Address Resolution Protocol
Address Resolution Protocol (ARP) performs IP address-to-media access control address resolution for outgoing packets. As each outgoing addressed IP datagram is encapsulated in a frame, source and destination MAC addresses must be added. Determining the destination MAC address for each frame is the responsibility of ARP.
As discussed in "Introduction to TCP/IP" in this book, the IP routing process for an outbound IP datagram results in the choice of an interface (a network adapter) and a forwarding IP address. ARP compares the forwarding IP address for every outbound IP datagram to the ARP cache for the network adapter over which the packet is sent. If there is a matching entry, then the MAC address retrieved from the cache is used. If not, ARP broadcasts an ARP Request frame on the local subnet, requesting that the owner of the IP address in question reply with its MAC address. When an ARP Reply is received, the ARP cache is updated with the new information, and it is used to address the packet at the data-link layer.
.gif "note-icon")
Note
The ARP process and functionality described here only applies to unicast IP traffic. Multicast IP traffic is sent to a specific multicast MAC address that depends on the multicast IP address. For more details, see "Internet Group Management Protocol" later in this chapter.
Using the ARP Tool
You can use the ARP tool to view, add, or delete entries in the ARP cache. Examples follow. Note that entries added manually are static, and are not automatically removed through ARP cache entry aging.
The arp -a command can be used to view the ARP cache, as shown here:
C:\>arp –a
Interface: 192.168.40.123
Internet Address Physical Address Type
192.168.40.1 00-00-0c-1a-eb-c5 dynamic
192.168.40.124 00-dd-01-07-57-15 dynamic
Interface: 10.57.8.190
Internet Address Physical Address Type
10.57.9.138 00-20-af-1d-2b-91 dynamic
The computer in this example is multihomed (has more than one network adapter), so there is a separate ARP cache for each interface.
In the following example, the arp -s command is used to add a static entry for the host whose IP address is 10.57.10.32 and whose MAC address is 00-60-8C-0E-6C-6A to the ARP cache for the second interface:
C:\>arp -s 10.57.10.32 00-60-8c-0e-6c-6a 10.57.8.190
C:\>arp -a
Interface: 192.168.40.123
Internet Address Physical Address Type
192.168.40.1 00-00-0c-1a-eb-c5 dynamic
192.168.40.124 00-dd-01-07-57-15 dynamic
Interface: 10.57.8.190
Internet Address Physical Address Type
10.57.9.138 00-20-af-1d-2b-91 dynamic
10.57.10.32 00-60-8c-0e-6c-6a static
Use the command arp -d to delete entries from the cache. For example, to remove the ARP cache entry for 10.57.10.32 in the example:
C:\>arp -d 10.57.10.32
C:\>arp -a
Interface: 192.168.40.123
Internet Address Physical Address Type
192.168.40.1 00-00-0c-1a-eb-c5 dynamic
192.168.40.124 00-dd-01-07-57-15 dynamic
Interface: 10.57.8.190
Internet Address Physical Address Type
10.57.9.138 00-20-af-1d-2b-91 dynamic
ARP Cache Aging
Windows 2000 adjusts the size of the ARP cache automatically to meet the needs of the system. If an entry is not used by any outgoing datagram for two minutes, the entry is removed from the ARP cache. Entries that are being referenced are given additional time, in two minute increments, up to a maximum lifetime of 10 minutes. After 10 minutes, the ARP cache entry is removed and must be rediscovered using an ARP Request frame. To adjust the time an unreferenced entry can remain in the ARP cache, change the value of the ArpCacheLife and ArpCacheMinReferencedLife registry entries (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters).
Static entries added with the arp -s command are not expired from the cache. The ARP cache is erased upon initialization of the TCP/IP protocol. To make static ARP cache entries persistent each time the computer is started, create a command file with the ARP commands and place a shortcut to the command file in the Startup folder.
Updating Entries in the ARP Cache
In addition to creating an ARP cache entry through the receipt of an ARP Reply, ARP cache entries are updated if the mapping is received through an ARP Request. In other words, if the IP address of the sender of an ARP Request is in the cache, update the entry with the sender's MAC address. This way, nodes that have static or dynamic ARP cache entries for the sender are updated with the ARP Request sender's current MAC address. A node whose interface and MAC address changes updates the ARP caches containing an entry for the node the next time the node sends an ARP Request.
ARP and UDP Messages
ARP queues only one outbound IP datagram for a given destination address while that IP address is being resolved to a MAC address. If a UDP-based application sends multiple IP datagrams to a single destination address without any pauses between them, some of the datagrams might be dropped if there is no ARP cache entry present. An application can compensate for this by calling the Iphlpapi.dll routine SendArp() to establish an arp cache entry, before sending the stream of packets. See the platform Software Development Kit (SDK) for additional information.