ARP

Adress Resolution is a Layer 2 network discovery protocol.

Adress resolution protocol(ARP) is a communication protocol used for discovering the link layer adress such as a MAC adress associated with a given internet layer adres. Usually an IPv4 adress.

Within Ipv6 networks the functionality of ARP is provided by the Neighbor Discovery Protocol

Reverse ARP

Reverse ARP (RARP) is a compliment to ARP

Transport protocol

ARP is broadcasted using mac addresses and hte data is contained in the ethernet frame.

High level operation

Client A is connected on the same subnet as Client B with both assigned a IPv4. Client A has to send a packet to client B. Through DNS it resolves that Client B has ip adress X.

To send a packet a MAC adres of Client B is also needed by Client A Client A first uses a locally cached ARP table to look up the IP of Client B.

If the adres is foudn then it sends a Ethernet frame with the destination mac adress containing the the IP packet.

If there is no entry for Client B in the local ARP cache then Client A will send out a broadcast ARP request message on (FF:FF:FF:FF:FF:FF) requesting an answer for an IP adres

Client B will respond with an ARP response message containing the MAC and IP adresses of the client. and sends it to Client A.

As part of this request Client B might store the IP and MAC of Client A in the local ARP cache.

Low level operation

The arp packet is 224 octets in length and it contains the following types

Hardware type;
Protocol type;
Hardware Length;
Protocol Lenght;
Operation;
Sender hardware address;
Sender Protocol Address;
Target Hardware Address;
Target Protocol Address;

The entries are arranged in the following manner in the packet

ARP Frame

Hardware Type: Each link layer protocol is assigned a numer used in this field. For Ethernet this number is 1.

Protocol Type: Each protocol is assigned a number used in this field. For example, IPv4 is 0x0800.

Hardware Length: Length in bytes of a hardware adres. The ethernet hardware MAC adress is 6 bytes long.

Protocol Lenght: Length in bytes of a logical adress. IPv4 adressses are 4 bytes long.

Operation: Specifies the operation the sender is performing. There are 4 types of ARP messages that may be send by the ARP protocol. These are identified by four values in the operation field of the ARP message. The types are:

ARP request
ARP reply
RARP request
RARP reply

Sender Hardware Address: the hardware adress of the sender

Sender Protocol Address: Protocol Adress opf the sender.

Target Hardware Adress: Hardware adress of the intended reciever. This field is left empty upon ARP request.

Target Protocol Adress : Protocol adress of the inteded reciever.

References

Cache Flood

Cache flooding is an attack that can flood the CAM table this causes a switch to switch to a HUB mode.

Spoofing

Spoofing ARP requests can change the routing of packets and is required for a Man in the middle attack.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified May 31, 2020