ARP Probe and ARP Announcement


    This article is a part of a series on Address Resolution Protocol (ARP). Use the navigation boxes to view the rest of the articles.

     


    We finally come to the last iteration of ARP that this article series will discuss. They are the ARP Probe and the ARP Announcement. Both of these are used in a process known as Duplicate Address Detection.

    The idea is if a host acquires and puts to use an IP address that happens to already be in use on the network, it will cause connectivity issues for both hosts. As such, it is beneficial for a host to first test an IP address before putting it to use to ensure it is indeed unique.

    One way of determining whether an IP address is in use is to use ARP. Or specifically, an ARP Probe.

    The process is straightforward: send a few ARP Probes (typically 3), and if no one responds, officially claim the IP address with an ARP Announcement.


    Both the ARP Probes and the ARP Announcements are sent as Broadcast frames – using the destination MAC address of ffff.ffff.ffff in the Ethernet header.

    Both are sent without being solicited by a request, which therefore makes them “gratuitous”. But technically, they are not exactly the same as a Gratuitous ARP.

    We will look at the packet structures in a moment, and they will reveal exactly how the ARP Announcements and ARP Probes are different from a Gratuitous ARP — despite often being incorrectly referred to as the same.

    ARP Probe Packet Structure

    The ARP Probe serves the purpose of polling the network to validate that an IP address is not already in use.

    It is sent with the Opcode field set to 1, indicating an ARP Request. The idea is that if the IP address in question is already in use, the initiator of the ARP Probe will expect a Response from the original owner. Hence, this ARP Probe is a request which might prompt a response.

    The Sender MAC address is set to the initiator’s MAC address. The Sender IP address is set to 0.0.0.0.

    The Target MAC address is set to 0000.0000.0000, and the Target IP Address is set to the IP address being probed.

    Notice there is no complete mapping provided in the packet. The Sender IP is set to all zeros, which means it cannot map to the Sender MAC address. The Target MAC address is all zeros, which means it cannot map to the Target IP address.

    This is intentional, because the reason for sending the ARP Probe is to prevent an IP conflict. If the target IP address is already in use, it would be very undesirable for other hosts on the network to inadvertently update their ARP cache based upon the contents of the ARP Probe.

    This is also the primary difference between an ARP Probe and a Gratuitous ARP. A Gratuitous ARP is meant to update all the ARP caches on the network, whereas an ARP Probe deliberately prevents updating of ARP caches to continue protecting against IP address conflicts.

    ARP Announcement Packet Structure

    If the ARP Probe does not generate a response from whomever might already be using the IP address, the initiating host will consider this IP address unique and will send an ARP Announcement to officially “claim” the IP address on the network.


    The ARP Announcement is very similar to a Gratuitous ARP, with one notable exception:

    The Opcode in an ARP Announcement is set to 1, indicating a request. A typical Gratuitous ARP will have an Opcode set to 2.

    Otherwise, the packet structure is identical to the ARP Probe above, with the exception that a complete mapping exists. Both the Sender MAC address and the Sender IP address create a complete ARP mapping, and hosts on the network can use this pair of addresses in their ARP table.

    Like the Gratuitous ARP, the Target MAC address is ignored. In this example it is set to 0000.0000.0000; some implementations of the ARP Announcement use ffff.ffff.ffff instead.

    Finally, the Target IP again confirms the subject of the communication: the IP address whose uniqueness has now been confirmed.

    Once again, the ARP Announcement is very similar to the Gratuitous ARP, with their only difference being the Opcode field. They are often both simply referred to as a Gratuitous ARP — despite technically being different constructs. However, for everyday networking, this is a trivial misnomer, and a little inaccuracy can sometimes save a lengthy explanation.

    You can download the packet capture of the ARP Probe and ARP Announcement process here. It can be studied using Wireshark.
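
    The field rules from the two packet-structure sections above, as an added example (not code from the original article): a small Python parser that labels ARP payloads as probe, announcement or gratuitous, and flags a probe that another host answered. The function names, the sample addresses and the constructed reply are assumptions made for this illustration.

```python
import socket
import struct

ARP_HDR = b"\x00\x01\x08\x00\x06\x04"  # htype=Ethernet, ptype=IPv4, hlen=6, plen=4
ARP_BODY = "!H6s4s6s4s"                 # opcode, sender MAC/IP, target MAC/IP

def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte ARP payload (used only to construct the sample input)."""
    mac = lambda m: bytes.fromhex(m.replace(".", ""))
    return ARP_HDR + struct.pack(ARP_BODY, oper, mac(sha), socket.inet_aton(spa),
                                 mac(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP payload into a dict of its address fields."""
    if len(payload) < 28 or payload[:6] != ARP_HDR:
        raise ValueError("not a complete Ethernet/IPv4 ARP payload")
    oper, sha, spa, tha, tpa = struct.unpack(ARP_BODY, payload[6:28])
    return {"oper": oper, "sha": sha.hex(), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(), "tpa": socket.inet_ntoa(tpa)}

def classify(p):
    """Name the ARP variant using the field rules described in the article."""
    if p["oper"] not in (1, 2):
        return "other"          # e.g. RARP opcodes, outside the article's scope
    if p["oper"] == 1 and p["spa"] == "0.0.0.0":
        return "probe"          # request with no sender IP: no usable mapping
    if p["spa"] == p["tpa"]:    # complete mapping; only the opcode differs
        return "announcement" if p["oper"] == 1 else "gratuitous"
    return "request" if p["oper"] == 1 else "reply"

def find_conflicts(payloads):
    """Return (ip, prober_mac, owner_mac) for each probe another host answered."""
    probing, conflicts = {}, []
    for p in map(parse_arp, payloads):
        kind = classify(p)
        if kind == "probe":
            probing[p["tpa"]] = p["sha"]
        elif kind == "announcement":
            probing.pop(p["spa"], None)   # address claimed, probing is over
        elif p["oper"] == 2 and probing.get(p["spa"], p["sha"]) != p["sha"]:
            conflicts.append((p["spa"], probing[p["spa"]], p["sha"]))
    return conflicts

# Constructed sample traffic; all addresses are made up for this example.
A, B, Z = "0011.2233.4455", "00aa.bbcc.ddee", "0000.0000.0000"
CLEAN = [build_arp(1, A, "0.0.0.0", Z, "10.0.0.50")] * 3 + [
    build_arp(1, A, "10.0.0.50", Z, "10.0.0.50")]
CONFLICT = [build_arp(1, A, "0.0.0.0", Z, "10.0.0.60"),    # probe from A
            build_arp(2, B, "10.0.0.60", A, "0.0.0.0")]    # reply from owner B
```

    `CLEAN` models three probes followed by an announcement from the same host; `CONFLICT` models a probe that is answered by a host already using the address.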

    25 Comments

    This was completely new to me

    Thank you

    Thank you, this was actually an easy read.

    By the way, the quote “a little inaccuracy can sometimes save a lengthy explanation” is I think called Dotan’s Razor, at least that’s what this guy calls it:
    http://dotancohen.com/eng/britain_england_united_kingdom.html

    This surely explains how ARP Probe prevents duplication within one network. What if you want to check if an IP address is available for use universally? Since the ARP Probe is a broadcast, it will not travel outside the router.

    Great explanation.
    Just to clarify, when a Gratuitous ARP is sent out, is an ARP probe sent out at the same time?
    I want to understand the process when a duplicate IP is added to the network?

    Thanks.

    Thanks Ed Harmoush for sharing very informative document, It means a switch starts to build its mac address table with ARP probe & ARP announcement frames, Please let me know if I am wrong.

    when it appears the message “windows has detected an ip address conflict” and immediately the duplicate ip is updated, is it because the “dhcp dora” process was carried out, assigned a duplicate ip and then arp probe started?

    we appreciate your effort to make things easier.

    What if ARP Probes are sent and someone responds saying that he is using that IP?
    What will be the response message and what will be the Packet Structure?

    waiting for VPNs – ISAKMP, IPSEC, and IKE (coming soon) series.

    Great explanation.
    Looking forward to more such information.

    It seems to me that the ARP announcement is not necessary since other hosts will probe or query current host.

    Hello,
    I had created simple topology in GNS3, with 2 VPCS which are PC1 : 10.0.0.3/24 and PC2 : 192.168.0.3/24. Both are connected to Router R3, PC1 to Int fa0/0 : 10.0.0.2/24 and PC2 to Int fa0/1: 192.168.0.2/24.

    Now when I manually provide IP to PC2 192.168.0.3, it sends 3 gratuitous ARP packets with Opcode 1 i.e. Request, sender IP and MAC is PC2’s details. Target MAC is Broadcast and Target IP is as usual 192.168.0.3 i.e. PC2’s assigned IP. All 3 packets have the same data as I mentioned above. (Packets captured on Wireshark)

    My question is what type of ARP packets are these? What is the purpose of these packets?
    And I found that Router R3 didn’t populate its ARP table even if the above packets have a clear mapping of source IP and MAC.

    thank you Ed Harmoush ,
    could you tell if packets are ARP announcement then why R3 didn’t populate its ARP table ?

    Can you clarify how the ARP probe differs from the IPDT (IP Device Tracking) Probe? IPDT sometimes causes duplicate IP 0.0.0.0 errors.

    Like the ARP Probe, does the DHCP Server also check if an IP address is already being used by another Host before offering it? For example: The DHCP Server makes a “Ping ECHO REQUEST” on the IP address before starting the DHCP Offer and after the DHCP Server sends a “DHCP ACK” the client also starts a check if the IP Address is not already being used by another device through the ARP Probe. Is there this junction of the DHCP Server testing the IP before offering it with a “Ping” and after assigning the IP Address to the client with the confirmation “DHCP ACK” the client also does a verification with the ARP Probe?

    https://www.youtube.com/watch?v=g4WJ4I6XmXE&list=PLruzrX735K0iSB4Xhirpah6K49GxiTSUi&index=4

    I came across this video where Cisco packet tracker was used to demonstrate the duplicate IP address issue. In this example the packet tracker software shows that the ARP packet sent is gratuitous ARP and not the probe. Can you provide clarity on this? would really appreciate it.

    Thanks
    B

    I am a certified network architect, and I can say this is the best networking article I have ever read. Not just for ARP, in general I am speaking. It is very well-organized, well-explained with practical examples (pcaps) and animations. 8 years in networking business and I feel that I really, finally, understand ARP and all its flavors. Man you are the best!!!!

    This is a very nice article. Although I have a concern. Do the hosts still learn the mapping with 0.0.0.0 sender IP in the ARP probe? Obviously, this wouldn’t have any effect if it does because technically a packet will never originate from 0.0.0.0 and the cache won’t get polluted…. I just want to clarify if it adds this to the ARP cache table.