Address Resolution Protocol

from Wikipedia, the free encyclopedia
ARP (Address Resolution Protocol)
Family: Internet protocol family
Operation area: Network address mapping
ARP in the TCP / IP protocol stack :
application HTTP IMAP SMTP DNS ...
transport TCP UDP
Internet IPv4
Network access ARP
Ethernet Token
FDDI ...
Standards: RFC 826 (1982)

The Address Resolution Protocol ( ARP ) is a network protocol that determines the physical address (hardware address) of the network access layer for a network address of the Internet layer and, if necessary, stores this assignment in the ARP tables of the computers involved. It is almost exclusively related to IPv4 -Adressierung on Ethernet - networks , ie to identify MAC addresses to given IP addresses used, although it is not limited thereto. For IPv6 , this functionality is not provided by ARP, but by the Neighbor Discovery Protocol (NDP).


MAC addresses (hardware addresses ) are assigned by the manufacturer of an Ethernet network card or an Ethernet-capable device. Theoretically, the address of each interface is unique worldwide. In some networks, such as Novell and DECnet , the network addresses are uniquely mapped to the Ethernet addresses, for example by adding further information to the MAC address. A sender can then easily determine the MAC address of the recipient from the network address.

IP addresses are assigned by the IANA ( Internet Assigned Numbers Authority ). Since IPv4 addresses only consist of 32 bits , they are not able to store MAC addresses. Because of this, there is no fixed relationship between MAC addresses and IP addresses. Before a computer in an Ethernet sends an IP packet to a computer in the same subnet , it must pack the information in an Ethernet frame. To do this, he must know the MAC address of the target computer and insert it in the corresponding field of the Ethernet frame. If he does not know this, he cannot deliver the IP packet. Instead, it then first uses the ARP to determine the MAC address of the target computer.

How it works using the example of Ethernet

An ARP request ( ARP request ) is sent to all computers in the local network with the MAC address and the IP address of the requesting computer as the sender address and the IP address of the computer being searched for as the recipient IP address. The broadcast address in the Ethernet frame is used as the recipient MAC address so that all computers in the local network receive the ARP request. However, the destination MAC address is filled in within the ARP request to indicate that the sender of the ARP request wants to find out this MAC address. If a computer receives such a packet, it checks whether this packet contains its IP address as the recipient IP address. If this is the case, it replies by sending back its MAC address and IP address (ARP reply or ARP reply ) via broadcast or as unicast. After receiving the response, the recipient enters the received combination of IP and MAC address in its ARP table, the so-called ARP cache. The same packet format is used for ARP requests and ARP replies. ff-ff-ff-ff-ff-ff1600-00-00-00-00-0016

In addition, the recipients of the ARP request can also enter the combination of IP address and MAC address of the requesting computer in their ARP table or update an existing entry. In particular, the computer with the IP address requested in the ARP request should make this entry, since it can be assumed that the ARP request is to serve as preparation for further communication at a higher protocol level, for which it then also uses the MAC address of the Requester needed.

The ARP cache contains a four-column table, which generally consists of <protocol type, protocol address of the sender, hardware address of the sender, time of entry>. The time interval after which an entry is deleted from the ARP cache depends on the implementation. Current Linux distributions discard entries after about 5 minutes. As soon as an entry in the table is used, its expiry time is extended.

Under Unix and Windows , the ARP cache can be displayed with arpor arp -aand also manipulated with the corresponding program. With the additional program arping, requests can be sent manually.

ARP in a global context

The ARP is responsible for resolving the MAC addresses in the local network. If data is to be sent across network borders, the Internet Protocol (IP) is used. IP implementations are able to recognize that a packet is not intended for the local subnet and send it to a local router , which takes care of forwarding the packet. This router in turn has a local MAC address that can be determined via ARP.

The following flowchart shows the relationship between IP routing and ARP:

Schematic representation of ARP and routing

Packet format

The ARP packet is attached to the Ethernet MAC header. The type field in the Ethernet frame is set to 0x0806 (2054). This number is reserved for the ARP protocol. This allows ARP packets to be distinguished from packets from other protocols such as IP.

Since the packet is very short, additional bytes usually have to be inserted between the ARP packet and the CRC in the Ethernet frame (padding) in order to achieve the minimum frame length of 64 bytes.

Although ARP was originally developed for IPv4 and MAC addresses, address types and protocol size fields are provided in the package. This makes ARP also suitable for other protocols. For IPv6 , the protocol address size could be set to 16 bytes instead of 4 and the address fields could be extended to 128 bits (= 16 bytes), but ARP for IPv6 is being replaced by the Neighbor Discovery Protocol (NDP), which is based on ICMPv6 .

ARP message format using the example of Ethernet MAC addresses and IPv4 addresses
octet offset 0 1
0 Hardware address type
2 Protocol address type
4th Hardware address size Protocol address size
6th surgery
8th Source MAC address (first 2 bytes)
10 (next 2 bytes)
12 (last 2 bytes)
14th Source IP address (first 2 bytes)
16 (last 2 bytes)
18th Destination MAC address (first 2 bytes)
20th (next 2 bytes)
22nd (last 2 bytes)
24 Destination IP address (first 2 bytes)
26th (last 2 bytes)

Hardware address type (2 bytes) contains the type of MAC address in the packet (for Ethernet:) 1.

Protocol address type (2 bytes) contains the protocol type that is requested for the MAC address (for IPv4 addresses:) 0x0800 (2048).

Hardware address size (1 byte) contains the size of the MAC address (for Ethernet:) 6.

Protocol address size (1 byte) contains the size of the protocol (for IPv4:) 4.

Operation (2 bytes) contains the value indicating which operation is to be carried out ( 1for ARP request, 2for ARP response).

Source MAC address (6 bytes) contains the MAC address of the sender in an ARP request. In an ARP response, it contains the MAC address of the responding host or next-hop router.

Source IP address (4 bytes for IPv4) contains the IP address of the requesting host for an ARP request. In an ARP response, it contains the IP address of the responding host or next-hop router.

Destination MAC address (6 bytes) is ignored in an ARP request (usually 00: 00: 00: 00: 00: 00 16 ). In an ARP response, it contains the MAC address of the requesting host.

The destination IP address (4 bytes for IPv4) is the IP address of the host searched for in an ARP request. In an ARP response, it contains the IP address of the requesting host.

Special ARP messages

Proxy ARP

Proxy ARP allows a router to answer ARP requests for hosts.

The hosts are located in networks that are separated by a router - but atypically they use the same IP address range. During communication, the router is transparent to the hosts , that is, it does not need to be specifically addressed, but the hosts can send packets across different networks as usual.

If computer A sends an ARP request to computer B, the intermediate router reacts instead of computer B with an ARP response and the hardware address of the interface (MAC of the port on the router) on which the request was received. The requesting computer A then sends its data to the router, which then forwards it to computer B.

Proxy ARP can be recognized by computer A's ARP cache. If the same MAC address is entered for several IP addresses , the router works with this MAC address as a proxy. The entries can also indicate an ARP spoofing attack .

Gratuitous ARP

Gratuitous ARP ("unsolicited ARP") describes a special use of ARP. A host sends an ARP request broadcast in which it enters its own IP address as the source and destination IP address. In doing so, it will notify you of its new MAC address, if necessary. This can serve several purposes:

  1. Normally there should be no answer because an IP address must be unique in a network. If he still receives a response, this is an indication for the administrator that a host is not configured correctly, ie the designated IP address is already being used for another purpose.
  2. Each host updates its ARP cache. This is useful, for example, if the network card of a computer has been replaced and the other hosts are to be informed of the new MAC address. Gratuitous ARP therefore normally happens when you boot a computer.
  3. If two servers are set up as servers and replacement servers for reasons of failure safety and share an IP address and the active traffic is to be switched from one to the other, the IP address can now be reached via a different MAC address. This new MAC / IP address assignment must be made known. Otherwise nobody will notice the change.
  4. In a Mobile IP scenario, the home agent sends a gratuitous ARP when the mobile host moves away from the home network in order to receive the packets on its behalf. Similarly, the mobile host sends a gratuitous ARP as soon as it is back on the network.

RARP - Reverse ARP

The Reverse ARP (RARP) does the reverse of ARP. So it can resolve MAC addresses to IP addresses. This is useful for determining your own IP address for devices that do not have permanent storage or assignment of an address. Both protocols have the same packet format. However, the areas of application of RARP and ARP are very different from each other.


ARP is invisible to the user, so the presence of this protocol is usually only noticed when infrequent errors occur.

The length of time an ARP entry is valid (usually a few minutes) can be a problem if there are incorrect entries. As long as there is an incorrect entry, it is not possible to communicate with the host concerned. The malfunction is often not attributed to the ARP protocol, but to the network or an error in the network implementation. In addition, not every operating system allows a corrected entry or request to be generated.

More serious is the entry of data in the ARP cache from packets for which no request was generated (blind belief). An overloaded host with an old IP address is likely to be the last to respond to an ARP request with a response that contains the wrong address. This last packet overwrites the ARP table of all devices in the network, one incorrect entry remains.

ARP spoofing

With ARP spoofing it is possible to intentionally distribute the wrong hardware address in a network. This means that the data traffic for one computer can be diverted to another and possibly even changed by this computer ( man-in-the-middle attack ). This is a security problem.

ARP spoofing is very easy to implement due to the architecture of ARP. ARP packets simply have to be sent with the wrong MAC / IP combinations. Thereupon none of the recipient computers will do any checks, but simply enter the data in its cache.

Modern implementations only change the ARP table for ARP responses for which a request was previously generated by the host concerned.

See also

related protocols:

Web links