January 13, 2000

Understanding ARP

If you've used TCP/IP or the Internet for any amount of time, you know that workstations on a TCP/IP network identify each other by TCP/IP address. Over the physical network, however, workstations communicate using their Media Access Control (MAC) addresses. The key to communicating via TCP/IP is therefore the mapping of a TCP/IP address to the physical address of a workstation. RFC 826, "An Ethernet Address Resolution Protocol," details the conversion process from a TCP/IP address to a physical MAC address.

This process is relatively simple. In this example, the TCP/IP workstation 192.42.252.20 needs to communicate with 192.42.252.50. To determine the physical address of the destination workstation, 192.42.252.20 sends a network broadcast, which is seen by every workstation on the TCP/IP subnet.

The following portion of this initial frame shows the sender's hardware and protocol (TCP/IP) addresses, and the target's protocol address. Since the originating station does not know the MAC address of the destination workstation, the target hardware address is all zeros.

ARP: ----- ARP/RARP frame -----
ARP: 
ARP: Hardware type = 1 (10Mb Ethernet)
ARP: Protocol type = 0800 (IP)
ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 1 (ARP request)
ARP: Sender's hardware address = 080020076A03
ARP: Sender's protocol address = [192.42.252.20]
ARP: Target hardware address   = 000000000000
ARP: Target protocol address   = [192.42.252.50]
ARP: 
ARP: 18 bytes frame padding
ARP:                                                                

If the destination station is on the TCP/IP subnet, it will receive this ARP request frame and send a response frame.

ARP: ----- ARP/RARP frame -----
ARP: 
ARP: Hardware type = 1 (10Mb Ethernet)
ARP: Protocol type = 0800 (IP)
ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 2 (ARP reply)
ARP: Sender's hardware address = 08002007972C
ARP: Sender's protocol address = [192.42.252.50]
ARP: Target hardware address   = 080020076A03
ARP: Target protocol address   = [192.42.252.20]
ARP: 
ARP: 18 bytes frame padding
ARP:                                                                

In this ARP response, the sender has replaced the all-zeros hardware address with its own MAC address. The original station, 192.42.252.20, will receive this frame and place the TCP/IP and MAC addresses of the 192.42.252.50 station into its internal ARP table. If these stations need to communicate again, the workstations will check their internal ARP tables before sending an ARP request.

Because workstation TCP/IP addresses can change, entries in the internal ARP table have timeout values. If the workstations do not communicate with each other, the ARP timeout will expire and the ARP information for that single workstation will be removed from the ARP table. If these two stations must communicate again, another ARP process must occur.

In the following decode, two ARP responses are returned for a single ARP request. In this situation, more than one station on the network has the same TCP/IP address.

Download the ARP Decode in Uncompressed Sniffer format
Download the ARP Decode as an ASCII File
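
As an added example (not part of the original article or its decodes), the Python sketch below parses the 28-byte ARP payload laid out in the decodes above and flags any IP address claimed by more than one sender MAC, which is the duplicate-address situation just described. The request and first reply reuse the addresses from the decodes; the second reply's MAC address and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4: 28 bytes

def parse_arp(payload: bytes) -> dict:
    """Decode the ARP fields shown in the decodes above from a raw ARP payload."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])  # anything after byte 28 is frame padding
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    ip = lambda b: ".".join(str(x) for x in b)
    return {"opcode": op, "sender_mac": sha.hex().upper(), "sender_ip": ip(spa),
            "target_mac": tha.hex().upper(), "target_ip": ip(tpa)}

def find_conflicts(payloads):
    """Return {ip: sorted MACs} for every IP claimed by more than one sender MAC."""
    seen = defaultdict(set)
    for p in payloads:
        f = parse_arp(p)
        seen[f["sender_ip"]].add(f["sender_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def build_arp(op, sha, spa, tha, tpa):
    """Build a sample ARP payload followed by 18 bytes of frame padding."""
    ipb = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(sha),
                       ipb(spa), bytes.fromhex(tha), ipb(tpa)) + bytes(18)

# Request and first reply use the addresses from the decodes above.
REQUEST = build_arp(1, "080020076A03", "192.42.252.20",
                    "000000000000", "192.42.252.50")
REPLY = build_arp(2, "08002007972C", "192.42.252.50",
                  "080020076A03", "192.42.252.20")
# Constructed second reply: a made-up MAC claiming the same TCP/IP address.
REPLY_DUP = build_arp(2, "0800200BEEF1", "192.42.252.50",
                      "080020076A03", "192.42.252.20")

if __name__ == "__main__":
    print(parse_arp(REPLY))
    print(find_conflicts([REQUEST, REPLY, REPLY_DUP]))
```

Two different MAC addresses answering for one TCP/IP address can mean a misconfigured duplicate address, as in the decode above, or a station answering for an address it does not own, so either case is worth investigating.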

Posted by james_messer at January 13, 2000 08:58 PM


