ARP Packet Analysis with Wireshark

Chưa phân loại

What is ARP?

Address resolution protocol is generally used to find out MAC address. ARP is a link layer protocol but it is used when IPv4 is used over Ethernet.

Why we need ARP?

Let’s understand with a simple example.

We have one computer [PC1] with IP address and we want to ping to another computer [PC2] whose IP address is Now we have PC1 MAC address but we do not know PC2 MAC address and without MAC address we cannot send any packet.

Now let’s see step by step.

Note: Open command in administrative mode.

Step 1: Check existing ARP on PC1. Execute arp –a in command line to see existing ARP entry.

Here is the screenshot

Step 2: Delete ARP entry. Execute arp –d command in command line. And then execute arp –a to make sure ARP entries have been deleted.

Here is the screenshot

Step 3: Open Wireshark and start it on PC1.

Step2: Execute below command on PC1.


Step 3: Now ping should be successful.

Here is the screenshot

Step 4: Stop Wireshark.

Now we will check what happens in background when we delete arp entry and ping to a new IP address.

Actually when we ping, before sending ICMP request packet there was ARP Request and ARP reply packet exchanges. So PC1 got MAC address of PC2 and able to send ICMP packet.

For more information on ICMP please see here

Analysis on Wireshark:

ARP packets types:

  1. ARP Request.
  2. ARP Reply.

There are other two types RARP Request and RARP Reply but used in specific cases.

Let’s come back to our experiment.

We did ping to so before sending ICMP request , PC1 should send broadcast ARP request and PC2 should send unicast ARP reply.

Here are important fields for ARP Request.

So we understand that the main intention of ARP request to get the MAC address of PC2.

Now let’s see ARP reply in Wireshark.

ARP reply is sent by PC2 after receiving ARP request.

Here are the important fields of ARP reply.

From this ARP reply we go that PC1 got PC2 MAC and updated ARP table.

Now ping should be successful as ARP has been resolved.

Here are the ping packets

Other important ARP packets:

RARP: Its opposite of normal ARP that we have discussed. That means you have MAC address of PC2 but you do not have IP address of PC2. Some specific cases need RARP.

Gratuitous ARP: When a system gets an IP address after that system is free to send a gratuitous ARP informing the network that I have this IP. This is to avoid IP conflict in same network.

Proxy ARP: From the name we can understand that when one device sends an ARP request and gets an ARP reply but not form the actual device. That means somebody sends ARP reply on behave of original device. It’s implemented for security reason.


ARP packets are exchanged in background whenever we try to access a new IP address

ONET IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, ONET IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

Tăng cường bảo mật SSH trên Ubuntu sử dụng port knock

Thông thường chúng ta vẫn sử dụng giao thức SSH để kết nối giữa client và server. Để thực hiện...

Debian: debian_frontend=noninteractive

In this guide we’ll discuss the advantages of Debian’s configuration engine, how configuration dialogs work, how to...

Pandas Tutorial in Python

In this lesson on Python Pandas library, we will look at different data structures this Python package provides for fast...
Bài Viết

Bài Viết Mới Cập Nhật

Huớng dẫn dùng proxy cho ios, iphone 2023

Cách gắn set proxy cho điện thoại android, oppo, giả lập android, Ldplayer Bằng Proxydroid

Mua Proxy Socks5 VN Chơi Game Gia Lập Tăng Cường Trải Nghiệm Chơi Game

Mua Proxy Mỹ, Us Nuôi Tài Khoản Etsy, eBay Tìm Hiểu Về Mua Proxy Mỹ tại

Mua Proxy Game – Giải pháp tuyệt vời cho việc chơi game trên mạng mà không bị giới hạn về vị trí địa lý