ARP, due to its apparent simplicity, is a rather overlooked concept, and sometimes its effect on the well-being of network infrastructures is underestimated.
ARP-related issues are fairly common in complex scenarios and often poorly understood by non-networking folks. Therefore, this section offers an overview of several manifestations of the ARP protocol itself and related aspects.
For a good understanding of network dynamics, it is also mandatory to understand the timers involved with regard to ARP and switch table entries and their lifetime. ARP table entries have a lifetime in the range of minutes up to tens of minutes, depending on the operating system under discussion.
1. The program passed Tom's typed text in a buffer to the socket.
2. The data was put inside a TCP data packet with a TCP header
added to the data. This header contained a source and destination
port number along with some other information and a checksum.
3. The TCP packet was placed inside an IP data packet with a
source and destination IP address along with some other data for
4. The IP data packet was placed inside an ethernet data packet.
This data packet includes the destination and source address of the
network interface cards (NIC) on the two computers. The address here
is the hardware address of the respective cards and is called the
5. The ethernet packet was transmitted over the network line.
6. With a direct connection between the two computers, the network
interface card on the intended machine recognized its address and
grabbed the data.
7. The IP data packet was extracted from the ethernet data packet.
8. The TCP data packet was extracted from the IP data packet.
9. The data was extracted from the TCP packet and the program
displayed the retrieved data (text) in the text display window for
the intended recipient to read.
In step 4 above, the IP data was going to be placed inside an ethernet data
packet, but the computer constructing the packet does not have the ethernet
address of the recipient's computer. The computer that is sending the data, in
order to create the ethernet part of the packet, must get the ethernet hardware
(MAC) address of the computer with the intended IP address. This must be
accomplished before the ethernet packet can be constructed. The ethernet device
driver software on the receiving computer is not programmed to look at IP
addresses encased in the ethernet packet. If it did, the protocols could not be
independent and changes to one would affect the other. This is where address
resolution protocol (ARP) is used. Tom's computer sends a network broadcast
asking the computer that has the recipient's IP address to send its ethernet
address. The ethernet destination is set with all
bits on so all ethernet cards on the network will receive the data packet. The
ARP message consists of an ethernet header and ARP packet. The ethernet header
- A 6 byte ethernet destination address.
- A 6 byte ethernet source address.
- A 2 byte frame type. The frame type is 0806 hexadecimal for ARP and 8035
The encapsulated ARP data packet contains the following:
- Type of hardware address (2 bytes). 1 = ethernet.
- Type of protocol address being mapped (2 bytes). 0800H (hexadecimal) =
- Byte size of the hardware address (1 byte). 6
- Byte size of the protocol address (1 byte). 4
- Type of operation. 1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP
- The sender's ethernet address (6 bytes)
- The sender's IP address (4 bytes)
- The recipient's ethernet address (6 bytes)
- The recipient's IP address (4 bytes)
When the ARP reply is sent, the recipient's ethernet address is left blank.
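The field layout listed above can be exercised directly. The following is an added example, not code from the original article: it packs a broadcast ARP request in the listed field order and parses it back, rejecting frames whose type or size fields do not match an ethernet/IPv4 mapping. The function names, the MAC address and the 192.0.2.x addresses are constructed for illustration, and a 2-byte operation field is assumed.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")            # destination, source, frame type
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # ARP fields in the order listed above
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6                      # all bits on: every card receives it
OPERATIONS = {1: "request", 2: "reply"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_request(src_mac, src_ip, target_ip):
    """Build the broadcast frame asking which card owns target_ip."""
    eth = ETH_HDR.pack(BROADCAST, src_mac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, 1,
                       src_mac, socket.inet_aton(src_ip),
                       b"\x00" * 6,          # address being asked for: blank
                       socket.inet_aton(target_ip))
    return eth + arp

def parse_arp_frame(frame):
    """Decode an ethernet frame carrying ARP; raise ValueError if malformed."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("frame too short for ethernet header + ARP packet")
    dst, src, frame_type = ETH_HDR.unpack_from(frame, 0)
    if frame_type != ETHERTYPE_ARP:
        raise ValueError(f"frame type {frame_type:04x} is not ARP")
    fields = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    htype, ptype, hlen, plen, op, s_mac, s_ip, t_mac, t_ip = fields
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an ethernet/IPv4 address mapping")
    return {
        "eth_dst": mac_str(dst),
        "eth_src": mac_str(src),
        "operation": OPERATIONS.get(op, f"other ({op})"),
        "sender_mac": mac_str(s_mac),
        "sender_ip": socket.inet_ntoa(s_ip),
        "target_mac": mac_str(t_mac),
        "target_ip": socket.inet_ntoa(t_ip),
    }

if __name__ == "__main__":
    # Constructed sample: locally administered MAC, documentation-range IPs.
    sample = build_arp_request(bytes.fromhex("020000000001"),
                               "192.0.2.10", "192.0.2.20")
    for name, value in parse_arp_frame(sample).items():
        print(f"{name:>10}: {value}")
```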
In order to increase the efficiency of the network and not tie up bandwidth
doing ARP broadcasting, each computer keeps a table of IP addresses and matching
ethernet addresses in memory. This is called ARP cache. Before sending a
broadcast, the sending computer will check to see if the information is in its
ARP cache. If it is, it will complete the ethernet data packet without an ARP
broadcast. Each entry normally lasts 20 minutes after it is created. RFC 1122
specifies that it should be possible to configure the ARP cache timeout value on
the host. To examine the cache on a Windows, UNIX, or Linux computer type "arp
If the receiving host is on another network, the sending computer will go
through its route table and determine the correct router (A router should be
between two or more networks) to send to, and it will substitute the ethernet
address of the router in the ethernet message. The encased IP address will still
have the intended IP address. When the router gets the message, it looks at the
IP data to tell where to send the data next. If the recipient is on a network
the router is connected to, it will do the ARP resolution either using its ARP
buffer cache or broadcasting.
Reverse Address Resolution Protocol (RARP)
As mentioned earlier, reverse address resolution protocol (RARP) is used for
diskless computers to determine their IP address using the network. The RARP
message format is very similar to the ARP format. When the booting computer
sends the broadcast ARP request, it places its own hardware address in both the
sending and receiving fields in the encapsulated ARP data packet. The RARP
server will fill in the correct sending and receiving IP addresses in its
response to the message. This way the booting computer will know its IP address
when it gets the message from the RARP server.