ARP should be at the top of your list of protocols to learn for two reasons: it is very simple, and it is often the first packet generated whenever you use any Internet-related protocol.
All Internet communication occurs using IP addresses (though you may initially reference hosts by name). ARP provides the means to translate local IP addresses to Ethernet MAC addresses.
Let's go through a few examples using the previous network audit we performed:
Let's say that LB Desktop (172.16.1.169) wants to talk to TM Desktop (172.16.1.140). Even though LB knows the IP address of TM, he has no idea what TM's Ethernet MAC address is. Since there is an Ethernet network between these two hosts, we'd better figure out the appropriate MAC address to use.
Quiz: What would happen if we sent a packet with the correct destination IP address, but a destination MAC address of 00-00-00-00-00-00?
We could just broadcast the packet... that would definitely get the packet there, but it would also clog our network with unnecessary broadcasts.
ARP to the rescue. LB sends ONE broadcast packet (an ARP Request) to discover TM's MAC address. LB then stores that information in his local ARP cache, which allows unlimited communication with TM (for a period of time) without the need for further broadcasts.
D:\>arp -a
No ARP Entries Found
D:\>ping 172.16.1.140
Pinging 172.16.1.140 with 32 bytes of data:
Reply from 172.16.1.140: bytes=32 time<10ms TTL=128
Reply from 172.16.1.140: bytes=32 time<10ms TTL=128
Reply from 172.16.1.140: bytes=32 time<10ms TTL=128
Reply from 172.16.1.140: bytes=32 time<10ms TTL=128
Ping statistics for 172.16.1.140:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Here's the resulting packet trace from this PING command:
| No. | Time | Source | Destination | Protocol | Info |
| 1 | 0.000000 | 00:01:02:48:52:18 | ff:ff:ff:ff:ff:ff | ARP | Who has 172.16.1.140? Tell 172.16.1.169 |
| 2 | 0.000163 | 00:01:02:3d:1a:4e | 00:01:02:48:52:18 | ARP | 172.16.1.140 is at 00:01:02:3d:1a:4e |
| 3 | 0.000019 | 172.16.1.169 | 172.16.1.140 | ICMP | Echo (ping) request |
| 4 | 0.000144 | 172.16.1.140 | 172.16.1.169 | ICMP | Echo (ping) reply |
| 5 | 1.001880 | 172.16.1.169 | 172.16.1.140 | ICMP | Echo (ping) request |
| 6 | 0.000192 | 172.16.1.140 | 172.16.1.169 | ICMP | Echo (ping) reply |
| 7 | 1.001325 | 172.16.1.169 | 172.16.1.140 | ICMP | Echo (ping) request |
| 8 | 0.000207 | 172.16.1.140 | 172.16.1.169 | ICMP | Echo (ping) reply |
| 9 | 1.001153 | 172.16.1.169 | 172.16.1.140 | ICMP | Echo (ping) request |
| 10 | 0.000199 | 172.16.1.140 | 172.16.1.169 | ICMP | Echo (ping) reply |
If we check the ARP cache again, we see that it is now populated:
D:\>arp -a
Interface: 172.16.1.169 on Interface 0x1000003
  Internet Address      Physical Address      Type
  172.16.1.140          00-01-02-3d-1a-4e     dynamic
It's this ARP cache entry that enables the 2nd, 3rd, and 4th PINGs to be sent without any additional ARP Requests.
Below is the ARP Request packet that LB sends prior to communicating directly with TM. Notice that the destination MAC address is broadcast and the Ethernet type is 0x0806 (ARP). Lastly, notice that the Target MAC address field is 00-00-00-00-00-00. In other words: I don't know, you tell me.
Frame 1 (42 on wire, 42 captured)
Arrival Time: Apr 10, 2002 18:24:31.117741000
Frame Number: 1
Packet Length: 42 bytes
Capture Length: 42 bytes
Ethernet II
Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source: 00:01:02:48:52:18 (00:01:02:48:52:18)
Type: ARP (0x0806)
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: 00:01:02:48:52:18 (00:01:02:48:52:18)
Sender IP address: 172.16.1.169 (172.16.1.169)
Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
Target IP address: 172.16.1.140 (172.16.1.140)
A few other comments:
The ARP protocol type is set to 'IP' because we are asking ARP to resolve an IP address. Presumably ARP can be used to resolve addresses for other network protocols (though I've never seen this).
The Hardware size is set to 6 because we're expecting to receive a 6-byte Ethernet MAC address back. Technically Ethernet also supports 2-byte MAC addresses; however, I'm not aware of any implementation of this.
The Protocol size is set to 4 because an IP address (which we're trying to resolve) is a 4-byte value.
The Opcode is set to 0x0001, which indicates that this is an ARP Request. As you'll see in a second, an ARP Reply is opcode 0x0002.
Here is the ARP Reply packet from TM. Notice that it is NOT a broadcast; rather, it is sent directly to LB's MAC address. The information we were looking for is contained in the Sender MAC address field.
Quiz: How did TM determine LB's MAC address? We didn't see any ARP Requests from her?
Frame 2 (60 on wire, 60 captured)
Arrival Time: Apr 10, 2002 18:24:31.117904000
Frame Number: 2
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II
Destination: 00:01:02:48:52:18 (00:01:02:48:52:18)
Source: 00:01:02:3d:1a:4e (00:01:02:3d:1a:4e)
Type: ARP (0x0806)
Trailer: 00000000000000000000000000000000...
Address Resolution Protocol (reply)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (0x0002)
Sender MAC address: 00:01:02:3d:1a:4e (00:01:02:3d:1a:4e)
Sender IP address: 172.16.1.140 (172.16.1.140)
Target MAC address: 00:01:02:48:52:18 (00:01:02:48:52:18)
Target IP address: 172.16.1.169 (172.16.1.169)
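To make the field-by-field dissection of Frames 1 and 2 concrete, here is an added example (not part of the original page) that builds and decodes the same two frames with Python's struct module. It rebuilds LB's broadcast request and TM's unicast reply from the MAC and IP addresses in the trace, and, like the capture, tolerates the zero padding that brings the reply up to 60 bytes on the wire.

```python
import struct

ETH_P_ARP = 0x0806                        # Ethernet type for ARP, as in the trace
HTYPE_ETHERNET, PTYPE_IPV4 = 0x0001, 0x0800
ARP_REQUEST, ARP_REPLY = 0x0001, 0x0002
BROADCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_to_bytes(mac): return bytes(int(p, 16) for p in mac.split(":"))
def bytes_to_mac(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(raw): return ".".join(str(b) for b in raw)

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet II + ARP frame (14-byte Ethernet header, 28-byte ARP body)."""
    # A request goes to the broadcast MAC with an all-zero target MAC; a reply is unicast.
    dst_mac = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type, protocol type, hardware size (6), protocol size (4), opcode
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Decode an Ethernet/ARP frame; bytes past 42 are the padding seen as 'Trailer' in Frame 2."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame: type 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4) or opcode not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("only Ethernet/IPv4 ARP request/reply with 6-byte MACs and 4-byte IPs is handled")
    return {"dst_mac": bytes_to_mac(frame[0:6]), "src_mac": bytes_to_mac(frame[6:12]),
            "opcode": opcode,
            "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": bytes_to_ip(frame[28:32]),
            "target_mac": bytes_to_mac(frame[32:38]), "target_ip": bytes_to_ip(frame[38:42])}

def summarize(frame):
    """Render the Info column of the trace: 'Who has X? Tell Y' or 'X is at Y'."""
    f = parse_arp(frame)
    if f["opcode"] == ARP_REQUEST:
        return f"Who has {f['target_ip']}? Tell {f['sender_ip']}"
    return f"{f['sender_ip']} is at {f['sender_mac']}"

# Frame 1 from the trace: LB asks who has 172.16.1.140
REQUEST = build_arp(ARP_REQUEST, "00:01:02:48:52:18", "172.16.1.169", ZERO_MAC, "172.16.1.140")
# Frame 2: TM's unicast reply, zero-padded to the 60 bytes the capture shows
REPLY = build_arp(ARP_REPLY, "00:01:02:3d:1a:4e", "172.16.1.140",
                  "00:01:02:48:52:18", "172.16.1.169").ljust(60, b"\x00")
```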
ARP is a data-link-only protocol. That means it can only be used to resolve IP addresses that are on the same physical network (contiguous hubs, bridges, or switches). ARP packets do not pass through routers from one network to another, since routers operate at the network layer. Also, ARP will only look up IP addresses that are in the same subnet as the host generating the request.
In order to determine your subnet, perform the following steps:
WinNT, Win2000, WinXP:
C:\>ipconfig /all
...
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-01-02-48-52-18
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.169
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.1.168
Win9x, WinME:
Use: Start/Run/Winipcfg
| IP Address | 172.16.1.169 |
| Subnet Mask | 255.255.255.0 |
| Logical AND | |
| Local Subnet | 172.16.1.0 |
Let's assume you wanted to communicate with 172.16.1.140. Your host would determine the target subnet as follows:
| Target IP Address | 172.16.1.140 |
| Subnet Mask | 255.255.255.0 |
| Logical AND | |
| Target Subnet | 172.16.1.0 |
If the Target Subnet = Local Subnet (as it does here), then we know the target host is on the local network and we send an ARP Request for that specific IP address.
On the other hand, if the target IP address was something like 198.133.219.25:
| Target IP Address | 198.133.219.25 |
| Subnet Mask | 255.255.255.0 |
| Logical AND | |
| Target Subnet | 198.133.219.0 |
Since 198.133.219.0 <> 172.16.1.0, we know the host is on a remote network. In that case the request has to be routed through our default gateway, so we ARP for the gateway's IP address (172.16.1.168) instead.
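The local-or-remote decision in the three tables above, as an added example (not from the original page): it carries out the "Logical AND" on the address and mask and returns which IP the host should ARP for. It goes a little beyond the page by validating that the mask is a contiguous run of 1-bits and that the configured default gateway actually sits on the local subnet, two misconfigurations that otherwise surface only as unanswered ARP Requests.

```python
def ip_to_int(ip):
    """Dotted-quad string to a 32-bit integer, rejecting malformed addresses."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def check_mask(mask):
    """A subnet mask must be 1-bits followed by 0-bits (e.g. 255.255.255.0); return it as an int."""
    m = ip_to_int(mask)
    inverted = (~m) & 0xFFFFFFFF
    # the zero run is contiguous exactly when inverted + 1 is a power of two
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return m

def subnet_of(ip, mask):
    """The 'Logical AND' row of the tables: address AND mask."""
    return int_to_ip(ip_to_int(ip) & check_mask(mask))

def arp_target(local_ip, mask, gateway, target_ip):
    """Return (ip_to_arp_for, reason): the target itself when it is on the local subnet,
    otherwise the default gateway, which must itself be on the local subnet."""
    local_net = subnet_of(local_ip, mask)
    if subnet_of(gateway, mask) != local_net:
        raise ValueError(f"default gateway {gateway} is not on local subnet {local_net}")
    if subnet_of(target_ip, mask) == local_net:
        return target_ip, "local"
    return gateway, "remote"
```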