ARP (Address Resolution Protocol) explained

Hi Rene,

Why do we see incomplete MAC entries when a device is connected to a Cisco router through a switch?

Hi Kiran,

Which incomplete MAC entries are you referring to? Do you have an example?

Rene

Hi Rene,

I am referring to incomplete MAC entries connected to the router.

PNTADD01#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.137.21.1             -   0000.0c07.ac01  ARPA   GigabitEthernet0/0
Internet  10.137.21.2             -   a493.4cbd.3780  ARPA   GigabitEthernet0/0
Internet  10.137.21.3             0   Incomplete      ARPA   
Internet  10.137.21.11            0   Incomplete      ARPA   
Internet  10.137.21.12            0   Incomplete      ARPA   
Internet  10.137.21.13            0   Incomplete      ARPA   
Internet  10.137.21.14            0   Incomplete      ARPA   
Internet  10.137.21.15            0   Incomplete      ARPA

Hi Kiran,

Ah ok, good question.

When the router does an ARP request but doesn’t get an ARP reply in return, it will show up as incomplete.

Try to ping an IP address that isn’t reachable and you’ll see it in this list.

Rene

Hi Rene,

Yes, I am not able to ping any of those which show as incomplete.
I was not getting an answer from anyone on this and finally I got it from you. Thanks, Rene.

Regards
Kiran

When we see 0000.0000.0000 (instead of FFFF.FFFF.FFFF) in the Target Hardware Address (THA) field of an ARP request packet, maybe it is connected with the older broadcast address standard? I have read in “TCP/IP Illustrated”, written by Kevin R. Fall and W. Richard Stevens, in the “Proxy ARP” chapter, that “some used an older broadcast address (a host ID of all 0 bits, instead of the current standard of a host ID with all 1 bits)”. I can’t find more information about this older broadcast address standard. Is my conjecture correct?

Link to the quoted sentence:
https://books.google.pl/books?id=X-l9NX3iemAC&pg=PA175&lpg=PA175&dq="older+broadcast+address"&source=bl&ots=Z2djp_J07L&sig=QDrrrD8QEBtPMOI2mx5iwxZSNlY&hl=pl&sa=X&ei=UrCPVMbYD4a9Ubavg5AC&ved=0CCUQ6AEwAQ#v=onepage&q="older%20broadcast%20address"&f=false

The link with the quote doesn’t work for me but there are two different things when we look at the ARP request:

- Destination Address
- Target Hardware Address

These are two different things…the destination address is found in the layer 2 (Ethernet) header and specifies where to forward the frame to, it’s set to FFFF.FFFF.FFFF (broadcast). The target hardware address is found in the ARP header and since it’s an ARP request, we don’t know the target…it is set to 0000.0000.0000.

If you capture an ARP request with Wireshark then you’ll find both values :)

You are confusing two different types of information here. The FFF… represents the broadcast destination address. Why? Because the request must be sent to everyone, since I don’t know which MAC address is attached to the IP.
The 000… represents the target MAC (yet unknown).

I hope this makes sense
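
The distinction drawn in the two replies above, as an added example that is not part of the original posts: it builds and parses an untagged Ethernet/IPv4 ARP request so both fields can be compared side by side. The frame is constructed for illustration and reuses addresses from the `sh arp` output posted earlier; the function names are hypothetical.

```python
import struct

ETHERTYPE_ARP = 0x0806

def mac(b: bytes) -> str:
    """Format 6 bytes in Cisco dotted notation, e.g. ffff.ffff.ffff."""
    h = b.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed sample: ARP request without padding or FCS."""
    # Layer 2 header: broadcast destination, sender as source, EtherType ARP
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # ARP header: htype 1 (Ethernet), ptype IPv4, hlen 6, plen 4, oper 1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    # Target hardware address is unknown in a request, so it is all zeros
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp

def parse_arp_frame(frame: bytes) -> dict:
    """Split an untagged Ethernet frame into layer 2 and ARP fields."""
    if len(frame) < 42:
        raise ValueError("truncated: need 14-byte Ethernet + 28-byte ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac(eth_dst), "eth_src": mac(eth_src),
        "oper": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa),
    }

# Constructed sample: 10.137.21.2 asking who has 10.137.21.3
SAMPLE = build_arp_request(bytes.fromhex("a4934cbd3780"),
                           bytes([10, 137, 21, 2]), bytes([10, 137, 21, 3]))

if __name__ == "__main__":
    for field, value in parse_arp_frame(SAMPLE).items():
        print(f"{field:8} {value}")
```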

Dear Rene,

I studied about ARP before but one thing is still not clear about it.

ARP is located between LLC and IP layers of the protocol stack. When the destination’s MAC address is unknown ARP sends a broadcast ARP request frame.

Does it send those request frames through its data link and physical layers? When it gets the reply it goes back through physical and data link layers again, right?

Best regards,
Aisha

Hi Aisha,

That’s right. You can never skip any layers in the OSI model…it will always be encapsulated by the data link layer and physical layer. On the other side, it will be de-encapsulated.

Rene

Thank you, Rene!

Hello sir, thank you for answering my last question about Wireshark. Question: with this example, how did you find the person’s (computer B) IP address in the first place?

Hi Keith,

You are welcome.

About the IP address…I had to look it up. For example, if I was trying to access a shared folder on another computer then I would have to find out the IP address of the other computer myself. On the Internet, we use DNS to find the IP address behind hostnames.

Also, some applications might have a method of finding the IP address of devices in the same subnet.

Thank you, Rene! Perhaps it would be interesting to make an addendum about how gratuitous ARP works.

Hug

Hi Gabriel,

I’ll create a separate post for gratuitous ARP :)

Rene

Thanks! :)

Great article, Rene.
Helped a lot in understanding ARP.

Keep up the good work.
Thanks

Glad to hear you liked it Leonel!

nice.

Hi Rene,

Does a device’s ARP cache/table get updated only when

a) it sends out an ARP request and receives a reply for it (then it updates its ARP table),

or

b) consider this scenario:
- device A recently talked to device B
- both of them are in the same LAN
- both of them have each other’s MAC info in their respective ARP tables
- device A does an “arp -d” and has its ARP table deleted, or for some reason device A’s ARP table does not have B’s information anymore
- device A is not talking to device B and is not initiating any connection to B either
- device B then sends a packet/frame (not ARP related) to A (as device B still has A’s ARP information)
- when device A receives the packet from B, will it update its ARP table?

Regards,
Alan