ARP (Address Resolution Protocol) explained


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(system) #2

Hello,

Why in the ARP reply packet do we see 00:00:00:00:00:00 as Target MAC address instead of FF:FF:FF:FF:FF:FF ?


(system) #3

I meant ARP request


(Rene Molenaar) #4

FF:FF:FF:FF:FF:FF in binary is all 1s…in other words, it will be broadcasted within the broadcast domain. This way the ARP request reaches all devices in the broadcast domain.


(system) #5

I agree with that. That’s why I wonder why we see 00:00:00:00:00:00 is the ARP request screenshot…


(system) #6

May you pls explain same scenario adding 2 switches and 2 routers in between.

Computer A -------Switch1-----ROUTER1------------------ROUTER 2 ---- Switch2 ----- Computer B.

Much Thanks !!


(Rene Molenaar) #7

Hi Virender,

When Computer A wants to reach Computer B it will have to know how to reach its default gateway because both computers are in a different subnet. What happens is that Computer A will do an ARP request for the IP address of Router 1 (its default gateway).

Computer B will do an ARP request for Router 2 (its default gateway).

Router 1 and Router 2 will do ARP requests on the link that connects them to discover each others MAC addresses.

Rene


(system) #8

thank you.
why does a pc need a pc*s mac-address that is in same network?if we know its ip address so we dont need to know its mac-address.
thank you


(Rene Molenaar) #9

Hi Reza,

IP is a layer 3 protocol and Ethernet is a layer 2 protocol. If you want to send an IP packet on the LAN you have to put it in an Ethernet frame in order to send it. Ethernet frames use MAC addresses for identification.

Rene


(system) #10

thanks Rene


(system) #11

Hello Renne,

Thank you for all this info on Networking put up in a very simple way.

Could you please explain what is the difference between ARP Table and Routing Table? And what is Reverse ARP?

Thanks,
Schweta.


(Rene Molenaar) #12

Hi Schweta,

The ARP table is what you have read about in this tutorial. A routing table is something completely different, best to read this post to understand it:

Reverse ARP (RARP) is an ancient protocol…it was used in the past so a host could get an IP address, it has been replaced by BOOTP and DHCP.

Rene


(kiran g) #13

Hi Rene ,

why do we see incomplete MAC entries when a device is connected to a CISCO Router through a switch ?


(Rene Molenaar) #14

Hi Kiran,

Which incomplete MAC entries are you referring to? Do you have an example?

Rene


(kiran g) #15

Hi Rene ,

I am referring to incomplete MAC entries connected to the router.

PNTADD01#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.137.21.1             -   0000.0c07.ac01  ARPA   GigabitEthernet0/0
Internet  10.137.21.2             -   a493.4cbd.3780  ARPA   GigabitEthernet0/0
Internet  10.137.21.3             0   Incomplete      ARPA   
Internet  10.137.21.11            0   Incomplete      ARPA   
Internet  10.137.21.12            0   Incomplete      ARPA   
Internet  10.137.21.13            0   Incomplete      ARPA   
Internet  10.137.21.14            0   Incomplete      ARPA   
Internet  10.137.21.15            0   Incomplete      ARPA

(Rene Molenaar) #16

Hi Kiran,

Ah ok, good question.

When the router does an ARP request but doesn’t get a ARP reply in return, it will show up as incomplete.

Try to ping an IP address that isn’t reachable and you’ll see it in this list.

Rene


(kiran g) #17

Hi Rene ,

Yes i am not able to ping any of those which shows as incomplete.
I was not getting an answer from anyone on this and finally i got it from you. Thanks Rene .

Regards
Kiran


(Jarisk) #18

When we see in ARP request packet in the Target hardware address (THA) field 0000.0000.0000 (instead of FFFF.FFFF.FFFF) maybe it is connected with the older broadcast address standard? I have read in the „TCP/IP Illustrated„ written by Kevin R. Fall and W. Richard Stevens in the “Proxy ARP” chapter that „some used an older broadcast address (a host ID of all 0 bits, instead of the current standard of a host ID with all 1 bits)”. I can’t find more information about this older broadcast address standard. Is my conjecture correct?

Link to the quoted sentence:
https://books.google.pl/books?id=X-l9NX3iemAC&pg=PA175&lpg=PA175&dq="older+broadcast+address"&source=bl&ots=Z2djp_J07L&sig=QDrrrD8QEBtPMOI2mx5iwxZSNlY&hl=pl&sa=X&ei=UrCPVMbYD4a9Ubavg5AC&ved=0CCUQ6AEwAQ#v=onepage&q="older%20broadcast%20address"&f=false


(Rene Molenaar) #19

The link with the quote doesn’t work for me but there are two different things when we look at the ARP request:

- Destination Address
- Target Hardware Address

These are two different things…the destination address is found in the layer 2 (Ethernet) header and specifies where to forward the frame to, it’s set to FFFF.FFFF.FFFF (broadcast). The target hardware address is found in the ARP header and since it’s an ARP request, we don’t know the target…it is set to 0000.0000.0000.

If you capture an ARP request with wireshark then you’ll find both values :slight_smile:


(Roger B) #20

You are confusing two different types of information here. the FFF…represents the broadcast destination address. why? because the request must be sent to everyone since I don’t know which Mac address is attached to the IP.
The 000… represents the Target MAc yet (unknown)

I hope this makes sense