Skip to Content

How does the Address Resolution Protocol ARP work?

How does the Address Resolution Protocol ARP work?

If you are new to networking you must have heard the term called ARP protocol – address resolution protocol many times.
You may be wondering or even confused. Well, what is the ARP protocol and how ARP works in the real world?

Before we talk about how arp works we need to know something called a mac address first.

What does MAC address mean?

MAC ( Media Access Control ) address is a 48-bits long burned in address on all the NIC (Network interface card) out there.
Every network device will have NIC and its Mac addresses. Be it a laptop, smartphone, iPad, routers and switches, etc. and it’s unique on all the devices.

MAC addresses are also known as hardware addresses or physical addresses and it also called Layer 2 addresses, meaning it works in the Data link layer of the OSI model.

You may already know that all the computers can communicate over the network via IP addresses but if you think about it, it’s not just an IP address, it also requires a MAC address.

What is ARP used for in networking?

We identified that on an Ethernet network, devices need MAC addresses to communicate with each other, not just IP addresses.
ARP protocol is a network protocol that dynamically maps an IP address to a MAC address or physical address on the ethernet network segment.

Devices looking for MAC address sends an arp request, and the device with the right MAC address would respond to that with an arp reply.

And the hosts on the network would keep a record of its IP addresses and MAC addresses in its ARP table/ARP cache on the operating system so that it doesn’t need to go through the same arp process again

How do I see the ARP table?

All the mac and IP mapping you can see them in the Arp table, each operating system uses it’s own commands to see the arp table.
First, let’s look at the Windows machine.

In windows, you can type arp -a to get the ARP table.

C:\Users\saifudhe>arp -a
Interface: 192.168.0.78 --- 0xc
  Internet Address      Physical Address      Type
  192.168.0.1           74-da-da-eb-45-af     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
C:\Users\saifudhe>

As you can see above, you have 192.168.0.1 which is my Dlink router’s IP address and you could see its physical address ( MAC address ) associated with it and its learned via dynamic.
Along with other IP addresses, you can also see a static entry. But those static ARP entries are not added by me its added by the windows Operating system.

How do I create a static ARP entry in Windows 10?

The ARP entry can be static or dynamic, If you wanted to create a static ARP entry in windows you can do so by entering the below command, you will have to map the MAC address to the IP address manually.

arp -s 1.2.3.4 aa-bb-cc-11-22-33

Now when I look into the ARP table again I can see that the new ARP entry is added.

add static arp entry windows cmd

Remove static arp entry windows

How do I delete the arp entry which we just added? you can simply type below command.

arp -d 1.2.3.4 

In linux you can type arp -a

Both windows and Linux manage the ARP table similar way, except a few differences, so let’s look at how to manage the ARP table in Linux.

[root@getlabsdone ~]# arp -a
 gateway (192.168.1.1) at 94:3f:c2:a0:84:65 [ether] on ens1
[root@getlabsdone ~]#

We can only see the default gateway dynamic arp entry in this Linux box.

How to Add static ARP entry Linux?

Similar to how we added the static arp entry in windows, you can do the same thing in Linux as well. If you wanted to add an entry you may do so by typing arp -s
‘S’ stands for static here.

[Solution] SIOCSARP: Network is unreachable

I tried to add static arp entry just like how I did it for windows, but I got an error in Redhat Linux.

[root@getlabsdone]# arp -s 1.2.3.4 aa:bb:cc:11:22:33
 SIOCSARP: Network is unreachable

I tried with different subnet but same error

[root@getlabsdone]# arp -s 10.1.1.1 aa:bb:cc:11:22:33
 SIOCSARP: Network is unreachable
Why are we getting an error when adding the static arp in Linux?

Unlike Windows, In Linux, you can only add local subnets to the arp entries. Since we tried to use a different subnet we got the error “SIOCSARP: Network is unreachable”
The reason we are not able to add different subnets because any other subnets will send to the default gateway by default.

Let’s try to add static MAC for your local subnet, and see what happens, see below. we added four static ARP entries and it was successful.

[root@getlabsdone]# arp -s 192.168.1.2 aa:bb:cc:11:22:33
[root@getlabsdone]# arp -s 192.168.1.3 aa:bb:cc:11:22:33
[root@getlabsdone]# arp -s 192.168.1.4 aa:bb:cc:11:22:34
[root@getlabsdone]# arp -s 192.168.1.5 aa:bb:cc:11:22:35 

To verify this configuration you can do arp -a which will show you all the static arp entries that you have just added.

[root@getlabsdone]# arp -a
 ? (192.168.1.4) at aa:bb:cc:11:22:34 [ether] PERM on ens1
 ? (192.168.1.3) at aa:bb:cc:11:22:33 [ether] PERM on ens1
 gateway (192.168.1.1) at 94:3f:c2:a0:84:65 [ether] on ens1
 ? (192.168.1.5) at aa:bb:cc:11:22:35 [ether] PERM on ens1
 ? (192.168.1.2) at aa:bb:cc:11:22:33 [ether] PERM on ens1

You can also change your default gateways Mac address.

arp -s 192.168.1.1 aa:bb:cc:11:22:33

Note: if you are making changes to the default gateway MAC address you got to be a little careful while you are connected to the device remotely. Altering the default gateway mac address while you are in the same network will break the network connectivity.

How to clear ARP cache in Linux?

Use can use the command below to delete the arp entry which I just added

arp -d 192.168.1.1
arp -d 192.168.1.2
arp -d 192.168.1.3
arp -d 192.168.1.4
arp -d 192.168.1.5

here ‘d’ stands for delete

In my opinion, the best way to understand the arp process is by visualizing them.
Rather than just staring at the CLI screen and scratching your head thinking. Okay, they say it works this way and that must be it, without giving much of a thought.

What is ARP process?

let’s suppose we have two computers, PC-A and PC-E with IP address of 192.168.1.1 and 192.168.1.5 respectively.

When you try to ping PC-E from PC-A, it doesn’t send the ICMP (ping packet) packet right away, does it?
It doesn’t, because PC-A doesn’t have any clue about PC-E’s MAC address and its path. But how does PC-E can communicate with PC-E then, the answer to this question is ARP protocol – address resolution protocol.

Lets look into the ARP process steps.

In this example below.

PC-A trying ping PC-E. On the layer 2 broadcast domain, to start the communication among network hosts, it needs to know each devices MAC address

Step 1. ARP request Broadcast.

PC-A doesn’t know the MAC address of PC-E, hence PC-A sends ARP broadcast to find PC-E MAC address. In the frame, it asks, who has the IP address of 192.168.1.5 share its MAC address.
This ARP request broadcast frame sends to all the interfaces on the switch where all the PCs are connected except the PA-A interface.

ARP request broadcast

Step 2. Discard the ARP request.

All network hosts connected to the switch will drop the broadcast as that ARP broadcast doesn’t belong to them except PC-E

ARP broadcast

Step3. ARP Reply Unicast.

PC-E acknowledges the broadcast and reply saying that

Hey! 192.168.1.5 belongs to me and here is my mac address which is “eee.eee.eee.eee” and this time ARP reply would be unicast not broadcast as PC-E already knew about the PC-A’s mac address (source MAC) during the initial ARP request

ARP reply unicast

What is ARP protocol in Wireshark?

let’s simplify this whole Arp process using Wireshark, by the end of this article you will have a pretty good idea of what is arp protocol.

Here I am using two Routers to simulate computers, I will show you how.

Note: I am using a GNS3 to virtualize the environment.

In gns3 add two routers and one switch and connect both as below. I also changed the router symbol to a computer by right-clicking on the gns3.

ARP diagram in gns3

We can console into the PC by double-clicking on the computer icon and make changes on both routers as below to make the router act as a computer. also, configure the IP address on both sides.

Computer A

  Router#conf terminal
  Router(config)#hostname Computer-A
  Computer-A(config)#no ip routing #it disables the routing capabilities of the router
  Computer-A(config)#int gigabitEthernet 0/0​
  Computer-A(config-if)#ip add 192.168.1.1 255.255.255.0​
  Computer-A(config)#exit
  Computer-A#

Computer B

  Router#conf terminal
  Router(config)#hostname Computer-B
  Computer-B(config)#no ip routing
  Computer-B(config)#int gigabitEthernet 0/0
  Computer-A(config-if)#ip add 192.168.1.2 255.255.255.0
  Computer-B(config)#exit
  Computer-B#

Capture the Wireshark Capture.

Let’s start the packet capture by clicking on Start Capture, this will start the Wireshark packet capture on this network in the background. Also, click on the start of the capture visualization program.

ARP process using wireshark

Wireshark just got opened and we do see multiple traffic, but our focus is mainly to see and analyze the ARP traffic.

wireshark capture for ARP

How to filter ARP traffic in Wireshark?

To see specifically arp protocol traffic in Wireshark, you can put the filter by typing ‘arp’ in lower case in the Wireshark filter box to see the ARP traffic. We don’t see anything at the moment for the Arp process in Wireshark. Let’s generate some traffic using PING (ICMP)

How to filter ARP traffic in Wireshark

Generate ARP request using ICMP.

The best way to simulate the ARP process in the network is by generating some traffic, let’s send some ICMP packet.

Before you do that make sure to check the arp table to see if it’s empty for the address 192.168.1.2 or not.
I don’t see any arp entry at the moment. I can only see the arp entry for its local interface which is expected behavior.

 Computer A#show ip arp
 Protocol Address Age (min) Hardware Addr Type Interface
 Internet 192.168.1.1 - ca01.7d7e.0000 ARPA GigabitEthernet0/0
Computer-A#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0            192.168.1.1     YES manual up                    up

if there is something you may have to clear the arp cache and start this step again. You can clear the arp entry in cisco router by typing, clear ip arp and the IP address

Let’s do a ping from computer B to Computer A

 Computer-A#ping 192.168.1.2
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
  .!!!!
 Success rate is 80 percent (4/5), round-trip min/avg/max = 16/19/24 ms
 Computer-A#

Why does first ping fails?

Did you notice that our first ping failed? It’s because Computer A is not aware of the IP address 192.168.1.2 yet. Hence it started the ARP process to identify where the MAC address is. So the First ping failed due to the ARP process.

We can also see that, the moment we initiated the ping, the ARP process started in Wireshark as well.

ARP broadcast

let’s break it down and see what just happened here.

Let me change the time column to hostname to make more sense.

ARP request and reply
 I differentiated these machines with its mac address only to understand this process better for this lab, , Mac address ca01.7d7e.0000 belongs to Compute-A and the mac address  ca02.7d8c.0000 belongs to Computer-B.  But eventually, we are trying to get the mac address of computer B, which won't be the case for the real network. In the real network, we will not know about the Computer-B mac address.

ARP packet format Wireshark

We got the packet capture ready, and its time for us to analyse the packet and understand the ARP using the wireshark capture.

Step1. ARP Broadcast request

1. On the first Frame, you can notice an arp broadcast is sent to the special mac address ff:ff:ff:ff:ff:ff which is broadcast MAC address, because the ComputerA doesn’t know the mac address of the Computer B and it looking for the assigned MAC address of Computer B.

arp broadcast wireshark

2.As you can see Target MAC address which is nothing but the destination mac address shown as 00:00:00:00:00: 00, which means this frame doesn’t have the destination MAC hence put this value. As we already know the destination IP you could see the Target IP address as 192.168.1.2.

3. In the Frame you can also see the Type as ARP, in the end, it has written in Hexadecimal format 0x0806 indicates its an ARP type.

4. On the top right corner, you will be able to see info in Wireshark which basically translates in a human-readable format, who has 192.168.1.2? Tell 192.168.1.1

Step2. ARP reply

On the second Frame, only Computer-B in the ethernet segment sends ARP reply to the arp broadcast message saying that, hey the IP address 192.168.1.2 belong to the mac address ca02.7d8c.0000

ARP reply

Is ARP reply unicast or Broadcast?

You can see from the Wireshark packet capture output that, we already have the source and destination mac addresses, which means Arp reply is unicast, not Broadcast.

Down below you could see MAC and IP association.

Let’s look at Computer-A arp table and see what it has got. You can see that by typing show IP arp in Computer-A, it shows the Computer-B IP address 192.168.1.2 and its associated mac address has been learned by Computer-A

 Computer-A #show ip arp
 Protocol Address Age (min) Hardware Addr Type Interface
 Internet 192.168.1.1 - ca01.7d7e.0000 ARPA GigabitEthernet0/0
 Internet 192.168.1.2 48 ca02.7d8c.0000 ARPA GigabitEthernet0/0

Once Computer-A identified B’s mac address and the path to get there, then Computer-A will start sending ping messages.

What is ARP age timer?

Did you notice something called Age (min)in the ARP table?\

Every arp entry will have its AGE, once the Age time gets timed out the Arp entry will be removed from its table. you can alter this Age time in the cisco router by entering the command arp timeout on the interface level.

Router(config-if)#arp tim
Router(config-if)#arp timeout ?
  <0-2147483>  Seconds
Router(config-if)#arp timeout