Dear Rene,
I studied about ARP before but one thing is still not clear about it.
ARP is located between LLC and IP layers of the protocol stack. When the destination’s MAC address is unknown ARP sends a broadcast ARP request frame.
Does it send those request frames through its data link and physical layers? When it gets the reply it goes back through physical and data link layers again, right?
Best regards,
Aisha
Hi Aisha,
That’s right. You can never skip any layers in the OSI model…it will always be encapsulated by the data link layer and physcal layer. On the other side, it will be de-encapsulated.
Rene
Thank you, Rene!
Hello sir, thank you for answering my last question about wireshark. Question, with this example how did you find the person’s (compute B) IP address in the first place?
Hi Keith,
You are welcome.
About the IP address…I had to look it up. For example, if I was trying to access a shared folder on another computer then I would have to find out the IP address of the other computer myself. On the Internet, we use DNS to find the IP address behind hostnames.
Also, some applications might have a method of finding the IP address of devices in the same subnet.
Thank you, Rene! Perhaps to be interesting to make an addendum about gratuitous ARP work.
Hug
Hi Gabriel,
I’ll create a seperate post for gratuitous ARP 
Rene
Thanks! 
Great article Rene.
Helped alot in understanding ARP.
Keep up the good work.
Thanks
Glad to hear you liked it Leonel!
nice.
Hi Rene,
Does a device’s arp cache/table get updated only when
a) it send out an arp request and receive a reply for it (then it updates it arp table).
or
b) consider this scenario
- device A recently talk to device B
- both of them are in the same LAN
- both of them have each other’s MAC info in their respective arp table
- device A does a “arp -d” and have its arp table deleted / or due to some reason device A’s arp does not have B information anymore.
- device A is not talking to device B and is not initiating any connection to B as well
- device B then send a packet/frame (not ARP related) to A (as device B still have A’s arp information)
- when device A receive the packet from B, will it update its ARP table ?
Regards,
Alan
Hi Alan,
On Cisco IOS an entry in the ARP cache will remain there for 4 hours. When it expires, it sends another ARP request right away so that the entry can be renewed. I believe this is the only method how it gets refreshed.
About your other question, when you receive an IP packet and you don’t have an entry for the IP address in the ARP cache then this will trigger an ARP request. That’s the only way how the ARP cache gets updated.
Rene
Hi Rene,
Thanks for your reply and explanation. How about this scenario below:
A send C an ARP request
C send A an ARP reply
** C also records down A arp request information in its ARP cache, so that it does not need to send A an ARP request in the near future.
** - Does C does that ? or does it send a separate ARP request to A ?
When C receives the ARP request, it will check if the destination IP address (that A is looking for) matches the IP address that is configured on C. If this is the case then C will add the IP and MAC address of A in its ARP table and then sends the ARP reply. C doesn’t have to send an ARP request for A, everything it needs to fill its ARP table is in the ARP request from A.
Sorry for the late reply Rene! thanks!
Why in the ARP request packet do we see 00:00:00:00:00:00 as Target MAC address instead of FF:FF:FF:FF:FF:FF ?
Hi Alias,
Take a look at this wireshark capture:
https://www.cloudshark.org/captures/f9a4ff3e6e27
In the ARP request you can see the destination MAC address is FF:FF:FF:FF:FF:FF which is the broadcast address. The target MAC address is all zeroes, this makes sense since that’s the address we are looking for, it’s unknown.
Rene
19 posts were merged into an existing topic: ARP (Address Resolution Protocol) explained
Tell us about the ARP encapsulation OSI