行封装并发包（即使对方已挂）；ARP 表项缺失，数据包在本地即被阻断，转化为 ARP 寻址行为。</li> </ol>