ARP (Address Resolution Protocol) explained

If you learned about the OSI Model and encapsulation / decapsulation you know that when two computers on the LAN want to communicate with each other the following will happen:

  • An IP packet is created with a source and destination IP address carrying the data from an application.
  • The IP packet will be encapsulated in an Ethernet frame with a source and destination MAC address.

The sending computer will of course know its source MAC address but how does it know the destination MAC address? That’s where ARP comes into play. Let me show you an example:

two computers

In the picture above we have two computers, H1 and H2 and you can see their IP addresses and their MAC addresses.

We are sitting behind H1, open up a command prompt and type:

Pinging with 32 bytes of data:
Reply from bytes=32 time=15ms TTL=57
Reply from bytes=32 time=15ms TTL=57
Reply from bytes=32 time=14ms TTL=57
Reply from bytes=32 time=17ms TTL=57

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 17ms, Average = 15ms

You know about the OSI-model and also know we have to go through all the layers.

Ping uses the ICMP protocol and IP uses the network layer (layer 3). Our IP packet will have a source IP address of and a destination IP address of Next step will be to put our IP packet in an Ethernet frame where we set our source MAC address AAA and destination MAC address BBB.

Now wait a second…how does H1 know about the MAC address of H2? We know the IP address because we typed it but there is no way for H1 to know the MAC address of H2. There is another protocol we have that will solve this problem for us, it’s called ARP (Address Resolution Protocol). Let me show you how it works:

C:UsersH1>arp -a

Interface: --- 0xb
  Internet Address      Physical Address      Type           00-0c-29-63-af-d0     dynamic
  192.168.1  .255       ff-ff-ff-ff-ff-ff     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fc     static       01-00-5e-7f-ff-fa     static       ff-ff-ff-ff-ff-ff     static

In the example above you see an example of an ARP table on a H1. As you can see there is only one entry, this computer has learned that the IP address has been mapped to the MAC address 00:0C:29:63:AF:D0.

Let’s take a more detailed look at ARP and how it functions:

ARP Request

In this example we have two computers and you can see their IP address and MAC address. We are sitting behind H1 and we want to send a ping to H2. The ARP table is empty so we have no clue what the MAC address of H2 is. The first thing that will happen is that H1 will send an ARP Request. This message basically says “Who has and what is your MAC address?” Since we don’t know the MAC address we will use the broadcast MAC address for the destination (FF:FF:FF:FF:FF:FF). This message will reach all computers in the network.

ARP Reply


H2 will reply with a message ARP Reply and is basically saying “that’s me! And this is my MAC address”. H1 can now add the MAC address to its ARP table and start forwarding data towards H2.

If you want to see this in action you can look at it in Wireshark:

ARP in Wireshark

Above you see the ARP request for H1 that is looking for the IP address of H2. The source MAC address is the MAC address of H1, the destination MAC address is “Broadcast” so it will be flooded on the network.

The second packet is the ARP reply. H2 will send its MAC address to H1. Here’s a detailed look:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 735 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

527 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. When we see in ARP request packet in the Target hardware address (THA) field 0000.0000.0000 (instead of FFFF.FFFF.FFFF) maybe it is connected with the older broadcast address standard? I have read in the „TCP/IP Illustrated„ written by Kevin R. Fall and W. Richard Stevens in the “Proxy ARP” chapter that „some used an older broadcast address (a host ID of all 0 bits, instead of the current standard of a host ID with all 1 bits)”. I can’t find more information about this older broadcast address standard. Is my conjecture correct?

    Link to the quoted sentence:

    ... Continue reading in our forum

  2. The link with the quote doesn’t work for me but there are two different things when we look at the ARP request:

    - Destination Address
    - Target Hardware Address

    These are two different things…the destination address is found in the layer 2 (Ethernet) header and specifies where to forward the frame to, it’s set to FFFF.FFFF.FFFF (broadcast). The target hardware address is found in the ARP header and since it’s an ARP request, we don’t know the target…it is set to 0000.0000.0000.

    If you capture an ARP request with wireshark then you’ll find both values :slight_smile:

  3. This is best explained with the following two captures:

    Above you can see the ARP request. The sender (fa:16:3e:38:94:94) creates the ARP request and is looking for It encapsulates this in an Ethernet frame with its own MAC address as the source and destination broadcast.

    Everyone on the subnet will hear this message, the device that has the destination MAC address will reply:

    ... Continue reading in our forum

  4. sir , for the scenario
    Computer A ——-Switch1—–ROUTER1——————ROUTER 2 —- Switch2 —– Computer B.

    you said that

    "Computer A will do an ARP request for the IP address of Router 1

    Computer B will do an ARP request for Router 2 (its default gateway).

    Router 1 and Router 2 will do ARP requests on the link that connects them to discover each others MAC addresses."

    please rectify/guide me if i am worng
    computer A will send ARP request to R1 to know R1 MAC address, so whenever it sends send data to ComputerB it will then send it to MAC address of R1.

    sir my second query i

    ... Continue reading in our forum

  5. Hi.

    Router A wants to know MAC address of router B. So, it broadcasts ARP. Only router B replies.
    In this case, target MAC should be FF:FF:FF:FF:FF:FF which is broadcastin ARP request. Why the target MAC is all 0’s in ARP request?

131 more replies! Ask a question or join the discussion by visiting our Community Forum