ARP (Address Resolution Protocol) explained

If you learned about the OSI Model and encapsulation / decapsulation you know that when two computers on the LAN want to communicate with each other, the following will happen:

  • An IP packet is created with a source and destination IP address carrying the data from an application.
  • The IP packet will be encapsulated in an Ethernet frame with a source and destination MAC address.

The sending computer will of course know its source MAC address but how does it know the destination MAC address? That’s where ARP comes into play. Let me show you an example:

two computers

In the picture above we have two computers, H1 and H2 and you can see their IP addresses and their MAC addresses.

We are sitting behind H1, open up a command prompt, and type:

C:UsersH1>ping 192.168.1.2 
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=15ms TTL=57
Reply from 192.168.1.2: bytes=32 time=15ms TTL=57
Reply from 192.168.1.2: bytes=32 time=14ms TTL=57
Reply from 192.168.1.2: bytes=32 time=17ms TTL=57

Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 17ms, Average = 15ms

You know about the OSI-model and also know we have to go through all the layers.

Ping uses the ICMP protocol and IP uses the network layer (layer 3). Our IP packet will have a source IP address of 192.168.1.1 and a destination IP address of 192.168.1.2. The next step will be to put our IP packet in an Ethernet frame where we set our source MAC address AAA and destination MAC address BBB.

Now wait a second…how does H1 know about the MAC address of H2? We know the IP address because we typed it but there is no way for H1 to know the MAC address of H2. There is another protocol we have that will solve this problem for us, it’s called ARP (Address Resolution Protocol). Let me show you how it works:

C:UsersH1>arp -a

Interface: 192.168.1.1 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.2           00-0c-29-63-af-d0     dynamic
  192.168.1  .255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

In the example above you see an example of an ARP table on a H1. As you can see there is only one entry, this computer has learned that the IP address 192.168.1.2 has been mapped to the MAC address 00:0C:29:63:AF:D0.

Let’s take a more detailed look at ARP and how it functions:

ARP Request

In this example we have two computers and you can see their IP address and MAC address. We are sitting behind H1 and we want to send a ping to H2. The ARP table is empty so we have no clue what the MAC address of H2 is. The first thing that will happen is that H1 will send an ARP Request. This message basically says “Who has 192.168.1.2 and what is your MAC address?” Since we don’t know the MAC address we will use the broadcast MAC address for the destination (FF:FF:FF:FF:FF:FF). This message will reach all computers in the network.

ARP Reply

 

H2 will reply with a message ARP Reply and is basically saying “that’s me! And this is my MAC address”. H1 can now add the MAC address to its ARP table and start forwarding data towards H2.

If you want to see this in action you can look at it in Wireshark:

ARP in Wireshark

Above you see the ARP request for H1 that is looking for the IP address of H2. The source MAC address is the MAC address of H1, the destination MAC address is “Broadcast” so it will be flooded on the network.

The second packet is the ARP reply. H2 will send its MAC address to H1. Here’s a detailed look:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 799 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
543 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: ,


Forum Replies

  1. Hello,

    Why in the ARP reply packet do we see 00:00:00:00:00:00 as Target MAC address instead of FF:FF:FF:FF:FF:FF ?

  2. I meant ARP request

  3. FF:FF:FF:FF:FF:FF in binary is all 1s…in other words, it will be broadcasted within the broadcast domain. This way the ARP request reaches all devices in the broadcast domain.

  4. I agree with that. That’s why I wonder why we see 00:00:00:00:00:00 is the ARP request screenshot…

  5. May you pls explain same scenario adding 2 switches and 2 routers in between.

    Computer A -------Switch1-----ROUTER1------------------ROUTER 2 ---- Switch2 ----- Computer B.

    Much Thanks !!

157 more replies! Ask a question or join the discussion by visiting our Community Forum