ARP - secuguru/security-terms GitHub Wiki
ARP (Address Resolution Protocol) is a protocol used in networking to map an IP address (Layer 3) to a physical MAC address (Layer 2) within a local network. When a device wants to communicate with another device on the same network, it needs to know the recipient’s MAC address to send the data at the hardware level.
Key Functions of ARP:
- Linking IP Address to MAC Address: ARP allows devices to find the MAC address corresponding to a known IP address. It is essential for communication within a local area network (LAN), such as when one device wants to send data to another device on the same network.
- ARP Cache: To avoid repeatedly broadcasting ARP requests, devices maintain an ARP cache. The ARP cache stores recently resolved IP-to-MAC mappings, so the device checks the cache before broadcasting a new ARP request.
How ARP Works:
- ARP Request: When a device wants to send data to a specific IP address, it first checks its ARP cache to see if the corresponding MAC address is already known. If it is not in the cache, the device broadcasts an ARP request to the entire network, asking, for example, “Who is 0.0.0.0? Tell 0.0.0.1.” In this message:
  - “Who is 0.0.0.0?” is the device asking for the MAC address of the IP address it wants to communicate with.
  - “Tell 0.0.0.1.” is the request for the device with IP address 0.0.0.0 to reply to the requester (0.0.0.1) with its MAC address.
- ARP Reply: The device with the requested IP address (0.0.0.0) responds with its MAC address. This reply is sent directly to the original requester (0.0.0.1), and the mapping is stored in the ARP cache.
- Cache Lookup: For future communication with the same IP address, the device will look at the ARP cache first to see if the IP-to-MAC mapping is still valid. If it is found, the device can immediately use the cached MAC address without broadcasting another ARP request.
Example Scenario:
- Device A (IP: 192.168.1.10) wants to send data to Device B (IP: 192.168.1.20).
- Device A checks its ARP cache but doesn’t find an entry for 192.168.1.20.
- Device A broadcasts an ARP request: “Who is 192.168.1.20? Tell 192.168.1.10.”
- Device B replies with its MAC address.
- Device A stores the mapping in its ARP cache for future use.
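
The scenario above at the packet level, as an added example that is not part of the original wiki page: it builds and parses the 28-byte ARP payload defined in RFC 826 for Device A's request and Device B's reply. The MAC addresses are constructed for illustration (the page gives only the IP addresses), and the function names are hypothetical.

```python
import socket
import struct

# RFC 826 ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sender_mac": mac_str(sha),
            "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}

def describe(pkt):
    if pkt["oper"] == REQUEST:
        return f"Who is {pkt['target_ip']}? Tell {pkt['sender_ip']}."
    return f"{pkt['sender_ip']} is at {pkt['sender_mac']}"

def run_scenario():
    # Constructed MAC addresses; the page gives only the IP addresses.
    mac_a, mac_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    cache_a = {}                                   # Device A's ARP cache
    # In a request the target MAC field is all zeros: it is the unknown.
    req = parse_arp(build_arp(REQUEST, mac_a, "192.168.1.10",
                              "00:00:00:00:00:00", "192.168.1.20"))
    # Device B answers because the requested target IP is its own.
    rep = parse_arp(build_arp(REPLY, mac_b, req["target_ip"],
                              req["sender_mac"], req["sender_ip"]))
    cache_a[rep["sender_ip"]] = rep["sender_mac"]  # A stores the mapping
    return describe(req), describe(rep), cache_a
```
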
Summary:
- ARP resolves IP addresses to MAC addresses for communication within a LAN.
- A device checks its ARP cache before broadcasting a request.
- ARP requests are like “Who is 0.0.0.0? Tell 0.0.0.1,” helping devices discover MAC addresses associated with IP addresses.