Network Basics: Local Host ARP Requests - dummies

By Edward Tetz

For local hosts (hosts on your network segment), an Address Resolution Protocol (ARP) request starts with some type of network communication request between two computers. This could be a ping, the establishment of a Transmission Control Protocol (TCP) session, or a User Datagram Protocol (UDP) session. Regardless of the reason, the net result is the following process:

  1. The first host contacts another host.

    The first host performs an AND operation on its address and subnet mask, as well as the second host’s address and its subnet mask. This determines that the IP addresses belong on the same network, so the second host should be on the same network segment.

  2. This request goes down through the OSI layers until it hits the network layer (or the Internet layer in the IP network model). At that layer, the target IP address must be matched to a MAC or hardware address.

  3. The decision tree in the following figure is followed:


    The very first thing that is checked is the local ARP cache.

    The following section takes a closer look at what happens during that process.

    By default, items will not remain in the ARP cache of a computer for longer than ten minutes but are in the ARP cache of a Cisco network device for four hours. On a computer, the ARP cache contains only recent hosts that have had communication sessions.

  4. If the IP address you are trying to communicate with is not in the ARP cache, the address needs to be resolved.

    The following figure shows the first step in this process. Notice that the target hardware address is the broadcast address for Ethernet.

  5. The data request is placed on hold until the address is resolved, and an ARP request is generated and sent onto the network.

    All ARP requests have the same basic format: two hardware (or MAC) addresses and two protocol (or IP) addresses (source and target).

    The ARP request includes the sending host’s MAC and IP information as well as the IP address of the targeted host. The opcode for this type of packet is 0x0001, denoting that this is a request.


  6. The packet is sent to the local hardware broadcast address, so every computer on the local network segment sees that frame and processes it.

    Upon processing the frame and reading the packet information, most computers discard the data because their IP address does not match the one being searched.

  7. If a host does have that address, it records the source MAC and IP address in its own ARP cache, because if someone wants to talk to it, it will likely need to send data back shortly. It then builds its own ARP packet in response.

    The response ARP packet has an opcode of 0x0002, denoting that it is a reply. The ARP reply’s structure looks the same as the ARP request, except that all four address fields are filled in. Logically, it uses its own address as the sender address and the sender of the ARP request as the target. The following figure gives you an idea of what this looks like.


  8. With the response sent, the original host sees a frame on the local network segment that is addressed directly to its MAC address; it opens that frame and processes the ARP packet.

    The original host then knows the target MAC it needs to send its data to.

  9. The original host adds the ARP information to its ARP cache and then releases the data it had placed on hold, sending it to the target MAC address over the local network segment.
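The whole exchange can be reproduced offline. The following Python sketch is an added example, not code from the original article: it performs the step 1 AND check, builds the broadcast request (opcode 0x0001), lets each host discard or answer it, and caches the unicast reply (opcode 0x0002). The host addresses are constructed, and leaving the target hardware field inside the ARP body as zeros while the frame itself goes to the Ethernet broadcast address is an assumption based on common practice.

```python
import ipaddress
import struct

BROADCAST = b"\xff" * 6                 # Ethernet broadcast address
REQUEST, REPLY = 0x0001, 0x0002         # ARP opcodes named in the text
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen op SHA SPA THA TPA

def ip(text):
    return ipaddress.IPv4Address(text).packed

def same_segment(a, b, mask):
    """Step 1: AND both addresses with the subnet mask and compare."""
    m = int.from_bytes(ip(mask), "big")
    return int.from_bytes(ip(a), "big") & m == int.from_bytes(ip(b), "big") & m

def build(dst_mac, op, sha, spa, tha, tpa):
    """Ethernet header (EtherType 0x0806) plus ARP body for Ethernet/IPv4."""
    eth = dst_mac + sha + struct.pack("!H", 0x0806)
    return eth + ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse(frame):
    if len(frame) < 14 + ARP.size or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = ARP.unpack_from(frame, 14)
    return {"dst": frame[:6], "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def respond(frame, my_mac, my_ip, cache):
    """Steps 6-7: discard unless we own the target IP, else cache and reply."""
    p = parse(frame)
    if p["op"] != REQUEST or p["tpa"] != my_ip:
        return None
    cache[p["spa"]] = p["sha"]          # remember the requester
    return build(p["sha"], REPLY, my_mac, my_ip, p["sha"], p["spa"])

def resolve(me, target_ip, hosts):
    """Steps 3-9 from the requester's side; me and hosts are (mac, ip, cache)."""
    my_mac, my_ip, cache = me
    if target_ip not in cache:          # cache miss: ask the whole segment
        req = build(BROADCAST, REQUEST, my_mac, my_ip, bytes(6), target_ip)
        for mac, addr, host_cache in hosts:      # broadcast: every host sees it
            reply = respond(req, mac, addr, host_cache)
            if reply and parse(reply)["dst"] == my_mac:
                cache[target_ip] = parse(reply)["sha"]   # step 9: learn the MAC
    return cache.get(target_ip)

# Constructed sample hosts (not from the article): (MAC, IP, ARP cache)
A = (bytes.fromhex("020000000001"), ip("192.168.1.10"), {})
B = (bytes.fromhex("020000000002"), ip("192.168.1.20"), {})
C = (bytes.fromhex("020000000003"), ip("192.168.1.30"), {})
```

Calling `resolve(A, B[1], [B, C])` returns B's MAC address and leaves an entry in both A's and B's caches, while C's cache stays empty because it discarded the request.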