January 13, 2000
If you've used TCP/IP or the Internet for any amount of time, you know that workstations on a TCP/IP network communicate with each other with a TCP/IP address. Over the physical network, however, workstations communicate with each other with their Media Access Control (MAC) address. Therefore, the key to communicating via TCP/IP is the mapping of a TCP/IP address to the physical address of a workstation. An Ethernet Address Resolution Protocol, RFC 826, details the conversion process from a TCP/IP address to a physical MAC address.
This process is relatively simple. In this example, the TCP/IP workstation 184.108.40.206 is planning to communicate to 220.127.116.11. To determine the physical address of the destination workstation, 18.104.22.168 sends a network broadcast to every station. This broadcast is seen by every workstation on the TCP/IP subnet.
The following portion of this initial frame shows the sender's hardware and protocol (TCP/IP) address, and the target's protocol address. Since the originating station does not know the MAC address of the destination workstation, the hardware address is all zeros.
ARP: ----- ARP/RARP frame ----- ARP: ARP: Hardware type = 1 (10Mb Ethernet) ARP: Protocol type = 0800 (IP) ARP: Length of hardware address = 6 bytes ARP: Length of protocol address = 4 bytes ARP: Opcode 1 (ARP request) ARP: Sender's hardware address = 080020076A03 ARP: Sender's protocol address = [22.214.171.124] ARP: Target hardware address = 000000000000 ARP: Target protocol address = [126.96.36.199] ARP: ARP: 18 bytes frame padding ARP:
If the destination station is on the TCP/IP subnet, it will receive this ARP command frame and send a response frame.
ARP: ----- ARP/RARP frame ----- ARP: ARP: Hardware type = 1 (10Mb Ethernet) ARP: Protocol type = 0800 (IP) ARP: Length of hardware address = 6 bytes ARP: Length of protocol address = 4 bytes ARP: Opcode 2 (ARP reply) ARP: Sender's hardware address = 08002007972C ARP: Sender's protocol address = [188.8.131.52] ARP: Target hardware address = 080020076A03 ARP: Target protocol address = [184.108.40.206] ARP: ARP: 18 bytes frame padding ARP:
In this ARP response, the sender has replaced the all zeros hardware address with his MAC address. The original station, 220.127.116.11, will receive this frame and place the TCP/IP and MAC address of the 18.104.22.168 station into it's internal ARP table. If these stations need to communicate again, the workstations will check their internal ARP table before sending the ARP request.
Because workstation TCP/IP addresses can change, the internal ARP table has timeout values. If the workstations do not communicate to each other, the ARP timeout value will occur and the ARP information for that single workstation will be removed from the ARP table. If these two stations must communicate again, another ARP process must occur.
In the following decode, two ARP responses are returned for a single ARP command. In this situation, more than one station on the network has the same TCP/IP address.
Download the ARP Decode as an ASCII File
Posted by james_messer at January 13, 2000 08:58 PM