What is ARP?

A. ARP stands for Address Resolution Protocol and was touched on in the previous question as a means of resolving a IP address to an actual physical network card address.

All network cards have a unique 48 bit address, that is written as six hexadecimal pairs, e.g. 00-A0-24-7A-01-48, and this address is hard coded into the network card. You can view your network cards hardware address by typing

ipconfig /all
.
Ethernet adapter Elnk31:

Description . . . . . . . . : ELNK3 Ethernet Adapter.
Physical Address. . . . . . : 00-A0-24-7A-01-48
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . : 200.200.200.5
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 200.200.200.1
Primary WINS Server . . . . : 200.200.50.23
Secondary WINS Server . . . : 200.200.40.190

As discussed in the Subnet question, if a packets destination is on the same local network as the senders, then the sender needs to resolve the destinations IP address into a physical hardware address, otherwise the sender needs to resolve the routers IP address into a physical hardware address. When a NT machines TCP/IP component starts, it broadcasts an ARP message with its IP to hardware address pair. The basic order of events for sending to a host on the local network is as follows:

  1. ARP checks the local ARP cache for an entry for destinations IP address. If a match is found, then the hardware address of the destination is added to the frame header and the frame sent.
  2. If a match is not found, then an ARP request broadcast is sent to the local network (remember it knows the destination is on the local network by working out the Network ID from the IP address and the subnet mask). The ARP request contains the senders IP address and hardware address, the IP address that is being queried and is sent to 255.255.255.255 (everyone, but it won't get routed).
  3. When the destination host receives the broadcast, it sends a ARP reply with its hardware address and IP address.
  4. When the source receives the ARP reply, it will update its ARP cache and then create a frame and send it.

If you are sending to a destination not on your local network, then the process is similar except the sender will resolve the routes IP address instead.

To inspect your machines ARP cache, type:
arp -a

and a list of IP address to hardware address pairs will be shown. Try pinging a host on your local network and then displaying the ARP cache again and you will see an entry for the host, also try pinging a host outside your local network and check the ARP cache and an entry for the router will have been added. You will notice that the word dynamic is listed with the records, and this is because they were added as needed and are volatile, hence will be lost on reboot. In fact the entries will be lost quicker than this! If an entry is not used again within 2 minutes then it will be deleted from the cache. If it is used within 2 minutes, it will not be deleted for a further 10 minutes, unless used again and then it would be ten minutes from when used :-).

You may wish to add static entries for some hosts (to save time with the ARP requests) and the format is
arp -s <IP address> <hardware address>, e.g.
arp -s 200.200.200.5 00-A0-24-7A-01-48


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish