As an IT professional, I sometimes catch myself thinking of network communications in terms of IP addressing. As we all know, however, IP addresses are only one mechanism for identifying a node on a network. Network nodes can also be identified by their Media Access Control address, or MAC address. A MAC address is a hardware-level address that uniquely identifies a network interface on the network. There are also virtual MAC addresses, but this discussion will focus on physical addresses.
How ARP works
When a device needs to send data to another device on an IP network, it has to be able to determine the recipient device’s MAC address. This is where the Address Resolution Protocol, or ARP, comes into play. ARP’s job is to determine the MAC address that corresponds to a given IP address.
Of course, network communications would be really slow if an ARP translation had to be performed for every single packet that was sent across a network. To improve performance, devices make use of an ARP cache. The ARP cache is simply a list of known IP address to MAC address mappings. Therefore, if a device needs to determine the MAC address that corresponds to a particular IP address, it looks at the ARP cache to determine whether the recipient’s MAC address is already known.
If the recipient’s MAC address does not appear in the ARP cache, then the device that needs to transmit data to a given recipient sends an ARP request across the local subnet. The ARP request is essentially a request for the recipient to respond with its MAC address.
This, of course, raises a big question. How is the sender able to send an ARP request to the recipient when it does not know the recipient’s MAC address? After all, the whole reason why the sender needs the recipient’s MAC address in the first place is so that the sender can send data to the recipient.
If the recipient’s MAC address is unknown, then the sender cannot transmit data directly to the recipient. That being the case, the sender transmits a broadcast message across the local subnet. Broadcast messages are different from normal IP communications because they are sent to every host on the subnet. Therefore, an ARP request involves broadcasting the recipient’s IP address and asking the hosts on the subnet to check to see if they are using the IP address that is contained within the ARP request. The host whose IP address is referenced within the ARP request replies with an ARP reply, containing its MAC address. Upon receiving this reply, the device that initiated the request updates its ARP cache, and is able to begin communicating with the recipient.
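The request and reply exchange described above, laid out as raw Ethernet/ARP frames with both sides of the conversation. This is an added example, not code from the original article; the MAC and IP values are constructed (documentation range 192.0.2.0/24), the function names are illustrative, and nothing is sent on a network.

```python
import socket
import struct

BROADCAST = bytes.fromhex("ffffffffffff")   # Ethernet broadcast address
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2

def mac(text):
    """'02:00:00:00:00:0a' or '02-00-00-00-00-0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))

def build_frame(dst, src, oper, sha, spa, tha, tpa):
    eth = dst + src + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)

def parse_frame(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP-over-Ethernet frame")
    oper = struct.unpack("!H", frame[20:22])[0]
    return {"dst": frame[0:6], "oper": oper,
            "sha": frame[22:28], "spa": socket.inet_ntoa(frame[28:32]),
            "tha": frame[32:38], "tpa": socket.inet_ntoa(frame[38:42])}

def make_request(my_mac, my_ip, target_ip):
    # Target MAC is unknown: zeros in the ARP body, broadcast at the Ethernet layer.
    return build_frame(BROADCAST, my_mac, OP_REQUEST, my_mac, my_ip, bytes(6), target_ip)

def answer_request(frame, host_mac, host_ip):
    req = parse_frame(frame)
    if req["oper"] != OP_REQUEST or req["tpa"] != host_ip:
        return None   # every host sees the broadcast; only the address owner replies
    return build_frame(req["sha"], host_mac, OP_REPLY, host_mac, host_ip, req["sha"], req["spa"])

def learn_from_reply(cache, frame):
    rep = parse_frame(frame)
    if rep["oper"] == OP_REPLY:
        # Sender fields of the reply become the cache entry: IP -> MAC
        cache[rep["spa"]] = ":".join(f"{b:02x}" for b in rep["sha"])
    return cache

if __name__ == "__main__":
    pc, srv = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:14")
    request = make_request(pc, "192.0.2.10", "192.0.2.20")
    reply = answer_request(request, srv, "192.0.2.20")
    print(learn_from_reply({}, reply))
```

The request is addressed to ff:ff:ff:ff:ff:ff while the reply is unicast back to the requester, which is why only the requesting device's cache gains the new entry.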
On the surface, the workings of the Address Resolution Protocol can seem to be completely theoretical. However, the Windows operating system exposes much of this functionality through a command that is appropriately named ARP. In fact, the ARP command has been a part of the Windows operating system for decades.
The ARP command lets you view and modify a device’s ARP cache. To show you how this works, consider that before I started writing this article, I spent a bit of time communicating with a server on my network with an IP address of 18.104.22.168. Because my PC recently communicated with this server, the server’s information should be in my PC’s ARP cache. Therefore, if I wanted to look up that server’s MAC address, I could do so by entering the following command:
ARP -A 22.214.171.124
You can see the command’s output in the figure below:
In this case, I specified a particular server’s IP address, but it is possible to examine the ARP cache in its entirety. To do so, just enter the ARP -A command without specifying an IP address. Doing so will cause the entire cache to be displayed.
OK, that makes for a nice party trick, but you’re probably wondering if there is any practical, real-world use for this utility. Believe it or not, there is something that the ARP command works really well for.
Let’s suppose for a moment that an IP address conflict occurs on your network, as a result of two hosts being assigned the same IP address. Let’s also pretend that you manage to track down the offending host, and assign it a new IP address, but that a Windows device on your network is having trouble communicating with one of those hosts even though the IP address conflict has been resolved. The problem is most likely related to an invalid entry being written to the ARP cache as a result of the IP address conflict. You could therefore use the ARP command to verify and to correct the problem.
A moment ago, I showed you how to use the ARP command to look at a particular IP address within the ARP cache. The information that was displayed for this address in the previous screen capture was correct, because no IP address conflict has occurred on my network. For the sake of discussion, however, let’s pretend that the information that was returned by the cache lookup was incorrect. In such a situation, I could use the -D switch to remove the entry from the ARP cache. The actual command would be:
ARP -D 126.96.36.199
If I wanted to create a new ARP cache entry with the correct MAC address, I could use the -S switch to create a static entry. Static entries are entries that are manually added to the ARP cache. It is worth noting, however, that static entries are removed when the system is rebooted.
I have to be honest with you in that I have never once had to create a static ARP table entry. Remember, ARP table entries are created automatically as a result of trying to communicate with a host. Therefore, if you remove an offending entry from the ARP cache, a new entry will take its place the next time that you attempt communications with the host. Assuming that the IP address conflict has been resolved, the new ARP cache entry should contain information that is correct.
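To verify the cache after a conflict without reading it by eye, the following added example (not part of the original article) parses `arp -a` output, compares each entry with the MAC the host is supposed to have, and lists the `arp -d` commands that would clear the stale entries. The sample output and the `EXPECTED` inventory are constructed; in practice the text would be captured from `arp -a` on the affected machine.

```python
import re

# Constructed sample of Windows `arp -a` output (documentation addresses only).
SAMPLE_ARP_A = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             02-00-00-aa-bb-01     dynamic
  192.0.2.20            02-00-00-aa-bb-99     dynamic
  192.0.2.30            02-00-00-aa-bb-30     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""

# Hypothetical inventory: the MAC each host should resolve to.
EXPECTED = {
    "192.0.2.20": "02-00-00-aa-bb-20",   # host that was involved in the conflict
    "192.0.2.30": "02-00-00-AA-BB-30",   # case differences must not matter
}

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"          # Internet Address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"        # Physical Address
    r"(dynamic|static)\s*$", re.I)                # Type

def parse_arp_a(text):
    """Return one dict per cache row; interface and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, hw, kind = m.groups()
            entries.append({"ip": ip, "mac": hw.lower(), "type": kind.lower()})
    return entries

def stale_entries(text, expected):
    """(ip, cached_mac, expected_mac) for every entry that disagrees with the inventory."""
    wanted = {ip: hw.lower().replace(":", "-") for ip, hw in expected.items()}
    return [(e["ip"], e["mac"], wanted[e["ip"]])
            for e in parse_arp_a(text)
            if e["ip"] in wanted and e["mac"] != wanted[e["ip"]]]

def cleanup_commands(text, expected):
    # Deleting the entry is enough: the next communication attempt re-resolves it.
    return [f"arp -d {ip}" for ip, _, _ in stale_entries(text, expected)]

if __name__ == "__main__":
    for ip, cached, good in stale_entries(SAMPLE_ARP_A, EXPECTED):
        print(f"{ip}: cache has {cached}, expected {good}")
    print(cleanup_commands(SAMPLE_ARP_A, EXPECTED))
```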
Clean up after conflict
The ARP command probably isn’t one of those things that you will catch yourself using on a daily basis. Even so, this command can provide insight into the way that the address resolution process works. It’s useful for cleaning up after an IP address conflict, but it may perhaps be even more useful as an educational training tool for those who are new to networking.