The Address Resolution Protocol (ARP) is a protocol used in network communication on the link layer ( second layer of the OSI model). This protocol is a crucial component in network communication in order to establish a communication link between devices, both on the subnet as well adjacent subnet. Without the ARP protocol, it becomes pretty hard for devices on the network to actually communicate through the physical layer. Let us take a look at ARP.
ARP Table
Network-related devices that support the link layer needs to have a table of media access control address (MAC address). for instance, switches, it is used for forwarding the packages on the correct physical wired or wireless connection. However, devices such as computers, smartphones that have an IP address associated need a table of all MAC addresses and their corresponding IP address. Thus, when sending a package to a device on the local network, the correct MAC address is assigned to the package. For instance, a common one is sending your package to the default gateway router, in order to forward your network packages to whatever server you are connected to. for instance, when browsing the web.
Protocol Header
The protocol header used for performing ARP requests is quite straightforward. For instance, the following image is an example of a broadcast package header.
The next image shows the actual header format.
- Hardware Type (16 bits): The link layer protocol type, such as Ethernet that has the value 0x1.
- Protocol Type (16 bits):
- Hardware Address Length (8 bits): The length in the numbers of bytes the hardware address, MAC is 6 bytes.
- Protocol Address Length (8 bits): The length in the numbers of bytes the protocol address, IP4 is 4 bytes.
- OPCode (16 bits): The operation, such as request, reply and etc.
- Sender IP Address: The sender protocol address.
- Sender MAC Address: The sender hardware address.
- Target IP Address: The target protocol address.
- Target Mac Address: The target hardware address.
Protocol Communication
The protocol uses a broadcast method that will send packages to all devices on the network. This is done by sending to a particular reserved MAC address, in this case, 00:00:00:00:00. This address differs from the link layer and on the network layer. Within the broadcasted message it will request what devices on the network, it commonly in many networks will request what devices have a particular IP address. In addition, it will provide a return MAC address so that whatever devices can send a reply it is the owner of the IP address along with its MAC Address.
Real-Life – Example
Package Capturing
The ARP protocol can be seen in action by using Wireshark, which is a very good network tool for doing a network kind of analysis on a network. The following table shows a package that is sent between routable devices to establish ARP tables between each other. Furthermore, the device with the specified IP will replay with an ARP package with its MAC address.
| No. | Time | Source | Destination | Protocol | Length | Info |
|---|---|---|---|---|---|---|
| 1 | 0.000000 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.202.148? Tell 77.105.203.254 |
| 2 | 0.028728 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.203.213? Tell 77.105.203.254 |
| 3 | 0.035586 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.202.86? Tell 77.105.203.254 |
| 4 | 0.051244 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.203.211? Tell 77.105.203.254 |
| 5 | 0.060240 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.203.216? Tell 77.105.203.254 |
| 6 | 0.060324 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.202.253? Tell 77.105.203.254 |
| 7 | 0.094020 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.203.179? Tell 77.105.203.254 |
| 8 | 0.116644 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.202.118? Tell 77.105.203.254 |
| 9 | 0.127775 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.202.45? Tell 77.105.203.254 |
| 10 | 0.140879 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.202.246? Tell 77.105.203.254 |
| 11 | 0.143240 | Cisco_3a:77:d1 | Broadcast | ARP | 60 | Who has 77.105.202.240? Tell 77.105.203.254 |
In addition to the usage of the ARP protocol. It is possible to take advantage of the protocol for another use case. By broadcasting an ARP request to all devices on the network, it will behave as a scanning software. There is much software that can perform ARP scans such as arpsc and many more. It is a very easy program to create and, would be recommended that you wrote your own.
Linux
On Linux, it is very easy to print the ARP table by using many of the command line tools. One of these tools is the arp that can be installed by installing the net-tools package. This is done by using the apt program that will install the package with all the binaries, manual and etc.
sudo apt update && sudo apt install net-tools
With the package installed, the program can be used by executing the command: ‘arp -a’ . See following:
user@hostname:~$ arp -a gatewayrouter (192.168.2.1) at 68:05:ca:3b:eb:bd [ether] on wlp2s0 user@hostname:~$
Free/Open software developer, Linux user, Graphic C/C++ software developer, network & hardware enthusiast.