Sunday, 17 July 2016

ARP “Working, Example & QA”
=========================

Address Resolution Protocol (ARP) is one of the major protocols in the TCP/IP suite. Its purpose is to resolve an IPv4 address (32-bit logical address) to the physical address (48-bit MAC address).
Network applications at the Application Layer use IPv4 addresses to communicate with another device. But at the Datalink layer, the addressing is the MAC address (48-bit physical address), and this address is burned into the network card permanently. On Windows operating systems, you can view your network card's hardware address by typing the command "ipconfig /all" (without the double quotes) at the command prompt.
The purpose of ARP is to find out the MAC address of the device in your Local Area Network (LAN) that corresponds to the IPv4 address with which a network application is trying to communicate.






Address Resolution Protocol (ARP) Message Format

Following are the fields in the Address Resolution Protocol Message Format:

Hardware Type [2 bytes]: Specifies the type of hardware used for the local network transmitting the ARP message. Ethernet is the common Hardware Type and its value is 1.

Protocol Type [2 bytes]: Each protocol is assigned a number used in this field; IPv4 is 2048 (0x0800 in hexadecimal).

Hardware Address Length: The length in bytes of a hardware (MAC) address. Ethernet MAC addresses are 6 bytes long.

Protocol Address Length: The length in bytes of a logical address (IPv4 address). IPv4 addresses are 4 bytes long.

Opcode [Operation] [2 bytes]: Specifies the nature of the ARP message. The value is 1 for an ARP request and 2 for an ARP reply.

Sender Hardware Address [6 bytes]: Layer 2 [MAC] address of the device sending the message.

Sender IP Address [4 bytes]: The protocol address (IPv4 address) of the device sending the message.

Target Hardware Address [6 bytes]: Layer 2 [MAC] address of the intended receiver. This field is ignored in requests.

Target IP Address [4 bytes]: The protocol address (IPv4 Address) of the intended receiver.

Working:
=======
Step 1: When a source device wants to communicate with another device, it checks its ARP cache to find out whether it already has a resolved MAC address for the destination device. If present, it will use that MAC address for communication. To view your local ARP cache on Windows, open Command Prompt and type the command "arp -a".

Step 2: If the ARP resolution is not in the local cache, the source machine generates an ARP request message. It puts its own MAC address as the Sender Hardware Address and its own IPv4 address as the Sender Protocol Address. It fills in the destination IPv4 address as the Target Protocol Address. The Target Hardware Address is left blank, since that is what the machine is trying to find.

Step 3: The source broadcasts the Address Resolution Protocol (ARP) request message to the local network.

Step 4: The message is received by each device on the LAN since it is a broadcast. Each device compares the Target Protocol Address (IPv4 address of the machine with which the source is trying to communicate) with its own Protocol Address (IPv4 address). Devices whose address does not match drop the packet without any action.

Step 5: When the targeted device checks the Target Protocol Address, it finds a match and generates an Address Resolution Protocol (ARP) reply message. It takes the Sender Hardware Address and the Sender Protocol Address fields from the ARP request message and uses these values for the Target Hardware Address and Target Protocol Address of the reply message.

Step 6: The destination device updates its Address Resolution Protocol (ARP) cache, since it will need to contact the sender machine soon.

Step 7: The destination device sends the Address Resolution Protocol (ARP) reply message; it is NOT a broadcast, but a unicast.

Step 8: The source machine processes the Address Resolution Protocol (ARP) reply from the destination and stores the Sender Hardware Address as the layer 2 address of the destination.

Step 9: The source machine updates its Address Resolution Protocol (ARP) cache with the Sender Hardware Address and Sender Protocol Address it received in the ARP reply message.


ARP Explanation with Example
=========================
Let us take the topology below as an example.

  
Suppose I am sitting at 192.168.0.93 and I want to ping 192.168.0.109 to check the network connectivity.
NOTE: When issuing the ping command, we never specify the MAC Address of the destination device.
As we know, the ping command works using ICMP. ICMP is encapsulated inside an IP datagram, and the IP datagram is encapsulated within an Ethernet Frame. We need the Source IP Address (my IP Address, 192.168.0.93), the Destination IP Address (192.168.0.109), the Source MAC Address (my MAC Address, 00:00:00:00:00:33) and the Destination MAC Address to make the Ethernet Frame for the ICMP message. The Source IP Address, Destination IP Address and Source MAC Address are known at this instance, but the Destination MAC Address is unknown at this instance.
To assemble the Ethernet Frame, our device must have the Destination MAC Address corresponding to the IP Address 192.168.0.109, so we need to resolve it.

  

HERE IS EXACTLY WHAT IS DONE:
=============================
Step 1: Before resolving the Destination MAC Address corresponding to the IP Address 192.168.0.109 using ARP, the source device checks its ARP cache to find out whether it already has a resolved MAC Address for the destination device. We can view the ARP cache by using the command arp -a. Suppose that the ARP cache is empty.

Step 2: Computer [.93] needs to resolve the destination MAC address using ARP. It prepares an ARP Request message and sends it to the LAN Switch with FF:FF:FF:FF:FF:FF (Broadcast MAC Address) as the Destination MAC Address.


Step 3: Since the Destination MAC Address is FF:FF:FF:FF:FF:FF (Broadcast MAC Address), the LAN Switch will flood it to all the connected ports and every device in the LAN will get a copy of it.

If we capture the ARP request message with Wireshark, we see the values below.
Hardware Type: Ethernet (1)
Protocol Type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)    (means ARP Request)
Sender Mac-Address: 00:00:00:00:00:33
Sender IP Address: 192.168.0.93
Target Mac-Address: 00:00:00:00:00:00    (all zero)
Target IP Address: 192.168.0.109
We see from the above values that the frame's Destination MAC Address is FF:FF:FF:FF:FF:FF (Broadcast MAC Address) and the ARP opcode is 1 (for ARP Request). Inside the ARP message, the Sender IP Address is 192.168.0.93, the Target IP Address is 192.168.0.109, the Sender MAC Address is 00:00:00:00:00:33, and the Target MAC Address is 00:00:00:00:00:00 because it is unknown at this instance.

Step 4: The ARP Request message is received by each device on the LAN since it is a broadcast. Each device compares the Target Protocol Address (192.168.0.109) with its own IP Address. Devices whose address does not match drop the packet without any action.

Step 5: When the computer with the IP Address 192.168.0.109 receives the ARP Request, it must prepare an ARP Reply and send it back to the computer that sent the ARP Request. The ARP Reply will be a unicast, to save network resources.


If we capture the ARP reply message with Wireshark, we see the values below.
Hardware Type: Ethernet (1)
Protocol Type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)    (means ARP Reply)
Sender Mac-Address: 00:00:00:00:00:44
Sender IP Address: 192.168.0.109
Target Mac-Address: 00:00:00:00:00:33
Target IP Address: 192.168.0.93

Now both the computers can update their ARP cache, so that the MAC Address to IP Address mappings can be used for a future communication.
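The nine steps under "Working" and the walkthrough above can be replayed as a small simulation. This is an added example, not part of the original post; the Host and Lan classes and the bystander host 192.168.0.50 are constructed for illustration, and messages are plain dictionaries rather than real frames.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
UNKNOWN = "00:00:00:00:00:00"


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.cache = {}  # IPv4 address -> MAC address

    def receive(self, msg):
        """Steps 4-7: return a unicast reply, or None if the request is not for us."""
        if msg["op"] != 1 or msg["target_ip"] != self.ip:
            return None  # no match: drop without touching the cache
        self.cache[msg["sender_ip"]] = msg["sender_mac"]  # step 6
        return {"op": 2, "dst": msg["sender_mac"],
                "sender_mac": self.mac, "sender_ip": self.ip,
                "target_mac": msg["sender_mac"], "target_ip": msg["sender_ip"]}


class Lan:
    """One broadcast domain; keeps every frame sent so it can be inspected."""

    def __init__(self, hosts):
        self.hosts, self.frames = hosts, []

    def resolve(self, src, target_ip):
        if target_ip in src.cache:  # step 1: cache hit, nothing is sent
            return src.cache[target_ip]
        request = {"op": 1, "dst": BROADCAST,  # steps 2-3
                   "sender_mac": src.mac, "sender_ip": src.ip,
                   "target_mac": UNKNOWN, "target_ip": target_ip}
        self.frames.append(request)
        for host in self.hosts:  # the switch floods the broadcast
            reply = host.receive(request) if host is not src else None
            if reply is not None:
                self.frames.append(reply)
                src.cache[reply["sender_ip"]] = reply["sender_mac"]  # steps 8-9
                return reply["sender_mac"]
        return None  # no reply: the address stays unresolved


def demo():
    a = Host("192.168.0.93", "00:00:00:00:00:33")
    b = Host("192.168.0.109", "00:00:00:00:00:44")
    c = Host("192.168.0.50", "00:00:00:00:00:55")  # constructed bystander
    lan = Lan([a, c, b])
    first = lan.resolve(a, "192.168.0.109")
    second = lan.resolve(a, "192.168.0.109")  # answered from the cache
    return first, second, lan, (a, b, c)


if __name__ == "__main__":
    first, second, lan, hosts = demo()
    print(first, second, [f["dst"] for f in lan.frames], [h.cache for h in hosts])
```

Only two frames are recorded for the two lookups: the second lookup is served from the cache, and the bystander's cache stays empty.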

ARP - Q&A
=========

What is ARP?
Address Resolution Protocol (ARP) is a network protocol, which maps a network layer protocol address to a data link layer hardware address. For example, ARP is used to resolve IP address to the corresponding Ethernet address.

To which OSI layer does ARP belong?
ARP belongs to the OSI data link layer (Layer 2). ARP protocol is implemented by the network protocol driver. ARP packets are encapsulated by Ethernet headers and transmitted.

Which RFC specifies the requirements for ARP?
RFC 826 specifies the ARP packet format and other details.

What is the use of ARP?
A host in an Ethernet network can communicate with another host, only if it knows the Ethernet address (MAC address) of that host. The higher level protocols like IP use a different kind of addressing scheme (like IP address) from the lower level hardware addressing scheme like MAC address. ARP is used to get the Ethernet address of a host from its IP address. ARP is extensively used by all the hosts in an Ethernet network.

Why does an IP address need to be mapped to a MAC address? Why can't the MAC address itself be represented using the IP address?
The length of a MAC address is 6 bytes and the length of an IP address is 4 bytes. Obviously, the MAC address cannot be represented using the IP address. So an IP address must be mapped to the corresponding MAC address.

Can ARP be used in a network other than Ethernet?
ARP is a general protocol, which can be used in any type of broadcast network. The fields in the ARP packet specify the type of the MAC address and the type of the protocol address. ARP is used with most IEEE 802.x LAN media. In particular, it is also used with FDDI, Token Ring, and Fast Ethernet, in precisely the same way as it is with Ethernet.


How does ARP resolve an IP address to an Ethernet MAC address?
When ARP needs to resolve a given IP address to Ethernet address, it broadcasts an ARP request packet. The ARP request packet contains the source MAC address and the source IP address and the destination IP address. Each host in the local network receives this packet. The host with the specified destination IP address, sends an ARP reply packet to the originating host with its IP address.
For a detailed explanation, see the example above.

What is an ARP cache?
ARP maintains the mapping between IP address and MAC address in a table in memory called ARP cache. The entries in this table are dynamically added and removed.

When is an ARP request packet generated?
The following steps result in the generation of an ARP request packet:
The IP module sends a packet, destined for another host in the network, to the ARP module.
The ARP module looks up the ARP table (cache) to resolve the IP address.
If the supplied IP address is present in the ARP cache, it is resolved into its Ethernet address.
If the ARP module is not able to find an entry for this IP address in the ARP cache, then it sends an ARP request packet to the Ethernet driver, to resolve the IP address to the Ethernet address.
After the IP address is resolved by the ARP module, the packet is sent to the Ethernet driver for transmission.

What happens when a host receives an ARP request packet?
The ARP request is received and processed by all the hosts in the network, since it is a broadcast packet. The following steps are carried out when an ARP request packet is received by a host:
If the IP address to be resolved is for this host, then the ARP module sends an ARP reply packet with its Ethernet MAC address.
If the IP address to be resolved is for this host, then the ARP module updates its ARP cache with the source Ethernet MAC address to source IP address mapping present in the ARP request packet. If the entry is already present in the cache, it is overwritten. If it is not present, it is added.
If the IP address to be resolved is not for this host, then the ARP module discards the ARP request packet.



Will a host update its ARP cache upon receiving any ARP request?
A host will update its ARP cache, only if the ARP request is for its IP address. Otherwise, it will discard the ARP request.

What is the disadvantage if a host updates its ARP cache upon receiving any ARP request?
The host will exhaust the ARP cache with a lot of unused ARP entries, if it updates the ARP cache for any ARP request.

What happens when a host receives an ARP reply packet?
The ARP reply packet is received only by the host, which transmitted the ARP request packet. The ARP module adds the Ethernet hardware address to IP address mapping present in the ARP reply packet to the ARP cache.

Is there a separate packet format for ARP request and ARP reply?
No. Both the ARP request and ARP reply packets use the same format.

Which MAC address is an ARP request directed to?
All ARP request packets are transmitted with the Ethernet broadcast address, so that all hosts in the network will receive the request.

To which MAC address is an ARP reply packet directed to?
ARP reply packet is directed to the host, which transmitted the ARP request packet.

If a host is not able to get the MAC address of a host, how does it know about its IP address?
A host will either use a static file like /etc/hosts or DNS protocol to get the IP address of another host.

What will happen if an ARP reply is not received for an ARP request?
If an ARP reply is not received, then that IP address cannot be resolved to an Ethernet address. Without an Ethernet address, the packets cannot be transmitted.


When is an entry added to the ARP cache?
A new entry is added to the ARP cache when an IP address is successfully mapped to a MAC address. Usually, entries are added dynamically to the ARP cache. Static entries can also be added.

What will happen if a new ARP request packet is received, but the MAC address to IP address is already present in the ARP cache?
If an ARP request packet is received and the mapping already exists in the ARP cache, it will be overwritten with the values present in the request.

When is an entry removed from an ARP cache?
An entry in an ARP cache is removed after a pre-determined timeout period (e.g. 20 minutes).

What is the format of an ARP packet?
Please see above for the answer.

What is the size of an ARP request and reply packet?
The size of an ARP request or reply packet is 28 bytes.

How to differentiate between an ARP request packet and an ARP reply packet, as the Ethernet type field is the same on both packets?
An ARP request packet can be differentiated from an ARP reply packet using the 'operation' field in the ARP packet. For an ARP request it is 1 and for an ARP reply it is 2.

Why is the hardware MAC address present in both the Ethernet header and the ARP packet (request and reply)?
The Ethernet header is processed by the data link driver and removed from the packet. When the ARP layer gets the packet, it needs to know the hardware and protocol addresses in order to update the table. That is why the hardware MAC address is present in both the Ethernet header and the ARP packet.

What is proxy ARP?
Proxy ARP is the process in which one system responds to the ARP request for another system. For example, host A sends an ARP request to resolve the IP address of host B. Instead of Host B, Host C responds to this ARP request.

What is the use of proxy ARP?
When routers receive ARP requests from one network for hosts on the network, they will respond with an ARP reply packet with their MAC address. For example, let us say host A is in one network, host B is in another network and router C connects these two networks. When host A sends an ARP request to resolve the IP address of host B, router C receives this packet. Router C sends an ARP reply with its MAC address. So host A will send all the packets destined for host B to router C. Router C will then forward those packets to host B. Proxy ARP is also used if a host in a network is not able to understand subnet addressing. For example, host A and host B may actually be in two different subnets, but host A cannot understand subnet addressing, so host A assumes that host B is present in the same network. In this case a router, host C, can use proxy ARP to route packets between host A and host B.

What is gratuitous ARP?
When a host sends an ARP request to resolve its own IP address, it is called gratuitous ARP. In the ARP request packet, the source IP address and destination IP address are filled with the same source IP address itself. The destination MAC address is the Ethernet broadcast address (FF:FF:FF:FF:FF:FF).

What is the use of gratuitous ARP?
Gratuitous ARP is used for the following:
In a properly configured network, there will not be an ARP reply for a gratuitous ARP request. But if another host in the network is also configured with the same IP address as the source host, then the source host will get an ARP reply. In this way, a host can determine whether another host is also configured with its IP address.

When the network interface card in a system is changed, the MAC address to its IP address mapping is changed. In this case, when the host is rebooted, it will send an ARP request packet for its own IP address. As this is a broadcast packet, all the hosts in the network will receive and process this packet. They will update their old mapping in the ARP cache with this new mapping.
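Both uses of gratuitous ARP can be recognised by watching ARP traffic and tracking which MAC address each IP address is bound to. The sketch below is an added example, not part of the original post; the event names and the MAC addresses ending in 77 and 99 are constructed for illustration.

```python
REQUEST, REPLY = 1, 2


def is_gratuitous(msg):
    """Gratuitous ARP as defined above: a request for the sender's own IP."""
    return msg["op"] == REQUEST and msg["sender_ip"] == msg["target_ip"]


def watch(messages):
    """Track IP -> MAC bindings from observed ARP messages and report changes."""
    bindings, events = {}, []
    for index, msg in enumerate(messages):
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        known = bindings.get(ip)
        if known is None or known == mac:
            bindings[ip] = mac
            continue
        if msg["op"] == REPLY:
            # A different MAC answers for an address that is already claimed:
            # two hosts are configured with the same IP. Keep the earlier
            # binding so the conflict stays visible.
            events.append((index, "duplicate-ip", ip, known, mac))
            continue
        # A request carrying a new MAC overwrites the old mapping, as the
        # receiving hosts' caches would (for example after a NIC replacement).
        kind = "mac-changed-gratuitous" if is_gratuitous(msg) else "mac-changed"
        events.append((index, kind, ip, known, mac))
        bindings[ip] = mac
    return bindings, events


def arp(op, sender_mac, sender_ip, target_ip):
    return {"op": op, "sender_mac": sender_mac,
            "sender_ip": sender_ip, "target_ip": target_ip}


# Constructed capture, not real traffic.
SAMPLE = [
    arp(REQUEST, "00:00:00:00:00:33", "192.168.0.93", "192.168.0.109"),
    arp(REPLY, "00:00:00:00:00:44", "192.168.0.109", "192.168.0.93"),
    # .109 comes back with a new network card and announces itself.
    arp(REQUEST, "00:00:00:00:00:99", "192.168.0.109", "192.168.0.109"),
    # .93 asks for its own address ...
    arp(REQUEST, "00:00:00:00:00:33", "192.168.0.93", "192.168.0.93"),
    # ... and a second host configured with .93 answers.
    arp(REPLY, "00:00:00:00:00:77", "192.168.0.93", "192.168.0.93"),
]

if __name__ == "__main__":
    for event in watch(SAMPLE)[1]:
        print(event)
```

A binding change that does not match a known hardware change is the event an operator would want to look at first.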

Switches SW1, SW2 and SW3 are interconnected and STP is deployed on the switches. PC1 is on SW1, PC2 is on SW2 and PC3 is connected to SW3. All the PCs are on the same network address of 192.168.1.0/24. PC1 triggers ARP to find the MAC address of PC3. Will the ARP packet reach PC3?

All the PCs are on the same network address. The PCs are on 3 switches, which makes it one large Layer 2 broadcast domain. So an ARP request, which is a layer 2 broadcast, will be received on all the ports on all the switches and correspondingly by the PCs.

Check the below link also:
http://www.practicalnetworking.net/series/arp/traditional-arp/
