ARP  – Address Resolution Protocol

ARP is used to find the MAC address of the next device to which the packet should be sent.

When a device creates a packet, in the Ethernet header we need two MAC addresses – source MAC and destination MAC.
The source MAC will always be available because it’s the device’s own address. The destination MAC will not be available in many cases, and this is where ARP comes into the picture.

When the MAC address of the destination is not known, the device sends an ARP request with the target IP address. This request is sent to everyone on that network (broadcast). The device that owns that IP address replies with an ARP response containing its MAC address. Once this MAC address is known, it can be used in the Ethernet header for sending data.

---

ARP process when the source and destination are in the same network

In the figure, PC1 (1.1.1.1/24) and PC2 (1.1.1.2/24) are connected to the same switch on the left side of the router, with their gateway as 1.1.1.3.

If PC1 needs to send a packet to PC2, it will first check its ARP table to see if it already knows PC2’s MAC address. If the MAC is not known, PC1 will send an ARP request as a broadcast on its network asking, “Who has 1.1.1.2? Tell me your MAC address.”

Only PC2 will respond with its MAC address. Once PC1 gets this MAC, it will send the packet directly to PC2 through the switch, without involving the router.

ARP process when the source and destination are in different networks

Now, consider PC1 (1.1.1.1/24) sending a packet to PC3 (2.2.2.1/24) on the other side of the router.

Since the destination network (2.2.2.0/24) is different, PC1 cannot send the packet directly to PC3. Instead, it must send it to its gateway, which is the router interface at 1.1.1.3.

If PC1 does not already know the MAC address of 1.1.1.3, it will send an ARP request asking, “Who has 1.1.1.3? Tell me your MAC address.” The router responds with its MAC address for that interface.

PC1 then sends the data packet to the router’s MAC. The router receives the packet, checks its routing table, and forwards it to the correct network – in this case, towards PC3 on the 2.2.2.0/24 side.

---

Points to note about ARP

• ARP requests are normally broadcast but it can be send as unicast in ARP refreshments.
• ARP replies are unicast – sent directly to the requester’s MAC address.
• Devices store learned IP-to-MAC mappings in the ARP table (or ARP cache) to avoid sending ARP requests repeatedly for the same IP.
• ARP works only within a broadcast domain. If the destination is in another broadcast domain, the request will not reach it – the gateway is used instead.

Other Types of ARP

There are different variations of ARP used in networks. The normal ARP process we discussed earlier is the most common, but there are other types used for specific purposes.

Other types of ARP are:

• Gratuitous ARP
• Reverse ARP (RARP)
• Inverse ARP (InARP)
• Proxy ARP

---

Gratuitous ARP

Gratuitous ARP is mainly used to check if an IP address is already in use on the network.

In this process, a device sends an ARP request with its own IP address as the target IP. In other words, the device is asking, “Who has my IP address?”

• Normally there will be no reply, since no other device should have that IP.
• If there is a duplicate IP on the network, the other device will respond – indicating an IP conflict.

This is usually done when:

• A device is first connected to the network.
• A new IP address is assigned to the device.

Some devices also use Gratuitous ARP to refresh ARP tables in other devices or to update switches and routers after a MAC address change.

---

Reverse ARP (RARP)

Reverse ARP is used when a device needs to learn its IP address automatically.

• The device sends an RARP request (broadcast) with its MAC address.
• A RARP server responds with the IP address mapped to that MAC address.

The RARP server must have a table that contains the MAC addresses of clients and the IP addresses assigned to them.

RARP is no longer used in modern networks because DHCP can do much more – providing IP, subnet mask, gateway, DNS server, and other configuration details. RARP can only provide an IP address, so it has been replaced by DHCP in almost all environments.

---

Inverse ARP (InARP)

Inverse ARP is used to find the IP address of a neighbor when you already know the Layer 2 identifier.

It is mostly used in Frame Relay networks, where you can learn the IP address of the remote device using the DLCI (Data Link Connection Identifier) assigned to the virtual circuit.

---

Proxy ARP

Proxy ARP is when one device answers an ARP request on behalf of another device.

A common use case is when two devices belong to the same IP network but are separated by a router. The router responds to ARP requests for the remote device using its own MAC address. The sending device will then forward the packet to the router, which in turn sends it to the actual destination.

Proxy ARP can sometimes cause confusion in network design if not used carefully, because it can make devices think they are on the same Layer 2 segment when they are not.

---

ARP Header Structure

An ARP header contains the following fields:

• Hardware Type – Identifies the type of hardware used. For Ethernet this value is 1.
• Protocol Type – The protocol for which we are resolving the address. For IPv4 this value is 0x0800.
• Hardware Size – Size of the hardware address in bytes. For Ethernet MAC addresses this is 6.
• Protocol Size – Size of the protocol address in bytes. For IPv4 this is 4.
• Opcode – Tells whether the packet is a request (1) or a reply (2).
• Sender MAC Address – MAC address of the device sending the ARP packet.
• Sender IP Address – IP address of the device sending the ARP packet.
• Target MAC Address – MAC address of the target (will be all zeros in an ARP request).
• Target IP Address – IP address of the device we are trying to find.

In a normal ARP request, the sender MAC/IP will be filled in and the target MAC will be all zeros because it is not known yet. The target IP will have the IP address we are looking for.

---

Viewing ARP Table

When a device learns the MAC address for an IP using ARP, it stores the result in its ARP table (or ARP cache).

• On Windows: arp -a
• On Linux: arp -n or ip neigh

Example output (Linux):

$ ip neigh

192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE

192.168.1.10 dev eth0 lladdr 00:11:22:33:44:66 STALE

Here, REACHABLE means the entry is active and can be used. STALE means the entry hasn’t been used recently and may need to be refreshed.

---

Static ARP Entries

It is possible to add manual (static) entries to the ARP table so that the MAC address is always fixed for a particular IP.

• On Windows:
• arp -s 192.168.1.100 00-aa-bb-cc-dd-ee
• On Linux:
• ip neigh add 192.168.1.100 lladdr 00:aa:bb:cc:dd:ee dev eth0

Static entries are not removed until you delete them manually. They are useful in cases where the MAC address of a device is fixed and you want to avoid ARP broadcasts or prevent spoofing.

---

ARP Cache Timeout

Dynamic ARP entries are removed from the cache after a certain time if not used. The timeout varies depending on the operating system. When the entry is removed, the next packet to that IP will trigger a new ARP request.

---

ARP Security Concerns

Because ARP has no authentication, it is possible for an attacker to send fake ARP replies (ARP spoofing or ARP poisoning) and make devices send traffic to the wrong MAC address.
To protect against this, networks can use features like Dynamic ARP Inspection (DAI) on switches.