Computer networks are often based on Ethernet technology and use the TCP/IP protocol. When two devices want to communicate, they need to know the MAC address and IP address. The station obviously knows its own details (they are set). The target station is commonly addressed using a domain name (DN - domain name or FQDN - fully qualified domain name), which can (and must) be translated into an IP address.
The principle of communication between stations in the network is described in the article TCP/IP and Ethernet - network path, active network elements. Here we see that we always need the MAC address of either the target station or the router/gateway on the path (next hop). So we need to find the MAC address of a station whose IP address we know.
The standardized protocol that finds the MAC address for a given IP address is called the Address Resolution Protocol (ARP) and is defined in RFC 826. It is a protocol that runs on the network layer of the TCP/IP model (Layer 2), the same level as the IP protocol.
Note: The ARP protocol is primarily intended for Ethernet but also works in other technologies such as Token Ring, IEEE802.11, FDDI, or ATM.
Principle of ARP Operation
Note: The source station refers to the machine looking for the MAC address based on the IP address. The target station has the sought IP address set.
- The source station constructs an ARP request and sends it as a broadcast
- All stations on the local segment receive the request, and if they do not have this IP, they ignore it
- The target station constructs an ARP response and sends it as a unicast to the source station
Note: The broadcast address used is ff:ff:ff:ff:ff:ff
Structure of the ARP Packet
The format of the request and response is similar. The difference is in the type in the frame; the request has the type set to 0x0806 in the Ethernet header and the response to 0x0835. The filled values also differ; the operation code is 1 for the request and 2 for the response. In the request, the target hardware address is set to zeros, and in the response, it is set to the correct value.
Note: In general, the MAC address is the hardware address, and the IP address is the protocol address. I describe the use for IP and MAC addresses here, but it can be substituted according to the technology.
bits | 0 - 7 | 8 - 15 | 16 - 31 | |
0 | Hardware type (2B) | Protocol type (2B) | ||
32 | Hardware size (1B) | Protocol size (1B) | Operation code (2B) | |
64 | Sender MAC address (6B) | |||
96 | Sender MAC address (cont.) | Sender IP address (4B) | ||
128 | Sender IP address (cont.) | Target MAC address (6B) | ||
160 | Target MAC address (cont.) | |||
192 | Target IP address (4B) |
ARP Announcement
A special type of ARP packet is the ARP announcement, which is not used to find someone's MAC address but to announce my MAC address to other stations on the network. The packet is usually similar to an ARP query, with the sender's IP and MAC address filled in and the target IP address set to its own IP. It is used, for example, when the station's IP address changes, sending the announcement updates the ARP cache of other stations.
ARP Cache
To avoid constantly sending ARP queries during ongoing communication, devices use an ARP cache, where combinations of IP addresses and MAC addresses are stored for a certain period (in minutes).
In the Windows operating system, we do not have a tool to create an ARP query, but we can use a command like ping to the appropriate IP address. ARP is used automatically whenever a frame (data to the network) needs to be sent. To view the ARP cache, we can use the command line command arp -a
.
Inverse ARP
The opposite protocol to ARP is the Inverse Address Resolution Protocol (Inverse ARP or InARP), which looks for the IP address for a given MAC address. InARP was used in Frame Relay and ATM networks, but we probably won't encounter it today.
Reverse ARP
The Reverse ARP (RARP) protocol, similar to InARP, is used to find the IP address for a MAC address. However, RARP looks for the IP address for itself. This method is no longer used today as it was first replaced by BOOTP (Bootstrap protocol) and now by DHCP (Dynamic Host Configuration Protocol). For RARP, the MAC and IP address assignments had to be manually set on the server, and it is not a protocol over IP but a standalone protocol at the same level. It is defined in RFC 903.
Diky za clanok, skoro som uz zabudol na toto arp-ovatko , prave som instaloval nmap ale vdaka clanku som si este spomenul na mladi, dik ;-)
jezis marja,,,ja fekt nejsem odbornik,,,zni to tady zajimave...ale moc mi to nepomohlo,,,me totiz zajima jak prakticky (nejenom teoreticky)jak tu MAC adresu ziskam,,,jedna se totiz o to ze mam routr u nehoz tuto vecicku nemuzu nikde najit ..original stitek je jaksi osoupany a necitelny,,,takze bych potreboval poradit pokud to jde,jakym prikazem (nejspis v dos radku) tuto informaci ziskam,,diky ,,pokud nekdo poradite budu rad,,,,,,,,,
respond to [2]STANDA-CHEB: V článku je popsaná i praktická možnost zjištění MAC adresy pod Windows. Jinak pro ten router je řada možností, ale asi nejjednodušší bude to co je v článku. Je potřeba, aby router běžel a znát jeho IP adresu. Pak ve Windows v příkazové řádce zadáme ping ip-adresa-routeru, následně zadat arp -a. Ve výpisu se najde řádek s danou IP adresou a k ní je vidět MAC adresa.
Díky za skvělé články, vše je přehledné a srozumitelné! ;-)
Parádní články...podané srozumitelnou formou ...jen tak dál ;-)
Děkuji za super IT článek napsaný lidskou s srozumitelnou formou. Moc mi to pomohlo. Přelouskám si i ostatní články.
respond to [3]Samuraj: bohužel pokud to někdy fungovalo, tak už to nefunguje...
respond to [7]Vitas: ale funguje a spolehlive
Super články, všem doporučuji, díky. ;-)
respond to [8]Ondras: Myslím že chtěl říct že nefunguje ten router....