Cheatsheet: Difference between revisions
Content deleted Content added
Line 670: | Line 670: | ||
== Sort links vs Hard link == |
== Sort links vs Hard link == |
||
;Links and index number in Linux |
|||
* In the output of ls -l, the column following the permissions and before owner is the link count. |
|||
drwxr-xr-x '''6''' aman aman 4096 Mar 30 11:50 Documents |
|||
drwxr-xr-x '''3''' aman aman 4096 Sep 15 19:11 Downloads |
|||
^ |
|||
* Link count is the number of Hard Links to a file. |
|||
* A link is a pointer to another file. |
|||
* There are two types of links: |
|||
;Symbolic links (or Soft Links) |
|||
* A separate file whose contents point to the linked-to file. |
|||
* When creating a Sym link, first refer to the name of the original file and then to the name of the link: |
|||
ln -s /home/bob/sync.sh filesync |
|||
* Editing Sym link is like directly edit the original file. |
|||
* If we delete or move the original file, the link will be broken and our filesync file will not be longer available. |
|||
* The ls -l command shows that the resulting file is a symbolic link: |
|||
ls -l filesync |
|||
lrwxrwxrwx 1 root root 20 Apr 7 06:08 filesync -> /home/bobbin/sync.sh |
|||
* The contents of a symbolic link are the name of target file only. |
|||
* The permissions on the symbolic link are completely open. |
|||
* This is because the permissions are not managed |
|||
* The original file is just a name that is connected directly to the inode, and the symbolic link refers to the name. |
|||
* The size of the symbolic link is the number of bytes in the name of the file it refers to, because no other information is available in the symbolic link. |
|||
;Hard links |
|||
== Hosts file == |
== Hosts file == |
Revision as of 01:38, 16 September 2019
ARP vs MAC Table
ARP Table | MAC Table (or CAM Table) |
---|---|
Layer3 address to Layer2 address resolution | Layer2 address to Interface binding |
Matches IP addresses to MAC addresses | Maps Ports to MAC addresses |
Needed to forward packets at layer 3 | Used to Switch frames to the right output interface |
Kept by L3 devices | Kept only by L2 devices |
No entry for dest IP address, machine will send ARP request | If no entry, switch will flood the frame |
Default timeout is 4 hours | Default timeout is 5 minutes |
Filled by each ARP reply | Filled by source MAC of each frame passing through switch |
Fragmentation
- Before fragmentation
Sequence | Identifier | Total Length | DF Flag | MF Flag | Fragment offset |
---|---|---|---|---|---|
0 | 345 | 5140 | 0 | 0 | 0 |
- After fragmentation
Sequence | Identifier | Total Length | DF Flag | MF Flag | Fragment offset |
---|---|---|---|---|---|
0-0 | 345 | 1500 | 0 | 1 | 0 |
0-1 | 345 | 1500 | 0 | 1 | 185 |
0-2 | 345 | 1500 | 0 | 1 | 370 |
0-3 | 345 | 700 | 0 | 0 | 555 |
Headers
Version | HLEN | DSCP | ECN | Total Length | |||||||||||||||||||||||||||
Identification | Flags(DF,MF) | Fragment Offset | |||||||||||||||||||||||||||||
Time To Live | Protocol | Header Checksum | |||||||||||||||||||||||||||||
Source IP Address | |||||||||||||||||||||||||||||||
Destination IP Address | |||||||||||||||||||||||||||||||
Options (if HLEN > 5) |
Source port | Destination port | ||||||||||||||||||||||||||||||
Sequence number | |||||||||||||||||||||||||||||||
Acknowledgment number (if ACK set) | |||||||||||||||||||||||||||||||
Data offset | Reserved 0 0 0 |
N S |
C W R |
E C E |
U R G |
A C K |
P S H |
R S T |
S Y N |
F I N |
Window Size | ||||||||||||||||||||
Checksum | Urgent pointer (if URG set) | ||||||||||||||||||||||||||||||
Options (if data offset > 5. Padded at the end with "0" bytes if necessary.) ... |
Source port | Destination port |
Length | Checksum |
- ARP Header
Hardware type Protocol type Hardware address length Protocol address length Operation Source MAC Source IP Dest MAC Dest IP
- ICMP Header
Code Checksum Rest of Header
TCP
- Parameters determined during Handshake:
MSS WSF SACK Permitted
- MTU vs MSS
- Congestion Control
- Slow Start - Exponential Increase
- Sender starts with cwnd = 1 MSS, Size increases 1 MSS each time one Ack arrives, Increases the rate exponentially(1,2,4,8....) until a threshold is reached
- Congestion Avoidance - Additive Increase
- Increases the cwnd Additively, When a “window” is Ack cwnd is increased by 1, Window = No of segments transmitted during RTT - The increase is based on RTT, not on the number of arrived ACKs, Congestion window increases additively until congestion is detected
- Congestion Detection - Multiplicative Decrease
- If congestion occurs, Window size must be decreased, Sender knows about congestion via RTO or 3 Dup Acks received, Size of Threshold is dropped to half
- Tahoe
- If RTO occured, TCP Reacts Strongly - Reduces cwnd back to 1 Segment, starts the slow start phase again
- Reno
- If 3 Duplicate ACKs are received, TCP has a Weaker Reaction - Starts the Congestion Avoidance phase - This is called fast transmission and fast recovery
- Silly Window Syndrome: Sender creates data slowly or Receiver consumes slowly or both.
Syndrome due to Sender:
- Nagle’s Algorithm: Send data initially, accumulate data in output buffer, Wait for Ack or till 1 MSS Data in Buffer
Syndrome due to Receiver:
- Clark’s Solution: Announce window size 0 till 1) enough space for 1 MSS in Buffer or Half Receive buffer is empty - Delayed Acknowledgment: Segment not acknowledged immediately, Sender TCP does not slide its window, reduces traffic, sender may unnecessarily retransmit, Not delay more than 500 ms.
- Fast Retransmission
- If RTO has a larger value - If sender receives four acknowledgments with same value (three duplicates) - Segment expected by all of these Ack is resent immediately
- Persistence Timer
- Issue of Deadlock created by Lost Ack, used to reset Window size 0 advertized earlier, is resolved by this timer - Sending TCP sends a special segment(1 byte of new data) called Probe, causes the receiving TCP to resend Ack - If no reply, another probe is sent and value of persistence timer is doubled and reset - Sender continues sending probes, doubling, resetting value of persistence timer until it reaches a threshold(generally 60s) - After that the sender sends one probe segment every 60s until the window is reopened
VPN Messages
- Phase 1 - Main Mode
Cookie,Proposal List Cookie,Accepted Proposal DH Key,Nonce DH Key,Nonce ID,ID Hash ID,ID Hash
- Phase 1 - Aggressive Mode
ID,Proposal List,DH Key,Nonce ID,Accepted Proposal,DH Key,Nonce,ID Hash ID Hash
- Phase 2 - Quick Mode
Ph1 Hash,Message ID,Proposal List,Nonce, DH Key,Proxy-ID Ph1 Hash,Message ID,Accepted Proposal,Nonce,DH Key,Proxy-ID Ph1 Hash,Message ID,Nonce
HTTP Error Codes
Category | Type | Code |
---|---|---|
1XX | Informational | 100 = Continue |
2XX | Successful | 200 = OK 201 = Created (URL) 202 = Accepted (request accepted but not acted upon immediately) 203 = Non-authoritative Information(info in header is from local or third-party copy, not from original server) 204 = No Content (in body) |
3XX | Re-directional | 301 = Moved Permanently 302 = Found (temporary redirect) 304 = Not Modified 305 = Use Proxy (URL must be accessed through the proxy mentioned in the Location header) 307 = Temporary Redirect (requested page has moved temporarily to a new url) |
4XX | Client Error | 400 = Bad Request 401 = Unauthorized 402 = Payment Required 403 = Forbidden 404 = Not Found 405 = Method Not Allowed |
5XX | Server Error | 500 = Internal Server Error 501 = Not Implememted 502 = Bad Gateway or Proxy 503 = Service Unavailable 504 = Gateway or Proxy Timeout 505 = HTTP Version Not Supported |
HTTP Request Methods
GET: Retrieve Data HEAD: Header only without Response Body POST: Submits Data to DB, web forum, etc PUT: Replaces target resource with the uploaded content DELETE: Removes target resource given by URI CONNECT: Used when the client wants to establish a transparent connection to a remote host, usually to facilitate SSL-encrypted communication (HTTPS) through an HTTP proxy OPTIONS: Returns the HTTP methods that the server supports for the specified URL TRACE: Performs a message loop back test to see what (if any) changes or additions have been made by intermediate servers PATCH:
SSL Handshake
NetScaler
- LB Methods:
Least Connection = Service with fewest active connections Round Robin = Rotates a list of services Least Response time(LRTM) = Fewest active connections & lowest average response time Least Bandwidth = Service serving least amount of traffic measured in mbps Least Packets = Service that received fewest packets Source IP Hash = Destination IP Hash =
- Persistence Methods:
SOURCE IP = COOKIE Insert = Connections having same HTTP Cookie inserted by Set-Cookie directive from server belong to same persistence session. SSL Session = Connections having same SSL session ID RULE = All connection matching a user defined rule URL Passive = requests having same server ID(Hexadecimal of Server IP & Port) of service to which request is to be fwded Dest IP = SRC IP DST IP = CALL ID = Same Caller ID in SIP Header
- What is Stateful & Stateless Persistence? Which one is more scalable/Efficient?
Stateless Session Persistence: Cookie inserted by ADC is more efficient because no need to create a table, NS will insert cookie & forget, with reply, it will read cookie value, decrypt it & fwd request. State-full Session Persistence: Server will insert cookie, NS will hash it & fwd based on Hash value but will need to keep a table in memory with all hashes & IP Addresses. Same is true for Source IP based Persistence, Also inefficient behind NAT Using Set-cookie-header = by Server - insert Name & Value Fields Client sends cookie in Cookie Header Who ever generates cookie, will be able to read it
OSPF
- States
Down Attempt Init 2-Way ExStart Exchange Loading Full
- LSA Type
Type 1 - Router LSAs Type 2 - Network LSAs Type 3 - Network Summary LSA Type 4 - ASBR summary LSA Type 5 - AS external LSA Type 7 - NSSA External LSA
- Packet Types
Type 1 - Hello Type 2 - Database Description (DBD) Type 3 - Link-State request (LSR) Type 4 - LSU Type 5 - LSAck
- Neighbor Requirements
Same area Same authentication config Same subnet Same hello/dead interval Matching stub flags
- OSPF path selection: O > O*IA > O*E1 > O*E2.
- “area range” summarize type 3 LSA’.
- “summary-address” summarize type 5 & 7 LSA’s.
- Auto-cost reference BW (Default = 100mb), formula = 100000000/Int-Bw.
BGP
- Route Selection Criteria
Attribute | Which is better |
---|---|
Next Hop reachable | Route cannot be used if next hop is unreachable |
Weight | Bigger |
Local Preference | Bigger |
Locally Injected | Locally injected is better than iBGP/eBGP learned |
AS Path Length | Smaller |
Origin | Prefer I over E & E over Unknown |
MED | Smaller |
Neighbor Type | Prefer eBGP over iBGP |
IGP Metric to Next Hop | Smaller |
- BGP States
Idle Active Attempting to connect Connect TCP session established OpenSent Open message sent OpenConfirm Response received Established Adjacency established
- BGP Messages
Open Update Keepalive Sent every 60 seconds Notification Always indicate something is wrong
VPN Monitor vs DPD vs IKE Heartbeat
VPN Monitor | DPD | IKE Heartbeat |
---|---|---|
Juniper Proprietary | RFC Standard | Juniper Proprietary |
Work with Non Juniper | Work with Non Juniper | Cannot work with Non Juniper |
Uses ICMP | Uses ICMP(encrypted IKE Phase 1 message(R-U-THERE)) | -- |
Goes inside the Phase 2 Tunnel | Goes through Phase 1 Tunnel | -- |
Implies VPN is UP | Implies peer is up and responding | Enhancement to detect tunnel availability |
Works if supported by one peer only | -- | Both ends must support |
Configured in Phase 2 | Configured in Phase 1 | Configured in Phase 1 |
SRX Architecture
- First Path
Screens Static NAT | Dest NAT Route ==> Forwarding Lookup Zones Policy Reverse Static NAT | Source NAT Service ALG Session
- Fast Path
Screens TCP NAT Service ALG
ScreenOS
- ScreenOS Flow order
Sanity Check Screening Session lookup Route Lookup Policy lookup Session creation ARP lookup
- Route preference order
Policy Based Routing Source Interface Based Routing Source Routing Destination Routing
- NAT Preference order
Mapped IP Virtual IP Policy Based NAT (NAT-Src & NAT-Dst) Interface Based NAT
SYN Flood Protection
Threshold = Proxy connections above this limit If Syn-cookie is enabled, no sessions established between client & firewall or firewall & server directly Alarm Threshold = Alarm/Alert (to log) Queue Size = The number of proxied connections held in queue After this the firewall starts rejecting new connection requests Timeout Value is maximum time before a half-completed connection is dropped from the queue The range is 0–50s; default is 20s
Linux
Linux Booting
- BIOS
- MBR
- GRUB
- Kernel
- Init
0 – halt 1 – Single user mode 2 – Multiuser, without NFS 3 – Full multiuser mode 4 – unused 5 – X11 6 – reboot
- Runlevel programs
Manually Boot using Grub
- Locate where the vmlinuz and initrd.* files are located:
grub> ls (hd0) (hd0,msdos5) (hd1) (hd1,msdos0)
- Boot the system:
grub> linux (hd1,msdos1)/install/vmlinuz root=/dev/sdb1 grub> initrd (hd1,msdos1)/install/initrd.gz grub> boot
File system layout
/ – The Root Directory /bin – Essential command binaries /boot – Boot loader files /dev – Device Files /etc – Configuration Files /home – Home Directory /lib – Essential Libraries /lost+found – Recovering Files /media – Removable Media Devices /mnt – Temporarily mounted filesystems /opt – Optional software packages /proc – Kernel & Process Information /root – Root Home Directory /sbin – System binaries /selinux – Security-Enhanced Linux /srv – Service Data /sys – virtual filesystem /tmp – Temporary files /usr – binaries, documentation, source code, libraries /var – Variable Files
ProcFS
- Procfs or /proc is a special FS under Linux used to present process information and kernel processes.
- Much of the information for kernel level of 2.6 & above have been moved to "sysfs" generally mounted under /sys.
- /proc is stored in memory.
- On multi-core CPUs, /proc/cpuinfo contains the fields for "siblings" and "cpu cores":
"siblings" = (HT per CPU package) * (# of cores per CPU package) "cpu cores" = (# of cores per CPU package)
- A CPU package means physical CPU which can have multiple cores (single core for one, dual core for two, quad core for four).
- This allows a distinction between hyper-threading and dual-core, i.e. the number of hyper-threads per CPU package can be calculated by siblings / CPU cores.
- If both values for a CPU package are the same, then hyper-threading is not supported.
- For instance, a CPU package with siblings=2 and "cpu cores"=2 is a dual-core CPU but does not support hyper-threading.
/proc/cmdline – Kernel command line information. /proc/consoles – Information about current consoles including tty. /proc/crypto – list of available cryptographic modules /proc/devices – Device drivers currently configured for the running kernel. /proc/diskstats – /proc/dma – Info about current DMA channels. /proc/fb – Framebuffer devices. /proc/filesystems – Current filesystems supported by the kernel. /proc/iomem – Current system memory map for devices. /proc/ioports – Registered port regions for input output communication with device. /proc/kmsg – holding messages output by the kernel /proc/loadavg – System load average. /proc/locks – Files currently locked by kernel. /proc/meminfo – Summary of how the kernel is managing its memory. /proc/misc – Miscellaneous drivers registered for miscellaneous major device. /proc/modules – Currently loaded kernel modules. /proc/mounts – List of all mounts in use by system. /proc/partitions – Detailed info about partitions available to the system. /proc/pci – Information about every PCI device. /proc/scsi – Information about any devices connected via a SCSI or RAID controller /proc/stat – Record or various statistics kept from last reboot. /proc/swap – Information about swap space. /proc/tty – Information about the current terminals /proc/uptime – Uptime information (in seconds). /proc/version – Kernel version, gcc version, and Linux distribution installed.
/proc/PID/cmdline – Command line arguments. /proc/PID/cpu – Current and last cpu in which it was executed. /proc/PID/cwd – Link to the current working directory. /proc/PID/environ – Values of environment variables. /proc/PID/exe – Link to the executable of this process. /proc/PID/fd – Directory, which contains all file descriptors. /proc/PID/maps – Memory maps to executables and library files. /proc/PID/mem – Memory held by this process. /proc/PID/root – Link to the root directory of this process. /proc/PID/stat – Process status. /proc/PID/statm – Process memory status information. /proc/PID/status – Process status in human readable form (eg: GID, UID, etc) /proc/PID/limits – Contains information about the limits of the process
Usage:
ls -l /proc/$(pgrep -n python)/exe
Inode Number
Source: linoxide.com
- Inode is entry in inode table containing metadata about a regular file and directory.
- An inode is a data structure on a traditional Unix-style file system such as ext3 or ext4.
- Linux extended filesystems such as ext2 or ext3 maintain an array of these inodes: the inode table.
- This table contains list of all files in that filesystem.
- The individual inodes in inode table have a unique number (unique to that filesystem) - the inode number.
- There are some data about files, such as their size, ownership, permissions, timestamp etc.
- This meta-data about a file is managed with a data structure known as an inode (index node).
- Copy file: cp allocates a free inode number and placing a new entry in inode table.
- Move or Rename a file: if destination is same filesystem as the source, Has no impact on inode number, it only changes the time stamps in inode table.
- Delete a file: Deleting a file in Linux decrements the link count and freeing the inode number to be reused.
- A Directory cannot hold two files with same name because it cannot map one name with two different inode numbers.
- The inode number of / directory is fixed, and is always 2.
- Inode number (or index number) consists following attributes:
File type: Regular file, directory, pipe etc. Permissions: Read, write, execute Link count: The number of hard link relative to an inode User ID: Owner of file Group ID: Group owner Size of file: or major/minor number in case of some special files Time stamp: Access time, modification time and (inode) change time Attributes: Immutable' for example Access control list: Permissions for special users/groups Link to location of file Other metadata about the file
- Check info:
df -i ==> Inodes on Filesystem df -i /dev/vda1 ==> Inodes on Filesystem ls -il myfile.txt ==> Show inode no of file find /home/rahul -inum 1150561 ==> Find file using inode no stat unetbootin.bin ==> Show all details of file stat --format=%i unetbootin.bin ==> Shows only inode no
- Manipulate the filesystem meta data
List the contents of the filesystem superblock
tune2fs -l /dev/sda6 | grep inode
Make sure files on the file system are not being accessed:
mount -o remount /yourfilesystem
debugfs /dev/sda1 ==> Manipulate FS here
You can use debugfs to undelete a file by using its inode and indicating a file
- Free Inodes on Filesystem
In the case of inodes are full, You need to remove unused files from the filesystem to make Inode free. There is no option to increase/decrease inodes on disk. Its only created during the creation of filesystem on any disk.
Sort links vs Hard link
- Links and index number in Linux
- In the output of ls -l, the column following the permissions and before owner is the link count.
drwxr-xr-x 6 aman aman 4096 Mar 30 11:50 Documents drwxr-xr-x 3 aman aman 4096 Sep 15 19:11 Downloads ^
- Link count is the number of Hard Links to a file.
- A link is a pointer to another file.
- There are two types of links:
- Symbolic links (or Soft Links)
- A separate file whose contents point to the linked-to file.
- When creating a Sym link, first refer to the name of the original file and then to the name of the link:
ln -s /home/bob/sync.sh filesync
- Editing Sym link is like directly edit the original file.
- If we delete or move the original file, the link will be broken and our filesync file will not be longer available.
- The ls -l command shows that the resulting file is a symbolic link:
ls -l filesync lrwxrwxrwx 1 root root 20 Apr 7 06:08 filesync -> /home/bobbin/sync.sh
- The contents of a symbolic link are the name of target file only.
- The permissions on the symbolic link are completely open.
- This is because the permissions are not managed
- The original file is just a name that is connected directly to the inode, and the symbolic link refers to the name.
- The size of the symbolic link is the number of bytes in the name of the file it refers to, because no other information is available in the symbolic link.
- Hard links
Hosts file
Check CPU, Memory and HDD
Check IP and DNS info
Adding Vlan in Linux
File permission
Commands
- netstat
netstat -s netstat -anp netstat -ant
- ps
ps -aux ps -ant ps -anp
- top
us - user cpu time (or) % CPU time spent in user space sy - system cpu time (or) % CPU time spent in kernel space ni - user nice cpu time (or) % CPU time spent on low priority processes id - idle cpu time (or) % CPU time spent idle wa - io wait cpu time (or) % CPU time spent in wait (on disk) hi - hardware irq (or) % CPU time spent servicing/handling hardware interrupts si - software irq (or) % CPU time spent servicing/handling software interrupts st - steal time % CPU time in involuntary wait by virtual cpu while hypervisor is servicing another processor (or) % CPU time stolen from a virtual machine
- ls
Append a character to each file name indicating the file type:
ls -F or ls --classify
* Executable files / Directories @ Symbolic links | FIFOs = Sockets > Doors Nothing for Regular Files
List Symoblic Links:
ls -la
lrwxrwxrwx 1 root root 11 Sep 13 14:57 mounts -> self/mounts dr-xr-xr-x 3 root root 0 Sep 13 14:57 mpt -rw-r--r-- 1 root root 0 Sep 13 14:57 mtrr
- free
- du
- df
- curl
- wget
- smem
- nslookup
- dig
- mtr
- Misc
Find Sym Links:
find . -type l -ls ls -la | grep "\->"
CPU Info:
lscpu nproc grep 'model name' /proc/cpuinfo | wc -l
Obtain the PID with a utility:
pgrep -n python pidof chrome - return all PIDs pidof -s chrome - return only 1 PID ps -C chrome -o pid= - C = CMD
Flows
- Complete Flow of PC opening a Website:
- Check NW config
- DHCP if not configured
- Check Domain name in Browser Cache
- Check Domain name in OS Cache
- If not Found in any cache, Prepare to send UDP DNS query to DNS Server
- If DNS Server configured is in same Network Check MAC address in ARP Table
- If not found, send ARP for MAC Address
- Forward DNS Query to DNS Server and wait for reply containing IP address of Website
- If DNS server configured is not in same subnet, check Gateway config(IP & MAC address)
- If MAC address not found in ARP Table, send ARP request
- After getting reply, fwd the DNS query to gateway
- After getting DNS response, start TCP 3-way handshake S-SA-A.
- Start SSL Handshake if SSL/TLS configured
- Send GET Request
- Client sends ACK & Body containing HTML Data
- If HTTP 1.0, Server sends FIN & CLoses connection
- Client send FIN-ACK
- Server sends Ack
- Complete Flow of DNS Traffic
- Check NW config
- DHCP if not configured
- Check Domain name in Browser Cache
- Check Domain name in OS Cache
- If not Found in any cache, Prepare to send UDP DNS query to DNS Server
- If DNS Server configured is in same Network Check MAC address in ARP Table
- If not found, send ARP for MAC Address
- Forward DNS Query to DNS Server and wait for reply containing IP address of Website
- If DNS server configured is not in same subnet, check Gateway config(IP & MAC address)
- If MAC address not found in ARP Table, send ARP request
- After getting reply, fwd the DNS query to gateway
- DNS Server ??
- DNS Server ?? Iterative? Recursive? TLD? Authoritative
- DNS Server ??
- After getting DNS response, start TCP 3-way handshake S-SA-A.
- Complete Flow of Traffic passing through below scenario:
[PC1]-----[Hub]-----[Switch]-----[Router]------[Router]------[PC2]
- Check NW config
- DHCP if not configured
- Check if PC2 in same Subnet(not in this scenario as routers present)
- If in Same Subnet, check if MAC address is there in ARP Table
- Else send ARP Request
- Once MAC address is known, directly send Packet to PC2
- If PC2 is in Different Subnet(True for above scenario), Check Gateway IP address & MAC address
- If MAC address is not known, send an ARP request.
- Hub is directly connected, will receive & Flood packet on all Ports.
- Switch will receive packet and check its CAM Table for the MAC to Port bindings
- If MAC entry is not found in CAM table, Switch will Flood the ARP packet on all ports.
- Other destinations will drop the ARP Request packet as they do not have the IP address requested in ARP Header.
- Only Router will accept the packet as it has the requested IP address matching its own MAC address.
- It will reply with an ARP Reply message.
- Switch will add an entry of this MAC address & port number in its CAM Table once the reply packet pass through it.
- Hub will flood the packet through all ports.
- ARP Reply will reach PC1, it will add entry to its ARP Table
- Then send a packet destined to PC2 with destintion MAC address as Router's Interface's MAC address received in ARP reply.