DEV Community

Faizan Nazir
Faizan Nazir

Posted on

Day 4: How Devices Actually Communicate — Networking Explained for SOC Analysts

Most people study networking as a set of definitions.
A SOC analyst experiences networking through alerts, logs, packet captures, and incidents.

Day 4 was about closing that gap. Instead of memorizing terms, the goal was to understand how communication actually happens inside a network, and why attackers love abusing these fundamentals.

In this article, I explain MAC Address, ARP, ICMP, and Ping in full depth — what they are, how they work, where they are used, where they are not used, and why each of them matters in a real SOC environment.MAC Address — The Physical Identity of a Device
A MAC (Media Access Control) address is the physical identity of a network device. It is assigned to the network interface card (NIC) and uniquely identifies a device within a local network. Unlike IP addresses, which can change depending on the network, a MAC address is designed to remain stable and tied to the hardware.

Every device that connects to a network — laptops, servers, routers, switches, printers, and even IoT devices — communicates at the local level using MAC addresses. This is why MAC addresses operate at the Data Link Layer (Layer 2) of the OSI model.

The purpose of a MAC address is simple but critical: it allows devices inside a local network to know exactly which device should receive a frame. Switches do not understand IP addresses in the way routers do. Instead, they read the destination MAC address in a frame and forward it to the correct physical port.

When a device sends data inside a LAN, it encapsulates that data into a frame that contains both a source MAC and a destination MAC. The switch examines the destination MAC, looks it up in its MAC address table, and forwards the frame only to the appropriate port. This process makes local communication fast and efficient.

MAC addresses are used for local identification, switching decisions, and asset tracking. However, they are not used for routing across the internet, they do not provide encryption, and they do not authenticate users. This limitation becomes important from a security perspective.

From a SOC analyst’s point of view, MAC addresses are extremely valuable. They help identify rogue devices, detect unauthorized connections, correlate IP addresses with physical systems, and spot MAC spoofing attempts. If the same MAC address suddenly appears in multiple locations, or if a trusted MAC changes unexpectedly, it often indicates suspicious activity.

ARP — How an IP Address Becomes a MAC Address
While applications and routing logic rely on IP addresses, actual delivery of data inside a LAN requires MAC addresses. This creates a fundamental problem: a device may know the destination IP address, but without the MAC address, it cannot deliver the frame.

ARP (Address Resolution Protocol) exists to solve this exact problem. Its role is to map an IP address to its corresponding MAC address within a local network.

When a device wants to communicate with another device in the same LAN, it first checks its ARP table to see if it already knows the MAC address associated with the destination IP. If the mapping is missing, the device sends an ARP Request. This request is broadcast to all devices in the network, asking which device owns the target IP address.

The device that owns that IP responds with an ARP Reply, sent as a unicast message, providing its MAC address. The sender then stores this mapping in its ARP cache and uses it for subsequent communication.

ARP enables seamless local communication, but it comes with a serious weakness: it has no authentication mechanism. Devices blindly trust ARP replies, even if they are malicious. This makes ARP vulnerable to spoofing attacks.

In ARP spoofing or ARP poisoning, an attacker sends fake ARP replies claiming to be the router or another trusted device. This causes traffic to be redirected through the attacker, enabling man-in-the-middle attacks, credential theft, and session hijacking.

Become a Medium member
For SOC analysts, ARP is a critical internal threat vector. ARP-based attacks often bypass perimeter defenses because they occur inside the network. Analysts monitor ARP anomalies such as IP-to-MAC mismatches, duplicate MAC addresses, and frequent ARP table changes to detect these attacks.

ICMP — The Network’s Feedback and Error Reporting System
IP is responsible for delivering packets, but it does not report what happens when something goes wrong. ICMP (Internet Control Message Protocol) fills this gap by acting as the feedback mechanism of the network.

ICMP is used by routers and hosts to report errors, signal delivery problems, and assist in network diagnostics. It operates at the Network Layer (Layer 3) and is encapsulated inside IP packets.

When a packet cannot reach its destination, when a route fails, or when a packet’s Time To Live (TTL) expires, ICMP messages are generated and sent back to the source. These messages help systems understand why communication failed.

ICMP is widely used for troubleshooting and monitoring. Tools like ping and traceroute rely on ICMP to test reachability and discover network paths. Without ICMP, diagnosing network issues would be extremely difficult.

However, ICMP is not designed to carry application data, establish connections, or guarantee delivery. It exists purely for control and reporting purposes.

From a security perspective, ICMP is a double-edged sword. While it provides visibility, attackers abuse it for reconnaissance, denial-of-service attacks, and covert data exfiltration through ICMP tunneling. SOC teams often choose to rate-limit ICMP rather than blocking it completely, balancing security with operational visibility.

Ping — A Simple Tool with Powerful Implications
Ping is often misunderstood as a protocol, but in reality, it is a diagnostic tool that uses ICMP. Its primary purpose is to test whether a host is reachable and how long it takes to respond.

When a ping command is executed, the system sends an ICMP Echo Request to the destination. If the destination is reachable and allows ICMP, it responds with an ICMP Echo Reply. The time taken for this round trip is measured as latency.

Ping is used to verify basic connectivity, measure network delay, and detect packet loss. However, it does not test application availability or service health. A system can respond to ping while critical services remain down, and conversely, a system may block ICMP while still serving traffic normally.

From an attacker’s perspective, ping is a reconnaissance tool. Ping sweeps are commonly used to discover live hosts within a network. From a SOC perspective, unusual ICMP volumes, sequential ping patterns, or unexpected ping activity can indicate scanning or early-stage intrusion attempts.

Final SOC Takeaway
Day 4 connected the foundational pieces of networking:

MAC addresses identify devices, ARP connects IPs to those devices, ICMP reports network health, and ping tests reachability. These concepts are not just theoretical — they directly shape how SOC analysts interpret alerts, investigate incidents, and understand attacker behavior.

Learning networking at this depth transforms logs from noise into signals. This is not shortcut learning — this is SOC-ready understanding.

SOC Analyst Journey — Day 4 Completed

Top comments (0)