ARP is one of the most used protocols and every netwoork engineer should have a good understanding of it. The purpose of ARP is to find out the hardware address for a host for which we know the IP. ARP is in no way bound to Ethernet, it will function for other layer 2 protocols also. The topology I have used is very simple, it’s my own wireless network at home. See the picture below:

In Windows, to see what is in the ARP cache type “arp -a”. In windows Vista/7 the entry is valid for about 30 seconds.

Since I already have an entry for (my router) I need to delete it to force an ARP request to be sent. I will capture the traffic with Wireshark. The command to do this is “arp -d”.

Lets look at an ARP header:

The numbers above the image are the octet boundaries, one octet is 8 bits. This can also be expressed as one byte. The first field which is 2 octets in size is hardware type. This field indicates what layer 2 protocol is being used, in this case Ethernet. This number will be one for Ethernet(0x0001). Protocol type is the layer 3 protocol in use which in our case is IP. IP has the number 0x0800. Hardware address length is one octet long and indicates the length of the hardware address. For Ethernet this is 6 bytes(48 bits). Protocol address length is the length of IP which is 4 octets. Opcode tells us what kind of ARP message this is, this will be a one for a request or a two for a reply. It can also be a three or four in the case of RARP (Reverse ARP).

Source hardware address and destination hardware address is in our case the MAC(Media Access Control) address. The protocol address is the source and destination IP address.

My computer now sends an ARP request (Opcode 0x0001). This is what it looks like: is the router and .65 is my computer. Notice that the frame is a broadcast since we don’t know the MAC-address of the router. This is what the frame looks like in detail:

The router then sends a reply which is unicasted, the router knows the computers MAC-address since it was in the frame that it received. The frame looks like this:

This is the more detailed version:

The router will save the MAC for the computer in it’s own cache. If we are asking for the hardware address of the router that means we are interested in communicating with it so it is more effecient to save the information then to send a new request from the router to the computer.

I hope this post has given you some more detail about how ARP works.

ARP (Address Resolution Protocol)
Tagged on:

One thought on “ARP (Address Resolution Protocol)

  • December 30, 2023 at 5:16 pm

    Yes, it did. Thank you, Daniel!


Leave a Reply

Your email address will not be published. Required fields are marked *