Thursday, February 13, 2014

ARP : Address resolution protocol

The Address Resolution Protocol (ARP) maps an IP network address to a hardware address. The term address resolution refers to the process of finding the address of a computer in a network. When we run a ping command against a remote machine, an ARP request message like “who is X.X.X.X tell Y.Y.Y.Y” is sent to the Ethernet broadcast address. The remote machine with that IP address responds by sending an ARP response like “X.X.X.X is hh:hh:hh:hh:hh:hh” back to the requesting machine.

The response is stored in the file /proc/net/arp for a short period, which avoids the need to continuously re-establish the mapping between the hardware Ethernet address and the actual IP address.

A broadcast address is an IP address that targets all systems on a specific subnet instead of a single host. It can be calculated: if the IP address is 192.168.12.220 and the subnet mask is 255.255.255.128, the broadcast address can be deduced in the following manner.

IP Address:         11000000.10101000.00001100.11011100
Reverse Mask:       00000000.00000000.00000000.01111111
Bitwise OR          -----------------------------------
Broadcast Address:  11000000.10101000.00001100.11111111

An Ethernet address, also called a MAC (Media Access Control) address, is used on networks such as 802.11a/b/g wireless or the more traditional CAT5/CAT6 wired networks. Every Ethernet device has a unique six-byte ID in it.

  • An Ethernet address, also called a MAC address, is a 48-bit number used to uniquely identify each computer in a network. The address is usually written in hexadecimal form. An IP address is the identifier for a computer or device on a TCP/IP network. In computer networking, a Media Access Control address (MAC address) serves as an identifier for a particular network adapter. Thus network cards in two different computers will have different MAC
  • MAC addresses are not the same. A MAC (Media Access Control) address is a unique ID of a network interface. The most commonly used network interface is Ethernet, hence the name Ethernet address.

Find your system's MAC address

[root@vx111a ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 78:AC:C0:B1:7B:BD
          inet addr:172.16.101.68  Bcast:172.16.255.255  Mask:255.255.254.0
          inet6 addr: fe80::7aac:c0ff:feb1:7bbd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3090 errors:0 dropped:0 overruns:0 frame:0
          TX packets:165 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:339816 (331.8 KiB)  TX bytes:16361 (15.9 KiB)
          Interrupt:20 Memory:fe500000-fe520000 

The arp command in Linux lets us examine the mapping. When we execute the arp command, we see

[root@vx111a ~]# arp -n
Address                  HWtype   HWaddress           Flags Mask            Iface
172.16.100.254           ether   02:17:c5:98:7c:f0   C                       eth0

This tells us that the hardware address mapped to the IP address 172.16.100.254 is 02:17:c5:98:7c:f0. As we said earlier, ARP mappings are saved for a short period, and hence we see only 1 mapping here. Now consider pinging an IP address like this:
 
[root@vx111a ~]# ping -c 1 172.16.100.212
PING 172.16.100.212 (172.16.100.212) 56(84) bytes of data.
64 bytes from 172.16.100.212: icmp_seq=1 ttl=128 time=1.91 ms

--- 172.16.100.212 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 1.919/1.919/1.919/0.000 ms

And now when we run the arp command again, we see

[root@vx111a ~]# arp -n
Address                  HWtype    HWaddress           Flags Mask            Iface
172.16.100.212           ether   40:61:86:f0:b1:9f   C                        eth0
172.16.100.254           ether   02:17:c5:98:7c:f0   C                        eth0

The ARP lookups are saved for a short period. By caching an ARP record for a short time, a new request should not be necessary during most client/server application sessions. Now consider a ping to google.com:

[root@vx111a ~]# ping -c 1 google.com
PING google.com (74.125.236.161) 56(84) bytes of data.
64 bytes from maa03s16-in-f1.1e100.net (74.125.236.161): icmp_seq=1 ttl=57 time=24.9 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 94ms
rtt min/avg/max/mdev = 24.975/24.975/24.975/0.000 ms

When we check the arp command again, we don’t see any listing for google.com

[root@vx111a ~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
172.16.100.212           ether   40:61:86:f0:b1:9f   C                       eth0
172.16.100.254           ether   02:17:c5:98:7c:f0   C                      eth0

This is because, even though google.com is reachable, it is configured on a different network, and hence its mapping is not added to the ARP table on the local network.
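The broadcast calculation and the on-link/off-link behaviour described above can be checked together; this is an added example, not part of the original post. The function names are hypothetical, the table text is a constructed sample in /proc/net/arp format built from the addresses in the arp -n output above, and treating 172.16.100.254 as the default gateway is an assumption.

```python
import ipaddress

# Constructed sample in /proc/net/arp format (addresses taken from the arp -n output above).
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
172.16.100.212   0x1         0x2         40:61:86:f0:b1:9f     *        eth0
172.16.100.254   0x1         0x2         02:17:c5:98:7c:f0     *        eth0
"""

def broadcast_address(ip, mask):
    """Broadcast = IP OR reverse mask (bitwise complement of the subnet mask)."""
    ip_int = int(ipaddress.IPv4Address(ip))
    reverse = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(ip_int | reverse))

def parse_arp_table(text):
    """Return {ip: mac} for completed entries (flag bit 0x2 is ATF_COM)."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac = fields[:4]
        if int(flags, 16) & 0x2:
            table[ip] = mac
    return table

def arp_target(dest, local_ip, mask, gateway):
    """IP that is ARP-resolved when sending to dest: dest if on-link, else the gateway."""
    net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
    return dest if ipaddress.IPv4Address(dest) in net else gateway

if __name__ == "__main__":
    print(broadcast_address("192.168.12.220", "255.255.255.128"))
    table = parse_arp_table(SAMPLE_PROC_NET_ARP)
    # Assumption: 172.16.100.254 is the default gateway of the host shown above.
    for dest in ("172.16.100.212", "74.125.236.161"):
        hop = arp_target(dest, "172.16.101.68", "255.255.254.0", "172.16.100.254")
        print(f"{dest}: ARP resolves {hop} -> {table.get(hop)}")
```

The off-link destination never gets its own ARP entry; the frame carrying the packet is addressed to the hardware address of the next hop instead.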

More to come. Happy learning!