Practical Networking .net

ARP Probe and ARP Announcement

This article is a part of a series on Address Resolution Protocol (ARP). Use the navigation boxes to view the rest of the articles.


Address Resolution Protocol

We finally come to the last iteration of ARP that this article series will discuss. They are the ARP Probe and the ARP Announcement. Both of these are used in a process known as Duplicate Address Detection.

The idea is if a host acquires and puts to use an IP address that happens to already be in use on the network, it will cause connectivity issues for both hosts. As such, it is beneficial for a host to first test an IP address before putting it to use to ensure it is indeed unique.

One such way of determining if an IP address in use is to use ARP. Or specifically, an ARP Probe.

The process is pretty straight forward, send a few ARP Probes (typically 3), and if no one responds, officially claim the IP address with an ARP Announcement. - ARP Probe and ARP Announcement

Both the ARP Probes and the ARP Announcements are sent as Broadcast frames – using the destination MAC address of ffff.ffff.ffff in the Ethernet header.

Both are sent without being solicited by a request, which therefore makes them “gratuitous”. But technically, they are not exactly the same as a Gratuitous ARP.

We will look at the packet structures in a moment, and they will reveal exactly how the ARP Announcements and ARP Probes are different from a Gratuitous ARP — despite often being incorrectly referred to as the same.


ARP Probe Packet Structure

The ARP Probe serves the purpose of polling the network to validate that an IP address is not already in use. - ARP ProbeIt is sent with the Opcode field set to 1, indicating an ARP Request. The idea is if the IP address in question is already in use, the initiator of the ARP Probe will expect a Response from original owner. Hence, this ARP Probe is a request which might prompt a response.

The Sender MAC address is set to the initiator’s MAC address. The Sender IP address is set to

The Target MAC address is set to 0000.0000.0000, and the Target IP Address is set to the IP address being probed.

Notice there is no complete mapping provided in the packet. The Sender IP is set to all zeros, which means it cannot map to the Sender MAC address. The Target MAC address is all zeros, which means it cannot map to the Target IP address.

This is intentional, because the reason for sending the ARP Probe is to prevent an IP conflict. If the target IP address is already in use, it would be very undesirable for other hosts on the network to inadvertently update their ARP cache based upon the contents of the ARP Probe.

This is also the primary difference between an ARP Probe and a Gratuitous ARP. A Gratuitous ARP is meant to update all the ARP caches on the network, where as an ARP Probe deliberately prevents updating of ARP caches to continue protecting against IP address conflicts.

ARP Announcement Packet Structure

If the ARP Probe does not generate a response from whomever might already be using the IP address, the initiating host will consider this IP address unique and will send an ARP Announcement to officially “claim” the IP address on the network. - ARP Announcement

The ARP Announcement is very similar to a Gratuitous ARP, with one notable exception:

The Opcode in an ARP Announcement is set to 1, indicating a request. Typical Gratuitous ARP will have an Opcode set to 2.

Otherwise, the packet structure is identical to the ARP Probe above, with the exception that a complete mapping exists. Both the Sender MAC address and the Sender IP address create a complete ARP mapping, and hosts on the network can use this pair of addresses in their ARP table.

Like the Gratuitous ARP, the Target MAC address is ignored, in this example it is set to 0000.0000.0000, some implementations of the ARP Announcement use ffff.ffff.ffff instead.

Finally, the Target IP again confirms the subject of the communication: the IP address who’s uniqueness has now been confirmed.


Once again, the ARP Announcement is very similar to the Gratuitous ARP, with their only difference being the Opcode field. They are often both simply referred to as a Gratuitous ARP — despite technically being different constructs. However, for everyday networking, this is a trivial misnomer, and a little inaccuracy can sometimes save a lengthy explanation.

You can download the packet capture of the ARP Probe and ARP Announcement process here. It can be studied using Wireshark.



Series Navigation<< Gratuitous ARP


  1. This was completely new to me

    Thank you

  2. Thank you, this was actually an easy read.

    By the way, the quote “a little inaccuracy can sometimes save a lengthy explanation” is I think called Dotan’s Razor, at least that’s what this guy calls it:

  3. This surely explains how ARP Probe prevents duplication within one network. What if you want to check if an IP address is available for use universally? Since the ARP Probe is a broadcast, it will not travel outside the router.

    • Hi Sunny.

      IP Duplication outside of your network is less of a problem. Remember, the ARP Probe/Announcement checks for unintentional IP duplication, i.e. non-malicious. If there is an inadvertent IP conflict in remote networks, simple Routing would prevent the incorrect IP address from receiving any traffic — Internet routing would only route to the “correct” IP address/network.

      Malicious IP conflict, however, is a whole other story, both for “in-network” and “out of network” IP conflicts… and also well outside the intended scope of this article =).

  4. Great explanation.
    Just to clarify, when Gratuitous arp is sent out, does an arp probe is sent out at the same time?
    I want to understand the process when duplicate IP added to the network?


    • Hi Sandaru,

      They are independent processes. If a host needs to announce its IP-to-MAC mapping, it uses a Gratuitous ARP. If a host needs to determine if an IP address is already in use, it uses an ARP Probe. There isn’t a common use case that would involve a host sending both at the same time.

  5. Naveen Kumar says

    Thanks Ed Harmoush for sharing very informative document, It means a switch starts to build its mac address table with ARP probe & ARP announcement frames, Please let me know if I am wrong.

    • Hi Naveen. A switch will build it’s MAC address table with anything it receives. If the first thing received is an ARP Probe, then yes, that is what the switch will use.

      But keep in mind, not all devices perform duplicate address detection, and therefore not all devices send ARP Probes. So a direct link between populating a MAC address table and ARP Probes should not be made.

  6. when it appears the message “windows has detected an ip address conflict” and immediately the duplicate ip is updated, is it because the “dhcp dora” process was carried out, assigned a duplicate ip and then arp probe started?

    • The Duplicate Address Detection (DAD) is a separate process from DHCP. Anytime your client gets an IP address (whether it was statically configured, or acquired from DHCP, it will perform the ARP Probe and Announcement process. If a duplicate is detected, then your client will try to accommodate: If the address was assigned with DHCP, the client can ask for a new IP address. If the IP address was statically assigned, the client must wait for the administrator to re-assign a new IP address.

  7. we appreciate your effort to make things easier.

    what if ARP Probes sent and if someone responds saying that he is using that IP.
    what be the response message and what will be the Packet Structure?

    waiting for VPNs – ISAKMP, IPSEC, and IKE (coming soon) series.

    • Hi Anurag,

      If the IP is in use, the new client’s reaction would be different depending upon how it acquired the IP address. If it acquired the IP address using DHCP, it might try to ask for a new (unused) IP address from the DHCP server. If it acquired the IP address statically, then it simply doesn’t use the IP address and waits for the administrator to reconfigure a new IP address.

      Thank you for the reminder about the VPN articles. I’m still trying to prioritize the time for them. =)

  8. Akanksha gupta says

    Great explanation.
    Looking forward to more such information.

  9. It seems to me that the ARP announcement is not necessary since other hosts will probe or query current host.

Speak Your Mind