Solved: Understanding ARP

simran2642 · ‎03-06-2012

Hi,

I Have a query. The issue is that I am trying to understand how ARP works. For this I took packet captures. in the capture files I found that the ARP request is broadcast, however the reply from the peer is always a unicast.

Can anybody help me understanding ARP. And why ARP reply to an ARP request is unicast?

Thanks

Jan Hrnko · ‎03-06-2012

Hi Simranjeet,

The purpose of the ARP (address resolution protocol) is to find out how to reach certain IP host that is in the same network as you are. In another words - to find out layer 2 (mac) address of a device which has a certain known layer 3 (IP) address and is on your local network. You need this L2 address in addition to communicate with another host - your network card must know the mac address of the host's network card.

The ARP request MUST be broadcast, because you want to ask every host on your network if he hasn't got the IP address you are looking for (you don't have idea which host can have such an IP address - that's why you ask in the first place). The response is always unicast because response come from host with such an IP to the host which has asked the question - that means you.

Best regards,

Jan

View solution in original post

Joseph W. Doherty · ‎03-06-2012

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

The ARP request is broadcast because the requestor doesn't know where the "destination" is.

The ARP reply is unicast because the requestor's MAC source address was in the ARP request, i.e. the replier "knows" the "destination" of the requestor.

fb_webuser · ‎03-06-2012

ARP always replies unicast.

1) Client send ARP query for broadcast mac. it sends IP address which mac he want to receive

2) Node answer with it's MAC and ip directly to client.

Or you need more detailed algorithm?

---

Posted by WebUser Aleksandr Yanovskiy

simran2642 · ‎03-09-2012

Which algorithm??

Jan Hrnko · ‎03-06-2012

Hi Simranjeet,

The purpose of the ARP (address resolution protocol) is to find out how to reach certain IP host that is in the same network as you are. In another words - to find out layer 2 (mac) address of a device which has a certain known layer 3 (IP) address and is on your local network. You need this L2 address in addition to communicate with another host - your network card must know the mac address of the host's network card.

The ARP request MUST be broadcast, because you want to ask every host on your network if he hasn't got the IP address you are looking for (you don't have idea which host can have such an IP address - that's why you ask in the first place). The response is always unicast because response come from host with such an IP to the host which has asked the question - that means you.

Best regards,

Jan

simran2642 · ‎03-09-2012

Thank you, very much...

Kevin Dorrell · ‎03-09-2012

Actually, there is one particular aspect of ARP that I find quite interesting. ARP requests are not always broadcasts.

I like to set the ARP aging timers quite short in my layer-3 switches - typically about 5 minutes. You would think that would increase the amout of background broadcasting on the VLAN, but it does not. What I found that that when the switch is about to age out an ARP entry, it sends an ARP request to the last known unicast MAC address of the host. If the host is still there, it replies, and the ARP table is refreshed, avoiding the need for any extra broadcasting.

Kevin Dorrell

Luxembourg

Joseph W. Doherty · ‎03-09-2012

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

That's interesting. Wonder if its really part of any ARP "standard", or something unique and optional to the host. (Guess I'll have to read the ARP RFC now - laugh.)

Peter Paluch · ‎03-09-2012

Hello Kevin,

This is an interesting information. I haven't observed that personally but I find it logical - even if not entirely typical. In fact, this reminds me of IPv6 Neighbor Unreachability Detection (NUD).

Best regards,

Peter

Kishore Chennupati · ‎03-10-2012

Kevin,

That is definetly an interesting find. Thanks for sharing that. I guess it makes sense when you lower the ARP timers.

Regards