ARP - What is it and how does it work?
Today, it`s time for an another tool from an admin’s pocket. This note is about the program for a suspicion of a connection between second and third OSI layer. It calls ARP. ARP protocol is common and available on every platform, so the tool has the same name. ARP is the abbreviation from Address Resolution Protocol, i.e. in free translation it is a resolve address protocol. It means that set of rules which allow to translate IP address into physical MAC address. If a host want to talk with an another host and it did not do that earlier, then it sends an inquiry: “who has that IP address?” to everyone. It is a broadcast message on second layer, i.e. it is sent to FF:FF:FF:FF:FF:FF address. Generally, the source host gets a feedback from polling device with a physical address of the target host. Both addresses are written to the local memory in ARP table. It is important to decrease this kind of network traffic (normally, hosts have to query for the address every time, again and again). It is possible to opt out of ARP protocol and eliminate broadcast frames, but this would require the creation of ARP tables manually for each host separately. It is not difficult when we work in one network and communicate within it. The situation is more complicated when computers try to talk with others hosts that are outside the network (where there are routers along the way). If host initiates transmission, then it knows that the receiving computer , is not near (at the same broadcast domain). However if this condition is not met then ARP inquiry is sent to “someone” who knows where the target host is. Naturally, it is the default gateway. The gateway can route, so if it does not know where is the searched host, then it knows whom to ask (it is the entire routing).The host which send an ARP inquiry does not add entries to an ARP table. It is done by host, which can communicate via second layer directly. Usually, a network is a life organism and addresses can change often, so ARP rules have to refresh every time when it happens. If ARP table entry is not used for longer time, then it becomes expired and ARP inquire must be sent again during the next attempt to contact.
Can the ARP be useful?
In addition to the key functions, the ARP can be used also otherwise. It can be used for creation (in a non-invasive way) of hosts connected to the network on individual interfaces. ARP can not scan, send pings and “fallow the rabbit” ;) Hosts which are connected to the network broadcasts information about themselves (IP and MAC addresses) during the first communication. Others hosts add their to ARP tables. It can to used if we want to define what routing device is in the network.
Finally, one of tittle-tattles. Because, ARP replies to one problem, who is irritating. Do you know the situation when you ping device on the other network first time and you do not get response for the first ping? It is simple! One of the routers do not have the ARP entry for the target host. It is not important that the time of delivery the package is longer. The ping request is denied! Some implementations of ping treat the first packets like warm-up and do not take them into account for statistic.