Part 15 – What ARP Does

What ARP Does

Table Of Contents
  1. What ARP Does
  2. Resources

Introduction

Welcome to Part 15 of the Network Fundamentals study notes! If you haven’t already, we recommend watching the video first.

We know that devices use IP addresses at layer 3 to identify destinations, and MAC addresses at layer 2 to deliver frames on the local network. But here’s the problem: how does a device know which MAC address belongs to a particular IP address? That’s what ARP — Address Resolution Protocol — is for.

The Problem ARP Solves

Imagine a client that wants to start an HTTP session with a web server on the same subnet. The client knows the server’s IP address. It builds a TCP segment, adds an IP header — but then it needs to add a layer 2 Ethernet header. What MAC address should it put in the destination field? It simply doesn’t know.

ARP’s entire purpose is to find the MAC address that belongs to a known IP address.

How ARP Works

ARP Request

When a device needs a MAC address, it sends an ARP request as a layer 2 broadcast to the entire LAN. The message essentially says:

“Who has IP address 10.10.10.21? Tell 10.10.10.44.”

Every device on the LAN receives this broadcast. Each one checks whether the IP in the request matches its own. For most devices, it won’t — so they discard the message.

ARP Reply

If the device being looked for receives the request, it responds with an ARP reply. Unlike the request, the reply is sent as a unicast — directly to the host that sent the request, not broadcast to everyone. The reply contains the device’s IP address and its MAC address.

The ARP Cache

Once a device receives an ARP reply, it stores the IP-to-MAC mapping in its ARP cache — a small local table. The next time it needs to reach the same IP, it checks the cache first. If the entry is there, no ARP request is needed. This avoids flooding the network with broadcasts for every single packet.

ARP cache entries aren’t permanent. They age out over time — a modern Windows device typically keeps an entry for between 15 and 45 seconds. There are two reasons for this:

  • The ARP table has limited space. Removing stale entries keeps it small and accurate.
  • Devices can change their IP addresses. If entries lasted forever, a device might send traffic to the wrong MAC after an IP change.

You can view the ARP cache from the Windows command line with arp -a. If you ping a new address, you’ll see a fresh entry appear in the cache shortly after.

RARP and Gratuitous ARP

RARP – Reverse ARP

RARP does exactly what the name suggests — the reverse of ARP. If a device knows a MAC address but needs to find the associated IP address, it sends a RARP request. The owner of that MAC replies with a RARP response containing the IP. RARP is rarely seen in modern networks but worth knowing about.

Gratuitous ARP (GARP)

Gratuitous ARP is a proactive announcement rather than a request for information. A device sends a GARP message to let everyone on the local network know its current IP-to-MAC mapping — without waiting to be asked.

GARP is sent in two situations:

  • When a device changes its IP address — rather than waiting for other devices’ ARP cache entries to expire, a well-behaved device announces its new mapping immediately.
  • When a device first boots up — this has two benefits. Other devices can learn the new device’s MAC without needing to ARP for it first. It also serves as a conflict check: if the IP is already in use, the existing owner will send a GARP reply, alerting the new device to the conflict.

Resources

Test your knowledge with the Introduction to Networking quizzes.