If you learned about the OSI Model and encapsulation / decapsulation you know that when two computers on the LAN want to communicate with each other the following will happen:
- An IP packet is created with a source and destination IP address carrying the data from an application.
- The IP packet will be encapsulated in an Ethernet frame with a source and destination MAC address.
The sending computer will of course know its source MAC address but how does it know the destination MAC address? That’s where ARP comes into play. Let me show you an example:
In the picture above we have two computers, H1 and H2 and you can see their IP addresses and their MAC addresses.
We are sitting behind H1, open up a command prompt and type:
C:\Users\H1>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=15ms TTL=57
Reply from 192.168.1.2: bytes=32 time=15ms TTL=57
Reply from 192.168.1.2: bytes=32 time=14ms TTL=57
Reply from 192.168.1.2: bytes=32 time=17ms TTL=57
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 14ms, Maximum = 17ms, Average = 15ms
You know about the OSI-model and also know we have to go through all the layers.
Ping uses the ICMP protocol and IP uses the network layer (layer 3). Our IP packet will have a source IP address of 192.168.1.1 and a destination IP address of 192.168.1.2. Next step will be to put our IP packet in an Ethernet frame where we set our source MAC address AAA and destination MAC address BBB.
Now wait a second…how does H1 know about the MAC address of H2? We know the IP address because we typed it but there is no way for H1 to know the MAC address of H2. There is another protocol we have that will solve this problem for us, it’s called ARP (Address Resolution Protocol). Let me show you how it works:
C:\Users\H1>arp -a
Interface: 192.168.1.1 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.2           00-0c-29-63-af-d0     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
Above you see an example of the ARP table on H1. As you can see there is only one dynamic entry: this computer has learned that the IP address 192.168.1.2 is mapped to the MAC address 00:0C:29:63:AF:D0.
Let’s take a more detailed look at ARP and how it functions:
In this example we have two computers and you can see their IP address and MAC address. We are sitting behind H1 and we want to send a ping to H2. The ARP table is empty so we have no clue what the MAC address of H2 is. The first thing that will happen is that H1 will send an ARP Request. This message basically says “Who has 192.168.1.2 and what is your MAC address?” Since we don’t know the MAC address we will use the broadcast MAC address for the destination (FF:FF:FF:FF:FF:FF). This message will reach all computers in the network.
H2 will reply with an ARP Reply message that basically says “that’s me! And this is my MAC address”. H1 can now add the MAC address to its ARP table and start forwarding data towards H2.
If you want to see this in action you can look at it in Wireshark:
Above you see the ARP request from H1, which is looking for the IP address of H2. The source MAC address is the MAC address of H1 and the destination MAC address is “Broadcast”, so the frame will be flooded on the network.
The second packet is the ARP reply. H2 will send its MAC address to H1. Here’s a detailed look:
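The request and reply described above, as an added example that is not part of the original article: it builds and parses both frames byte by byte, showing that the broadcast address sits in the Ethernet header while the ARP target hardware address is left at zero in the request. H1's MAC address is a constructed value; H2's is the one from the arp -a output.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, sha, spa, tha, tpa, eth_dst):
    """Ethernet II header + 28-byte ARP payload (IPv4 over Ethernet)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + bytes(map(int, spa.split(".")))
    arp += mac_bytes(tha) + bytes(map(int, tpa.split(".")))
    return eth + arp

def parse_arp(frame):
    """Decode the Ethernet header and ARP fields; reject anything else."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "op": OPCODES.get(op, f"unknown({op})"),
        "sha": mac_str(sha), "spa": ".".join(map(str, spa)),
        "tha": mac_str(tha), "tpa": ".".join(map(str, tpa)),
    }

def learn(arp_table, frame):
    """Record the sender's IP -> MAC mapping, as H1 does when the reply arrives."""
    msg = parse_arp(frame)
    arp_table[msg["spa"]] = msg["sha"]
    return msg

# Constructed sample frames: H1's MAC is made up for this example.
H1 = ("00:0c:29:aa:bb:cc", "192.168.1.1")
H2 = ("00:0c:29:63:af:d0", "192.168.1.2")
REQUEST = build_arp(1, H1[0], H1[1], "00:00:00:00:00:00", H2[1], BROADCAST)
REPLY = build_arp(2, H2[0], H2[1], H1[0], H1[1], H1[0])
```

Parsing REQUEST gives eth_dst ff:ff:ff:ff:ff:ff with tha 00:00:00:00:00:00, and calling learn() on REPLY fills the table with the same 192.168.1.2 entry that arp -a shows as dynamic.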
When we see 0000.0000.0000 (instead of FFFF.FFFF.FFFF) in the Target hardware address (THA) field of an ARP request packet, maybe it is connected with the older broadcast address standard? I have read in “TCP/IP Illustrated”, written by Kevin R. Fall and W. Richard Stevens, in the “Proxy ARP” chapter that “some used an older broadcast address (a host ID of all 0 bits, instead of the current standard of a host ID with all 1 bits)”. I can’t find more information about this older broadcast address standard. Is my conjecture correct?
Link to the quoted sentence:
This is best explained with the following two captures:
https://networklessons.com/wp-content/uploads/2015/12/wireshark-capture-arp-request.png
Above you can see the ARP request. The sender (fa:16:3e:38:94:94) creates the ARP request and is looking for 192.168.12.2. It encapsulates this in an Ethernet frame with its own MAC address as the source and destination broadcast.
Everyone on the subnet will hear this message, the device that has the destination MAC address will reply:
https://cdn-forum.networklessons.com/uploads/default/original/2X/9/9f60d1190267be572f
Sir, for the scenario
Computer A ——-Switch1—–ROUTER1——————ROUTER 2 —- Switch2 —– Computer B.
you said that
"Computer A will do an ARP request for the IP address of Router 1
Computer B will do an ARP request for Router 2 (its default gateway).
Router 1 and Router 2 will do ARP requests on the link that connects them to discover each others MAC addresses."
Please rectify/guide me if I am wrong.
Computer A will send an ARP request to R1 to learn R1's MAC address, so whenever it sends data to Computer B it will then send it to the MAC address of R1.
sir my second query i
Hi.
Router A wants to know MAC address of router B. So, it broadcasts ARP. Only router B replies.
In this case, the target MAC should be FF:FF:FF:FF:FF:FF, which is broadcast, in the ARP request. Why is the target MAC all 0’s in the ARP request?
Hi Braulio,
Every device that has an IP address builds an ARP table. They somehow need to map a L3 IP address to a L2 MAC address.
A computer (host) will have an ARP table. A switch that you configure with an IP address for remote management also has an ARP table.
Rene