• The router creates the incomplete entry in the ARP table and sends an ARP request. If the router receives an ARP response then it puts the destination MAC address into the ARP table and the entry is now complete. If no ARP response is received the router will purge the incomplete entry.
• Typically you would need to find it on one of your machine's arp tables. If there is a router in your network, this is usually the most central place to gather that type of info. On a cisco router, the command is 'show arp' - it will give you a listing of the MAC addresses and their corresponding IP address.
• The ARP request is then sent to the MAC broadcast address (ff.ff.ff.ff.ff.ff), so that all local devices will receive it. If the server is listening on the network (and wants to answer), it responds with an ARP reply. In this reply, the server includes its MAC address; PC1 then uses that MAC address to send its Ethernet traffic destined for the.

The ARP/PING command can be used to change the IP address settings of the machine via the network. Thus, in order to ensure secure communication, it is recommended to disable the ARP/PING command after setting the IP address. Type 'arp -a' in the command prompt. This lists a number of MAC addresses with the associated IP addresses. Since you have the MAC address, scroll down the list to find the associated IP address. The MAC address is shown in the 'Physical Address' column with the IP address in the 'Internet Address.

We have gone through how MAC addresses and Switching work, and other sections discuss the functionality of IP addresses and Routing. What hasn’t been discussed however is the glue that binds those together. How do the MAC and IP addresses interact?

There is another protocol called ARP which stands for Address Resolution Protocol. It is used to associate MAC addresses with IP addresses and is a way for a computer to look up an unknown MAC address for a device that it wants to communicate with.

Most commonly a computer knows what IP address that it is sending the traffic to. For example, if you are browsing to a web page on the Internet, you would enter an address in the browser. The computer would then use DNS to do a name resolution lookup to obtain the IP address of that web page. So the computer will easily find out what the IP address of the web server is, meaning that the destination IP address is known to the computer in one way or another.

But let’s go back to that DNS message. You have just instructed the computer to browse to a web page in a web browser. The computer must use DNS to find out the IP address of the web page.

After the computer has created the DNS query it will put the query inside an IP packet and send the packet to a DNS server. Let’s say the computer is configured to use the home router as its DNS server. So the computer creates a packet with a DNS query that it wants to send off to the home router’s IP address. But the computer must also enter the MAC address of the Router as the destination MAC address for the traffic. How will the computer know which MAC address that the router has?

This is where the ARP protocol comes into play. ARP lets devices on the network ask each other which MAC addresses they have.

To find out what MAC address the router has got the computer will first put its DNS query on hold in a queue. Then it will create an ARP request.

The ARP request contains a simple question. In this case, the computer wants to find out which MAC address that the 192.168.1.1 device has got. So the request is basically as follows:

“Device with IP address 192.168.1.1, reply back with your MAC address”

ARP requests are always sent as broadcasts because we don’t know what MAC address we want to send the message to. Since it is a broadcasted message, every other device on the LAN will receive the message. This is because the integrated switch in the Home Router handles the message as a broadcast and forwards it to all other ports including the integrated router. But all devices except one will notice when they read the contents of the ARP request that the message is intended for another device with IP address 192.168.1.1

The home router, which is configured with IP address 192.168.1.1, will read the message and will notice that the message is directed at itself. It will then construct an ARP reply:

“I have IP address 192.168.1.1 and my MAC address is 00:13:fe:19:c7:9e”

Every time a computer receives an ARP reply it will save the response for at least a few minutes in an ARP table (or ARP cache) in memory. This is so that the computer doesn’t have to do an ARP request for each packet it wants to send. From now on and for as long as it keeps communicating with the router it will remember the router’s MAC address. If however they stop communicating for a while then the computer will clear out the router’s MAC address from its ARP table.

Each time a computer is sending a packet to an IP address it will look in its ARP cache to see if it already knows what MAC address that is associated with that IP address.

• If the address exists in the ARP cache then the MAC address in the table will be used.
• If the address does not exist in the ARP cache, then an ARP request must be created and sent out.

Finally once the computer has gone through the ARP request it now has all the necessary information to send the DNS query to the router to find out what IP address that the web page has got.

The Address Resolution Protocol(ARP) is a communication protocol used to discover the data-link layer address(Layer 2 address like Media Access Control(MAC) address) associated with an Internet layer address(Layer 3 address like IPv4 address). ARP was defined in 1982 by RFC 826.

ARP is a request-response or request-reply protocol in which one device sends a request to another device asking for some information, to which the other device will reply with the required information. It is a message exchange pattern. ARP packets are encapsulated by link layer and are distributed only in a particular network. As a result, ARP is said to be a link layer protocol.

Why do we need ARP?

Devices in a Local Area Network(LAN) are programmed to communicate using link layer addresses. Switches are not configured for a standard that will allow destination decisions to be based on IP within the same broadcast domain. A device that is not connected to the internet will not have an IP address. In that case, the network has to resort to using MAC addresses for communication. If a device wants to communicate with another device in the same LAN, it needs to know the MAC address of the other device’s network interface. This allows for the communication between the two end devices to be unicast.

How does ARP work?

Every device that is capable of handling IPv4 packets has an ARP table. An ARP table consists of IPv4 address to MAC address mappings. Switches do not have an ARP table as they are not equipped to handle IP packets. However, switches maintain another kind of cache mapping the MAC address of the non-switch devices connected to this LAN to the port where packets should go to reach that device. Switches will send out the packet on all the enabled ports if they do not have the destination MAC address in the cache.

When device 1 with IP 192.168.10.154 wants to send a packet to device 3 with IP 192.168.10.160, it looks into its ARP cache to fetch device 3’s MAC address. If the IP to MAC translation for device 3 does not exist in the ARP cache, device 1 sends a broadcast packet to the network using the ARP protocol to ask “who has 192.168.10.160?'.

All the devices in that network receive the ARP broadcast packet. The device with the requested IP address will reply with an ARP response that contains its MAC address. Note that the ARP response is unicast i.e it is sent only to the device that sent the ARP request. On receiving the ARP response, device 1 updates its ARP table with an entry for device 3. The switch too, updates its ARP cache noting which of its ports is connected to device 3.

Arp For Mac Address Finder

On Linux systems, ARP table can be displayed with the command “arp -an”.

Gratuitous ARP

A gratuitous ARP is an unprompted ARP response.When a new device joins the LAN, it broadcasts its MAC address to the entire network immediately after its network interface boots up. Gratuitous ARP packet has both, source and destination IP set to the IP address of the device issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff or 00:00:00:00:00:00 based on the ARP implementation. There will be no follow up packets sent in response to a gratuitous ARP packet.

Inverse ARP(InARP)

InARP is an addition to ARP technology that enables a device to request for an IP address corresponding to a given MAC address. InARP is defined in RFC 1293. InARP specifically applies to Frame Relay stations with Data Link Connection Identifier(DLCI) associated with a Permanent Virtual Circuit(PVC) that do not know the IP address of the station on the other side of this connection. The devices in a Frame Relay network do not have MAC addresses. Instead, they have a unique identifier called DLCI for every virtual circuit they are connected to. DLCI is the Frame Relay equivalent of a hardware/MAC address. InARP uses MAC addresses to find corresponding IP addresses. It is used mainly for device configuration. InARP is used when a device knows the DLCI of a remote router, but does not know its IP address. This is a common scenario on networks that share data-link addresses across different physical networks, such as Frame Relay and ATM. In that case, the device sends an InARP request asking for its IP address which, on receiving, it maps to its corresponding DLCI in the InARP table.

Proxy ARP

Proxy ARP is used to facilitate ARP exchanges in order to resolve IP addresses to MAC addresses in devices that are separated by routers in the same network or sub-network. Routers cannot forward Layer 2 packets and hence, ARP messages are never propagated outside of their networks. When a device wants to resolve the MAC address of another device in a different subnet, the router located between the two subnets acts as a proxy for the other device and responds to the ARP broadcast with its own MAC address. Proxy ARP is defined in RFC 1027.

When the ARP request from 192.168.1.2 asking for the MAC address of the device with IP 192.168.2.3 reaches 192.168.1.1(router interface), the router notices that 192.168.2.3 is in a different network. It acts as the proxy and sends an ARP response to 192.168.1.2 with its own MAC address i.e 00:00:AB:00:00:01.192.168.1.2 sends all packets destined for 192.168.2.3 to the router first. The router takes care of further ARP resolution and routes packets to the intended destination.

Arp Mac Address Flip-flop

Reverse ARP(RARP)

RARP is used by a device that knows its MAC address but not its IP address in a LAN. It is defined in RFC 903. RARP is essential for devices that do not have enough memory to store their IP addresses. Consequently, they resort to broadcasting RARP requests to the LAN. A specially configured host called the RARP-server, which stores MAC address to IP address mappings, is responsible for responding to RARP requests with the requested IP addresses. RARP is now obsolete and has been replaced by Bootstrap Protocol(BOOTP) and Dynamic Host Configuration Protocol(DHCP).

Additional Resources

About the author

Shreya A N is a senior at JSS Science and Technology University, India and a Network Security Intern at Cisco. She is passionate about computer networks, machine learning and data science. Shreya likes to spend her leisure time cooking, reading and making music.