ARP Protocol Explained

ARP is a link layer protocol in the TCP/IP model. It crosses the layer 3 in the OSI model, although it was created before the OSI model.

Each protocol layer has its own addresses, e.g. IP addresses or Ethernet addresses.

The Network layer addresses and the Link layer addresses are logically separated. But, they are used together in practice. In fact, it’s ARP that does that. ARP provides a logical mapping between a network layer address and a link layer address. We often think of Ethernet when we talk about link layer addresses. However, don’t forget that there are many other link layer technologies (by the way an Ethernet address is 48-bit long, or 6 bytes separated by colons).

In TCP/IP stack, ARP does not cross link layer boundaries (remember when we talked about cross-layer implementations). It sits in the Network layer, of the TCP/IP model.

Each TCP/IP host maintains an ARP cache. the duration of the ARP cache varies among implementations. E.g. on Mac OS X, ARP cache times out in 20 minutes.

ARP Table

The ARP table -aka ARP cache- displays a table of associations between link layer addresses and IP addresses.

To display the ARP table on a Cisco router, we enter one of the following commands:

  • show ip arp
  • show arp


Protocol Basic Operation

To send a frame on a link, the host needs to know the destination link layer address. When a host knows the destination Network layer address but not the destination link layer address, it reads the ARP cache to determine it. If the destination link layer address is not found in the ARP cache, the host sends an ARP Request saying “Who has the link layer that corresponds to network address X?”. When an ARP Reply is received, the host updates its ARP cache and sends the frame to the newly learned destination link layer address.

ARP Operation when hosts are separated by a gateway

Let’s suppose that we have two nodes: SRC and DST, on different networks, separated by many gateways.


SRC wants to ping DST. Let’s make sure the ARP cache of SRC is empty so that the whole ARP process fires from the beginning:


SRC host checks if DST host is on the same network as him (using calculations against the subnet mask). Even if we configure SRC and DST on the same subnet, these two guys really do not know that they are on the same network; they are dumb stations.

So SRC host finds that DST host is on a different subnet. SRC then needs to send data to a gateway in order to reach DST. SRC checks if it has a gateway IP address set. If yes, the next hop of the frame will be the link layer address of the gateway.

The Network layer at host SRC prepares the PDU to be encapsulated into a layer 2 frame. The layer 2 frame will be destined to the link layer address of the gateway. But SRC host does not know about the link layer address (for Ethernet, the MAC address) of the gateway yet. In fact, its ARP cache is still empty. So SRC buffers the ICMP Echo Request datagram and invokes the ARP process.

The ARP process crafts an ARP request PDU, which is encapsulated into a link layer frame. The frame is sent. Everybody on the link hears the ARP request. But only the gateway will answer because the ARP request contains an IP address that matches the IP address of the gateway interface that receives the frame.

The gateway Router1 sends an ARP reply that reaches only host SRC. Now host SRC has learned the link layer address of its gateway Router1. Therefore it updates its ARP cache with the IP address and the MAC address of Router1.

Host SRC now retrieves the ICMP Echo Request datagram from the buffer and encapsulates it into a link layer frame destined to the gateway Router1.

The gateway Router1 receives the frame, decapsulates the layer 3 PDU from it, reads the IP destination address, looks up its Forwarding Table (or CEF Table), determines the next hop (which is Router2 here), encapsulates the new layer 3 PDU back into a new frame (with a new header and trailer, depending on the transmission media) and sends it to the next hop, towards host DST.

This process repeats until the packets reach host DST.

ARP Replies are usually Unicast. Only the host that sent the ARP Request will hear the reply.

ARP Header Format

The ARP header is composed of the following fields:

ARP header format – copyright
  • HTYPE (1B): Hardware Type: determines the link layer protocol. E.g: 1 for Ethernet (10Mb)
  • PTYPE (1B): Protocol Type: determines the upper network layer protocol. E.g: 0x800 for IP
  • HLEN (1B): Hardware address Length: determines the length of the hardware address, in bytes. E.g: 6 for Ethernet
  • PLEN (1B): Protocol Length: determines the length of the network layer address, in bytes. E.g: 4 for IP
  • Opcode (aka Operations or OPER) determines whether the type of the ARP message:1 for Request, 2 for Reply, etc.
  • SHA (2B): Source Hardware Address: contains the link layer address of the sender of the ARP message
  • THA (2B): Target Hardware Address: contains the link layer address of the target of the ARP message
  • SPA (2B): Source Protocol Address: contains the network layer address of the source of the ARP message
  • TPA (2B): Target Protocol Address: contains the network layer address of the target of the ARP message.

ARP Probe

ARP Probe: an ARP message that tests if a newly-assigned network layer address (statically or via DHCP) is being used in the network or not. The SPA of the message contains all zeros. This is an implementation of the RFC specification “IPv4 Address Conflict Detection”.

Gratuitous ARP

Gratuitous ARP or GARP is a type of an ARP announcement. When a host is newly added to an Ethernet network, it sends a gratuitous ARP or GARP packet.

On one hand, if a host sees its link-layer address (MAC address on Ethernet networks) then it replies with an ARP Reply. Boom! We have two devices with the same IP address! In this case, the original sender generates a “duplicate IP address” on its system console interface.


On the other hand, hosts receiving the Gratuitous ARP, and having an ARP entry that contains the IP address of the sender, update the corresponding ARP entry in their ARP cache.

As for the ARP probe, the Gratuitous ARP can be a tool to detect address conflicts.

In addition to that, Gratuitous ARP packets help to update the ARP cache of all hosts that receive it.

Gratuitous ARP is said for both Gratuitous ARP requests and Gratuitous ARP replies.

  • a Gratuitous ARP request is a message where:
    • SPA = TPA = IP address of the sending machine,
    • SHA = The link-layer address of the sending machine,
    • THA = the link-layer broadcast address (ff:ff:ff:ff:ff:ff)
  • a Gratuitous ARP reply is a message where:
    • SPA = TPA = IP address of the sending machine, and
    • SHA = THA = link-layer address of the sending machine also.

Here is an example of a Gratuitous ARP header:

sample Gratuitous ARP header. The Source IP and the Target IP are the same

The reason it is not important whether the Gratuitous ARP is a request or reply because, in ARP, every host updates its ARP cache before processing the OpCode field.

Useful tutorials

Here is a collection of useful videos that explain the ARP protocol.

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI for short) is a security mechanism that builds a security database and prevents unauthorized hosts to connect to Ethernet networks.

ARP Broadcast

An ARP broadcast is simply an ARP request, since ARP requests are broadcast packets.

Cmd arp -a

Computers have their ARP caches. To display the ARP table on your Windows computer, enter the following command in a Windows shell:

arp -a

Flush ARP cache

It is possible to erase all ARP cache entries in Windows with the following command:

arp -d

ARP Request and Reply example in Wireshark

The ARP request is a broadcast:


The ARP reply is a unicast:


By the way, learning the ARP protocol is necessary to be able to ace the Wireshark exam.


  • ARP Packet Format, Wikipedia
  • Gratuitous ARP and DAD,

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *