ARP Request with Unicast MAC – Network Behavior Explained

arpwireshark

I would like to ask, with ARP request I got to believe that the destination MAC address was in all situations a broadcast address. Yet I got across a wireshark capture:

I just cannot understand the 3rd request from my router. Why is the destination MAC address of the request set to my NIC and not as broadcast? The last ARP request from the router is exactly how I would assume it to be (i.e. MAC is a broadcast).

( .1 is a router, .100 my PC, .103 second PC )

Best Answer

In an attempt to refresh an expired, or expiring, ARP entry, many Client OS's will issue a "targeted" ARP query to the MAC address they already expect. Most of the time, this prompts a response from the intended target and allows the entry to be refreshed without sending a broadcast to the entire network.

This will be the first time I've seen it with a Router, but it isn't too big of a stretch to think a Router vendor somewhere will have implemented ARP in the same way.

Nearly a Year Later Edit: I found a quote in RFC 1122 that describes this behavior:

2.3.2  Address Resolution Protocol -- ARP
   2.3.2.1  ARP Cache Validation
      An implementation of the Address Resolution Protocol (ARP)
      MUST provide a mechanism to flush out-of-date cache
      entries.  If this mechanism involves a timeout, it SHOULD be

      ...

      IMPLEMENTATION:
           Four mechanisms have been used, sometimes in
           combination, to flush out-of-date cache entries.

           ...

           (2)  Unicast Poll -- Actively poll the remote host by
                periodically sending a point-to-point ARP Request
                to it, and delete the entry if no ARP Reply is
                received from N successive polls.  Again, the
                timeout should be on the order of a minute, and
                typically N is 2.

Related Solutions

ARP Destination Address in Internetworking

You're almost 100% correct. Slight corrections bolded below:

HostE will send an ARP Request with a target address of Router2's IP address. The destination MAC address of the ARP packet will be ffff.ffff.ffff, which would indeed make it a broadcast. Router2 responds unicst with its MAC address, and HostE generates the packet with a Source and Destination IP of 192.168.3.1 and 192.168.1.1, and a Source and Destination MAC of 7777.7777.7777 and 8888.8888.8888 (respectively).
Router 2 will receive the packet, and consult its Route Table to determine the Next Hop for the 192.168.1.0/24. If Router2 doesn't already know Router1's MAC address, it will issue a broadcast ARP Request for it. Once it learns it, it will then forward the packet leaving the Source/Destination IP unchanged, and encapsulating the IP packet with a Layer 2 header with a Source and Destination MAC of 5555.5555.5555 and 3333.3333.3333.
Router1 receives the packet and consults its Route Table to determine the destination Network is directly connected. Router1 sends a Broadcast ARP Request for the IP 192.168.1.1 to learn HostA's MAC address, and then finally forward the packet to the final destination.

And to answer your last question. Whether HostE gets its address from DHCP or not, the process flow would appear as above if HostE did not have an entry in its ARP Cache for Router2's MAC address.

IF, Router2 was the DHCP Server (which it doesn't have to be). And Router2 just assigned HostE its address. Then theoretically, HostE would know Router2's MAC address. But ARP entries don't last forward, particularly on clients. For example, my Windows 7 laptop keeps ARP entries for only 34.5 seconds (see below).

So even if Router2 was the DHCP server, and gave HostE its IP address, sooner or later HostE's ARP cache would time out, and it would have to run the broadcast ARP request all over again, just like if HostE had always only had a static IP assigned.

C:\Users\eddie>netsh interface ipv4 show interfaces 20

Interface Local Area Connection Parameters
----------------------------------------------
IfLuid                             : ethernet_11
IfIndex                            : 20
State                              : connected
Metric                             : 20
Link MTU                           : 1500 bytes
Reachable Time                     : 34500 ms     <-----
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 3
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : dhcp
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

ARP Broadcast vs Default Route – Understanding the Difference

Every time a hosts needs to send a layer-3 packet on a layer-2 LAN, it must resolve the layer-3 address to a layer-2 address in order to be able to build the layer-2 frame to encapsulate the layer-3 packet. That is what ARP (Address Resolution Protocol) does.

A host will first determine if the destination address is in the same network as the host itself. If it is, then it will look in its ARP table to see if it already has the resolution. ARP tables begin empty, and ARP table entries time out, except for statically defined resolutions. If it finds the entry in its ARP table, then it has the layer-2 address to use to build a frame.

If the layer-3 address is not in the ARP table, the host will send an ARP request to find the layer-2 address. If the target does not respond in a certain time period, the layer-3 packet will be dropped, and an ICMP message saying the host could not be found will be sent to the application.

If the destination layer-3 address is on a different network, the host will use the above procedure to get the layer-2 address of its configured gateway. Most likely, the host already has the layer-3 address and layer-2 resolution in its ARP table, so it doesn't need to send an ARP request, but it will if the entry has timed out.

Best Answer

Related Solutions

ARP Destination Address in Internetworking

ARP Broadcast vs Default Route – Understanding the Difference

Related Topic