What is Address Resolution Protocol (ARP)?

By | 2005-11-01

Address Resolution Protocol (ARP) is a network protocol used to map an IP address to a physical machine (or MAC) address on a local area network (LAN). It is a crucial part of the Internet Protocol suite and operates at the Link Layer (Layer 2) of the OSI model.

How ARP works

  • ARP Request: When a device wants to communicate with another device on the same network, it first checks its ARP cache to see if it has already mapped the IP address to a MAC address. If not, it broadcasts an ARP request packet to all devices on the network. This packet includes the IP address of the target device.
  • ARP Reply: The device with the matching IP address receives the ARP request and responds with an ARP reply. This reply includes its MAC address.
  • Updating ARP Cache: The requesting device receives the ARP reply and updates its ARP cache with the IP-to-MAC address mapping, allowing it to send data directly to the target device using its MAC address.

This process is essential for devices to communicate over a LAN because while IP addresses are used for logical addressing, MAC addresses are necessary for actual data transmission on the network.

Example

Consider a scenario where Device A wants to send data to Device B on the same network:

  1. Device A checks its ARP cache for Device B’s IP address.
  2. If the entry is not found, Device A broadcasts an ARP request.
  3. Device B receives the request and replies with its MAC address.
  4. Device A updates its ARP cache and proceeds to send data directly to Device B’s MAC address.

ARP Cache

Each device maintains an ARP cache, a table that stores mappings of IP addresses to MAC addresses. This cache reduces the need for frequent ARP requests, improving network efficiency.

Security Concerns

ARP is inherently insecure and vulnerable to attacks such as ARP spoofing or ARP poisoning, where an attacker sends fake ARP messages to link their MAC address with the IP address of another device. This can lead to various security issues, including man-in-the-middle attacks.

Syntax Examples

  • View the contents of the local ARP cache table: ARP -a [ip_addr] [-N if_addr]
  • Add a static ARP entry for frequently accessed hosts: ARP -s ip_addr eth_addr [if_addr]
  • Delete an entry: ARP -d ip_addr [if_addr]

Switches

| Switch | Explanation |
|---|---|
| -a | Display current ARP entries. May include more than one network interface. If ip_addr is specified, the IP and Physical addresses for only the specified computer are displayed. |
| -g | Same as -a. |
| -N if_addr | Display the ARP entries for the network interface specified by if_addr. |
| -d ip_addr | Delete the host specified by ip_addr. -d * will delete all hosts. |
| -s | Adds the host and associates the Internet address ip_addr with the Physical address eth_addr. The Physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent. |
| eth_addr | Specifies a physical address. |
| if_addr | If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used. |

If two hosts on the same subnet cannot ping each other successfully, run ARP -a on each computer to list the cached addresses and check that they show the correct MAC addresses.

A host’s MAC address can be checked using IPCONFIG. If another host with a duplicate IP address exists on the network, the ARP cache may have had the MAC address for the other computer placed in it. ARP -d is used to delete an entry that may be incorrect.

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
