ARP (Address Resolution Protocol) explained

If you learned about the OSI Model and encapsulation / decapsulation you know that when two computers on the LAN want to communicate with each other, the following will happen:

  • An IP packet is created with a source and destination IP address carrying the data from an application.
  • The IP packet will be encapsulated in an Ethernet frame with a source and destination MAC address.

The sending computer will of course know its source MAC address but how does it know the destination MAC address? That’s where ARP comes into play. Let me show you an example:

two computers

In the picture above we have two computers, H1 and H2 and you can see their IP addresses and their MAC addresses.

We are sitting behind H1, open up a command prompt, and type:

Pinging with 32 bytes of data:
Reply from bytes=32 time=15ms TTL=57
Reply from bytes=32 time=15ms TTL=57
Reply from bytes=32 time=14ms TTL=57
Reply from bytes=32 time=17ms TTL=57

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 17ms, Average = 15ms

You know about the OSI-model and also know we have to go through all the layers.

Ping uses the ICMP protocol and IP uses the network layer (layer 3). Our IP packet will have a source IP address of and a destination IP address of The next step will be to put our IP packet in an Ethernet frame where we set our source MAC address AAA and destination MAC address BBB.

Now wait a second…how does H1 know about the MAC address of H2? We know the IP address because we typed it but there is no way for H1 to know the MAC address of H2. There is another protocol we have that will solve this problem for us, it’s called ARP (Address Resolution Protocol). Let me show you how it works:

C:UsersH1>arp -a

Interface: --- 0xb
  Internet Address      Physical Address      Type           00-0c-29-63-af-d0     dynamic
  192.168.1  .255       ff-ff-ff-ff-ff-ff     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fc     static       01-00-5e-7f-ff-fa     static       ff-ff-ff-ff-ff-ff     static

In the example above you see an example of an ARP table on a H1. As you can see there is only one entry, this computer has learned that the IP address has been mapped to the MAC address 00:0C:29:63:AF:D0.

Let’s take a more detailed look at ARP and how it functions:

ARP Request

In this example we have two computers and you can see their IP address and MAC address. We are sitting behind H1 and we want to send a ping to H2. The ARP table is empty so we have no clue what the MAC address of H2 is. The first thing that will happen is that H1 will send an ARP Request. This message basically says “Who has and what is your MAC address?” Since we don’t know the MAC address we will use the broadcast MAC address for the destination (FF:FF:FF:FF:FF:FF). This message will reach all computers in the network.

ARP Reply


H2 will reply with a message ARP Reply and is basically saying “that’s me! And this is my MAC address”. H1 can now add the MAC address to its ARP table and start forwarding data towards H2.

If you want to see this in action you can look at it in Wireshark:

ARP in Wireshark

Above you see the ARP request for H1 that is looking for the IP address of H2. The source MAC address is the MAC address of H1, the destination MAC address is “Broadcast” so it will be flooded on the network.

The second packet is the ARP reply. H2 will send its MAC address to H1. Here’s a detailed look:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 788 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

663 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hello,

    Why in the ARP reply packet do we see 00:00:00:00:00:00 as Target MAC address instead of FF:FF:FF:FF:FF:FF ?

  2. I meant ARP request

  3. FF:FF:FF:FF:FF:FF in binary is all 1s…in other words, it will be broadcasted within the broadcast domain. This way the ARP request reaches all devices in the broadcast domain.

  4. I agree with that. That’s why I wonder why we see 00:00:00:00:00:00 is the ARP request screenshot…

  5. May you pls explain same scenario adding 2 switches and 2 routers in between.

    Computer A -------Switch1-----ROUTER1------------------ROUTER 2 ---- Switch2 ----- Computer B.

    Much Thanks !!

157 more replies! Ask a question or join the discussion by visiting our Community Forum