I would like to ask, with ARP request I got to believe that the destination MAC address was in all situations a broadcast address. Yet I got across a wireshark capture:
I just cannot understand the 3rd request from my router. Why is the destination MAC address of the request set to my NIC and not as broadcast? The last ARP request from the router is exactly how I would assume it to be (i.e. MAC is a broadcast).
( .1 is a router, .100 my PC, .103 second PC )
Best Answer
In an attempt to refresh an expired, or expiring, ARP entry, many Client OS's will issue a "targeted" ARP query to the MAC address they already expect. Most of the time, this prompts a response from the intended target and allows the entry to be refreshed without sending a broadcast to the entire network.
This will be the first time I've seen it with a Router, but it isn't too big of a stretch to think a Router vendor somewhere will have implemented ARP in the same way.
Nearly a Year Later Edit: I found a quote in RFC 1122 that describes this behavior: