Address Resolution Protocol (ARP) Virtual Laboratory

Interactive simulation for undergraduate communication engineering students

Welcome to the ARP Virtual Lab! This interactive laboratory provides hands-on experience with the Address Resolution Protocol, a fundamental protocol in TCP/IP networking that maps IP addresses to MAC addresses on local area networks.

🎯 Learning Objectives

Understand ARP Mechanism

Explain how ARP resolves IP addresses to MAC addresses through request-reply messaging

Analyze Packet Structure

Examine ARP packet fields including hardware type, protocol type, operation code, and addresses

Manage ARP Cache

Understand dynamic and static ARP entries, cache timeout mechanisms, and table management

Troubleshoot ARP Issues

Identify common ARP-related network problems including cache poisoning and incomplete entries

Simulate Network Scenarios

Observe ARP behavior in different network configurations including same-subnet and cross-router communication

Security Awareness

Understand ARP spoofing attacks and mitigation techniques in modern networks

📚 Theory

1. Introduction to ARP

The Address Resolution Protocol (ARP) is a communication protocol used for mapping network layer addresses (IP addresses) to link layer addresses (MAC addresses). When a device wants to communicate with another device on the same local network, it needs the destination's MAC address to construct the Ethernet frame, even though it knows the destination IP address.

Key Concept: ARP operates at the boundary between Layer 2 (Data Link) and Layer 3 (Network) of the OSI model. It is essential for IPv4 Ethernet networks but is not used in IPv6, where it is replaced by the Neighbor Discovery Protocol (NDP).

2. ARP Operation Mechanism

The ARP resolution process follows these steps:

Cache Lookup: The sender first checks its ARP cache for an existing entry corresponding to the destination IP address.
ARP Request Broadcast: If no cache entry exists, the sender generates an ARP request broadcast to all devices on the local network (destination MAC: FF:FF:FF:FF:FF:FF).
Request Processing: Every device on the LAN receives the ARP request and compares the requested IP address with its own.
ARP Reply Transmission: The device with the matching IP address sends an ARP reply as a unicast message containing its MAC address.
Cache Update: The sender stores the IP-MAC mapping in its ARP cache for future communication.

3. ARP Packet Format

An ARP packet contains the following fields:

ARP Packet Structure (28 bytes)

Hardware Type (HTYPE): 2 bytes - Network link type (1 for Ethernet)

Protocol Type (PTYPE): 2 bytes - Protocol address type (0x0800 for IPv4)

Hardware Address Length (HLEN): 1 byte - Length of MAC address (6 for Ethernet)

Protocol Address Length (PLEN): 1 byte - Length of IP address (4 for IPv4)

Operation (OPER): 2 bytes - 1 for Request, 2 for Reply

Sender Hardware Address (SHA): 6 bytes - MAC address of sender

Sender Protocol Address (SPA): 4 bytes - IP address of sender

Target Hardware Address (THA): 6 bytes - MAC address of target (00:00:00:00:00:00 in request)

Target Protocol Address (TPA): 4 bytes - IP address of target

4. ARP Cache Table

The ARP cache is a table maintained by each device containing IP-to-MAC address mappings. Key characteristics include:

Dynamic Entries: Automatically learned through ARP operations, with a typical timeout of 2-20 minutes
Static Entries: Manually configured by administrators, permanent until deleted
Incomplete Entries: Temporary entries created when an ARP request is sent but no reply received yet

5. ARP Variants

Several variants of ARP exist for specific scenarios:

Proxy ARP: A router responds to ARP requests on behalf of devices on another network segment
Reverse ARP (RARP): Maps MAC addresses to IP addresses (obsolete, replaced by BOOTP/DHCP)
Inverse ARP (InARP): Used in ATM networks to find Layer-3 addresses from Layer-2 addresses
Gratuitous ARP: Unsolicited ARP reply used for IP conflict detection or MAC address updates

6. ARP Security Considerations

ARP is vulnerable to several security threats:

ARP Spoofing/Poisoning: Attackers send fraudulent ARP messages to associate their MAC address with another device's IP address, enabling man-in-the-middle attacks. This exploits ARP's trust-based nature with no built-in verification mechanism.

🔧 Interactive Simulation

Network Topology

💻

Host A

192.168.1.10

AA:BB:CC:00:00:01

💻

Host B

192.168.1.20

AA:BB:CC:00:00:02

💻

Host C

192.168.1.30

AA:BB:CC:00:00:03

Source Host

Destination IP

Simulation Speed

[00:00:00] Simulation ready. Select source and destination to begin ARP resolution.

ARP Cache Table - Host A

IP Address	MAC Address	Type	Interface	Age	Status
ARP cache is empty. Start simulation to populate.

ARP Cache Management

Practice managing ARP cache entries. Add static entries, observe dynamic entry aging, and simulate cache timeout.

IP Address

MAC Address

Entry Type

Static vs Dynamic: Static entries remain until manually deleted and survive reboots (if saved). Dynamic entries typically expire after 2-20 minutes of inactivity to prevent stale mappings.

ARP Packet Structure Analyzer

Examine the detailed structure of ARP request and reply packets.

ARP Request Packet

Ethernet Frame Header (14 bytes)

Destination MAC: FF:FF:FF:FF:FF:FF (Broadcast)

Source MAC: AA:BB:CC:00:00:01

EtherType: 0x0806 (ARP)

ARP Payload (28 bytes)

Hardware Type: 0x0001 (Ethernet)

Protocol Type: 0x0800 (IPv4)

Operation: 0x0001 (Request)

Sender MAC: AA:BB:CC:00:00:01

Sender IP: 192.168.1.10

Target MAC: 00:00:00:00:00:00

Target IP: 192.168.1.20

ARP Reply Packet

Ethernet Frame Header (14 bytes)

Destination MAC: AA:BB:CC:00:00:01

Source MAC: AA:BB:CC:00:00:02

EtherType: 0x0806 (ARP)

ARP Payload (28 bytes)

Hardware Type: 0x0001 (Ethernet)

Protocol Type: 0x0800 (IPv4)

Operation: 0x0002 (Reply)

Sender MAC: AA:BB:CC:00:00:02

Sender IP: 192.168.1.20

Target MAC: AA:BB:CC:00:00:01

Target IP: 192.168.1.10

Key Observation: Notice that the ARP Request uses broadcast (FF:FF:FF:FF:FF:FF) while the ARP Reply uses unicast. Also observe that in the request, Target MAC is all zeros (unknown), while in the reply, all fields are populated.

ARP Spoofing Attack Simulation

Educational Purpose Only: This simulation demonstrates how ARP spoofing works to help understand network security vulnerabilities. Never use these techniques on production networks without authorization.

Simulate an ARP spoofing attack where an attacker (Host C) sends fraudulent ARP replies to intercept traffic between Host A and Host B.

Attacker Host

Target Host to Impersonate

Victim Host

[Security] ARP spoofing simulation ready. This demonstrates man-in-the-middle attack vectors.

📝 Practical Exercises

Beginner

Exercise 1: Basic ARP Resolution

Simulate Host A (192.168.1.10) pinging Host B (192.168.1.20). Observe the ARP request broadcast and reply. Document the time taken for resolution.

Beginner

Exercise 2: ARP Cache Efficiency

Send multiple packets from Host A to Host B. Verify that only the first packet triggers an ARP request; subsequent packets use cached entries. Measure the efficiency improvement.

Intermediate

Exercise 3: Cross-Subnet Communication

Configure Host A with a default gateway and attempt to reach a host on a different subnet (10.0.0.5). Observe how ARP is used to resolve the gateway's MAC address, not the final destination.

Intermediate

Exercise 4: Gratuitous ARP

Simulate a host sending gratuitous ARP to announce its presence after changing its IP address. Observe how other hosts update their caches without sending requests.

Advanced

Exercise 5: ARP Spoofing Detection

Implement a detection mechanism that monitors for unsolicited ARP replies and alerts when MAC address mappings change unexpectedly. Document detection accuracy.

Advanced

Exercise 6: Proxy ARP Configuration

Configure a router to respond to ARP requests on behalf of devices in a different subnet. Verify connectivity and document the ARP table entries on the source host.

📋 Laboratory Report Guidelines

1. Report Structure

Your laboratory report should follow this professional format:

Title Page (Course name, Experiment title, Student name, ID, Date, Instructor)
Abstract (150-200 words summarizing objectives, methods, and key findings)
Table of Contents with page numbers
List of Figures and Tables
Introduction and Objectives
Theoretical Background
Experimental Procedure
Results and Analysis (with screenshots)
Discussion and Conclusions
References (IEEE format)
Appendices (raw data, code, configurations)

2. Content Requirements

Ensure your report includes the following technical content:

Detailed explanation of ARP protocol operation with packet flow diagrams
Screenshots of ARP cache tables showing before/during/after states
Wireshark-style packet capture analysis (can be simulated from this lab)
Comparison of ARP request vs reply packet fields in hexadecimal representation
Timing analysis: measure ARP resolution time under different conditions
Cache timeout observations: document entry aging behavior
Security analysis: describe ARP spoofing vulnerability and mitigation
IPv6 comparison: explain NDP as ARP replacement

3. Data Analysis Requirements

Present your experimental data professionally:

Create tables showing ARP cache state transitions
Plot timing diagrams showing request-reply sequences
Calculate cache hit ratios for repeated communications
Analyze network efficiency with and without ARP caching
Document packet overhead: calculate bytes used for ARP vs actual data
Compare broadcast traffic volume with/without ARP optimization

4. Critical Thinking Questions

Address these questions in your discussion section:

Why does ARP use broadcast for requests but unicast for replies?
What would happen if ARP cache entries never expired?
How does ARP behave differently in a switched vs hub-based network?
Why is ARP considered a security vulnerability in modern networks?
How would you design a secure alternative to ARP?
What is the impact of ARP on network performance in large subnets?

5. Grading Rubric

Component	Weight	Criteria
Theoretical Understanding	25%	Accuracy of protocol explanation, proper use of terminology
Experimental Execution	30%	Completeness of simulations, correct procedure following
Data Analysis	25%	Quality of tables/graphs, correct calculations, insightful analysis
Critical Discussion	15%	Depth of security analysis, creative problem solving
Presentation	5%	Professional formatting, grammar, references

Submission Checklist

Report submitted as PDF (max 20 pages including appendices)
All screenshots clearly labeled with captions
Simulation logs exported and attached as text files
Peer review completed (if required by instructor)
Plagiarism check passed (similarity < 15%)
Submitted before deadline via learning management system