ARP – Address Resolution Protocol

ARP solves the problem of mapping between two protocols whose addresses differ in size.

It maps an IP address (32 bits) to a MAC address (48 bits).

How it works, in a nutshell:

Let’s assume that we have two hosts on different networks, A and B, and we want them to communicate with each other. What happens when host A tries to reach host B for the first time (ARP cache empty)?

  1. Since host A can determine from the IP and subnet mask combination that host B is on another network, host A sends a broadcast packet containing the following fields:
  • HW : 1 (Ethernet)
  • Protocol : 0x0800 IP
  • HW length : (6) 48 bit
  • Protocol length : (4) 32-bit
  • OPCode : 1 (Request)
  • H/W Source : aa:aa:aa:aa:aa:aa – MAC of host A
  • Protocol source : – IP of host A
  • HW Dest – ff:ff:ff:ff:ff:ff – MAC of broadcast address
  • Protocol dest – ip of gateway 

The gateway will respond with an ARP reply:

  • HW : 1 (Ethernet)
  • Protocol : 0x0800 IP
  • HW length : (6) 48 bit
  • Protocol length : (4) 32-bit
  • OPCode : 2 (Reply)
  • H/W Source : gg:gg:gg:gg:gg:gg – Gateway’s MAC
  • Protocol source : – IP of gateway
  • HW Dest : aa:aa:aa:aa:aa:aa
  • Protocol dest : – IP of host A

The same happens on the other side: if the gateway has no ARP entry for host B, it broadcasts an ARP request to host B’s broadcast domain (let’s assume we are using only one router), gets a response from the host, and saves its address in the ARP cache.

After the request/reply exchange we have the gateway in our ARP cache, so now we can send packets to B through the gateway.

  1. Host A sends a packet to the default gateway, with the destination MAC of the default gateway and the destination IP of host B.
  2. Before sending the packet further, the gateway changes the source MAC to its own; the destination IP is left the same.
  3. Host B replies: the MAC of the gateway is the destination MAC, and the IP of host A is the destination IP.

We must not forget about:

Gratuitous ARP – if a machine changes its MAC or services are moved, devices can end up with wrong data in their ARP caches. To update them, the machine can send gratuitous ARP requests.
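The fields listed above and the gratuitous ARP case can be seen in a small decoder. This is an added example, not code from the original post; the MAC and IP values are constructed samples, the function names are hypothetical, and treating "source IP equals target IP" as the gratuitous marker is the usual convention assumed here.

```python
import socket
import struct

# ARP payload for Ethernet/IPv4: HW, protocol, HW length, protocol length,
# opcode, then source/destination hardware and protocol addresses (28 bytes).
ARP_FMT = "!HHBBH6s4s6s4s"
OPCODES = {1: "request", 2: "reply"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload):
    """Decode an ARP payload into the fields listed in the post."""
    size = struct.calcsize(ARP_FMT)
    if len(payload) < size:
        raise ValueError("truncated ARP payload")
    hw, proto, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:size])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "src_mac": mac(sha), "src_ip": socket.inet_ntoa(spa),
        "dst_mac": mac(tha), "dst_ip": socket.inet_ntoa(tpa),
        # Assumed convention: a gratuitous ARP announces the sender's own IP.
        "gratuitous": spa == tpa,
    }

def check_cache(cache, pkt):
    """Update an IP -> MAC cache; return a note if a cached binding changed."""
    old = cache.get(pkt["src_ip"])
    cache[pkt["src_ip"]] = pkt["src_mac"]
    if old and old != pkt["src_mac"]:
        kind = "gratuitous ARP" if pkt["gratuitous"] else f"ARP {pkt['opcode']}"
        return f"{pkt['src_ip']} moved {old} -> {pkt['src_mac']} via {kind}"
    return None

def build(op, sha, spa, tha, tpa):
    """Construct sample ARP bytes (test data, not captured traffic)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(sha),
                       socket.inet_aton(spa), bytes.fromhex(tha),
                       socket.inet_aton(tpa))

# Constructed samples: the gateway's reply to host A, then a gratuitous
# announcement after the gateway IP has moved to a different MAC.
REPLY = build(2, "020000000001", "192.0.2.1", "aaaaaaaaaaaa", "192.0.2.10")
GRAT = build(1, "020000000099", "192.0.2.1", "ffffffffffff", "192.0.2.1")
```

Logging the note returned by `check_cache` gives a record of every binding change, so an unexpected move of the gateway's IP to a new MAC is visible rather than silently cached.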

A bit of info about ICMP, ping and traceroute

I’ve gone through RFC 792 and would like to share some basic (high-level) info about ICMP and how we use it.
  • It runs over the network layer – so it’s encapsulated in IP datagrams
  • Unreliable – a simple datagram service; there are no retries to retransmit a message if it fails to reach the destination
  • An ICMP message is generated using the header of the IP datagram (source address, destination address) plus the first 8 bytes of the original IP datagram’s payload; the message is then marked with a type and a code. Some of the types:
  • Host unreachable – when the IP datagram gets to the last router but the last router doesn’t know where the host is
  • Port unreachable – means that the port contained in the outgoing packet is not recognized at the receiver’s end

How PING uses ICMP:

The ping application calls ICMP directly; it sends an ICMP echo request (message type 8, code 0) to the receiver.

That gets encapsulated into an IP datagram and flows through the network; when the receiver gets it, it sends an echo reply – type 0, code 0.

How Traceroute uses ICMP and UDP – the *nix version, as Windows uses pure ICMP and sends echo requests until it gets an echo reply from the target (link):

  • For TRACEROUTE the goal is to discover all routers in the path, show the path and provide the round trip delay.

  • When we execute traceroute, it generates a UDP message which is encapsulated in an IP datagram; the TTL is set to 1 for the first message.

  • On reaching the first router, the TTL is decremented and becomes 0, which forces the router to drop the packet and send an ICMP message back to the sender with ICMP Type 11, which means TTL expired.

  • To send that TTL expired message back, the router takes the IP header data and the first 8 bytes of the IP payload.

  • When the TTL expired message reaches the source, traceroute knows that the TTL has expired and that this message arrived from the first-hop router. Traceroute also measures the round-trip time (how long it took from sending the UDP message to receiving TTL expired back).

  • Now it generates a second UDP message with only one change – the TTL field value is increased to 2, then to 3, and so on. It stops only when a destination port unreachable message arrives back.

  • When generating the requests, traceroute also picks a random unusable UDP port number. When our UDP datagram gets through all the routers to the destination, the receiver won’t recognize the UDP port number and will send an ICMP Type 3 Code 3 message – Destination Port Unreachable. After receiving that, traceroute ends the trace.

Picture of ICMP types taken from Stanford Networking course