REGISTER | Lost password ?


file and links archive

free classifieds


logged users ::
active for last 5 minutes

Standard users

registered users:96685

select a language

quotable quotes

New Order FAQ

linking & backends
Information about how to link to NewOrder.

New Order news backend or more advanced version.

MAC Addressing and ARP Functionality
@ Articles -> Networking     Aug 14 2002 - 16:47 EST

Resolution writes:
The following paper will be on learning the usefulness of the MAC address and the inner workings of the Address Resolution Protocol on an Ethernet network. Points on how to read a numerical MAC address, how ARP caches are used, and a description of the Reverse Address Resolution Protocol will also be discussed. In addition, the paperís degree of technicality will require the reader to have a basic working knowledge of the TCP/IP protocol.

MAC Addressing and ARP Functionality / by Resolution / August 13, 2002

The Media Access Control (MAC) address, also known as an Ethernet address, is the physical/hardware address for devices that are connected to a network, usually a LAN. Each node connected to the network has itís own unique MAC address hard coded (burned) into its Network Interface Card (NIC) by the manufacturer and uses this address to find and communicate with other devices on the same network domain or wire.

The MAC address is stored in the Serial EEPROM of the Ethernet card. In addition to holding the MAC address, the EEPROM stores a backup copy of the MAC address and ID information, user configurable parameters, serial numbers for devices, checksums, type of interphase, and other bits of backed up information.

The MAC address is part of the Data-Link layer of the Open Systems Interconnection (OSI) model, which is a telecommunications standard issued by the Institute of Electrical and Electronics Engineers (IEEE). The Data-Link layer is part of layer 2 of the OSI model and serves the purpose of error detection and notification, dividing data into frames, adding headers to the frames, and ensuring that incoming data has been received successfully.

The format for a MAC address is a 6-byte (octet) hardware address consisting of 12 hexadecimal numbers, which also consist of units of 4 bits separated by a semicolon, period, or hyphen (on some occasions none). An example would be 00:04:9B:E9:C4:A8 or 00.04.9B.E9.C4.A8, or 00-04-9B-E9-C4-A8. The numbers may range from 0-9 and the letters may range from A-F (letter casing does not matter). The first 3 bytes (00:04:9B) of the MAC address are called the (OUI) or Organizationally Unique Identifier. The OUI identifies the name of the manufacturer and the last 3 bytes (E9:C4:A8) is a unique ID serial number provided by the manufacturer, which are assigned and administered by the IEEE. For this example MAC address, the vendor is Cisco Systems, Inc. You can find out the vendor for any MAC address by visiting Here you will find that the IEEE has set up a publicly accessible vendor search form for MAC OUIs. If you add the OUI of the example MAC address (00049B without the semicolons) in the search field on that link, the output should beÖ

00-04-9B (hex)              Cisco Systems, Inc.
00049B    (base 16)            Cisco Systems,Inc.                                                                          170 West Tasman Dr.
                              San Jose CA 95134
                             UNITED STATES

There are many ways to find out the MAC address of your system if you are connected to an Ethernet card. The address is normally printed on the card itself somewhere but an easier way to find out is right from your computerís GUI or shell prompt. On some systems there is more than one command to do this. Commands to look up your MAC address, however, vary from system to system so a number of different operating systems and their commands will be provided.

Operating System        Commands To Enter At The Command/Shell Prompt

1. Windows 95             Start, Run, then type WINIPCFG. In the pull-down
                            box do not choose PPP Adapter. Choose your Ethernet
                            adapter and your MAC address will be your Adapter Address.                                        
2. Windows (all)        ipconfig /all (located next to Physical Address)

3. Linux                ifconfig Ėa (located next to Hwaddr)

4. SunOS/Solaris        ifconfig Ėa (leading zeros on MAC are not printed)

5. HP-UX                lanscan (located under Address without semicolons)

6. Free/Open/NetBSD     netstat Ėi (located under Address)

Remember, if these commands do not work for your system for whatever reason, you can always look on the Ethernet card itself for the MAC address.

As stated earlier, one of the main uses for the MAC address is to uniquely identify a device that is connected to a local area network. When one computer wishes to connect to another computer on the same network, a protocol called the Address Resolution Protocol (ARP) is used to map network IP addresses to MAC addresses.

If a source computer wishes to send an IP packet to another computer on the same LAN, already knowing the destination computerís IP address, it must first find out the destination computerís MAC address. To do this, the source computer will check and see if it already has a mapping of the destination computerís MAC address already located within its ARP cache. The ARP cache holds mappings of IP addresses and MAC addresses of computers on the source computerís subnet. The command to find the subnet on Windows and *nix computers is ďarp ĖaĒ. Here is an example of an arp cache when viewed from a DOS PromptÖ

C:\WINDOWS>arp -a

Interface: on Interface 0x2000003
Internet Address     Physical Address     Type         00-04-9b-e9-c4-a8     dynamic

To add to this cache we would have to attempt to send a packet to a computer on the same subnet as the source computer. The subnet for this computer would be So any computer with the last octets being 1-254 on the subnet 68.11.226 would be temporarily added to the source computerís ARP cache. To test this we can ping a computer on the subnet to see if its IP and MAC address get added to the ARP cache. So if we ping, for instance,, it will add a mapping of that computerís IP and MAC address to the ARP cache. Now that we have pinged the address we can now check the ARP cache again.

C:\WINDOWS>arp -a

Interface: on Interface 0x2000003
Internet Address     Physical Address     Type         00-04-9b-e9-c4-a8     dynamic         00-04-5a-f5-d3-f7     dynamic

As you can see, since both computers are on the same subnet, the source computer added the destination computerís IP and MAC address to its ARP cache. Pinging then pinging will add their entries to the ARP cache as well. To check and see issue the arp Ėa command againÖ

C:\WINDOWS>arp -a

Interface: on Interface 0x2000003
Internet Address     Physical Address     Type         00-04-9b-e9-c4-a8     dynamic         00-04-5a-f5-d3-f7     dynamic         00-10-60-c1-4a-ff     dynamic         00-e0-29-9f-37-3e     dynamic

Again, the IP and MAC addresses of the two pinged addresses were added to the ARP cache. These dynamic entries are only temporary and have a set ďtime to liveĒ (TTL) period before they are erased (timeout). The TTL period varies from system to system, usually from 2 to 20 minutes, and will increase to a greater number of minutes if more data from these temporary entries is requested within the allotted TTL period. The TTL period for Windows NT has a default of two minutes, Windows 2000 has a default of 10 minutes, and Solaris has a default of 5 minutes. ARP caches of routers can be much longer which is the case with the Cisco IOS router having a cache time of 4 hours. For some computers, entries that are static usually remain on the cache table permanently or until the computer is rebooted. The TTL periods can be adjusted on most systems as well.

For security consciousness on networks, it would be best to set your ARP caches on your switches to hold static entries. However, not all that convenient for a LAN administrator, this will prevent ARP spoofing, (an intruder sending spoofed ARP packets to Host A and Host B so that the two hosts will think the intruderís computer is the intended host/router and send their data traffic through the intruderís host to allow sniffing and packet manipulation/editing) also called man-in-the-middle attacks, since static ARP tables cannot be updated, hence, making the use of spoofed arp packets useless.

The usefulness of the ARP cache comes into play when it is shown how two hosts send packets back and forth to one another on a LAN. If a source computer, on a LAN, with the IP address of wishes to send data to the destination computer with an IP of on the same local network, the source computer will first check its ARP cache to see if it has a mapping of the destination computerís MAC address. If no mapping of the address is found in the computerís cache, the source computer will then attempt to send a broadcast ARP request, with the destination IP attached to it, to all hosts on the local network. This ARP request is seen by all the hosts on the LAN and allows them to cross-reference the destination IP with entries found in their ARP cache. If the IP address of the destination computer does not match the IP address located in the ARP cache of the intended remote host, then the ARP request is discarded. If the IP matches the IP of a host on the network, then the destination host has been found and it will add the IP and MAC address of the source computer to its ARP cache and send the source computer back an ARP reply containing the MAC address of the destination computer. Once the source computer receives the ARP reply, it will then add the destination computerís IP and MAC address to its ARP cache. Now that the source computer knows the IP and the MAC address of the destination computer and vice versa, the two hosts will now be able to participate using the IP protocol method of transfer. Since both hosts have one anotherís IP and MAC addresses in their ARP caches, the next time one of these systems need to send data, it will simply search its own ARP cache for the necessary information on the other host (if no time-out has occurred), which will eliminate the need for broadcasting another ARP request throughout the network. This process can be explained better with a step-by-step diagramÖ

                                                 +3)Des. Found.     +
                                                 +4)Adds source IP, +
                                        |->->->->-+ MAC to Cache.     +    
                                     /|\        +5)Send ARP Reply to +
                                     /|\        + source.         +
Source Computer                     /|\        +--------------------+
+--------------------+                 /|\
+1)Checks Cache.     +                 /|\        +--------------------+
+2)Broadcasts ARP    +                 /|\        +3)Des. IP not found.+
+ req. to all hosts.+->->->->->->->->->|->->->->-+ Discard request. +
+6)Add Des. IP, Mac +                 \|/        +                    +
+ to Arp cache.     +                 \|/        +--------------------+
+--------------------+          \|/
                                     \|/        +--------------------+
                                     \|/        +3)Des. IP not found.+
                                        |->->->->-+ Discard request. +
                                                 +                    +

When taking an even closer look into this protocol transaction of ARP requests and replies, one will notice that the Address Resolution Protocol does not use an IP header. Instead, it has its own packet format that is encapsulated within an Ethernet frame. To further understand as to what an ARP packet is composed of and what exactly is being sent and received when a packet travels along the wire, here is a diagram of an Ethernet frame (as defined by IEEE 802.3) with an enlarged view of the encapsulated ARP request packetÖ

                             ETHERNET FRAME

|Preamble|Start | Des. |Source |Frame|             |     |        |
|7 bytes |Frame | MAC | MAC |Type | Encapsulated | Pad |Ethernet|
|        |Del. |6 bytes|6 bytes| 2B | ARP Packet | 18B | CRC |
|        | 1B |     |     |0x806| 28 bytes |     |4 bytes |
                                     \ /
                 ARP REQUEST PACKET

0         8            16                     31
|     Hardware Type     |     Protocol Type     |
+     1          |         0x806         +
|                        |                        |
|Hardware |Protocol    |                        |
+Address =6 |Address = 4 | Operation Code = 1 +
|Length     |Length     |                        |
|            Source Hardware Address             |
|            Source Protocol Address             |
|         Destination Hardware Address         |
|         Destination Protocol Address         |

The diagrams show that ARP request/reply packets are encapsulated within the Ethernet frame. The frame itself begins with a Preamble for synchronization, a Start of Frame Delimiter to signify the start of the frame, the destination and source MAC addresses, the frame type (ARP), the encapsulated ARP packet, padding incase extra data bytes need to be appended to bring the Ethernet frame to a minimized size, and a CRC (cyclical redundancy check) to provide error checking. The diagram of the ARP packet is shown to have a Hardware/MAC address type as 1 for Ethernet. The Protocol Type is 0x806, which is the value for an ARP request. If it were 0x835 then it would be for an ARP reply and if it were 0x800 it would be for an IP address. The Hardware Address Length is 6 bytes for Ethernet while the Protocol Address Length is 4 bytes for TCP/IP. The Operation code value is 1 for ARP reply and if the value was 2, then it would be for an ARP request (ARP request and ARP reply use the same packet format). The rest is self-explanatory.

There is also the Reverse Address Resolution Protocol (RARP), as outlined in RFC 903, which does the opposite of ARP in that it will allow a host to find its IP address if only its MAC address is known. This protocol uses the same packet format as the Address Resolution Protocol (except now the MAC address is the known parameter/frame instead of the IP address and the Protocol Type is 0x8036 for RARP), but is a completely different protocol all together. RARP works by allowing diskless nodes, that are connected to an Ethernet network and do not know their own IP addresses when booting up, to request their protocol addresses by broadcasting a RARP request (in the Operation Code parameter of the ARP packet diagram, a RARP request would be a value of 3) packet to special RARP servers on the network that contain databases that store mappings of MAC address to IP addresses. The RARP servers will cross-reference the MAC address found in the RARP request packet with mappings found in its database. If a match is found the RARP server will then send the IP address back to the host by using a RARP reply (in the Operation Code parameter of the ARP packet diagram, a RARP reply would be a value of 4) packet. RARP has been since superseded by the Bootstrap Protocol (BOOTP), as defined in RFC 951, where by a host would connect to a BOOTP server in the same manner it would with a RARP server, and BOOTP and RARP have both been superseded by the Dynamic Host Configuration Protocol (DHCP), which allows a device to have a different protocol address each time it connects to the network.

In closing, I would hope, by having read this, you now have a better understanding of the MAC address and the utilization of the Address Resolution Protocol. The purpose of putting this paper together was purely along the lines of a learning aspect for the reader, as well as myself, and I hope that this paper and I have succeeded in my goal of doing just that.

References and Related Documents:

(RFC 826) An Ethernet Address Resolution Protocol or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware

(RFC 903) Reverse Address Resolution Protocol

Address Resolution Protocol (ARP)

read comments (22) | write comment| views: 2100    printer-friendly version



powered by

The content on this site is (c) by particular authors and the New Order ( team.
Design is (c) by Box Network ltd.
For more informations about the New Order contact cube