What is the ‘arp’ protocol and the ‘arp’ command, and how can I use it?

Let’s answer the questions, but before I do, you can watch my ARP lesson on YouTube here: https://youtu.be/aD_caJxD7nY and look at the lessons in the playlist: https://www.youtube.com/playlist?list=PL-nDeWT9WTjFT1syEIGsLTObjkx4XDOUt

Check out some further ARP Resources:
  • Our free ARP course at Udemy
  • Our ARP custom profile for Wireshark
  • Our chapter on ARP at the Online School Reference Library

OK – let’s get to the answers.

ARP stands for Address Resolution Protocol.  This protocol is used by network nodes to match IP addresses to MAC addresses.  The original specification was RFC 826.  That has since been updated by RFC 5227, and RFC 5494.

The basic protocol is functionally divided into two parts:

  • One part determines a physical address when sending a packet
  • The other part answers requests from other machines

So ARP provides a method for hosts to send a message to a destination address on the physical network.  Ethernet hosts must convert a 32-bit IP address into a 48-bit Ethernet address.  The host checks its ARP cache to see if the mapping from IP address to physical address is already known:

  • If the mapping is known, the physical address is placed in the frame and the frame is sent
  • If the mapping is not known, a broadcast message is sent and the host awaits a reply
  • The target machine, recognizing that the IP address matches its own, returns the answer

ARP sits in Layer 2 of the OSI layered model, working with Ethernet and IPv4 as shown in the diagram:

(Diagram: ARP alongside Ethernet and IPv4 in the OSI model; image not included in this copy)

ARP does not serve IPv6.  In IPv6 networks, ARP functionality is replaced with Neighbor Discovery (ND), which is part of the ICMPv6 protocol.  More information on ND here.

ARP is transparent to bridging/switching: bridges/switches at Layer 2 will forward ARP broadcasts.  Routers are Layer 3 devices, and they do not propagate Ethernet broadcasts, because a router is a Network Layer device.

The ARP protocol format looks like this:

(Diagram: ARP packet format; image not included in this copy)

The operation of the ARP protocol looks like this:

(Diagram: ARP request/response exchange between Host 1 and Host 2; image not included in this copy)

  1. The process begins with both ARP caches empty
  2. Host 2 knows that it wants to send a packet to Host 1 (e.g. the default gateway)
  3. Host 2 has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for IP address 192.168.1.1.
  4. Host 1 responds with its MAC address (because it is 192.168.1.1) directly (unicast) to Host 2
  5. Host 1 and 2 both insert this received information into their ARP caches for future use

That is a normal ARP protocol process – a request and response.

That said there are some interesting variations discussed next.

Gratuitous ARP Messages

A Gratuitous ARP is an ARP Response that was not prompted by an ARP Request, as defined in the ARP specification (RFC 826). "Gratuitous ARP" can mean either a gratuitous ARP request or a gratuitous ARP reply. Think of it as a reply to which no request has been made. In the request form, the packet is sent with the source and destination IP both set to the IP of the machine issuing the packet and the destination MAC set to the broadcast address ff:ff:ff:ff:ff:ff.

Ordinarily, no reply packet will occur. Gratuitous ARPs assist in the updating of other machines’ ARP tables if they are accepted. They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port. They can also help indicate IP conflicts.

When a machine receives an ARP request containing a source IP that matches its own, it knows there is an IP conflict. Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP tells us that the host has just had a link-up event, such as a link bounce, a machine just being rebooted, or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces.

Here is an example:

You can clearly see that the Sender IP address field and the Target IP address field have the same IP. Further, you can see that Wireshark has identified this as a Gratuitous ARP based on its format. Therefore, using the following filter, you can easily find all Gratuitous ARP packets in Wireshark (keep in mind that our ARP profile already has this filter built in; you can find the profiles repository here).

ARP Announcements

ARP Announcements are a way to officially “claim” an IP address on the network.  The ARP Announcement is very similar to a Gratuitous ARP, with one notable exception: the Opcode in an ARP Announcement is set to 1, indicating a request. Typical Gratuitous ARP messages have an Opcode set to 2.  Together, the Sender MAC address and the Sender IP address form a complete ARP mapping, and hosts on the network can use this pair of addresses in their ARP table.
Like the Gratuitous ARP, the Target MAC address is ignored; in this example it is set to 0000.0000.0000, while some implementations of the ARP Announcement use ffff.ffff.ffff instead.  Finally, the Target IP confirms the subject of the communication: the IP address whose uniqueness has now been confirmed.

Example ARP Announcement as seen in Wireshark:

Wireshark users may want to try the following display filter to show ARP Announcements:

ARP Probes

The ARP Probe serves the purpose of polling the network to validate that an IP address is not already in use.  The idea is that if the IP address in question is already in use, the initiator of the ARP Probe will expect a Response from the original owner. Therefore, the ARP Probe is a request which might prompt a response:

  • The Opcode field set to 1, indicating an ARP Request
  • The Sender MAC address is set to the initiator’s MAC address
  • The Sender IP address is set to 0.0.0.0
  • The Target MAC address is set to 0000.0000.0000
  • The Target IP Address is set to the IP address being probed

Here is an example of an ARP probe:

The key difference between a Probe and a Request is that the Sender IP address is set to all zeros.  This is intentional, because the reason for sending the ARP Probe is to prevent an IP conflict.  If the target IP address is already in use, it would be very undesirable for other hosts on the network to inadvertently update their ARP cache based upon the contents of the ARP Probe.  This is also the primary difference between an ARP Probe and a Gratuitous ARP.  A Gratuitous ARP is meant to update all the ARP caches on the network, whereas an ARP Probe deliberately prevents updating of ARP caches to continue protecting against IP address conflicts.
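The field rules above (Opcode, Sender IP, Target IP) are enough to tell a plain request/reply, a Gratuitous ARP reply, an ARP Announcement and an ARP Probe apart. The following Python script is an added example, not code from the article or from Wireshark: it decodes the 28-byte Ethernet/IPv4 ARP payload described in the packet format section and classifies it with exactly those rules. The RARP (3/4) and InARP (8/9) opcodes come from the IANA ARP parameters registry; all MAC and IP addresses in the samples are constructed for illustration.

```python
"""Parse Ethernet/IPv4 ARP payloads and classify the ARP variants."""
import struct
from dataclasses import dataclass

# Fixed 28-byte layout of an ARP message carrying Ethernet (6-byte) and IPv4
# (4-byte) addresses: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa.
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")

HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Opcodes from the IANA ARP parameters registry: 1/2 are ARP (RFC 826),
# 3/4 are RARP (RFC 903) and 8/9 are InARP (RFC 2390).
OPCODE_NAMES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply",
                8: "inarp-request", 9: "inarp-reply"}


@dataclass(frozen=True)
class ArpMessage:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> ArpMessage:
    """Decode the ARP payload that follows an Ethernet header with EtherType 0x0806."""
    if len(payload) < ARP_HDR.size:
        raise ValueError(f"ARP payload too short: {len(payload)} bytes")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = ARP_HDR.unpack_from(payload)
    # Only the Ethernet/IPv4 combination is handled; anything else is rejected
    # rather than decoded with the wrong field widths.
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return ArpMessage(opcode, _mac_to_str(sha), _ip_to_str(spa),
                      _mac_to_str(tha), _ip_to_str(tpa))


def classify(msg: ArpMessage) -> str:
    """Name the ARP variant using the Opcode / Sender IP / Target IP rules."""
    if msg.opcode == 1:
        if msg.sender_ip == "0.0.0.0":
            return "probe"             # sender IP zeroed so no cache is updated
        if msg.sender_ip == msg.target_ip:
            return "announcement"      # gratuitous request claiming the address
        return "request"
    if msg.opcode == 2:
        if msg.sender_ip == msg.target_ip:
            return "gratuitous-reply"  # reply that nobody asked for
        return "reply"
    return OPCODE_NAMES.get(msg.opcode, f"unknown-opcode-{msg.opcode}")


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode an Ethernet/IPv4 ARP payload (used here only to construct samples)."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))

    return ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                        mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


# Constructed sample messages (not captured traffic); the addresses are made up.
SAMPLES = {
    "host2 asks for gateway": build_arp(1, "02:00:00:00:00:02", "192.168.1.2", "00:00:00:00:00:00", "192.168.1.1"),
    "gateway answers":        build_arp(2, "02:00:00:00:00:01", "192.168.1.1", "02:00:00:00:00:02", "192.168.1.2"),
    "probe before using .2":  build_arp(1, "02:00:00:00:00:02", "0.0.0.0", "00:00:00:00:00:00", "192.168.1.2"),
    "announce .2":            build_arp(1, "02:00:00:00:00:02", "192.168.1.2", "00:00:00:00:00:00", "192.168.1.2"),
    "gratuitous reply .1":    build_arp(2, "02:00:00:00:00:01", "192.168.1.1", BROADCAST_MAC, "192.168.1.1"),
    "rarp request":           build_arp(3, "02:00:00:00:00:03", "0.0.0.0", "02:00:00:00:00:03", "0.0.0.0"),
}


def classify_samples() -> dict:
    """Classify every constructed sample; returns {sample name: variant}."""
    return {name: classify(parse_arp(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:25s} -> {kind}")
```

The same `classify` logic is what a capture-side check would run on each ARP frame: a Probe is recognised before the Sender IP is trusted, so a monitoring tool built this way never learns a mapping from a Probe, which is precisely the property the text describes.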

Wireshark users will find that if you use the following display filter you can find ARP probes in your packet capture:

Inverse Address Resolution Protocol (Inverse ARP or InARP)

Inverse ARP is used to obtain Network Layer addresses (for example, IP addresses) of other nodes from Data Link Layer (Layer 2) addresses.  Since ARP translates Layer 3 addresses to Layer 2 addresses, InARP may be described as its inverse.  InARP is implemented as a protocol extension to ARP: it uses the same packet format as ARP, but different operation codes.  It is primarily used in Frame Relay and ATM networks, in which Layer 2 addresses of virtual circuits are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before those virtual circuits can be used.

Reverse Address Resolution Protocol (Reverse ARP or RARP)

Like InARP, RARP translates Layer 2 addresses to Layer 3 addresses.  RARP is used to obtain the Layer 3 address of the requesting station itself for address configuration purposes.  RARP is essentially obsolete; it was replaced by BOOTP, which has in turn been superseded by the Dynamic Host Configuration Protocol (DHCP).

You may see Reverse ARP used by virtual machines. Here is an example:

Here is the Wireshark filter to find these types of ARP messages:

The “arp” Command

OK, now that we have an understanding of the ARP protocol and its variants, let’s move on to the ‘arp’ command and how it is used in the terminal or command line of Windows, Linux, and Mac OS X.

arp displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help.

You can use the arp command to view and modify the ARP table entries on the local computer. This may display all the known connections on your local area network segment (if they have been active and are in the cache). The arp command is useful for viewing the ARP cache and resolving address resolution problems.

Syntax (Inet means Internet address)

arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]] [-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]

Here are the switch definitions:

-a [InetAddr] [-N IfaceAddr] : Displays current ARP cache tables for all interfaces. To display the ARP cache entry for a specific IP address, use arp -a with the InetAddr parameter, where InetAddr is an IP address. To display the ARP cache table for a specific interface, use the -N IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. The -N parameter is case-sensitive.

-g [InetAddr] [-N IfaceAddr] : Identical to -a.

-d InetAddr [IfaceAddr] : Deletes an entry with a specific IP address, where InetAddr is the IP address. To delete an entry in a table for a specific interface, use the IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. To delete all entries, use the asterisk (*) wildcard character in place of InetAddr.  So “arp -d *” will flush your ARP cache.

-s InetAddr EtherAddr [IfaceAddr] : Adds a static entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. To add a static ARP cache entry to the table for a specific interface, use the IfaceAddr parameter where IfaceAddr is an IP address assigned to the interface.

/?: Displays help at the command prompt.

Using arp on Windows

To run the arp command in Windows click START> RUN> CMD.  Now enter ‘arp -a’ at the > prompt:

(Screenshot: output of ‘arp -a’ in a Windows command prompt; image not included in this copy)

I will also mention here that this command is built into my Windows Networking Tool. You can find that here.

Using arp on a MAC or Linux System

To run the arp command in Mac OS X or Linux, first open a Terminal window.  Now enter ‘arp -a’ at the $ or # prompt:

(Screenshot: output of ‘arp -a’ in a Mac OS X/Linux terminal; image not included in this copy)

There are two types of ARP entries: static and dynamic. Most of the time, the computer will use dynamic ARP entries. This means that the ARP entry (the link between an Ethernet MAC address and an IP address) has been learned (usually from the default gateway) and is kept on the device for some period of time, as long as it is being used. A static ARP entry is the opposite of a dynamic ARP entry. With a static ARP entry, the link between the Ethernet MAC address and the IP address is entered manually. Software in your computer will also predefine some static entries, such as multicast addresses and broadcast addresses. Because of the management headaches of static entries and the lack of significant negatives to using dynamic ARP entries, dynamic ARP entries are used most of the time.

Detecting Duplicate IP Addresses Using ARP

When starting up, some operating systems like Windows perform a gratuitous ARP to detect any duplication of their own IP address. While this function detects most cases of duplicate IP addresses, in a few situations two TCP/IP hosts on the same network can be configured with the same IP address.  Since the MAC and IP address mapping is done by the ARP module, which uses the first ARP response it receives, the impostor computer’s reply sometimes comes back before the intended computer’s reply.

These problems are difficult to isolate and track down. Use the arp -a command to display the mappings in the ARP cache. If you know the Ethernet address of the remote computer you wish to use, you can easily determine whether the two match. If not, use the arp -d command to delete the entry, then use Ping with the same address (forcing an ARP), and check the Ethernet address in the cache again by using arp -a.  If both computers are on the same network, you will eventually get a response from the impostor computer. If not, you might have to capture the traffic from the impostor host with Network Monitor to determine the owner or location of the system.

Detecting Invalid Entries in the ARP Cache

Troubleshooting the ARP cache can be difficult because the problems associated with it are so often intermittent.  The exception to this is when you find that the wrong host responds to a command, perhaps when you use a net use or Telnet command. The symptoms of invalid entries in the ARP cache are harder to reproduce and involve intermittent problems that only affect a few hosts. The underlying problem is that two computers are using the same IP address on the network. You only see the problems intermittently because the most recent ARP table entry is always the one from the host that responded more quickly to any particular ARP request.

To address the problem, display the ARP table using the arp -a command. Since addresses assigned by DHCP do not cause address conflicts like those described here, the main source of these conflicts is likely to be static IP addresses. Maintaining a list of static addresses (and corresponding MAC addresses) as they are assigned can help you track down any address conflict just by examining the IP and MAC address pairs from the ARP table and comparing them to the recorded values.

Using the arp-scan Tool in Linux

I often take issue with “not enough networking tools in Microsoft Windows”.  Well, here is yet another example.  If you are a Linux user, there is a great little tool called “arp-scan”.  In most distributions you can install it if you do not have it with:

sudo apt install arp-scan

Once installed, simply run it specifying your network prefix.  For example:

sudo arp-scan 192.168.1.0/24

You can see that the tool used ARP and cycled through the IP addresses in the subnet.  When a system responded, it recorded the response using the OUI part of the MAC address to identify the manufacturer.  Did it get everything?  Perhaps not, and I suggest you read the following article on discovery here: https://www.cellstream.com/2023/02/24/who-is-on-my-network/

Troubleshooting Networks using ARP

If you do not have a record of all IP and MAC address pairs on your network, you might want to examine the manufacturer bytes of the MAC addresses for inconsistencies. These three-byte numbers are called Organizationally Unique Identifiers (OUIs) and are assigned by the Institute of Electrical and Electronics Engineers (IEEE); the first three bytes of each MAC address identify the card’s manufacturer. Knowing what equipment you installed and comparing that with the values returned by arp -a might allow you to determine which static address was entered in error.
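The two checks described in the duplicate-IP and troubleshooting sections (compare each arp -a entry against a recorded list of IP/MAC pairs, and look at the OUI bytes for gear you did not install) are easy to automate. The script below is an added example, not code from the article: it parses both the Linux/Mac OS X and the Windows ‘arp -a’ output layouts and reports mismatches. The sample outputs, the inventory, and the tiny known-OUI set are all constructed for illustration (in practice the OUI list would come from the IEEE registry and the inventory from your own records); predefined broadcast and multicast entries are skipped because they are not hosts.

```python
"""Audit an ARP table (arp -a output) against a recorded inventory of IP/MAC pairs."""
import re
from typing import Dict, List, Set

# Linux / Mac OS X style:  gateway (192.168.1.1) at 02:00:00:00:00:01 [ether] on eth0
LINUX_ENTRY = re.compile(r"^\S+ \((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{17})")
# Windows style:           192.168.1.1           02-00-00-00-00-01     dynamic
WINDOWS_ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F-]{17})\s+(dynamic|static)")


def normalize_mac(mac: str) -> str:
    """Windows prints aa-bb-cc-..., Linux aa:bb:cc:...; compare in one form."""
    return mac.lower().replace("-", ":")


def parse_arp_table(output: str) -> Dict[str, str]:
    """Return {ip: mac} from either arp -a layout; incomplete entries are skipped."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINUX_ENTRY.match(line) or WINDOWS_ENTRY.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def audit_arp_table(table: Dict[str, str], inventory: Dict[str, str],
                    known_ouis: Set[str]) -> List[str]:
    """Flag cache entries that disagree with the inventory or carry an unexpected OUI."""
    findings: List[str] = []
    for ip, mac in sorted(table.items()):
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue  # predefined broadcast / IPv4 multicast entries, not hosts
        expected = inventory.get(ip)
        if expected is None:
            findings.append(f"{ip} {mac}: not in inventory")
        elif normalize_mac(expected) != mac:
            findings.append(f"{ip} {mac}: inventory says {normalize_mac(expected)} "
                            "(possible duplicate IP)")
        oui = mac[:8]
        if oui not in known_ouis:
            findings.append(f"{ip} {mac}: OUI {oui} not in the known-vendor list")
    return findings


# Constructed sample output in the Linux / Mac OS X layout (not a real capture).
LINUX_SAMPLE = """\
gateway (192.168.1.1) at 02:00:00:00:00:01 [ether] on eth0
? (192.168.1.20) at 02:00:00:00:00:20 [ether] on eth0
? (192.168.1.30) at 0a:11:22:33:44:55 [ether] on eth0
? (192.168.1.40) at <incomplete> on eth0
"""

# Constructed sample output in the Windows layout; .20 answers from a MAC that
# differs from the recorded one, the duplicate-IP symptom the text describes.
WINDOWS_SAMPLE = """\
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-01     dynamic
  192.168.1.20          02-00-00-00-00-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed records: statically assigned IP/MAC pairs and the OUIs of gear we own.
INVENTORY = {"192.168.1.1": "02:00:00:00:00:01", "192.168.1.20": "02:00:00:00:00:20"}
KNOWN_OUIS = {"02:00:00"}


def audit_samples() -> Dict[str, List[str]]:
    """Run the audit over both constructed outputs; returns {layout: findings}."""
    return {
        "linux": audit_arp_table(parse_arp_table(LINUX_SAMPLE), INVENTORY, KNOWN_OUIS),
        "windows": audit_arp_table(parse_arp_table(WINDOWS_SAMPLE), INVENTORY, KNOWN_OUIS),
    }


if __name__ == "__main__":
    for layout, findings in audit_samples().items():
        print(f"[{layout}]")
        for f in findings:
            print("  " + f)
```

To use it on a real machine, feed the text of ‘arp -a’ (for example via subprocess) into parse_arp_table and keep the inventory under version control as addresses are assigned; the "possible duplicate IP" finding is the case where running arp -d, pinging, and checking arp -a again is the next step.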

Another possible issue is that DHCP might have detected a duplicate MAC/card already on the network, and thus denied a computer’s request to join. Other DHCP and related messages here can often quickly isolate and solve a problem.

If you want to read more on troubleshooting, check out my blog post here: https://www.cellstream.com/2022/04/06/a-dive-into-network-troubleshooting/

I hope you find this article and its content helpful.  Comments are welcome below.  If you would like to see more articles like this, please support us by clicking the patron link, where you will receive free bonus access to courses and more, or simply buy us a cup of coffee!
