Address Resolution Protocol

The Address Resolution Protocol (ARP) is a network protocol that the physical address (hardware address) of the network access layer determines to a network address of the Internet layer and optionally stores this mapping in the so-called ARP tables of the participating hosts. It is almost exclusively related to the IPv4 address to Ethernet networks, that is used for the determination of MAC addresses to IP addresses given, though it is not limited thereto. For IPv6, this functionality is not ARP, but by the Neighbor Discovery Protocol (NDP ) is provided.

  • 6.1 ARP Spoofing


MAC address (hardware address) is assigned by the manufacturer of an Ethernet network card or an Ethernet -enabled device. The address of each interface is theoretically unique worldwide. Some networks, such as Novell and DECnet, the network addresses are uniquely mapped to the Ethernet addresses, for instance, by the MAC address is supplemented by other information. A sender can then easily determine the receiver 's MAC address from the network address.

IP addresses are assigned by the IANA ( Internet Assigned Numbers Authority ). Since IPv4 addresses are only 32 bits, they are not able to store MAC addresses. For this reason, there is no fixed relationship between MAC addresses and IP addresses. Before a computer on an Ethernet sends an IP packet to a computer on the same subnet, it must be packed in an Ethernet frame information. For this purpose he must the MAC address of the target computer know and insert in the appropriate field of the Ethernet frame. Is it this is not known, it can not deliver the IP packet. Instead, he then determined using the ARP first the MAC address of the target computer.

Operation on the example Ethernet

It is an ARP request (ARP Request) sent with the MAC address and the IP address of the inquiring computer as the source address and the IP address of this computer as a receiver IP address to all computers on the local network. As a receiver, MAC address, the broadcast address is then ff -ff -ff -ff -ff - FF16 used. A computer receives such a packet, it looks to see if this packet contains its IP address as the receiver's IP address. If this is the case, it replies with sending back its MAC address and IP address ( ARP reply or ARP Reply ) to the source MAC address of the requester. This, upon receipt of the response the received combination of IP and MAC address in its ARP table, called the ARP cache, a. For ARP Request and ARP Reply packet, the same format will be used.

In addition, the recipient of ARP requests can also enter the combination of IP address and MAC address of the requesting computer in its ARP table or update an existing entry. In particular, the computer with the requested in the ARP request IP address should make this entry, since it can be assumed that the ARP request as a preparation for further communication shall serve on a higher protocol level, which he then for any answers also the MAC address of the requestor needs.

The ARP cache contains a four-column table is generally composed of . The time interval after an entry from the ARP cache is cleared is implementation dependent. To discard current Linux distributions entries after about 5 minutes. Once an entry is used in the table, the end of which time is prolonged.

On Unix and Windows, the ARP cache can be displayed with arp (or arp -a) and manipulated. With the addition arping program can be sent manually requirements.

ARP in a global context

The ARP is responsible for resolving the MAC addresses in the local network. If data over network boundaries being broadcast, the Internet Protocol ( IP) is used. IP implementations can be seen in the situation, that a packet is not destined for the local subnet and send it to a local router that handles the forwarding of the packet. This router in turn has a local MAC address, which can be determined through ARP.

The following flow chart shows the relationship of IP routing with ARP is:

Packet format

The ARP packet is adjacent to the Ethernet MAC header. The type field in the Ethernet frame is set to 0x0806 ( 2054 ). This number is reserved for the ARP protocol. This will allow ARP packets from packets of other protocols such as IP are different.

As the package is very short, additional bytes must usually in the Ethernet frame between ARP packet and CRC are added ( padding) to reach the minimum frame length of 64 bytes.

Although ARP was originally developed for IPv4 and MAC addresses, address types and log size fields are provided in the package. ARP is thus also suitable for other protocols. For IPv6, the protocol address size instead of 4 could be set to 16 bytes and the address fields to 128 bits (= 16 bytes) can be extended but ARP is used for IPv6 Neighbor Discovery Protocol by the (NDP ) replaced, which is based on ICMPv6.

Hardware address type (2 bytes) contains the type of the MAC address in the packet ( for Ethernet: 1).

Protocol address type (2 bytes) contains the protocol type that is requested for the MAC address ( for IPv4 addresses: 0x0800 ( 2048) ).

Hardware address size (1 byte) contains the size of the MAC address ( for Ethernet: 6).

Protocol address size (1 byte) contains the size of the protocol ( for IPv4: 4).

Operation ( 2 bytes) contains a value that indicates which operation is to be executed ( one for ARP Request 2 for ARP reply ).

Source MAC address ( 6 bytes) contains an ARP request, the MAC address of the transmitter. In an ARP reply, it contains the MAC address of the responding host or next-hop router.

Source IP address ( 4 bytes for IPv4) contains in an ARP request the IP address of the requesting host. In an ARP reply, it contains the IP address of the responding host or next-hop router.

Destination MAC address ( 6 bytes) in an ARP request is a broadcast ( FF: FF: FF: FF: FF: FF). In an ARP reply, it contains the MAC address of the requesting host.

Destination IP address ( 4 bytes for IPv4) is the IP address of the desired host in an ARP request. In an ARP reply, it contains the IP address of the requesting host.

Special ARP messages

Proxy ARP

Proxy ARP allows a router to answer ARP requests for hosts.

The hosts are doing in separated by a router networks - use uncharacteristically but the same IP address range. When communicating the router is transparent to the hosts, that is, he does not need to be specifically addressed, but the hosts can send packets as usual over different networks.

Computer A sends an ARP request to computer B, the router intermediate reacts instead of the computer B with an ARP reply and the hardware address of the interface ( MAC of the ports on the router ) on which the request was received. The requesting computer A then sends its data to the router, which then forwards it to computer B.

Proxy ARP can be seen in the ARP cache from computer A. If the same MAC address is registered for multiple IP addresses, the router works with this MAC address as a proxy. The entries can also be an indication of an attack by ARP spoofing.

Gratuitous ARP

Gratuitous ARP (English " unsolicited ARP " ) refers to a special use of ARP. In this case, a host sends an ARP request broadcast in which he shall record its own IP address as the source and destination IP address. He shares his possibly new MAC address with unsolicited. This can serve several purposes:

RARP - Reverse ARP

The Reverse ARP (RARP ) works in reverse to ARP. It can thus resolve MAC addresses to IP addresses. This is useful for determining the local IP address for devices in which no permanent storage or assignment of an address is provided. Both protocols have the same packet format. However, the applications of RARP and ARP differ substantially.


ARP is invisible to the user, so the presence of this protocol is usually only noticed when rare errors occur.

The duration of the validity of an ARP entry ( usually a few minutes) can be a problem if incorrect entries. As long as an incorrect entry exists, can not be communicated with the host in question. The malfunction is often attributed to the ARP protocol, but the power, or a fault in the network implementation. In addition, does not allow any operating system generating a corrected entry or a request.

More serious is entering data in the ARP cache of packets for which no request was generated ( blind faith ). An overloaded host that performs an old IP address, responds to the last most likely to an ARP request with a reply containing the wrong address. This last package overwrites the ARP table of all devices in the network, an erroneous entry remains.

ARP Spoofing

With ARP spoofing, it is possible to intentionally distribute an incorrect hardware address in a network. This allows the traffic for one computer to another deflected and possibly even changed by this ( man-in- the-middle attack). This poses a security problem

ARP spoofing is very easy to implement due to the architecture of ARP. It simply must be sent with the wrong MAC-/IP-Kombinationen ARP packets. Then none of the recipients computer will do any checks, but simply enter the data in its cache.

Modern implementations modify the ARP table for ARP replies for which a request has been previously generated by the relevant host.