Address Resolution Protocol

The most fundamental protocol in modern networks

When a device wants to send a message to another device on a network, it needs both the IP address and the MAC address of the destination in order to construct a proper packet. In general, network devices (hosts) know a large number of IP addresses for various hosts (printers, web servers, mobiles, IoT devices), but not their corresponding MAC addresses.

The host must know the MAC addresses of the other network nodes, which it can learn by using the Address Resolution Protocol (ARP). ARP allows a device to associate a MAC address with a network IP address. Almost every device on a network keeps a record of the MAC addresses associated with other devices.

As a result, when one host needs to interact with another, it will broadcast a message to the entire network, searching for the specified device. It uses ARP to obtain a device's MAC address for this purpose.

How Does It Work?

Devices connected to a network are typically capable of storing information about resolved addresses, which is referred to as a cache. The cache reduces the frequency of address resolution requests; hosts typically cache resolved addresses for a limited period of time (usually referred to as the TTL).

ARP Request and ARP Reply are two types of messages used by the ARP protocol to map the IP address and MAC address.

An Example

  1. D1 wants to know the MAC address of D2. It creates an ARP request and sends it to the broadcast address: FF:FF:FF:FF:FF:FF. The ARP request includes D2's IP address, 192.168.0.54.

    [Figure: ARP communication, step 1. Source: Author's own]

  2. Because the message was sent to the broadcast address, FF:FF:FF:FF:FF:FF, the switch (S) forwards the ARP packet out of all of its ports, which means the request will be sent to every device on the network (D2, D3, D4).

    [Figure: ARP communication, step 2. Source: Author's own]

  3. D2 tells D1 its MAC address in an ARP reply. D3 and D4 ignore the message.

    [Figure: ARP communication, step 3. Source: Author's own]

  4. At the end of the process, the switch transmits the reply to D1.

    [Figure: ARP communication, step 4. Source: Author's own]

If more traffic follows, D1 does not need to generate a new ARP request, because the IP-MAC pair is preserved in its ARP cache.

ARP Header

As an example, when you capture the exchange with the Wireshark protocol analyzer, the ARP request and response will look like this:

Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: 3F:62:28:5B:F0:0C
    Sender IP address: 192.168.0.50
    Target MAC address: 00:00:00:00:00:00
    Target IP address: 192.168.0.54

Because the Target MAC address is currently unknown, the field is filled with zeroes.

Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: CB:29:60:16:53:17
    Sender IP address: 192.168.0.54
    Target MAC address: 3F:62:28:5B:F0:0C
    Target IP address: 192.168.0.50

You can learn more about the ARP header structure by following this link to the corresponding page on the wiki.
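The same request and reply at the byte level, as an added example that is not part of the original article: it packs the 28-byte ARP payload, decodes it back into the fields Wireshark displays, and checks that the reply answers the request. The function names (build_arp, parse_arp, answers) are hypothetical, and the packets are constructed from the addresses in the captures above.

```python
import socket
import struct

# RFC 826 payload for Ethernet/IPv4, 28 bytes in network byte order:
# htype(2) ptype(2) hlen(1) plen(1) opcode(2) sha(6) spa(4) tha(6) tpa(4)
ARP_FMT = "!HHBBH6s4s6s4s"
OPCODES = {1: "request", 2: "reply"}

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def bytes_to_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an Ethernet/IPv4 ARP payload (the Ethernet frame header is not included)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_to_bytes(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    """Decode an ARP payload into the fields shown in the captures."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    fields = struct.unpack(ARP_FMT, payload[:28])
    if fields[:4] != (1, 0x0800, 6, 4):  # htype, ptype, hlen, plen
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    op, sha, spa, tha, tpa = fields[4:]
    return {"opcode": OPCODES.get(op, f"unknown ({op})"),
            "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa)}

def answers(request, reply):
    """True if `reply` is the reply the sender of `request` is waiting for."""
    return (request["opcode"] == "request" and reply["opcode"] == "reply"
            and reply["sender_ip"] == request["target_ip"]
            and reply["target_mac"] == request["sender_mac"]
            and reply["target_ip"] == request["sender_ip"])

# Constructed sample packets: D1's request and D2's reply from the example.
REQUEST = build_arp(1, "3F:62:28:5B:F0:0C", "192.168.0.50",
                    "00:00:00:00:00:00", "192.168.0.54")
REPLY = build_arp(2, "CB:29:60:16:53:17", "192.168.0.54",
                  "3F:62:28:5B:F0:0C", "192.168.0.50")

if __name__ == "__main__":
    req, rep = parse_arp(REQUEST), parse_arp(REPLY)
    print(req, rep, answers(req, rep), sep="\n")
```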

How to Check ARP Cache?

The following commands will display information about your host machine's ARP cache:

  • Linux/macOS: ip neighbour (Linux) or arp -a
  • Windows 10/11: arp -a

Where can I learn more about this topic?