What is ARP (Address Resolution Protocol)?

To send data packets in TCP/IP networks, a transmitter requires three pieces of address information about the target host: the subnet mask, the IP address and the MAC address (also called the hardware address or physical address). Network devices receive their netmask and IP address automatically and flexibly when they connect to a network. For this purpose, the connecting communication devices, such as routers or hubs, resort to the DHCP protocol. In local networks, the two entries can also be entered manually. The hardware address, however, is assigned by the manufacturer of the respective device and is linked to a specific IP address by means of the so-called Address Resolution Protocol (ARP).

ARP protocol definition

The Address Resolution Protocol was specified in RFC 826 in 1982 to accomplish the resolution of IPv4 addresses into MAC addresses. ARP is indispensable for the transmission of data in Ethernet networks for two reasons: on the one hand, the individual data frames (also called Ethernet frames) of an IP packet can only be sent to the desired destination hosts by means of the hardware address. However, the Internet Protocol cannot determine these physical addresses on its own. On the other hand, due to its limited length, the IPv4 protocol does not provide the option to store device addresses. ARP provides a solution with its own ARP caching mechanism. For the newer IPv6, the corresponding functions are taken over by the Neighbor Discovery Protocol (NDP).

When resolving the address via ARP, a distinction must always be made as to whether the target host’s IP address is located in the same local network or in another subnet. For that reason, before a MAC address is assigned to a specific address, the subnet mask is first inspected.

If the IP is located in the local network, the first step is to check whether there is already an entry for this in the ARP cache.

Note

The ARP cache is a tabular listing of the most frequently required MAC addresses, with the individual entries being generated either by the network protocol itself or manually. The former (also called dynamic entries) are given a time stamp, after which they are deleted from the cache again. The latter, static address entries remain until the device is switched off or restarted and the entire ARP cache is emptied.

If a physical counterpart is already assigned to the IP address, it can be used for addressing. If this is not the case, the sender sends an ARP request with the target IP to all hosts on the network. For this purpose, it uses the ARP broadcast address FF:FF:FF:FF:FF:FF as the receiver address. The individual stations compare the IP address specified in the request with their own and discard the request if there is no match. However, if a station recognises the address as its own, it responds with an ARP reply that contains its MAC address. Both sides can now add the MAC and IP address of their counterpart to the cache, which provides the basis for the data exchange.

If the target host is not in the same subnet, the sender addresses the default gateway (usually a router). The gateway is likewise addressed by a combination of MAC and IP address, which is why the Address Resolution Protocol is required here too. The gateway receives the data packet after the address resolution and then takes care of forwarding it to the target host. For this purpose, it first analyses the IP header to obtain the necessary information. Subsequently, it also uses ARP to resolve:

  • Either the physical address of the target computer directly, if it’s located in a neighbouring subnet
  • Or the hardware address of another gateway if the target computer is on a remote subnet and the packet path cannot be determined using the routing table

In the latter scenario, the process is repeated until the data packet reaches its destination or the TTL field (time to live) has the value 0 in the IP header. 
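The decision sequence described above (subnet mask check, cache lookup, broadcast request, gateway as next hop) can be followed in a short simulation. This is an added example, not code from the original page; the class and function names, the 60-second lifetime for dynamic entries and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
import time

class ArpCache:
    """IP -> MAC table: dynamic entries carry an expiry time, static ones do not."""
    def __init__(self, ttl=60.0, clock=time.monotonic):   # ttl value is an assumption
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def add(self, ip, mac, static=False):
        self.entries[ip] = (mac, None if static else self.clock() + self.ttl)

    def lookup(self, ip):
        mac, expires = self.entries.get(ip, (None, None))
        if mac is not None and expires is not None and self.clock() >= expires:
            del self.entries[ip]          # time stamp passed: drop the dynamic entry
            return None
        return mac

def resolve(interface, gateway, dst_ip, cache, broadcast):
    """Return (next_hop_ip, mac, how) for a packet addressed to dst_ip.

    interface is 'address/netmask'; broadcast(ip) stands in for sending an ARP
    request to FF:FF:FF:FF:FF:FF and returns the replying MAC or None.
    """
    local_net = ipaddress.ip_interface(interface).network   # subnet mask check
    next_hop = dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway
    mac = cache.lookup(next_hop)
    if mac is not None:
        return next_hop, mac, "cache"
    mac = broadcast(next_hop)
    if mac is None:
        return next_hop, None, "unresolved"
    cache.add(next_hop, mac)              # learned entries are dynamic
    return next_hop, mac, "arp-request"

# Constructed sample network: which station would answer for which IP.
SAMPLE_LAN = {"192.168.1.1": "00:11:22:33:44:01",    # default gateway
              "192.168.1.20": "00:11:22:33:44:20"}

if __name__ == "__main__":
    cache = ArpCache()
    for dst in ("192.168.1.20", "192.168.1.20", "10.0.0.5"):
        print(dst, resolve("192.168.1.10/255.255.255.0", "192.168.1.1",
                           dst, cache, SAMPLE_LAN.get))
```

The second lookup of the same destination is answered from the cache, and the remote destination resolves to the gateway's MAC address rather than the target's.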

Setting up ARP messages

The ARP protocol uses a simple message format to send requests and responses. Although it was originally intended for IPv4 and MAC addresses, its use with other network protocols is theoretically possible. This is why fields exist for the type and size of the hardware and protocol addresses. Consequently, the overall size of ARP packets can also differ. For example, in the standard case of ARP in IPv4 Ethernet networks, the packet has a length of 224 bits (28 bytes). The following illustration shows the components of one of these information packets:

The ARP header begins with a 16-bit field that specifies the type of the hardware address. For Ethernet devices, as in the packet above, this field has the value 1. The protocol type (also 16 bits long) follows; it identifies the protocol whose addresses ARP is to resolve. IPv4 addresses are characterised by the value 0x0800 (2048), which is also used in Ethernet frames as the value for the IPv4 protocol (EtherType). The next two fields provide information on the length of the two addresses (in bytes). MAC addresses have a size of 6 bytes (48 bits) and are therefore identified by the value 6. IP addresses are 4 bytes long (32 bits), which is why the default value is 4.

The next 16 bits (operation) are reserved for specifying the ARP message. Thus, 1 represents an ARP request, while 2 indicates that it is an ARP response. Finally, the packets contain the four relevant and previously declared addresses:

  • Sender’s MAC address: Contains the MAC address of the requesting computer in a request; in an ARP response, the destination’s physical address or the next gateway’s address is found at this point

  • Sender’s IP address: Contains the IP address of the requesting computer (ARP request) or of the destination or the next gateway (response)

  • Receiver’s MAC address: This field shows the MAC broadcast address FF:FF:FF:FF:FF:FF if the sender makes a request; in an ARP response, the hardware address of the requesting host is listed here

  • Receiver’s IP address: In a request, this field contains the IP address of the host whose MAC address is being searched for; in a response message, this contains the IP address of the requesting computer
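The field layout described above translates directly into a parser. The following is an added example, not code from the original page: it reads the two length fields to locate the four addresses, so it also handles address sizes other than the 6/4 of Ethernet and IPv4, and it rejects truncated input. The function names and the sample packet are constructed for illustration.

```python
import socket
import struct

OPERATIONS = {1: "request", 2: "reply"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(packet):
    """Parse one ARP message (the bytes that follow the Ethernet header)."""
    if len(packet) < 8:
        raise ValueError("shorter than the fixed 8-byte part of the header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", packet[:8])
    total = 8 + 2 * (hlen + plen)         # the address sizes decide the length
    if len(packet) < total:
        raise ValueError(f"truncated: fields announce {total} bytes, got {len(packet)}")
    parts, offset = [], 8
    for size in (hlen, plen, hlen, plen): # sender MAC/IP, then receiver MAC/IP
        parts.append(packet[offset:offset + size])
        offset += size
    msg = {"hardware_type": htype, "protocol_type": ptype, "length": total,
           "operation": OPERATIONS.get(oper, f"unknown({oper})")}
    names = ("sender_mac", "sender_ip", "target_mac", "target_ip")
    if (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4):   # Ethernet + IPv4
        decode = (mac_str, socket.inet_ntoa, mac_str, socket.inet_ntoa)
    else:                                 # other address families: keep raw hex
        decode = (bytes.hex,) * 4
    msg.update({n: d(p) for n, d, p in zip(names, decode, parts)})
    return msg

# Constructed sample: a request from 192.168.1.10 asking for 192.168.1.20, with
# the receiver MAC set to the broadcast value as in the field list above.
SAMPLE_REQUEST = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
                  + bytes.fromhex("00aa0062c609") + socket.inet_aton("192.168.1.10")
                  + bytes.fromhex("ffffffffffff") + socket.inet_aton("192.168.1.20"))

if __name__ == "__main__":
    print(parse_arp(SAMPLE_REQUEST))
    # Ethernet pads short frames; bytes after the announced length are ignored.
    print(parse_arp(SAMPLE_REQUEST + bytes(18))["length"])
```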

ARP configuration – how it works

As a standard protocol, the Address Resolution Protocol is supported across platforms and provides MAC address resolution in the background, whether on a Linux, Windows or macOS system. Additionally, there is a command line tool of the same name for the various operating systems, which allows you to display the ARP cache and to add or remove entries manually. For a complete overview of the possibilities, you can open the command prompt or the terminal and enter the command arp (Windows) or man arp (Linux).

If you want to look at the stored combinations of IP and MAC addresses, the command arp -a works across platforms. It lists the address pairs for all network interfaces that use ARP. In addition, you also receive information about whether an entry has been created dynamically or manually. If you append a specific IP address to the command, the application will only provide you with information on that IP address.

If you want to add the address combination of a host yourself or remove it from the ARP tables, you need the -s and -d parameters. For example, if the physical address 00-aa-00-62-c6-09 is behind the IP address 157.55.85.212, create a corresponding static entry with the following command:

arp -s 157.55.85.212 00-aa-00-62-c6-09

This information is removed from the cache just as quickly if you apply the “delete” parameter to one of the stored addresses instead:

arp -d 157.55.85.212

Instead of a specific internet address, you can also use the placeholder * to denote all temporarily stored data.

What are the ARP protocol modifications?

Apart from the previously introduced standard function, there are a number of alternative uses for ARP messages. For example, a host can also use them to inform the other network members about its own MAC address. For this purpose, it sends an ARP request to the broadcast address and enters its own IP as both the source address and the recipient address. Since the host does this unprompted, this modification of the protocol is also called Gratuitous ARP (“Unsolicited ARP”). Such a self-initiated message of the physical address may occur, for example, in the following cases:

  1. Due to their IP addressing, GARP messages should in theory not produce any response, because a response would indicate that the IP address used by the sender is duplicated. If one of the hosts contacted by broadcast replies with a response message anyway, this points to an error on the part of the network administrator

  2. Gratuitous ARP allows all hosts to include the hardware address of the sender in their own cache. This is particularly advantageous when this address has changed, for example, because the network card has been exchanged. Therefore, the modified ARP messages are always sent when a computer boots up

  3. Servers that are configured as spares for the purpose of fail-protection often share an IP address. In order for data traffic to be redirected to the server that takes over, the latter must announce its MAC address to the other hosts. For this, GARP messages are an excellent option

  4. Mobile IP allows a mobile host to keep its own IP address even when it switches networks. To this end, a so-called home agent takes over the IP address of the mobile host when it’s removed from the home network. In order to draw attention to itself, the home agent sends a gratuitous ARP message. In the same way, the mobile host announces itself again when it is back on the home network
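The cases above can be told apart by watching which MAC address each IP is announced with. The following monitor is an added example, not code from the original page: it treats a request whose sender and receiver IP are equal as gratuitous (the definition used in this section), and reports whether a message is a first announcement, a refresh, a changed binding (cases 2 and 3) or a second station claiming the same IP (case 1). Message dictionaries, event names and the sample traffic are constructed for illustration.

```python
def is_gratuitous(msg):
    # Definition used on this page: a request whose sender IP is also the
    # receiver IP. Announcements sent as replies are not modelled here.
    return msg["operation"] == "request" and msg["sender_ip"] == msg["target_ip"]

class BindingMonitor:
    """Tracks the IP -> MAC pairs stations announce and reports what changed."""
    def __init__(self):
        self.bindings = {}

    def observe(self, msg):
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        known = self.bindings.get(ip)
        if is_gratuitous(msg):
            self.bindings[ip] = mac       # hosts update their cache on GARP
            if known is None:
                return "announce"         # e.g. a computer booting up
            # Same MAC: periodic refresh. New MAC: network card exchanged or a
            # spare server taking over; worth checking against planned changes.
            return "refresh" if known == mac else "rebind"
        if known is not None and known != mac:
            return "conflict"             # another station still claims this IP
        self.bindings.setdefault(ip, mac)
        return "normal"

def arp(operation, sender_ip, sender_mac, target_ip):
    return {"operation": operation, "sender_ip": sender_ip,
            "sender_mac": sender_mac, "target_ip": target_ip}

# Constructed sample traffic for the shared address 192.168.1.50.
SAMPLE_TRAFFIC = [
    arp("request", "192.168.1.50", "00:11:22:33:44:aa", "192.168.1.50"),
    arp("request", "192.168.1.50", "00:11:22:33:44:aa", "192.168.1.50"),
    arp("request", "192.168.1.50", "00:11:22:33:44:bb", "192.168.1.50"),
    arp("reply",   "192.168.1.50", "00:11:22:33:44:aa", "192.168.1.50"),
    arp("request", "192.168.1.10", "00:11:22:33:44:cc", "192.168.1.50"),
]

def run(messages):
    monitor = BindingMonitor()
    return [(monitor.observe(m), m["sender_ip"], m["sender_mac"]) for m in messages]

if __name__ == "__main__":
    for event in run(SAMPLE_TRAFFIC):
        print(*event)
```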

A further modification is the Reverse Address Resolution Protocol (RARP), which basically inverts the function of ARP: it does not resolve IP addresses into MAC addresses, but rather MAC addresses into IP addresses. This makes it possible for devices on which the allocation or permanent storage of an address is not provided (e.g., workstations without a hard disk drive) to determine their own internet address.

The proxy ARP modification is also common; it enables routers to answer ARP requests on behalf of other hosts. This allows communication between two hosts from different subnets without the need for any changes to the devices’ network configurations. If an ARP request reaches a router with proxy ARP enabled, it responds instead of the actual target computer. It transmits its own MAC address, whereupon it also receives the sender’s data packets. Subsequently, the router forwards the data to the target host, using the ARP cache information.

Note

If ARP messages and the ARP cache are deliberately manipulated to gain unauthorised access to confidential data, it’s known as ARP spoofing. How this type of man-in-the-middle attack works and what security precautions should be taken can be found in our guide.