This article is a part of a series on Address Resolution Protocol (ARP). The articles in the series are:
- Traditional ARP
- Proxy ARP
- Gratuitous ARP
- ARP Probe and ARP Announcement
We finally come to the last iteration of ARP that this article series will discuss. They are the ARP Probe and the ARP Announcement. Both of these are used in a process known as Duplicate Address Detection.
The idea is if a host acquires and puts to use an IP address that happens to already be in use on the network, it will cause connectivity issues for both hosts. As such, it is beneficial for a host to first test an IP address before putting it to use to ensure it is indeed unique.
One way of determining whether an IP address is in use is to use ARP, or specifically, an ARP Probe.
The process is pretty straightforward: send a few ARP Probes (typically 3), and if no one responds, officially claim the IP address with an ARP Announcement.
Both the ARP Probes and the ARP Announcements are sent as Broadcast frames, using the destination MAC address of ffff.ffff.ffff in the Ethernet header.
Both are sent without being solicited by a request, which therefore makes them “gratuitous”. But technically, they are not exactly the same as a Gratuitous ARP.
We will look at the packet structures in a moment, and they will reveal exactly how the ARP Announcements and ARP Probes are different from a Gratuitous ARP — despite often being incorrectly referred to as the same.
ARP Probe Packet Structure
The ARP Probe serves the purpose of polling the network to validate that an IP address is not already in use.
It is sent with the Opcode field set to 1, indicating an ARP Request. The idea is if the IP address in question is already in use, the initiator of the ARP Probe will expect a Response from the original owner. Hence, this ARP Probe is a request which might prompt a response.
The Sender MAC address is set to the initiator’s MAC address. The Sender IP address is set to 0.0.0.0.
The Target MAC address is set to 0000.0000.0000, and the Target IP Address is set to the IP address being probed.
Notice there is no complete mapping provided in the packet. The Sender IP is set to all zeros, which means it cannot map to the Sender MAC address. The Target MAC address is all zeros, which means it cannot map to the Target IP address.
This is intentional, because the reason for sending the ARP Probe is to prevent an IP conflict. If the target IP address is already in use, it would be very undesirable for other hosts on the network to inadvertently update their ARP cache based upon the contents of the ARP Probe.
This is also the primary difference between an ARP Probe and a Gratuitous ARP. A Gratuitous ARP is meant to update all the ARP caches on the network, whereas an ARP Probe deliberately prevents updating of ARP caches to continue protecting against IP address conflicts.
ARP Announcement Packet Structure
If the ARP Probe does not generate a response from whomever might already be using the IP address, the initiating host will consider this IP address unique and will send an ARP Announcement to officially “claim” the IP address on the network.
The ARP Announcement is very similar to a Gratuitous ARP, with one notable exception:
The Opcode in an ARP Announcement is set to 1, indicating a request. Typical Gratuitous ARP will have an Opcode set to 2.
Otherwise, the packet structure is identical to the ARP Probe above, with the exception that a complete mapping exists. Both the Sender MAC address and the Sender IP address create a complete ARP mapping, and hosts on the network can use this pair of addresses in their ARP table.
Like the Gratuitous ARP, the Target MAC address is ignored. In this example it is set to 0000.0000.0000; some implementations of the ARP Announcement use ffff.ffff.ffff instead.
Finally, the Target IP again confirms the subject of the communication: the IP address whose uniqueness has now been confirmed.
Once again, the ARP Announcement is very similar to the Gratuitous ARP, with their only difference being the Opcode field. They are often both simply referred to as a Gratuitous ARP — despite technically being different constructs. However, for everyday networking, this is a trivial misnomer, and a little inaccuracy can sometimes save a lengthy explanation.
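The field values described above are enough to tell the three constructs apart in a packet capture. The following Python code is an added example, not part of the original article: it decodes the 28-byte ARP payload, labels it as a probe, announcement or Gratuitous ARP, and flags a probed address that a different MAC already answers for. The function names and the sample MAC and IP addresses are constructed for illustration.

```python
import socket
import struct

# ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, opcode,
# sender MAC, sender IP, target MAC, target IP (28 bytes total).
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload: bytes) -> dict:
    """Decode the 28-byte ARP payload that follows the Ethernet header."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        raise ValueError("not an Ethernet/IPv4 ARP request or reply")
    return {"op": op, "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}

def classify(pkt: dict) -> str:
    """Name the ARP variant using the field values described in the article."""
    if pkt["op"] == 1 and pkt["spa"] == "0.0.0.0":
        return "probe"            # request, no sender IP: no mapping offered
    if pkt["spa"] == pkt["tpa"]:
        # Complete mapping about the sender itself; only the opcode differs.
        return "announcement" if pkt["op"] == 1 else "gratuitous"
    return "request" if pkt["op"] == 1 else "reply"

def find_conflicts(packets: list) -> list:
    """Return (ip, prober_mac, owner_mac) when a probed IP is already claimed."""
    probing, conflicts = {}, []
    for pkt in map(parse_arp, packets):
        if classify(pkt) == "probe":
            probing[pkt["tpa"]] = pkt["sha"]
        elif pkt["spa"] in probing and pkt["sha"] != probing[pkt["spa"]]:
            conflicts.append((pkt["spa"], probing[pkt["spa"]], pkt["sha"]))
    return conflicts

def build(op, sha, spa, tha, tpa) -> bytes:
    """Construct a sample payload (constructed test data, not a real capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

# Constructed addresses: host A probes 10.0.0.5, host B already owns it.
A, B, ZERO = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:00:00:00:00"
PROBE = build(1, A, "0.0.0.0", ZERO, "10.0.0.5")
ANNOUNCE = build(1, A, "10.0.0.5", ZERO, "10.0.0.5")
GRATUITOUS = build(2, A, "10.0.0.5", "ff:ff:ff:ff:ff:ff", "10.0.0.5")
OWNER_REPLY = build(2, B, "10.0.0.5", A, "0.0.0.0")
```

Calling find_conflicts([PROBE, OWNER_REPLY]) reports the conflict on 10.0.0.5, while three probes followed by the announcement from the same MAC report none.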
This was completely new to me
Thank you
Thank you, this was actually an easy read.
By the way, the quote “a little inaccuracy can sometimes save a lengthy explanation” is I think called Dotan’s Razor, at least that’s what this guy calls it:
http://dotancohen.com/eng/britain_england_united_kingdom.html
This surely explains how ARP Probe prevents duplication within one network. What if you want to check if an IP address is available for use universally? Since the ARP Probe is a broadcast, it will not travel outside the router.
Hi Sunny.
IP Duplication outside of your network is less of a problem. Remember, the ARP Probe/Announcement checks for unintentional IP duplication, i.e. non-malicious. If there is an inadvertent IP conflict in remote networks, simple Routing would prevent the incorrect IP address from receiving any traffic — Internet routing would only route to the “correct” IP address/network.
Malicious IP conflict, however, is a whole other story, both for “in-network” and “out of network” IP conflicts… and also well outside the intended scope of this article =).
Great explanation.
Just to clarify, when a Gratuitous ARP is sent out, is an ARP Probe sent out at the same time?
I want to understand the process when a duplicate IP is added to the network.
Thanks.
Hi Sandaru,
They are independent processes. If a host needs to announce its IP-to-MAC mapping, it uses a Gratuitous ARP. If a host needs to determine if an IP address is already in use, it uses an ARP Probe. There isn’t a common use case that would involve a host sending both at the same time.
Thanks Ed Harmoush for sharing very informative document, It means a switch starts to build its mac address table with ARP probe & ARP announcement frames, Please let me know if I am wrong.
Hi Naveen. A switch will build its MAC address table with anything it receives. If the first thing received is an ARP Probe, then yes, that is what the switch will use.
But keep in mind, not all devices perform duplicate address detection, and therefore not all devices send ARP Probes. So a direct link between populating a MAC address table and ARP Probes should not be made.
when it appears the message “windows has detected an ip address conflict” and immediately the duplicate ip is updated, is it because the “dhcp dora” process was carried out, assigned a duplicate ip and then arp probe started?
The Duplicate Address Detection (DAD) is a separate process from DHCP. Anytime your client gets an IP address (whether it was statically configured, or acquired from DHCP), it will perform the ARP Probe and Announcement process. If a duplicate is detected, then your client will try to accommodate: If the address was assigned with DHCP, the client can ask for a new IP address. If the IP address was statically assigned, the client must wait for the administrator to re-assign a new IP address.
we appreciate your effort to make things easier.
What if ARP Probes are sent and someone responds saying that he is using that IP?
What will be the response message and what will be the Packet Structure?
waiting for VPNs – ISAKMP, IPSEC, and IKE (coming soon) series.
Hi Anurag,
If the IP is in use, the new client’s reaction would be different depending upon how it acquired the IP address. If it acquired the IP address using DHCP, it might try to ask for a new (unused) IP address from the DHCP server. If it acquired the IP address statically, then it simply doesn’t use the IP address and waits for the administrator to reconfigure a new IP address.
Thank you for the reminder about the VPN articles. I’m still trying to prioritize the time for them. =)
Great explanation.
Looking forward to more such information.
It seems to me that the ARP announcement is not necessary since other hosts will probe or query current host.
Hello,
I had created simple topology in GNS3, with 2 VPCS which are PC1 : 10.0.0.3/24 and PC2 : 192.168.0.3/24. Both are connected to Router R3, PC1 to Int fa0/0 : 10.0.0.2/24 and PC2 to Int fa0/1: 192.168.0.2/24.
Now when I manually provide IP to PC2 192.168.0.3, it sends 3 gratuitous ARP packets with Opcode 1 i.e. Request, sender IP and MAC is PC2’s details. Target MAC is Broadcast and Target IP is as usual 192.168.0.3 i.e. PC2’s assigned IP. All 3 packets have the same data as I mentioned above. (Packets captured on Wireshark)
My question is what type of ARP packets these are? What is purpose of these packets ?
And I found that Router R3 didn’t populate its ARP table even if the above packets have a clear mapping of source IP and MAC.
It appears to be a version of the ARP Announcement. In my packet captures the target MAC is all 0’s, but I’ve also seen ARP Announcements with a target MAC of all F’s (broadcast MAC).
thank you Ed Harmoush ,
could you tell if packets are ARP announcement then why R3 didn’t populate its ARP table ?
Can you clarify how the ARP probe differs from the IPDT (IP Device Tracking) Probe? IPDT sometimes causes duplicate IP 0.0.0.0 errors.
You’d have to send me a packet capture of the IPDT probes and we could compare them to the G.ARP / ARP Probe packet captures in the article series.
PS: Is this the same Robert Vogler I worked with back at Rackspace =) ?
Like the ARP Probe, does the DHCP Server also check if an IP address is already being used by another Host before offering it? For example: The DHCP Server makes a “Ping ECHO REQUEST” on the IP address before starting the DHCP Offer and after the DHCP Server sends a “DHCP ACK” the client also starts a check if the IP Address is not already being used by another device through the ARP Probe. Is there this junction of the DHCP Server testing the IP before offering it with a “Ping” and after assigning the IP Address to the client with the confirmation “DHCP ACK” the client also does a verification with the ARP Probe?
DHCP server keeps track of what is assigned. It doesn’t actively check if something is/isn’t in use, it relies on its own logs of what it has already given out and what it hasn’t.
https://www.youtube.com/watch?v=g4WJ4I6XmXE&list=PLruzrX735K0iSB4Xhirpah6K49GxiTSUi&index=4
I came across this video where Cisco packet tracker was used to demonstrate the duplicate IP address issue. In this example the packet tracker software shows that the ARP packet sent is gratuitous ARP and not the probe. Can you provide clarity on this? would really appreciate it.
Thanks
B
Without seeing a packet capture, you can’t know whether it was an ARP Probe or Gratuitous ARP. But the article above shows how to tell an ARP Probe vs Gratuitous ARP, so this should be something you can test yourself.
Also, the video is using packet tracer, which is a network simulator — it doesn’t always work exactly the way real life does.
I am a certified network architect, and I can say this is the best networking article I have ever read. Not just for ARP, in general I am speaking. It is very well-organized, well-explained with practical examples (pcaps) and animations. 8 years in networking business and I feel that I really, finally, understand ARP and all its flavors. Man you are the best!!!!
This is a very nice article. Although I have a concern. Do the hosts still learn the mapping with 0.0.0.0 sender IP in the ARP probe? Obviously, this wouldn’t have any effect if it does because technically a packet will never originate from 0.0.0.0 and the cache won’t get polluted…. I just want to clarify if it adds this to the ARP cache table.