Although every machine on the internet has one or more IP address, these

can’t actually be used for sending packets. Because the data link layer
hardware does not understand IP address. Nowadays, most hosts are
attached to a LAN by an interface board that only understands LAN
address. For example, every Ethernet board has 48 bit Ethernet address.
Manufactures of Ethernet boards request a block of address from authority
center. Two boards can not have same address. These boards send and
receive frames (packets) based on 48 bit Ethernet address. Boards know
nothing about IP address. At this point it is clear that, IP address must be
mapped onto data link layer address.

Address resolution provides a mapping between two different forms of

adress:32 bit IP address and whatever type of address the data link uses.
RFC826 is the specification of ARP. These mapping is done dynamically.
This means, it happens automatically and is normally not a concern of
either the application user or the system administrator.

At this point, an example can be used to explain, how this work. In figure
1, there are two Ethernets, one in Computer Science Department, with IP
address 192.31.65.0 and one in Electrical Engineering Department with IP
address 192.31.63.0. These are connected by a campus FDDI ring with IP
address 192.31.60.0 . Each machine on an Ethernet has a unique Ethernet
address, labeled E1 through E6, and each machine on the FDDI ring has an
FDDI address labeled F1 through F3[2].

Router has 2 IP Router has 2 IP

addresses addresses

192.31.60.4

192.31.60.7 192.31.63.3
192.31.65.7 192.31.65.5 192.31.65.1 192.31.63.8

1 2 3 4

F1 F3

E1 E2 E3 E4 E5 E6

CS Ethernet
EE Ethernet
192.31.65.0
192.31.63.0
 Campus Ring
`
192.31.60.0

if user on host 1 sends a packet to a user on host 2 (assume the sender

knows the name of the intended receiver, possibly something like
mary@eagle.cs.hun.edu.tr), the first step is to find IP address for host 2,
known as cs.hun.edu.tr. This look up is performed by the DNS. DNS returns
192.31.65.5 for host2. Upper layer software of on host 1 builds packet with
192.31.65.5 in destination address field and gives it to the IP software to
transmit. The IP software can look at the address and see that the
destination is on its own network. But it needs a way to find destination
address. At this point host1 discards the packet (assumes it can be
retransmitted by higher level), output a broadcast packet onto the Ethernet
asking : ‘Who owns IP address 192.31.65.5 ?’. The broadcast will arrive at
every machine on Ethernet 192.31.65.0, and each one check its IP address.
Host2 will alone respond with its Ethernet address (E2). In this way host1
learns that IP address is on the host2 with Ethernet address E2. The
protocol for asking question and getting reply is called Address
Resolution Protocol-ARP. Almost every machine on the internet runs in.
It is defined in RFC826.

Advantage of ARP is its simplicity. The system manager does not have to
do much except assign each machine an IP address and decide subnet
masks. ARP does the rest.

When Host1 gets Ethernet address of host2, it gains packet from higher
level, builds an Ethernet frame addressed to E2, puts the 192.31.65.5
addressed IP packet in the payload field, and dumps it onto the Ethernet.
The Ethernet board of host2 detects this frame, recognizes it as s frame for
itself, scoops it up, and causes an interrupt. The Ethernet driver extracts
the IP packet from the payload and passes it to IP software, which sees that
it is correctly addressed and processes it.

1.2.ARP Cache

ARP caches the result in case it needs to contact the same machine shortly.
Next time it will find the mapping in its own cache, thus eliminating the
need for a second broadcast. In many cases destination host cashes
sender Ethernet address, because it may need to communicate sender[2].
Essential to the efficient operation of ARP is the maintenance of an ARP
cache on each host. This cache maintains the recent mappings from
Internet address to hardware addresses. ARP Cache can be examined with
arp command with –a option. An example of this command’s output is[1]

bsdi % arp –a

sun (140.252.13.33) at 8:0:20:3:f6:42

svr4 (140.252.13.34) at 0:0:c0:c2:9b:26

An implementation of the ARP must provide a mechanism to flush out-of-

date cache entries. If this mechanism involves a timeout, it should be
possible to configure the timeout value.

A mechanism to prevent ARP flooding (repeatedly sending an ARP Request

for the same IP address, at a high rate) must be included. The
recommended maximum rate is 1 per second per destination. Four
mechanisms have been used, sometimes in combination, to flush out-of-
date cache entries [7]:

1.Timeout : Periodically time out cache entries, even if they are in use.
Note that this timeout should be restarted when the cache entry is
"refreshed" (by observing the source fields, regardless of target
address, of an ARP broadcast from the system in question). For proxy ARP
situations, the timeout needs to be on the order of a minute. The normal
expiration time of an entry in the cache is 20 minutes from the time the
entry was created.

2.Unicast Poll : Actively poll the remote host by periodically sending a

point-to-point ARP Request to it, and delete the entry if no ARP Reply is
received from N successive polls. Again, the timeout should be on the order
of a minute, and typically N is 2.

3.Link-Layer Advice : If the link-layer driver detects a delivery problem,

flush the corresponding ARP cache entry.

4.Higher-Layer Advice : Provide a call from the Internet layer to the link
layer to indicate a delivery problem. The effect of this call would be to
invalidate the corresponding cache entry. This call would be
analogous to the "ADVISE_DELIVPROB()" call from the transport layer to the
Internet layer and in fact the ADVISE_DELIVPROB routine might in turn call
the link-layer advice routine to invalidate the ARP cache entry.

1.3. ARP Packet Format

To communicate mappings from <protocol, address> pairs to 48.bit

Ethernet addresses, a packet format that embodies the Address Resolution
protocol is needed. The format of the packet follows:

0 8 16 24
32
Hardware Type Protocol Address Type
MAC Adr. Size Prtcl Adr. Size
Operation
Length Length
Sender’s MAC Address (6 Bytes)
Sender’s Protocol Address (4
Bytes)
Target MAC Address (6 Bytes)

Target Protocol Address (4 Bytes)

Figure 2. ARP Packet Format

For Ethernet transmission there is an Ethernet header like this [4]:

48.bit: Ethernet address of destination

 48.bit: Ethernet address of sender

16.bit: Frame Type

The first two field in the Ethernet header re source and destination
Ethernet addresses. The special Ethernet destination address of all one bits
means the broadcast address. All Ethernet interfaces on the cable receive
these frames.

The 2 byte frame type specifies the type of data that follows. For an ARP
request or an ARP reply, this field is 0x806

Hardware type field specifies the type of of hardware address. Its value is 1
for an Ethernet. Protocol Address Type specifies the type of protocol
address being mapped. Its value is 0x0800 for IP addresses. This is
purposely the same value as the type field of an Ethernet frame containing
an IP datagram [4].

MAC Address Size specifies the size in bytes of the hardware addresses.
Protocol Address Size specifies the size in bytes of the protocol addresses.
For an ARP request or reply for an IP address on an Ethernet they are 6 and
4. They are included for optional consistency checking, and for network
monitoring and debugging [4].

The operation field specifies the operation is an ARP request (a value of 1),
ARP reply (2), RARP request (3) or RARP reply (4) [4].

The next two fields that fallow are the sender’s hardware address (may be
an Ethernet address), the sender’s protocol address (an IP address) are
absolutely necessary [4].

Target protocol address is necessary in the request form of the packet so

that a machine can determine whether or not to enter the sender
information in a table or to send a reply. İt is not necessary needed in the
reply form if one assumes a reply is only provoked by a request. It is
included for completeness and network monitoring [4].
The target MAC address is included for completeness and network
monitoring. It has no meaning in the request form, since it is this number
that the machine requesting. Its meaning in reply form is the address of the
machine making the request. In some implementations this may save some
register shuffling or stack space by sending this field to that hardware
driver as the hardware destination address of the packet [4].

There are no padding bytes between addresses. The packet data should be
viewed as s byte stream in which only 3 byte pairs are defined to be words
(hardware type, protocol address type, operation) which are sent most
significant byte first [4].

Notice that, there is no duplication of information: the sender’s hardware

address is available both in the Ethernet header and in the ARP request [4].

1.4. ARP Packet Generation

As a packet is sent down through the network layers, routing determines

the protocol address of the next hop for the packet and on which piece of
hardware it expects to find the station with the immediate target protocol
address. In the case of the 10Mbit Ethernet, address resolution is needed
and some lower layer (probably the hardware driver) must consult the
Address Resolution module (perhaps implemented in the Ethernet support
module) to convert the <protocol type, target protocol address> pair to a
48.bit Ethernet address. The Address Resolution module tries to find this
pair in a table. If it finds the pair, it gives the corresponding 48.bit Ethernet
address back to the caller (hardware driver) which then transmits the
packet. If it does not, it probably informs the caller that it is throwing the
packet away (on the assumption the packet will be retransmitted by a
higher network layer), and generates an Ethernet packet with a frame type
field of ether_type$ADDRESS_RESOLUTION. The Address Resolution
module then sets the hardware type field to Ethernet, protocol address
type field to the protocol type that is being resolved, MAC address size
field to 6 (the number of bytes in a 48.bit Ethernet address), protocol
address size field to the length of an address in that protocol, operation
field to ares_op$REQUEST, sender’s MAC address field to the 48.bit
Ethernet address of itself, sender’s protocol address to protocol address of
itself, and target protocol address field with the protocol address of the
machine that is trying to be accessed. It does not set target MAC address
field to anything in particular, because it is this value that it is trying to
determine. It could set target MAC address field to the broadcast address
for the hardware (all ones in the case of the 10Mbit Ethernet) if that makes
it convenient for some aspect of the implementation. It then causes this
packet to be broadcast to all stations on the Ethernet cable originally
determined by the routing mechanism [4].

Notice that, ARP was designed to be used on networks that support

hardware broadcast. This means, for example, that ARP will not work on an
X.25 network [3].

1.5. ARP Packet Reception

When an address resolution packet is received, the receiving Ethernet

module gives the packet to the Address Resolution module which goes
through an algorithm similar to the following [3]:

l for finding a host's hardware address when only its network layer address is known.
This protocol operates below the network layer as a part of the interface between the
OSI network and OSI link layer. It is used when IPv4 is used over Ethernet.Before
stepping into the nuances of it lets go through its Frame structure of this protocol.

ARP Frame Format and types

ARP Packet Format
The above fig shows the ARP format used , below is the explanation of each field:

Hardware type
Each data link layer protocol is assigned a number used in this field. For Ethernet it is 1.

Protocol type
Each protocol is assigned a number used in this field. For example, IPv4 is 0x0800.

Hardware length
Length in bytes of a hardware address. Ethernet addresses are 6 bytes long.

Protocol length
Length in bytes of a logical address. IPv4 addresses are 4 bytes long.

Operation
Specifies the operation the sender is performing: 1 for request, and 2 for reply.

There are actually four types of ARP messages that may be sent by the ARP protocol. These are
identified by four values in the "operation" field of an ARP message. The types of message are:

1.ARP request
2.ARP reply
3.RARP request
4.RARP reply

Sender hardware address

Hardware address of the sender.
Sender protocol address
Protocol address of the sender.

Target hardware address

Hardware address of the intended receiver. This field is zero on request.

Target protocol address

Protocol address of the intended receiver.

ARP Function explained

ARP is used in four cases when two hosts are communicating:

1.When two hosts are on the same network and one desires to send a packet to the other
2.When two hosts are on the different networks and must use a gateway or router to reach the
other host
3.When a router needs to forward a packet for one host through another router
4.When a router needs to forward a packet from one host to the destination host on the same
network

When an ARP response arrives, the receiver inserts a binding into an ARP cache so that it can be
used for further packets. The oldest entry is removed if the table is either full or after an entry has
not been updated recently. When an ARP request arrives, the receiver checks if it has the senders
protocol address in the cache; if so, then the receiver updates the cache entry with the sender's
binding. After a host replies to an ARP request, it adds the sender's binding to the cache - if a
message travels from one host to another, then a reply will often travel back.

To understand this further lets see how an ARP actually works:

ARP works by broadcasting the packet to all hosts attached to an Ethernet network. The packet
contains the IP address the sender is interested in communicating with. The target machine,
recognizing that the IP address in the packet matches its own, returns an answer. Hosts actually
keep a cache of ARP responses

Lets take an example here to study this concept by ARP across subnet:
From the fig above lets say:

 computer A needs to send some data to computer B

 Since host B is not on the same subnet, before sending computer A transmits an ARP request
in order to discover the MAC address of port A on the local router. This is done after the A
checks its ARP cache and it does not find an entry for the MAC address of port A.

 Once host A knows the MAC address, it transmits an Ethernet frame to the router.

 This router C will send an ARP request out of port B in order to discover the MAC address of
computer B.

 Once Computer B replies to this ARP request, the router will strip off the Ethernet frame from
the data and create a new one.

 The router replaces the source MAC address (originally host A address) with the MAC
address of port B. It will also replace the destination MAC address (originally port A) with the
MAC address of host B.The fig 1 shows the Message format used.

The following fig shows the basic strategy and principle used by ARP:
ARP Cache concept

The ARP cache contains a table containing matched sets of MAC and IP addresses. Each device
on the network manages its own ARP cache table. There are two ways in which ARP cache is
populated:

 Static ARP Cache Entries: In this type address resolutions are manually added to the
cache table for a device and are kept in the cache on a permanent basis.

 Dynamic ARP Cache Entries: These are hardware and IP address pairs that are added
to the cache by the software itself as a result of successfully completed past ARP resolutions.
They are kept in the cache only for a period of time and are then flushed. After a particular entry
times out, it is removed from the cache. The next time that address mapping is needed a fresh
resolution is performed to update the cache.

Note: A devices ARP cache can contain both static and dynamic entries.

Reverse ARP and Proxy ARP defined

Reverse Address Resolution Protocol (RARP) is a complement of the Address Resolution
Protocol. It is a network layer protocol used to obtain an IP address for a given MAC address.
The primary limitation of RARP is that each MAC address must be configured manually on a
centralised server, and that the protocol only conveys an IP address. Its useful for diskless
systems.

Proxy ARP a protocol that is used to hide a machine with a public IP on a private network
behind a router, and still have the machine appear to be on the public network "in front of" the
router. For this example, let's assume that host A is on a network segment connected to Router
A's interface A, and host B is on a network segment connected to Router A's interface B. Host A
wants to send data directly to host B, but doesn't have host B's MAC address. An ARP Request
sent to host B from host A will stop at the router as it is a broadcast - but with Proxy ARP, the
router A will actually answer the ARP Request with the MAC address of the router interface that
received the ARP Request.

In this case, Router A will respond to the ARP Request with the MAC address of it's own
interface A. This is transparent to the host A - when host A sends data to host B, the destination
IP address will be that of host B, but the destination MAC address will be that of RouterA's A
interface.

Though ARP is a simple resolution protocol its features and use with regards to network is
immense.