What is ARP and how does it work?
ARP (Address Resolution Protocol) converts an Internet Protocol (IP) address to its corresponding physical network address. IP networks, including those that run on Ethernet and Wi-Fi, require ARP in order to function.
The Address Resolution Protocol (ARP) is used by the Internet Protocol (IP) to map IP network addresses to the hardware addresses used by a data link protocol. It operates below the network layer, as part of the interface between the OSI network layer and the OSI link layer. It is used when IPv4 runs over Ethernet.
Let's have a look at a normal ARP exchange. Please refer to the above diagram:
ARP cache on hostC1 at the start:
[student@hostC1 ~]$ arp -a
hostC1.test.ca (10.1.3.1) at 00:00:0a:01:00:21 on e0 permanent [ethernet]
routerC.test.ca (10.1.3.254) at 00:00:0a:01:00:08 on e0 expires in 1200 seconds [ethernet]
ARP cache on hostC2 at the start:
[student@hostC2 ~]$ arp -a
hostC2.test.ca (10.1.3.2) at 00:00:0a:01:00:22 on e0 permanent [ethernet]
routerC.test.ca (10.1.3.254) at 00:00:0a:01:00:08 on e0 expires in 1200 seconds [ethernet]
Send a single ping:
ping -c1 hostC2
PING hostC2.test.ca (10.1.3.2): 56 data bytes
64 bytes from 10.1.3.2: icmp_seq=0 ttl=64 time=0.052 ms
--- hostC2.test.ca ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.052/0.052/0.052/0.000 ms
ARP cache on hostC1 after the ping:
[student@hostC1 ~]$ arp -a
hostC1.test.ca (10.1.3.1) at 00:00:0a:01:00:21 on e0 permanent [ethernet]
hostC2.test.ca (10.1.3.2) at 00:00:0a:01:00:22 on e0 expires in 1006 seconds [ethernet]
routerC.test.ca (10.1.3.254) at 00:00:0a:01:00:08 on e0 expires in 506 seconds [ethernet]
ARP cache on hostC2 after the ping:
[student@hostC2 ~]$ arp -a
hostC1.test.ca (10.1.3.1) at 00:00:0a:01:00:21 on e0 expires in 960 seconds [ethernet]
hostC2.test.ca (10.1.3.2) at 00:00:0a:01:00:22 on e0 permanent [ethernet]
routerC.test.ca (10.1.3.254) at 00:00:0a:01:00:08 on e0 expires in 535 seconds [ethernet]
tcpdump output:
[student@hostC1 ~]$ sudo tcpdump -ne -vvv arp or icmp
tcpdump: listening on e0, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:37.012333 00:00:0a:01:00:21 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.1.3.2 tell 10.1.3.1, length 28
13:55:37.012377 00:00:0a:01:00:22 > 00:00:0a:01:00:21, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.1.3.2 is-at 00:00:0a:01:00:22, length 28
13:55:37.012379 00:00:0a:01:00:21 > 00:00:0a:01:00:22, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 15714, offset 0, flags [none], proto ICMP (1), length 84)
10.1.3.1 > 10.1.3.2: ICMP echo request, id 15627, seq 0, length 64
13:55:37.012381 00:00:0a:01:00:22 > 00:00:0a:01:00:21, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 15713, offset 0, flags [none], proto ICMP (1), length 84)
10.1.3.2 > 10.1.3.1: ICMP echo reply, id 15627, seq 0, length 64
Discussion:
Frame 1 is the Ethernet broadcast ARP Request from hostC1.
Frame 2 is the unicast ARP reply from hostC2 to hostC1.
Frame 3 is the ICMP echo request from hostC1 to hostC2.
Frame 4 is the ICMP echo reply from hostC2 to hostC1.
After the experiment, each host has the other host in its ARP cache.
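Frames 1 and 2 decoded at byte level, as an added example that is not part of the original page: it rebuilds the two 42-byte ARP frames from the addresses in the trace, parses them back, and shows which mapping each receiving host learns. The function names are hypothetical, and the zeroed target MAC in the request is an assumption because tcpdump does not print that field.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_frame(dst, src, op, sha, spa, tha, tpa):
    """14-byte Ethernet header + 28-byte ARP payload (Ethernet/IPv4)."""
    eth = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + socket.inet_aton(spa) + mac_bytes(tha) + socket.inet_aton(tpa)
    return eth + arp

def parse_arp_frame(frame):
    """Decode one frame; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("truncated ARP frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src),
            "op": OPCODES.get(op, f"unknown({op})"),
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}

def learn(cache, fields):
    """Record the sender's IP-to-MAC mapping, as the addressed host does."""
    cache[fields["sender_ip"]] = fields["sender_mac"]
    return cache

# Frames 1 and 2 rebuilt from the trace above (constructed sample input).
# Assumption: the request carries an all-zero target MAC.
REQUEST = build_arp_frame("ff:ff:ff:ff:ff:ff", "00:00:0a:01:00:21", 1,
    "00:00:0a:01:00:21", "10.1.3.1", "00:00:00:00:00:00", "10.1.3.2")
REPLY = build_arp_frame("00:00:0a:01:00:21", "00:00:0a:01:00:22", 2,
    "00:00:0a:01:00:22", "10.1.3.2", "00:00:0a:01:00:21", "10.1.3.1")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(len(frame), parse_arp_frame(frame))
```

hostC2 takes hostC1's mapping from the sender fields of the request, and hostC1 takes hostC2's from the reply, which is why both caches hold the other host after a single ping.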