What is ARP(Address Resolution Protocol)?

ARP (Address Resolution Protocol) is the protocol for associating an IP address with a MAC address. The mapping of IP addresses to MAC addresses is called address resolution, hence the name of the protocol, ARP.

ARP is an important protocol that is essential when forwarding IP packets over Ethernet.

Why is a MAC address also required?

In TCP/IP communication, the destination is specified by IP address, but why is a MAC address also required?

This is because IP alone cannot deliver data to its final destination; IP does not have the ability to convert “0” and “1” bits into physical signals that can be conveyed. Therefore, IP packets must be encapsulated in a network interface layer protocol, such as Ethernet or Wi-Fi, and converted into physical signals and sent out. When using Ethernet as the network interface layer protocol, an Ethernet header must be added to IP packets to send them out of the Ethernet interface.

The IP header requires an IP address. And the Ethernet header needs a MAC address. The source IP address and source MAC address are known because they belong to the device sending the packet. And since an IP address is always specified in TCP/IP communication, the destination IP address should be the one specified.Now the destination MAC address is needed. ARP is available to find the MAC address corresponding to the destination IP address.

 Figure: Overview of Address Resolution with ARP
Figure: Overview of Address Resolution with ARP

Although not explicitly represented in the figure, the digital data of “0” and “1” are converted to physical signals when sent out from the Ethernet interface.

How the ARP works

ARP address resolution targets IP addresses within the same network.When a device such as a PC connected via the Ethernet interface specifies a destination IP address to send IP packets, ARP processing is automatically performed. Although users do not need to be particularly aware of how ARP works, the fact that ARP is used for address resolution is very important for understanding how networks work.

The flow of ARP operation is as follows.

Broadcast ARP request
Query the MAC address corresponding to an IP address with ARP request
Return ARP reply
The host with the queried IP address gives its MAC address with the ARP reply
Update ARP cache
Stores correspondence between address resolved IP addresses and MAC addresses in the ARP cache

Note that ARP requests and ARP replies are encapsulated directly with an Ethernet header, with no IP header appended.

Figure: ARP Encapsulation
Figure: ARP Encapsulation

1.Query with ARP Request

When an IP packet is sent out of the Ethernet interface with an IP address, an ARP request is sent first. The content of an ARP request is “Please tell me the MAC address of this IP address.

ARP request is sent by broadcast so that all hosts on the same network will receive it; ARP address resolution is only available within the same network because it uses broadcasts. Broadcasts are not forwarded to different networks.

Note that ARP request is broadcast, so all hosts on the same network will receive the ARP request, but hosts other than the IP address to be queried will discard the ARP request even if they receive it.

2.Tell MAC address with ARP reply

The host with the IP address to be queried returns an ARP reply. The content of the ARP reply is the queried MAC address; the ARP reply allows the original host to recognize the MAC address for the desired IP address.

3.Update ARP Cache

It is not efficient to perform ARP address resolution every time an IP packet is sent. Besides, the correspondence between IP addresses and MAC addresses does not change that often. Therefore, once the IP address is resolved, the MAC address correspondence is stored in the ARP cache for a certain period of time. Note that the ARP cache is updated by both the querying host and the queried host.

If the IP address and MAC address correspondence exists in the ARP cache, the procedure of name resolution with ARP request and reply can be skipped.Information in the ARP cache is deleted over time; the ARP cache is also called the ARP table.

Example of ARP address resolution

The following figure shows an example of ARP address resolution, illustrating how the MAC address of PC3 is resolved when sending data from PC1 to PC3 (IP address 192.168.1.3) on the same network.

Figure: ARP Operation
Figure: ARP Operation

Once the MAC address of PC3 has been resolved, data destined for PC3 can be sent out of the Ethernet interface by specifying the destination MAC address in the Ethernet header.

Figure: Sending data after address resolution
Figure: Sending data after address resolution

When transferring data to different networks

ARP address resolution is only for IP addresses on the same network. So how do we find the MAC address when transferring data to different networks?

When sending data to an IP address of a different network, it is first forwarded to the default gateway.The default gateway is a router on the same network. It is an entry point to other networks. Multiple networks are interconnected by routers. That is, different networks are beyond routers on the same network.When sending data to different networks, send an ARP request with the IP address of the default gateway as the IP address to be queried in the ARP. The default gateway router will return an ARP reply and the source host will know the MAC address of the default gateway.

Figure: ARP when sending data to different networks
Figure: ARP when sending data to different networks

Once the MAC address for the IP address of the default gateway is resolved, the data is encapsulated in an Ethernet header and sent. The destination MAC address in the Ethernet header is that of the default gateway. But the destination IP address is that of the host to which the data will eventually be delivered.

The default gateway then receives the data and performs routing based on the destination IP address.

Figure: Sending data to different networks
Figure: Sending data to different networks

ARP cache management (Windows)

The Windows OS allows you to manage the ARP cache from the command prompt; this section explains how to view the contents of the ARP cache, register IP address to MAC address correspondence in the static, and delete ARP cache information.

Display ARP cache

From the command prompt, use the arp -a command to display the contents of the ARP cache. If there are multiple network interfaces, the ARP cache is displayed for each network interface.

C:\Users\gene>arp -a

Interface: 192.168.72.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.72.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

Interface: 192.168.124.1 --- 0x7
  Internet Address      Physical Address      Type
  192.168.124.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

Interface: 192.168.1.215 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           28-bd-89-d3-42-1c     dynamic
  192.168.1.27          60-57-18-62-53-9a     dynamic
  192.168.1.33          f0-72-ea-15-1d-d0     dynamic
  192.168.1.34          48-d6-d5-71-11-7b     dynamic
  192.168.1.100         00-1f-33-eb-02-29     dynamic
  192.168.1.160         00-25-dc-58-6a-71     dynamic
  192.168.1.166         54-53-ed-78-ef-7a     dynamic
  192.168.1.168         0c-fe-45-f2-b3-10     dynamic
  192.168.1.169         f4-f5-e8-4d-f8-92     dynamic
  192.168.1.170         14-c1-4e-74-d4-85     dynamic
  192.168.1.202         f8-0d-60-2e-0c-50     dynamic
  192.168.1.233         04-5d-4b-b6-09-5e     dynamic
  192.168.1.234         54-53-ed-66-7b-32     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Static registration of ARP cache

The arp -s command allows you to statically register IP and MAC address information in the ARP cache. the format of the arp -s command is as follows: arp -s command is executed with administrative privileges.

Static registration of ARP cache

C:\>arp -s <ip-address> <mac-address>

<ip-address> : IP address
<mac-address> : MAC address

The following is an example of registering the MAC address “00-00-00-01-02-03” with the IP address “192.168.1.200”.

C:\Windows\System32>arp -s 192.168.1.200 00-00-00-01-02-03

C:\Windows\System32>arp -a

-- omitted --

Interface: 192.168.1.215 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           28-bd-89-d3-42-1c     dynamic
  192.168.1.27          60-57-18-62-53-9a     dynamic
  192.168.1.33          f0-72-ea-15-1d-d0     dynamic
  192.168.1.34          48-d6-d5-71-11-7b     dynamic
  192.168.1.100         00-1f-33-eb-02-29     dynamic
  192.168.1.160         00-25-dc-58-6a-71     dynamic
  192.168.1.166         54-53-ed-78-ef-7a     dynamic
  192.168.1.168         0c-fe-45-f2-b3-10     dynamic
  192.168.1.169         f4-f5-e8-4d-f8-92     dynamic
  192.168.1.170         14-c1-4e-74-d4-85     dynamic
  192.168.1.200         00-00-00-01-02-03     static
  192.168.1.202         f8-0d-60-2e-0c-50     dynamic
  192.168.1.233         04-5d-4b-b6-09-5e     dynamic
  192.168.1.234         54-53-ed-66-7b-32     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Deletion of ARP cache

You can delete IP and MAC address entries in the ARP cache with the arp -d command. the format of the arp -d command is as follows: arp -d command is executed with administrative privileges.

Deletion of ARP cache

C:\>arp -d <ip-address>

<ip-address> : IP address of the ARP cache to be deleted. If the wildcard “*” is specified, all

The following is an example of deleting the ARP cache entry for IP address “192.168.1.200”.

C:\Windows\System32>arp -a

-- omitted --

Interface: 192.168.1.215 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           28-bd-89-d3-42-1c     dynamic
  192.168.1.27          60-57-18-62-53-9a     dynamic
  192.168.1.33          f0-72-ea-15-1d-d0     dynamic
  192.168.1.34          48-d6-d5-71-11-7b     dynamic
  192.168.1.100         00-1f-33-eb-02-29     dynamic
  192.168.1.160         00-25-dc-58-6a-71     dynamic
  192.168.1.166         54-53-ed-78-ef-7a     dynamic
  192.168.1.168         0c-fe-45-f2-b3-10     dynamic
  192.168.1.169         f4-f5-e8-4d-f8-92     dynamic
  192.168.1.170         14-c1-4e-74-d4-85     dynamic
  192.168.1.200         00-00-00-01-02-03     static
  192.168.1.202         f8-0d-60-2e-0c-50     dynamic
  192.168.1.233         04-5d-4b-b6-09-5e     dynamic
  192.168.1.234         54-53-ed-66-7b-32     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

C:\Windows\System32>arp -d 192.168.1.200

C:\Windows\System32>arp -a

-- omitted --

Interface: 192.168.1.215 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           28-bd-89-d3-42-1c     dynamic
  192.168.1.27          60-57-18-62-53-9a     dynamic
  192.168.1.33          f0-72-ea-15-1d-d0     dynamic
  192.168.1.34          48-d6-d5-71-11-7b     dynamic
  192.168.1.100         00-1f-33-eb-02-29     dynamic
  192.168.1.160         00-25-dc-58-6a-71     dynamic
  192.168.1.166         54-53-ed-78-ef-7a     dynamic
  192.168.1.168         0c-fe-45-f2-b3-10     dynamic
  192.168.1.169         f4-f5-e8-4d-f8-92     dynamic
  192.168.1.170         14-c1-4e-74-d4-85     dynamic
  192.168.1.202         f8-0d-60-2e-0c-50     dynamic
  192.168.1.233         04-5d-4b-b6-09-5e     dynamic
  192.168.1.234         54-53-ed-66-7b-32     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

What is the MAC address of the ARP frame?

ARP is used to obtain the destination MAC address when encapsulating IP packets with Ethernet. Then, what about the “destination MAC address of the ARP frame?” The MAC address of the ARP frame, i.e., ARP request and ARP reply, is specified as follows.

ARP Request
Dst MAC address : FF-FF-FF-FF-FF-FF(Broadcast)
Src MAC address : MAC address of the interface sending the ARP request

ARP Reply
Dst MAC address : ARP Request Source MAC Address
Src MAC address : MAC address of the interface sending ARP reply

There is no need to find the destination MAC address of an ARP request. The destination MAC address of the ARP request should be the broadcast MAC address “FF-FF-FF-FF-FF-FF-FF-FF”. The source MAC address is then the MAC address of the interface sending the ARP request.

An ARP reply is a response to an ARP request. Therefore, the destination MAC address of the ARP reply can simply be the source MAC address of the ARP request. The source MAC address is the MAC address of the interface sending the ARP reply.