What is ARP?

Address resolution protocol is generally used to find out MAC address. ARP is a link layer protocol but it is used when IPv4 is used over Ethernet.

Why we need ARP?

Let’s understand with a simple example.

We have one computer [PC1] with IP address 192.168.1.6 and we want to ping to another computer [PC2] whose IP address is 192.168.1.1. Now we have PC1 MAC address but we do not know PC2 MAC address and without MAC address we cannot send any packet.

Now let’s see step by step.

Note: Open command in administrative mode.

Step 1: Check existing ARP on PC1. Execute arp –a in command line to see existing ARP entry.

Here is the screenshot

Step 2: Delete ARP entry. Execute arp –d command in command line. And then execute arp –a to make sure ARP entries have been deleted.

Here is the screenshot

Step 3: Open Wireshark and start it on PC1.

Step2: Execute below command on PC1.

Step 3: Now ping should be successful.

Here is the screenshot

Step 4: Stop Wireshark.

Now we will check what happens in background when we delete arp entry and ping to a new IP address.

Actually when we ping 192.168.1.1, before sending ICMP request packet there was ARP Request and ARP reply packet exchanges. So PC1 got MAC address of PC2 and able to send ICMP packet.

For more information on ICMP please see here

Analysis on Wireshark:

ARP packets types:

1. ARP Request.
2. ARP Reply.

There are other two types RARP Request and RARP Reply but used in specific cases.

Let’s come back to our experiment.

We did ping to 192.168.1.1 so before sending ICMP request , PC1 should send broadcast ARP request and PC2 should send unicast ARP reply.

Here are important fields for ARP Request.

So we understand that the main intention of ARP request to get the MAC address of PC2.

Now let’s see ARP reply in Wireshark.

ARP reply is sent by PC2 after receiving ARP request.

Here are the important fields of ARP reply.

From this ARP reply we go that PC1 got PC2 MAC and updated ARP table.

Now ping should be successful as ARP has been resolved.

Here are the ping packets

Other important ARP packets:

RARP: Its opposite of normal ARP that we have discussed. That means you have MAC address of PC2 but you do not have IP address of PC2. Some specific cases need RARP.

Gratuitous ARP: When a system gets an IP address after that system is free to send a gratuitous ARP informing the network that I have this IP. This is to avoid IP conflict in same network.

Proxy ARP: From the name we can understand that when one device sends an ARP request and gets an ARP reply but not form the actual device. That means somebody sends ARP reply on behave of original device. It’s implemented for security reason.

Summary:

ARP packets are exchanged in background whenever we try to access a new IP address