Protocol Deep Dive: ARP


The Address Resolution Protocol (ARP) allows for conversion from a network layer address to a hardware layer address (e.g. from the IP address to the MAC address).  It is defined by RFC 826, and is a layer 2 protocol in the OSI model.  For simplicity, this article will refer to IP address resolutions in examples.


    • Two systems that each know their own IP address and MAC address
    • A usable network layer path between the two systems
    • The sending system must know the IP address of the destination system

The sending system wants to communicate with the destination system, but only knows the IP address of the target. Communications at the hardware layer require a MAC address (or similar). To find the hardware layer address the sending system uses ARP.

The sending system transmits an ARP request that basically says “I’m MY.NET.ADD.RSS and I’m looking for the hardware address of SOM.NET.ADD.RSS. What is your hardware address?” Each system that receives the ARP packet checks whether it holds the requested address. If it does, it responds with its hardware address.

Note: The examples above show ARP being used to resolve IPv4 addresses, but technically it can support other protocols.  For this reason, ARP requires defining the characteristics of the protocol being queried.  We’ll see that a bit further down when we have “Protocol Size” and “Protocol Address” entries.

Bit Breakout

Note that the breakout below only covers the ARP portion of a packet itself.  In an actual ARP packet there would also be an Ethernet wrapper around it.  Also note that the example below shows an IPv4 capture for simplicity, but if another protocol was being resolved the Sender Protocol Address and Target Protocol Address could vary in length (as defined by the Protocol Size value).  The same goes for the Sender Hardware Address and Target Hardware Address (although they are defined by the Hardware Size value).

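+---------------+---------------+---------------+---------------+
|   Bits 0-7    |   Bits 8-15   |  Bits 16-23   |  Bits 24-31   |
+---------------+---------------+---------------+---------------+
|         Hardware Type         |         Protocol Type         |
+---------------+---------------+-------------------------------+
| Hardware Size | Protocol Size |           Operation           |
+---------------+---------------+-------------------------------+
|                    Sender Hardware Address                    |
+-------------------------------+-------------------------------+
|    Sender Hardware Address    |    Sender Protocol Address    |
+-------------------------------+-------------------------------+
|    Sender Protocol Address    |    Target Hardware Address    |
+-------------------------------+-------------------------------+
|                    Target Hardware Address                    |
+---------------------------------------------------------------+
|                    Target Protocol Address                    |
+---------------------------------------------------------------+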


Notes On Fields

  • Hardware Type is most commonly “00 01” (or “1”), which specifies Ethernet, but some less common but still seen options are “00 0F” (or “15”) for frame relay or “00 1F” (or “31”) for an IPSec Tunnel.
  • Protocol Type is most commonly “08 00” (or “8”), which specifies IPv4.
  • Hardware size is the total size of the hardware address in octets.  For Ethernet this is “06” (6 octets, or 48 bits).
  • Protocol size is the total size of the protocol address in octets.  For IPv4 this is “04” (4 octets, or 32 bits).
  • Operation is what type of activity is being requested.  The most common are “00 01” (or “1”), which specifies a REQUEST operation, and “00 02” (or “2”), which specifies a REPLY operation.
  • Sender Hardware Address is the hardware address of the system from which the packet originates.  For Ethernet this is the MAC address.
  • Sender Protocol Address is the protocol address (IP based on the example shown here).
  • Target Hardware Address is the hardware address of the system being queried (if known).  If not known, this is set to all zeroes.  Most REQUEST operations use all zeroes for the request.
  • Target Protocol Address is the protocol address (again, IP being shown here).
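
To make the layout concrete, the following is an added example (not part of the original article) that parses the ARP portion of a packet and sizes the four address fields from the Hardware Size and Protocol Size values instead of assuming Ethernet and IPv4. The function names and the sample bytes are constructed for illustration; the sample uses documentation addresses (192.0.2.0/24) and a locally administered MAC.

```python
import struct

# Operation codes named in the field notes above
OPERATIONS = {1: "REQUEST", 2: "REPLY"}


def parse_arp(payload: bytes) -> dict:
    """Parse the ARP portion of a packet (Ethernet wrapper already removed)."""
    if len(payload) < 8:
        raise ValueError("truncated ARP header")
    # Fixed part: Hardware Type, Protocol Type, Hardware Size, Protocol Size, Operation
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    # The address fields are sized by Hardware Size and Protocol Size,
    # so a short payload must be rejected before slicing.
    need = 8 + 2 * (hlen + plen)
    if len(payload) < need:
        raise ValueError(f"need {need} octets for this header, got {len(payload)}")
    fields, offset = [], 8
    for size in (hlen, plen, hlen, plen):
        fields.append(payload[offset:offset + size])
        offset += size
    sender_hw, sender_proto, target_hw, target_proto = fields
    return {
        "hardware_type": htype, "protocol_type": ptype,
        "hardware_size": hlen, "protocol_size": plen,
        "operation": OPERATIONS.get(oper, f"unknown ({oper})"),
        "sender_hw": sender_hw, "sender_proto": sender_proto,
        "target_hw": target_hw, "target_proto": target_proto,
    }


def fmt_mac(addr: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in addr)


def fmt_ipv4(addr: bytes) -> str:
    return ".".join(str(octet) for octet in addr)


# Constructed sample: Ethernet/IPv4 REQUEST with the target hardware address zeroed
SAMPLE_REQUEST = bytes.fromhex(
    "0001" "0800" "06" "04" "0001"   # hw type, proto type, sizes, operation
    "020000000001" "c0000201"        # sender hardware / protocol address
    "000000000000" "c0000202"        # target hardware (unknown) / protocol address
)

if __name__ == "__main__":
    arp = parse_arp(SAMPLE_REQUEST)
    print(arp["operation"], fmt_mac(arp["sender_hw"]), fmt_ipv4(arp["sender_proto"]),
          "->", fmt_ipv4(arp["target_proto"]))
```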