The ARP Protocol
An IP address is a numerical label for a networked device. It’s used as an address so the appropriate network traffic arrives at the correct device. But most devices on local area networks have dynamic IP addresses. That is, their IP address might well change the next time they’re booted up.
To be able to correctly route network traffic to the appropriate device, a scheme has to be employed that maps IP addresses to Media Access Control (MAC) addresses. The MAC address is a unique identity established at the point of manufacture of a device. An IP address is a logical address. The MAC address is a physical address.
The Address Resolution Protocol is the middleman that maps IP addresses to MAC addresses. The device responsible for marshaling and directing network packets in your network—usually, the router—builds and maintains an ARP table that ties IP addresses to MAC addresses.
If the router needs to route data to a device it doesn’t know about, it makes an ARP request to obtain the MAC address for the new device.
When a new device is connected to your network it is assigned an IP address, but that isn’t enough to actually route traffic to it. The router needs to obtain the MAC address which is the missing piece of the jigsaw. But because the IP address on its own isn’t enough information to route packets to the device, the Catch-22 is it can’t use the IP address to query the hardware to get the MAC address.
The Open Systems Interconnection model groups the technologies that make up a working network as a series of layers. Higher layers cannot operate without the lower layers. There are seven layers in the OSI model.
Layer 7 is the top-most layer, the application layer. It provides information to the computer user and receives information back from them.
Layer 6 is the presentation layer. This makes sure the data is in the right format or state as it moves to and from the network format. Encryption and decryption take place at this layer.
Layer 5 is the session layer. A session is a network connection between two or more devices. This layer involves itself with such matters as the initiation of a connection, handshaking, timeouts, and the breaking of connections that are no longer required.
Layer 4 is the transport layer. This is the layer that moves data around the network in a coordinated way. This layer is concerned with such things as transfer rates and data volumes. The Transmission Control Protocol—the TCP in TCP/IP—operates at this layer.
Layer 3 is the network layer. This is where routing and packet forwarding take place. It’s the layer that the Internet Protocol—the IP in TCP/IP—operates at.
Layer 2 is the data link layer. It is used to send packets between directly-addressable devices using broadcasts to every device or unicasts to specific MAC addresses.
Layer 1 is the physical layer. This is concerned with the physical infrastructure including cabling, routers, and network switches. The radio waves used in Wi-Fi would also fall into this category.
When the router receives a packet for an IP address that isn’t in its table it sends a broadcast packet to the entire network. It effectively asks “Who has this IP address?” This is a layer two message so it doesn’t rely on IP routing.
The device with the matching address responds by sending back its MAC Address. That device’s IP address and MAC address can be added to the mapping table. Regular IP traffic can now be routed to the device because the relationship between its IP address and its MAC address has been established and recorded.
The arping Command
All of the clever ARP stuff goes on automatically in the background, building and maintaining the ARP table. The arping command brings some of the functionality of the ARP query to the terminal window. It operates at OSI layer two and it can solicit a response from a device when ping does not.
On Fedora 36, arping was already installed, but we needed to install it on Manjaro 21 and Ubuntu 22.04.
On Ubuntu the command is:
On Manjaro you need to type:
The simplest way to use arping is with an IP address. This must be the address of a directly-addressable device, connected to the local network. Because arping operates at layer two, no routing is possible. You’ll need to use sudo with arping.
Press Ctrl+C to stop. The information returned is the MAC address of the responding device, the index number of the arping request, and the round-trip time for the arping request to be completed.
Compare the output to that from the ping command, below. The ping command returns more information about the timing of the network packet round-trip. The arping command gives you fewer timing stats, but it does include the device’s MAC Address.
You can also use the network name of the device with arping.
You can use the -c (count) option to tell arping to stop after a set number of requests. This command tells arping to try twice and then stop.
If you have multiple network interfaces in your computer, you can use the -I (interface) option to tell arping which interface to use.
You can use the ip link command to list your network interfaces.
This computer has three interfaces. The lo virtual interface is used as a loopback for internal connections between software on the same computer. It isn’t of use to us here. We can use either the ethernet connection enp3s0 or the wireless interface wlan0.
This command tells arping to use the interface we choose, and not to make its own selection.
Using arping In Scripts
By wrapping arping in a loop in a script, we can get it to work over a range of IP addresses. Copy the text from this script and save it to a file called “scan-range.sh.”
You’ll need to edit the script and replace all occurrences of 192.168.1 with the IP address of your network.
The script accepts two command line parameters. These are used as the last octet of the IP addresses of the range you want to use arping on. So, if you pass 20 and 30 to the script, the loop would begin at 192.168.1.20 and would terminate after using IP address 192.168.1.30.
The parameters are accessed inside the script as $1 and $2. These are used in a C-style for loop. At each spin of the for loop, $device is set to the next IP address in the range.
The script uses the same arping -c format we’ve already seen, but this time we’re only asking for a single ARP request to be sent to each device in the range.
The output from the arping command is piped through grep.
The grep syntax can be simplified in your script. grep is looking for one of two strings, either “1 response” or “1 packets received.” This is because the test computers had different versions of arping on them and they use different terminology. If grep finds either of these phrases, its exit value will be zero.
When you know which of the phrases your version of arping uses, you can simplify the grep syntax by removing the other phrase.
The if statement tests $?—a variable that holds the exit code of the last process that ended—to see if it is zero. If it is, it uses echo to print a message of success to the terminal window. If the test fails then grep did not find either of the strings, meaning the ARP request failed.
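A script matching the description above, written here as an added example and not the article's own listing. It assumes a PREFIX variable in place of hand-editing the address, uses a POSIX while loop where the article describes a C-style for loop, and adds a check that both arguments are valid host octets; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: ARP sweep over a range of last octets.
# PREFIX is an assumption; set it to the first three octets of your network.
PREFIX="${PREFIX:-192.168.1}"

# Succeeds if arping's output (read from stdin) reports one reply.
# Both phrasings mentioned in the article are accepted.
arp_replied() {
    grep -Eq '1 response|1 packets received'
}

# Succeeds if $1 is a whole number usable as a host octet (1-254).
# Anything empty, zero-prefixed or non-numeric is rejected before it
# reaches arithmetic or the arping command line.
valid_octet() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -le 254 ]
}

# scan_range FIRST LAST: send one ARP request per address in the range
# and print one result line for each address.
scan_range() {
    valid_octet "$1" && valid_octet "$2" && [ "$1" -le "$2" ] || {
        echo "usage: scan-range.sh FIRST LAST (1-254, FIRST <= LAST)" >&2
        return 2
    }
    octet=$1
    while [ "$octet" -le "$2" ]; do
        device="$PREFIX.$octet"
        if arping -c 1 "$device" 2>/dev/null | arp_replied; then
            echo "$device responded"
        else
            echo "$device did not respond"
        fi
        octet=$((octet + 1))
    done
}

# Run the scan only when both range arguments are supplied.
if [ "$#" -ge 2 ]; then
    scan_range "$1" "$2"
fi
```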
Make your script executable by using the chmod command and the +x option.
We’ll run it and scan the IP range from 15 to 20. Some of these addresses do not have devices attached, so we should see some failures. Remember to use sudo. We’ll also try to ping the device at 192.168.1.15.
We get a mixture of successes and failures, as you would on any network. But notice that although the device at 192.168.1.15 responds to the layer two ARP request, it doesn’t respond to the layer three ping request.
If you had pinged the device and noted the failure you’d probably be inclined to check that it was plugged in, online, and whether you could ping out of device 192.168.1.15.
But with arping you can verify that it is connected, online, and network-accessible. That would guide your troubleshooting to start looking into routing and ARP table issues.
A Deeper Insight
There are many layers to the networking onion. If ping doesn’t get you anywhere, drop down a layer and see what arping can tell you.