ARP (Address Resolution Protocol) is a network protocol used to find out the hardware (MAC) address of a device from an IP address. It is used when a device wants to communicate with some other device on a local network (for example on an Ethernet network that requires physical addresses to be known before sending packets). The sending device uses ARP to translate IP addresses to MAC addresses. The device sends an ARP request message containing the IP address of the receiving device. All devices on a local network segment see the message, but only the device that has that IP address responds with the ARP reply message containing its MAC address. The sending device now has enough information to send the packet to the receiving device.
ARP request packets are sent to the broadcast addresses (FF:FF:FF:FF:FF:FF for the Ethernet broadcasts and 255.255.255.255 for the IP broadcast).
Let’s say that host A wants to communicate with host B. Host A knows the IP address of host B, but it doesn’t know host B’s MAC address. To find out the MAC address of host B, host A sends an ARP request, listing host B’s IP address as the destination IP address and the MAC address of FF:FF:FF:FF:FF:FF (Ethernet broadcast). The switch will forward the frame out all interfaces (except the incoming interface). Each device on the segment will receive the packet, but because the destination IP address is host B’s IP address, only host B will reply with the ARP reply packet, listing its MAC address. Host A now has enough information to send the traffic to host B.
All operating systems maintain ARP caches that are checked before sending an ARP request message. Each time a host needs to send a packet to another host on the LAN, it first checks its ARP cache for the correct IP address and matching MAC address. The addresses will stay in the cache for a couple of minutes. You can display ARP entries in Windows by using the arp -a command.
Why do we need ARP?
Let’s understand with a simple example.
We have one computer [PC1] with IP address 192.168.1.6 and we want to ping another computer [PC2] whose IP address is 192.168.1.1. We have PC1’s MAC address, but we do not know PC2’s MAC address, and without the MAC address we cannot send any packet.
Now let’s see step by step.
Note: Open the command prompt in administrative mode.
Step 1: Check the existing ARP entries on PC1. Execute arp -a in the command line to see the existing ARP entries.
Step 2: Delete the ARP entries. Execute the arp -d command in the command line, and then execute arp -a to make sure the ARP entries have been deleted.
Step 3: Open Wireshark and start it on PC1.
Step 4: Execute the command below on PC1: ping 192.168.1.1
Step 5: Now ping should be successful.
Step 6: Stop Wireshark.
Now we will check what happens in the background when we delete the ARP entry and ping a new IP address.
When we ping 192.168.1.1, an ARP request and ARP reply are exchanged before the ICMP request packet is sent. That is how PC1 got the MAC address of PC2 and was able to send the ICMP packet.
Analysis on Wireshark:
ARP packet types:
- ARP Request.
- ARP Reply.
There are two other types, RARP Request and RARP Reply, but they are used only in specific cases.
Let’s come back to our experiment.
We pinged 192.168.1.1, so before sending the ICMP request, PC1 should send a broadcast ARP request and PC2 should send a unicast ARP reply.
Here are important fields for ARP Request.
So we understand that the main intention of the ARP request is to get the MAC address of PC2.
Now let’s see ARP reply in Wireshark.
ARP reply is sent by PC2 after receiving ARP request.
Here are the important fields of ARP reply.
From this ARP reply we see that PC1 got PC2’s MAC address and updated its ARP table.
Now ping should be successful as ARP has been resolved.
Other important ARP packets:
RARP: It’s the opposite of the normal ARP that we have discussed. That means you have the MAC address of PC2 but you do not have the IP address of PC2. Some specific cases need RARP.
Gratuitous ARP: When a system gets an IP address, it is free to send a gratuitous ARP informing the network that it has this IP. This is to avoid an IP conflict in the same network.
Proxy ARP: As the name suggests, one device sends an ARP request and gets an ARP reply, but not from the actual device. That means another device sends the ARP reply on behalf of the original device. It’s implemented for security reasons.
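The fields Wireshark shows for the ARP request and ARP reply in the experiment above, and for the gratuitous ARP just described, can be decoded by hand. The following is an added example, not part of the original article: it builds the three frames for PC1 (192.168.1.6) and PC2 (192.168.1.1) and parses them. The MAC addresses and all function names are constructed for illustration, and a gratuitous ARP is assumed to be a broadcast request whose sender IP and target IP are the same.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}
BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
# Constructed MAC addresses: the page gives only the IP addresses of PC1 and PC2.
PC1_MAC, PC1_IP = "02:00:00:00:00:06", "192.168.1.6"
PC2_MAC, PC2_IP = "02:00:00:00:00:01", "192.168.1.1"

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + arp + mac_bytes(sha) + socket.inet_aton(spa)
            + mac_bytes(tha) + socket.inet_aton(tpa))

def parse_arp(frame):
    """Decode the Ethernet and ARP fields of a frame; raise ValueError if not ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        raise ValueError("too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_dst": mac_text(dst), "eth_src": mac_text(src),
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "sender_mac": mac_text(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_text(tha), "target_ip": socket.inet_ntoa(tpa),
        "broadcast": dst == b"\xff" * 6,   # request goes to every host
        "gratuitous": spa == tpa,          # host announcing its own IP
    }

REQUEST = build_frame(BROADCAST, PC1_MAC, 1, PC1_MAC, PC1_IP, UNKNOWN, PC2_IP)
REPLY = build_frame(PC1_MAC, PC2_MAC, 2, PC2_MAC, PC2_IP, PC1_MAC, PC1_IP)
GRATUITOUS = build_frame(BROADCAST, PC2_MAC, 1, PC2_MAC, PC2_IP, UNKNOWN, PC2_IP)
if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY), ("gratuitous", GRATUITOUS)):
        print(name, parse_arp(frame))
```

In the request the target MAC is all zeros because PC1 does not know it yet; the reply is unicast back to PC1 and carries PC2's MAC in the sender field, which is the value PC1 stores in its ARP table.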
Summary:
ARP packets are exchanged in the background whenever we try to access a new IP address.