ARP resolves an IP address to a MAC address on a LAN so that the frame can be delivered to the appropriate host. Now, let's step through why this is important.

When data travels through different networks, packets use a logical address or IP address along with routing to get data to its final destination. The IP provides addressing and routing to get data to its final destination. Once the data is at the desired network, the IP address is no longer needed. The reason is that on a LAN, the data link layer uses the MAC address of the destination machine, rather than the IP address.

Therefore, to deliver the data to its final destination, a MAC or physical address is needed to place in the frame header. The device will first check its local cache, and if there is no entry, the device issues an ARP request (broadcast) and will wait for a reply.

As shown in the following diagram, Host A needs the MAC address for the gateway (which is the router interface for the LAN). Host A issues an ARP broadcast that asks who has the IP address 10.40.10.101, tells 10.40.10.109, and waits for a reply. The gateway then sends an ARP reply that lets the host know that 10.40.10.101 is at MAC address BB:20:62:C4:57:23. 

To see an example of an ARP request and reply so that you can follow along, go to https://crnetpackets.files.wordpress.com/2015/08/arptrace.zip, download the file, extract it, and open it in Wireshark, as shown here:

In the ARP trace file, the first two packets are the ARP request/reply:

• In frame 1, the device sends an ARP request. The source MAC address is 00:15:5d:0f:49, which is the MAC address of the device requesting the resolution. The destination MAC address is ff:ff:ff:ff:ff:ff, which is a broadcast address. As a result, when this ARP broadcast was sent, every host on the network received the frame. However, only one will respond.

• In frame 2, the device identifies itself with an ARP reply. The source MAC address is d4:be:d9:af:3e:4d, which is the device with the IP address 172.16.2.27, and the destination MAC address is 00:15:5d:0f:49, which is the MAC address of the device requesting the resolution.

When doing a capture in Wireshark, it is normal to see several ARP broadcasts before seeing an ARP reply.

We now know that ARP resolves an IP address to a MAC (or physical) address so the device has a MAC address that can be placed in the frame header in order for the data to be delivered. So that the device is able to quickly retrieve the MAC address of a device on the network, it holds the IP address to MAC address pairings in a temporary holding area called the ARP cache. The next section explains an ARP cache, how it's used, and how long the table entries remain.