ARP stands for Address Resolution Protocol. It is the protocol used to find the layer 2 address (link layer address or MAC address) associated with an IP address. Before we talk more about ARP, let us take a quick look at the MAC address and layer 2.

Layer 2 is also known as the data link layer. It is the layer at which devices such as hubs and switches operate. The address used at this layer is called the MAC address. The MAC address is an ID, typically assigned by the manufacturer to a piece of hardware. It is a string of 6 pairs of hex digits separated by colons, for example “3c:97:0e:47:bf:2f”.

If you are familiar with the OSI model, you will know that the MAC address is what is ultimately responsible for the final delivery of a packet that comes down from the network layer.


Let’s say I have two packets to send to two different computers. Call them computer A and computer B. Computer A is part of my subnet or Local Area Network (LAN), but computer B is in another location 500 miles away from me. When delivering packets to these two computers, ARP would work something like this:

In this case, the packet has to be transferred over the subnet. In a subnet, a computer sends a packet to another computer using the MAC address. But still, let us not forget that even computers on the local area network would have an IP address associated with them.

So, in this case, my computer will determine the IP address of the destination computer through DNS. But the IP address alone is not sufficient to send the packet. As mentioned before, my computer also needs the MAC address of the destination computer.

To get the MAC address of the destination computer, my computer will use the cached ARP table which is stored at the switch. If it is not able to find the MAC address there, it will broadcast a request to the ff-ff-ff-ff-ff-ff address. The broadcast will contain an IP address; in return, the computer or machine having that particular IP address has to reply.

So, in this case, the destination computer with that particular IP address replies with its MAC address when it sees the IP address. Now my computer has the MAC address of the machine to which it wanted to send the packet. In the case of ARP on a public network, the default gateway is contacted.


ARP basics (Windows):

If you want to have a look at the ARP table, open the command prompt on Windows and type “arp -a”. This command lists all the current entries along with their internet address, physical address, and type.

You’ll notice that there are two kinds of ARP “type” here: static and dynamic. A static entry is one that is manually entered into the system. A dynamic entry is one that can change over time. For a large organization, we usually prefer dynamic ARP entries.

If you are still wondering how dynamic ARP entries are created, please refer to the “How ARP works” section above.

Another interesting thing to note here is that the physical address ff-ff-ff-ff-ff-ff is mentioned twice in front of two IP addresses. One is and another one is

Can you guess and tell in the comments below why there are two physical addresses mentioned here?

If you want to dig deeper and observe how it all happens from scratch, you can first delete an ARP entry from the table and then watch the negotiation that takes place on your system.

To do this, first delete a particular ARP entry from the ARP table, but remember its IP address. You can delete it using the “arp -d” command. Now ping the same IP address while capturing the packets in the background using a network monitoring and listening tool such as Wireshark. You should see some ARP packets go by after the ping starts.

Gratuitous ARP:

Like other protocols, ARP has also seen some advancements in how it works. Everything we have seen so far happens on-demand or on-request. However, sometimes, an update can also be user-initiated.

Gratuitous ARP is one such ARP notification advancement. It is a sort of “advance notification” which asks the other systems to update their ARP cache even before it is asked from them.

How does Gratuitous ARP work?

  • When a system goes for this sort of ARP, the destination MAC address is the broadcast MAC address (ff:ff:ff:ff:ff:ff).
  • However, both source and destination IP address in the packet are the IP address of the host issuing the Gratuitous ARP.
  • Keeping the same IP address in source and destination is deliberate: this broadcast or flooding needs no reply, but it is still sent to all ports on a switch.
  • This broadcast forces all the systems to update their ARP cache.

Reasons: Why is Gratuitous ARP used?

  • The first one you might have already guessed. It is to update ARP tables after the MAC address for an IP changes. This could be because of a new NIC, a failover, etc.
  • To update MAC address tables on L2 devices (switches).
  • When there is an IP address conflict in the network.
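
The gratuitous ARP properties listed above (broadcast destination MAC, same source and destination IP) are enough to pick these frames out of a capture and track what they announce. The following Python sketch is an added example, not part of the original article: it parses raw Ethernet/ARP frames, flags the gratuitous ones, and reports when an IP address is announced with a different MAC than before, which is what a NIC change, a failover, or an IP conflict looks like on the wire. The `192.0.2.x` addresses, the `02:00:00:00:00:99` MAC and all function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4 ARP; return None for anything else."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or fields[:4] != (1, 0x0800, 6, 4):
        return None
    oper, sha, spa, _tha, tpa = fields[4:]
    return {"eth_dst": mac(dst), "oper": oper, "sender_mac": mac(sha),
            "sender_ip": str(IPv4Address(spa)), "target_ip": str(IPv4Address(tpa))}

def is_gratuitous(arp):
    # Broadcast destination MAC, and source IP == destination IP, as described above.
    return arp["eth_dst"] == BROADCAST and arp["sender_ip"] == arp["target_ip"]

def watch(frames):
    """Report each gratuitous ARP as a 'new', 'same' or 'changed' IP-to-MAC binding."""
    seen, events = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            continue
        ip, new_mac = arp["sender_ip"], arp["sender_mac"]
        old_mac = seen.get(ip)
        kind = "new" if old_mac is None else "same" if old_mac == new_mac else "changed"
        events.append((kind, ip, old_mac, new_mac))
        seen[ip] = new_mac
    return events

def build(src_mac, oper, sender_ip, target_ip):
    """Constructed sample frame (bytes only, never sent): broadcast ARP from src_mac."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    return (b"\xff" * 6 + src + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + src + IPv4Address(sender_ip).packed + bytes(6) + IPv4Address(target_ip).packed)

SAMPLE = [  # constructed: one ordinary request, then two gratuitous ARPs for one IP
    build("3c:97:0e:47:bf:2f", 1, "192.0.2.10", "192.0.2.20"),
    build("3c:97:0e:47:bf:2f", 1, "192.0.2.10", "192.0.2.10"),
    build("02:00:00:00:00:99", 1, "192.0.2.10", "192.0.2.10"),
]
EVENTS = watch(SAMPLE)
```

A "changed" event on its own does not say which of the reasons above applies; it tells you which IP and which two MAC addresses to look at.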