Arp protocol – Discover how ARP works in the real world

Saifudheen SidheeqLatest Posts, NetworkingLeave a Comment

What is Arp protocol

If you are new to networking you must have heard the term called ARP protocol – address resolution protocol many times.
You may be wondering or even confused. Well, what is the ARP protocol and how ARP works in the real world?

Before we talk about how arp works we need to know something called a mac address.

What is a MAC address?

MAC ( Media Access Control ) address is a 48-bits long burned in address on all the NIC (Network interface card) out there.
Every network device will have NIC and its Mac addresses. Be it a laptop, smartphone, iPad, routers and switches, etc. and it’s unique on all the devices.

MAC addresses are also known as hardware addresses or physical addresses and it also called Layer 2 addresses, meaning it works in the Data link layer of the OSI model.

You know that all the computers can communicate over the network via IP addresses but if you think about it, it’s not just an IP address, it also requires MAC address.

What is ARP protocol?

On an Ethernet network, devices need MAC address to communicate with each other, not just IP addresses.
ARP protocol is a network protocol that dynamically maps an IP address to a MAC address or physical address on the ethernet network segment.

Devices looking for MAC address sends an arp request, and the device with the right MAC address would respond to that with an arp reply.

And the hosts on the network would keep a record of its ARP table in its cache on the operating system.

How to see the ARP table

All the mac and IP mapping you can see them in the Arp table, each operating system uses it’s own commands to see the arp table.
First, let’s look at the Windows machine.

In windows, you can type arp -a to get the ARP table.

C:\Users\saifudhe>arp -a

Interface: 192.168.0.78 --- 0xc
  Internet Address      Physical Address      Type
  192.168.0.1           74-da-da-eb-45-af     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

C:\Users\saifudhe>

As you can see above, you have 192.168.0.1 which is my Dlink routers IP address and you could see its physical address ( MAC address ) associated with it and its learned via dynamic.
Along with other IP addresses, you can also see a static entry. But those static ARP entries are not added by me its added by windows Operating system.

The ARP entry can be static or dynamic, If you wanted to create static ARP entry in windows you can do that by entering the below command, you will have to map the MAC address to the IP address manually.

arp -s 1.2.3.4 aa-bb-cc-11-22-33

Now when I look into the ARP table again I can see that the new ARP entry is added.

adding static ARP in windows.

How do I delete the arp entry which we just added? you can simply type below command.

arp -d 1.2.3.4 

Manage ARP table in Linux.

Both windows and Linux managing the ARP table are similar, except few differences, so let’s look at how to manage the ARP table in Linux.

[[email protected] ~]# arp -a
 gateway (192.168.1.1) at 94:3f:c2:a0:84:65 [ether] on ens1
[[email protected] ~]#

We can only see the default gateway dynamic arp entry in this Linux box, if you wanted to add an entry you may do so by typing arp -s ‘S’ stands for static here.

[Solution] SIOCSARP: Network is unreachable

I tried to add static arp entry just like how I did it for windows, but I got an error in Redhat Linux.

[[email protected]]# arp -s 1.2.3.4 aa:bb:cc:11:22:33
 SIOCSARP: Network is unreachable

I tried with different subnet but same error

[[email protected]]# arp -s 10.1.1.1 aa:bb:cc:11:22:33
 SIOCSARP: Network is unreachable

Why are we getting this error?
In Linux, you can only add local subnets to the arp entries, unlike windows. Since we tried to use different subnet we got the error “SIOCSARP: Network is unreachable”
The reason we are not able to add different subnets cos any other subnets will send to the default gateway by default.

Let’s try to add static MAC for your local subnet, and see what happens, see below. we added four static ARP entries and it was successful.

[[email protected]]# arp -s 192.168.1.2 aa:bb:cc:11:22:33
[[email protected]]# arp -s 192.168.1.3 aa:bb:cc:11:22:33
[[email protected]]# arp -s 192.168.1.4 aa:bb:cc:11:22:34
[[email protected]]# arp -s 192.168.1.5 aa:bb:cc:11:22:35 

To verify this configuration you can do arp -a which will show you all the static arp entries that you have just added.

[[email protected]]# arp -a
 ? (192.168.1.4) at aa:bb:cc:11:22:34 [ether] PERM on ens1
 ? (192.168.1.3) at aa:bb:cc:11:22:33 [ether] PERM on ens1
 gateway (192.168.1.1) at 94:3f:c2:a0:84:65 [ether] on ens1
 ? (192.168.1.5) at aa:bb:cc:11:22:35 [ether] PERM on ens1
 ? (192.168.1.2) at aa:bb:cc:11:22:33 [ether] PERM on ens1

You can also change your default gateways Mac address.

arp -s 192.168.1.1 aa:bb:cc:11:22:33

Note: if you are making changes to default gateway MAC address you got to be a little careful while you are ssh into the device, as you will be disconnected and you will no longer able to access the device via ssh. Because we just broke the arp entry with the MAC which doesn’t exist in the network. make sure you have access to the CLI via VNC or some other remote applications while doing this change.

How you can delete this arp entry from the Linux?

Use can use the command below to delete the arp entry which I just added

arp -d 192.168.1.1
arp -d 192.168.1.2
arp -d 192.168.1.3
arp -d 192.168.1.4
arp -d 192.168.1.5

here d stands for delete

In my opinion, the best way to understand the arp process is by visualizing them.
Rather than just staring at the CLI screen and scratching your head thinking. Okay, they say it works this way and that must be it, without giving much of a thought.

How ARP works with the lab

let’s suppose we have two computers, PC-A and PC-E with IP address of 192.168.1.1 and 192.168.1.5 respectively.

When you try to ping PC-E from PC-A, it doesn’t send the ICMP (ping packet) packet right away, does it?
It doesn’t, because PC-A doesn’t have any clue about PC-E’s MAC address and its path. But how does PC-E can communicate with PC-E then, the answer to this question is ARP protocol – address resolution protocol.

ARP process Steps

Lets look into the ARP process steps.

In this example below.

PC-A trying ping PC-E. On the layer 2 broadcast domain, to start the communication among network hosts, it needs to know each devices MAC address

Step1. PC-A doesn’t know the MAC address of PC-E, hence PC-A sends
ARP broadcast to find PC-E MAC address, In the frame, it asks, who has the IP address of 192.168.1.5 share its MAC address.
This broadcast frame sends to all the interfaces on the switch where all the PC’s are connected.

ARP request broadcast

Step2. All network hosts connected to the switch will drop the broadcast as that ARP broadcast doesn’t belong to them except PC-E

ARP broadcast

Step3. PC-E acknowledges broadcast and reply saying that hey! 192.168.1.5 belongs to me and here is my mac address which is “eee.eee.eee.eee” and this time ARP reply would be unicast not broadcast as PC-E already knew about the PC-A’s mac address (source MAC) during the initial ARP request

ARP reply unicast

ARP in Wireshark using GNS3

let’s simplify this whole Arp process using Wireshark, by step by step in a gns3 lab with Wireshark and by the end of this article you will have a pretty good idea on what is arp and how it works.

Here I am using two Routers to simulate computers, I will show you how.

In gns3 add two routers and one switch and connect both as below. I also changed the router symbol to a computer by right-clicking on the gns3.

ARP diagram in gns3

We can console into the PC by double-clicking on the computer icon and make changes on both routers as below to make router to act as a computer. also, configure the IP address on both sides.

Computer A

  Router#conf terminal
  Router(config)#hostname Computer-A
  Computer-A(config)#no ip routing #it disables the routing capabilities of the router
  Computer-A(config)#int gigabitEthernet 0/0​
  Computer-A(config-if)#ip add 192.168.1.1 255.255.255.0​
  Computer-A(config)#exit
  Computer-A#

Computer B

  Router#conf terminal
  Router(config)#hostname Computer-B
  Computer-B(config)#no ip routing
  Computer-B(config)#int gigabitEthernet 0/0
  Computer-A(config-if)#ip add 192.168.1.2 255.255.255.0
  Computer-B(config)#exit
  Computer-B#

Let’s start the packet capture by clicking on Start Capture, this will start the Wireshark packet capture on this network in the background. Also, click on the start of the capture visualization program.

ARP process using wireshark

Wireshark just got opened and we do see multiple traffic, but our focus is mainly to see and analyze the ARP traffic.

wireshark capture for ARP

How to filter ARP traffic in Wireshark.

To see specifically arp protocol traffic in Wireshark, you can put the filter by typing ‘arp’ in lower case in the Wireshark filter box to see the ARP traffic. We don’t see anything at the moment for the Arp process in Wireshark. Let’s generate some traffic using PING (ICMP)

How to filter ARP traffic in Wireshark

ARP process in action with ICMP

The best way to simulate the ARP process in the network is by generating some traffic, let’s send some ICMP packet. Before you do that make sure to check the arp table to see it’s empty for the address 192.168.1.2 or not.
I don’t see any arp entry at the moment. I can only see the arp entry for its local interface which is expected behavior.

 Computer A#show ip arp
 Protocol Address Age (min) Hardware Addr Type Interface
 Internet 192.168.1.1 - ca01.7d7e.0000 ARPA GigabitEthernet0/0
Computer-A#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0            192.168.1.1     YES manual up                    up

if there is something you may have to clear the arp cache and start this step again. You can clear the arp entry in cisco router by typing, clear ip arp and the IP address

Let’s do a ping from computer B to Computer A

 Computer-A#ping 192.168.1.2
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
  .!!!!
 Success rate is 80 percent (4/5), round-trip min/avg/max = 16/19/24 ms
 Computer-B#

We can see the first ICMP packet failed and at the same time in the Wireshark, we got some ARP packets as well.

ARP broadcast

let’s break it down and see what just happened here.

Let me change the time column to hostname to make more sense.

ARP request and reply
 I differentiated these machines with its mac address only to understand this process better for this lab, , Mac address ca01.7d7e.0000 belongs to Compute-A and the mac address  ca02.7d8c.0000 belongs to Computer-B.  But eventually, we are trying to get the mac address of computer B, which won't be the case for the real network. In the real network, we will not know about the Computer-B mac address.

Step.1 ARP Broadcast request

1. On the first Frame, Computer-A sends an ARP broadcast request message to its Ethernet segment with the destination mac address ff:ff:ff:ff:ff:ff which is broadcast MAC address, looking for the assigned MAC address of Computer B.

ARP broadcast

2.As you can see Target MAC address which is nothing but the destination mac address shown as 00:00:00:00:00: 00, which means this frame doesn’t have the destination MAC hence put this value. As we already know the destination IP you could see the Target IP address as 192.168.1.2.

3. In the Frame you can also see the Type as ARP, in the end, it has written in Hexadecimal format 0x0806 indicates its an ARP type.

4. On the top right corner, you will be able to see info in Wireshark which basically translates in a human-readable format, who has 192.168.1.2? Tell 192.168.1.1

Step2. ARP reply

On the second Frame, only Computer-B in the ethernet segment sends ARP reply to the arp broadcast message saying that, hey the IP address 192.168.1.2 belong to the mac address ca02.7d8c.0000

ARP reply

Is ARP reply unicast or Broadcast?

You can see from the Wireshark packet capture output that, we already have the source and destination mac addresses, which means Arp reply is unicast, not Broadcast.

Down below you could see MAC and IP association.

Let’s look at Computer-A arp table and see what it has got. You can see that by typing show IP arp in Computer-A, it shows the Computer-B IP address 192.168.1.2 and its associated mac address has been learned by Computer-A

 Computer-A #show ip arp
 Protocol Address Age (min) Hardware Addr Type Interface
 Internet 192.168.1.1 - ca01.7d7e.0000 ARPA GigabitEthernet0/0
 Internet 192.168.1.2 48 ca02.7d8c.0000 ARPA GigabitEthernet0/0

Once the Computer-A identified B’s mac address and the path to get there, then Computer-A will start sending ping messages.

Did you notice something called Age (min)in the ARP table, every arp entry will have its AGE, once the Age time timed out the Arp entry will be removed from its table. you can alter this Age time in the cisco router by entering the command arp timeout on the interface level.

Router(config-if)#arp tim
Router(config-if)#arp timeout ?
  <0-2147483>  Seconds

Router(config-if)#arp timeout

How come the first ping failed.

Now you might have other question in your mind. Alright, I know how does the arp work now, but when we tried to do the ping how come it failed at first. ?

Computer-A#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/12/20 ms
Computer-A#

Its because during the first ping, the source host didn’t know how to get to the destination host and it was busy with ARP process, hence the first ping failed, by the time the second ping initiated the source host already knew about the destination mac-address and it was successful from then on.

Post arp process you would never see any packet drops unless if there is any network issues.