Address Resolution Protocol (ARP) is a network protocol used to map an IP address to a physical machine (or MAC) address on a local area network (LAN). It is a crucial part of the Internet Protocol suite and operates at the Link Layer (Layer 2) of the OSI model.
How ARP works
- ARP Request: When a device wants to communicate with another device on the same network, it first checks its ARP cache to see if it has already mapped the IP address to a MAC address. If not, it broadcasts an ARP request packet to all devices on the network. This packet includes the IP address of the target device.
- ARP Reply: The device with the matching IP address receives the ARP request and responds with an ARP reply. This reply includes its MAC address.
- Updating ARP Cache: The requesting device receives the ARP reply and updates its ARP cache with the IP-to-MAC address mapping, allowing it to send data directly to the target device using its MAC address.
This process is essential for devices to communicate over a LAN because while IP addresses are used for logical addressing, MAC addresses are necessary for actual data transmission on the network.
Example
Consider a scenario where Device A wants to send data to Device B on the same network:
- Device A checks its ARP cache for Device B’s IP address.
- If the entry is not found, Device A broadcasts an ARP request.
- Device B receives the request and replies with its MAC address.
- Device A updates its ARP cache and proceeds to send data directly to Device B’s MAC address.
ARP Cache
Each device maintains an ARP cache, a table that stores mappings of IP addresses to MAC addresses. This cache reduces the need for frequent ARP requests, improving network efficiency.
Security Concerns
ARP is inherently insecure and vulnerable to attacks such as ARP spoofing or ARP poisoning, where an attacker sends fake ARP messages to link their MAC address with the IP address of another device. This can lead to various security issues, including man-in-the-middle attacks.
Syntax Examples
| View the contents of the local ARP cache table | ARP -a [ip_addr] [-N if_addr] |
| Add a static Arp entry for frequent accessed hosts | ARP -s ip_addr eth_addr [if_addr] |
| Delete an entry | ARP -d ip_addr [if_addr] |
Switches
| Switch | Explanation |
|---|---|
| -a | Display current ARP entries. May include more than one network interface. If ip_addr is specified, the IP and Physical addresses for only the specified computer are displayed. |
| -g | Same as -a. |
| -N if_addr | Display the ARP entries for the network interface specified by if_addr. |
| -d ip_addr | Delete the host specified by ip_addr. -d * will delete all hosts. |
| -s | Add the host and associates the Internet address ip_addr with the Physical address eth_addr. The Physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent. |
| eth_addr | Specifies a physical address. |
| if_addr | If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used. |
If two hosts on the same sub-net cannot ping each other successfully, try running ARP -a to list the addresses on each computer to see if they have the correct MAC addresses.
A host’s MAC address can be checked using IPCONFIG. If another host with a duplicate IP address exists on the network, the ARP cache may have had the MAC address for the other computer placed in it. ARP -d is used to delete an entry that may be incorrect.