For privacy reasons, I will hide all the MAC addresses.
On my Mac, I use arp -a to show the ARP cache.
YuqiaoZengs-MacBook-Air:~ yuqiaozeng$ arp -a
? (192.168.199.1) at MY_ROUTER_ADDRESS on en0 ifscope [ethernet]
? (126.96.36.199) at HIDE_MAC_ADDRESS on en0 ifscope permanent [ethernet]
In the output above, 192.168.199.1 is the IP address of my router, and MY_ROUTER_ADDRESS is its MAC address. 188.8.131.52 is about Bonjour / mDNS requests, which we will not talk about here. Since I use a router, all of my network requests have my router as the next hop.
Using WireShark to Sniff the ARP Request
Since an ARP cache entry is valid for 20 minutes, and on BSD systems the timer is reset to 20 minutes every time the entry is accessed, we need to manually delete the record using the arp -d hostname command, which needs super-user permission.
YuqiaoZengs-MacBook-Air:~ yuqiaozeng$ sudo arp -d 192.168.199.1
Password:
192.168.199.1 (192.168.199.1) deleted
Since many background processes need to access the Internet, the record for 192.168.199.1 will reappear almost immediately after the deletion. Now we can go to WireShark to analyze the packets.
WireShark ARP Packet Analysis
The structure of the ARP packet:
The first two ARP packets are:
4261 201.230420 Apple_ae:72:54 Broadcast ARP 42 Who has 192.168.199.1? Tell 192.168.199.240
4262 201.240078 Hiwifi_41:9c:48 Apple_ae:72:54 ARP 42 192.168.199.1 is at MY_ROUTER_ADDRESS
The total length of the first packet is 42 bytes. The exact content of the first packet is:
ff ff ff ff ff ff XX XX XX XX XX XX 08 06 00 01 08 00 06 04 00 01 XX XX XX XX XX XX c0 a8 c7 f0 00 00 00 00 00 00 c0 a8 c7 01
The first 6 bytes are the broadcast address, which means: tell everyone that I need the MAC address of 192.168.199.1. Then XX XX XX XX XX XX is the MAC address of my Mac. Then 08 06 is the EtherType, which marks this frame as ARP. The 00 01 after it is the hardware type, Hardware type: Ethernet (1). Then 08 00 means the protocol type is IP. Then 06 is the length of the hardware address, and 04 is the length of the protocol address. The 00 01 after that is the opcode, which means this is an ARP request. Then again comes my Mac's MAC address, and c0 a8 c7 f0 is the IP address of my Mac. Then 00 00 00 00 00 00 c0 a8 c7 01 are the MAC and IP addresses of the router. Note that the 00 00 00 00 00 00 is unknown at this point; the router fills it in and sends it back in its reply.
The exact content of the second packet is:
XX XX XX XX XX XX YY YY YY YY YY YY 08 06 00 01 08 00 06 04 00 02 YY YY YY YY YY YY c0 a8 c7 01 XX XX XX XX XX XX c0 a8 c7 f0
For the second packet, most of the fields have the same meaning as in the first. But the opcode is 00 02, which means this is an ARP reply, and YY YY YY YY YY YY is the MAC address of my router.
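To make the byte-by-byte walk-through above concrete, here is an added Python example (not part of the original post) that parses the two 42-byte frames field by field and checks that the reply actually answers the request. The hidden MAC addresses are replaced by constructed placeholders (02:00:00:00:00:01 for the Mac, 02:00:00:00:00:02 for the router); everything else is taken from the hex dumps on the page.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806          # 08 06 in the frame
OPCODES = {1: "request", 2: "reply"}


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(hexdump: str) -> ArpFrame:
    """Parse an Ethernet + ARP frame given as space-separated hex bytes."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 42:
        raise ValueError(f"frame too short: {len(raw)} bytes")
    # Ethernet header: destination MAC, source MAC, EtherType (14 bytes)
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04x}")
    # ARP header: htype, ptype, hlen, plen, opcode (8 bytes)
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    # Sender MAC/IP, then target MAC/IP (20 bytes)
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", raw[22:42])
    return ArpFrame(mac_str(dst), mac_str(src), opcode,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def reply_matches_request(req: ArpFrame, rep: ArpFrame) -> bool:
    """True if rep is the reply the requester expects: it names the IP that
    was asked for, and is addressed back to the requester's MAC and IP."""
    return (req.opcode == 1 and rep.opcode == 2
            and rep.sender_ip == req.target_ip
            and rep.target_ip == req.sender_ip
            and rep.target_mac == req.sender_mac)


# Constructed frames: the page's dumps with XX -> 02:00:00:00:00:01, YY -> 02:00:00:00:00:02
REQUEST = ("ff ff ff ff ff ff 02 00 00 00 00 01 08 06 00 01 08 00 06 04 00 01 "
           "02 00 00 00 00 01 c0 a8 c7 f0 00 00 00 00 00 00 c0 a8 c7 01")
REPLY = ("02 00 00 00 00 01 02 00 00 00 00 02 08 06 00 01 08 00 06 04 00 02 "
         "02 00 00 00 00 02 c0 a8 c7 01 02 00 00 00 00 01 c0 a8 c7 f0")
```

Unsolicited replies, or replies whose sender IP does not match an outstanding request, are exactly what reply_matches_request rejects, which is the basic check an ARP monitor applies to spot cache poisoning.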