ARP (Address Resolution Protocol) explained

If you learned about the OSI Model and encapsulation / decapsulation you know that when two computers on the LAN want to communicate with each other the following will happen:

• An IP packet is created with a source and destination IP address carrying the data from an application.
• The IP packet will be encapsulated in an Ethernet frame with a source and destination MAC address.

The sending computer will of course know its source MAC address but how does it know the destination MAC address? That’s where ARP comes into play. Let me show you an example:

In the picture above we have two computers, H1 and H2 and you can see their IP addresses and their MAC addresses.

We are sitting behind H1, open up a command prompt and type:

C:UsersH1>ping 192.168.1.2 
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=15ms TTL=57
Reply from 192.168.1.2: bytes=32 time=15ms TTL=57
Reply from 192.168.1.2: bytes=32 time=14ms TTL=57
Reply from 192.168.1.2: bytes=32 time=17ms TTL=57

Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 17ms, Average = 15ms

You know about the OSI-model and also know we have to go through all the layers.

Ping uses the ICMP protocol and IP uses the network layer (layer 3). Our IP packet will have a source IP address of 192.168.1.1 and a destination IP address of 192.168.1.2. Next step will be to put our IP packet in an Ethernet frame where we set our source MAC address AAA and destination MAC address BBB.

Now wait a second…how does H1 know about the MAC address of H2? We know the IP address because we typed it but there is no way for H1 to know the MAC address of H2. There is another protocol we have that will solve this problem for us, it’s called ARP (Address Resolution Protocol). Let me show you how it works:

C:UsersH1>arp -a

Interface: 192.168.1.1 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.2           00-0c-29-63-af-d0     dynamic
  192.168.1  .255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

In the example above you see an example of an ARP table on a H1. As you can see there is only one entry, this computer has learned that the IP address 192.168.1.2 has been mapped to the MAC address 00:0C:29:63:AF:D0.

Let’s take a more detailed look at ARP and how it functions:

In this example we have two computers and you can see their IP address and MAC address. We are sitting behind H1 and we want to send a ping to H2. The ARP table is empty so we have no clue what the MAC address of H2 is. The first thing that will happen is that H1 will send an ARP Request. This message basically says “Who has 192.168.1.2 and what is your MAC address?” Since we don’t know the MAC address we will use the broadcast MAC address for the destination (FF:FF:FF:FF:FF:FF). This message will reach all computers in the network.

H2 will reply with a message ARP Reply and is basically saying “that’s me! And this is my MAC address”. H1 can now add the MAC address to its ARP table and start forwarding data towards H2.

If you want to see this in action you can look at it in Wireshark:

Above you see the ARP request for H1 that is looking for the IP address of H2. The source MAC address is the MAC address of H1, the destination MAC address is “Broadcast” so it will be flooded on the network.

The second packet is the ARP reply. H2 will send its MAC address to H1. Here’s a detailed look: