Introduction to ARP (Address Resolution Protocol)

According to abbreviationfinder, ARP stands for Address Resolution Protocol. This protocol associates an IP device, identified at the logical level by an IP address, with a network device, which at the physical level has a physical network address. It is typically used by devices on local networks, Ethernet being the most widespread environment today. There is also a RARP protocol, whose function is the reverse.


When a machine wants to contact another machine and knows only its IP address, it needs a dynamic mechanism to learn that machine's physical address. It therefore sends an ARP request by broadcast (i.e., to all machines). The protocol specifies that a machine answers the request only if the request carries that machine's IP address. Therefore, only the machine that corresponds to the searched IP address will reply, with a message that includes its physical address. Communications software must maintain a cache of IP/physical address pairs. In this way, the next time a transmission has to be made to that IP address, the physical address is already known.

The RARP protocol allows the workstation to find out its IP address from a lookup table between MAC addresses (physical addresses) and IP addresses hosted by a gateway located on the same local area network (LAN).

In order to do this, the administrator must define the parameters of the gateway (router) with the lookup table for MAC/IP addresses. Unlike ARP, this protocol is static. So the lookup table must always be up to date to allow the connection of new network interface cards.


The ARP protocol plays a key role among the Internet layer protocols of the TCP/IP suite, as it allows the physical address of the network interface card corresponding to an IP address to be known. That's why it's called the Address Resolution Protocol.

Each computer connected to the network has a 48-bit identification number. This is a unique number set in the factory at the time of card manufacture. However, communication on the Internet does not directly use this number (because the addresses of the equipment would have to be changed every time the network interface card is changed), but uses a logical address assigned by an agency: the IP address.

In order for physical addresses to be connected to logical addresses, the ARP protocol interrogates computers on the network to find out their physical addresses and then creates a lookup table between the logical and physical addresses in a cache.

When a computer needs to communicate with another, it consults the lookup table. If the required address is not found in the table, the ARP protocol sends a request to the network. All computers on the network compare this logical address with their own. If one of them recognizes the address as its own, it responds to the ARP request, ARP stores the address pair in the lookup table, and communication can then be established.

Work mode

The IP protocol addressing system poses a problem from the physical level addressing point of view. For example, on an Ethernet local network, two devices can only communicate if their respective physical MAC addresses are known. Based on its operation, the ARP protocol is a network level protocol according to the OSI reference model, and its specification is given in RFC 826.

The ARP protocol allows physical addresses to be found based on the IP addresses of devices. This is done in two steps:

  • First, an ARP request packet is broadcast containing, among other data, the IP address to be located. All devices on the network receive this message.
  • Second, only the device whose IP address matches the one received responds, with an ARP response packet. This packet contains the physical (MAC) address of that device. Upon receipt of the response, the first device “learns” the physical (MAC) address of the second. This information is kept in a cache for subsequent transmissions. The entries in the cache are associated with a timer to allow the physical address of a device to be modified dynamically, because:
      1. the IP address can be changed for operational needs, and
      2. the physical MAC address also changes if the network card is changed.

The calls to the ARP protocol come from the link level protocols, since these are the ones that receive the IP protocol packets with their IP addresses and, in order to build their frames, require the MAC addresses equivalent to these IP addresses.

When the ARP protocol receives a request for a MAC address, it follows this procedure:

  • It first consults the ARP table of the device itself.
  • If such an IP address is found in the ARP table, it responds with the corresponding physical address.
  • If it is not in the ARP table, it sends a broadcast ARP request.
  • When it receives the response, it stores the corresponding physical and IP address in its ARP table for possible future use.
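The lookup procedure above, together with the cache timer described earlier, as an added example that is not part of the original page. The LAN is simulated in memory, the class and function names are hypothetical, the addresses are constructed from documentation ranges, and the lifetime uses the 20-minute entry duration this page gives for the table.

```python
ENTRY_LIFETIME = 20 * 60  # seconds; the 20-minute entry duration stated on this page


class Lan:
    """Constructed stand-in for a broadcast segment: IP -> MAC of attached hosts."""

    def __init__(self, hosts):
        self.hosts = dict(hosts)
        self.broadcasts = 0

    def arp_request(self, target_ip):
        # Every host sees the broadcast; only the owner of target_ip replies.
        self.broadcasts += 1
        return self.hosts.get(target_ip)


class ArpCache:
    def __init__(self, lan, lifetime=ENTRY_LIFETIME):
        self.lan = lan
        self.lifetime = lifetime
        self.table = {}  # ip -> (mac, time the entry was learned)

    def resolve(self, ip, now):
        entry = self.table.get(ip)
        if entry and now - entry[1] < self.lifetime:
            return entry[0]                 # found in the ARP table
        self.table.pop(ip, None)            # missing or timer expired
        mac = self.lan.arp_request(ip)      # broadcast ARP request
        if mac is not None:
            self.table[ip] = (mac, now)     # store the pair for future use
        return mac


def demo():
    lan = Lan({"192.0.2.10": "00:00:5e:00:53:0a"})   # constructed sample host
    cache = ArpCache(lan)
    first = cache.resolve("192.0.2.10", now=0)       # miss: broadcast
    second = cache.resolve("192.0.2.10", now=60)     # hit: no traffic
    lan.hosts["192.0.2.10"] = "00:00:5e:00:53:0b"    # network card replaced
    stale = cache.resolve("192.0.2.10", now=600)     # entry still valid: old MAC
    fresh = cache.resolve("192.0.2.10", now=1300)    # expired: new MAC learned
    missing = cache.resolve("192.0.2.99", now=1300)  # nobody owns this IP
    return first, second, stale, fresh, missing, lan.broadcasts
```

Until the timer expires, the cache keeps handing out the old MAC address after the card is replaced, which is the situation the timer exists to bound.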

ARP refinement

To avoid the network traffic caused by ARP when many requests are made, the chapter analyzes request needs and explains the refinements that ARP adopts in order not to saturate the network.

ARP encapsulation and identification

This section specifies how an ARP-type message is sent and received, encapsulated in an Ethernet frame. It answers whether the ARP message is encapsulated in a frame or a datagram.

Packet structure

This section explains the format of the ARP/RARP message when it is used to translate an IP address into an Ethernet address.

The ARP message corresponds to the data field of the link level protocol of the network in question. Thus, if it is an 802.3/Ethernet network with the 802.2 SNAP protocol, the source and destination SAP fields contain the number 170, and the Ethernet type field contains 2054, indicating that it is an ARP message. For this reason it is considered to be a network layer protocol according to the OSI reference model.

The destination physical address field is set to 0 in the request message. The destination device will insert its physical address in the ARP reply message.
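The encapsulation just described, as an added example that is not part of the original page: it builds and parses an ARP message inside both an Ethernet II frame and an 802.3 frame with 802.2 SNAP, using the values 170 and 2054 given above and the RFC 826 field layout. The function names are hypothetical, and the test addresses are constructed from documentation ranges.

```python
import socket
import struct

ETHERTYPE_ARP = 2054        # 0x0806, the type value given above
SNAP_SAP = 170              # 0xAA, the SAP value given above
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 fields for Ethernet + IPv4 (28 bytes)
REQUEST, REPLY = 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

def build(op, sha, spa, tha, tpa, dst, snap=False):
    """Build an Ethernet frame carrying one ARP message."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha,
                      socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    if not snap:  # Ethernet II: the type field follows the two MAC addresses
        return dst + sha + struct.pack("!H", ETHERTYPE_ARP) + arp
    # 802.3: length field, then LLC (DSAP, SSAP, control) and SNAP (OUI, type)
    llc = struct.pack("!BBB3sH", SNAP_SAP, SNAP_SAP, 3, b"\x00" * 3, ETHERTYPE_ARP)
    return dst + sha + struct.pack("!H", len(llc) + len(arp)) + llc + arp

def parse(frame):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 14:
        return None
    (field,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if field <= 1500:  # a length, not a type: expect LLC/SNAP next
        if len(frame) < 22 or frame[14] != SNAP_SAP or frame[15] != SNAP_SAP:
            return None
        (field,) = struct.unpack_from("!H", frame, 20)
        offset = 22
    if field != ETHERTYPE_ARP or len(frame) < offset + struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack_from(
        ARP_FMT, frame, offset)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": socket.inet_ntoa(spa),
            "tha": tha, "tpa": socket.inet_ntoa(tpa)}

def reply_to(request_frame, my_ip, my_mac):
    """Answer a request only if it asks for my_ip; otherwise stay silent."""
    req = parse(request_frame)
    if req is None or req["op"] != REQUEST or req["tpa"] != my_ip:
        return None
    # The responder's MAC travels in the reply's sender hardware address field.
    return build(REPLY, my_mac, my_ip, req["sha"], req["spa"], dst=req["sha"])
```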

Tricks to visualize the content of the table

On UNIX, the arp -a command can be used to get the contents of the table.

The duration of an entry is 20 minutes.

    arp [-vn] [-H type] [-i if] -a [hostname]

    aucanada% arp -a
    ( at 00:20:E1:10:4f:34 [ether] on eth0
    ( at 00:10:F8:B3:E4:00 [ether] on eth0

On Windows, there is also the arp command and its syntax for ARP table display is ARP.
