TCP/IP Networking from the Wire Up

We often have customers who want to better understand the resolution to their networking support issue and why what we did fixed it. Depending on the issue, this explanation may be quite involved and complex. It would be like asking the pilot, on the way off the airplane, to quickly and briefly explain the aerodynamics, electronics, hydraulics, etc. that went into landing the plane and how they all work together. Since there is no brief explanation of the in-depth workings of how computer networks do all the things they do, I will be covering this topic in a series of blog posts in which I hope to give at least a basic understanding of network protocols and architecture. My intention here is to lay a foundation from which a deeper understanding of Windows networking can be gained. We will discuss IPv4 over Ethernet only, and will not be delving into IPv6 or other physical network topologies.

In order to continue we need to at least mention the 7 Layers of the International Standards Organization/Open System Interconnect (OSI) model. This is the model from which we get the terms Layer 2 and Layer 3 when referring to types of switches and routers, for example.

This model consists of the following seven layers:

  • Layer 7: Application
  • Layer 6: Presentation
  • Layer 5: Session
  • Layer 4: Transport
  • Layer 3: Network
  • Layer 2: Data Link
  • Layer 1: Physical

Layer 1, the Physical layer, consists of the Network Interface Card (NIC) and the other components that allow a system to physically and logically connect to a network. This is as deep as we need to go into Layer 1 for this discussion.

We will focus more on Layer 2 in this blog post, specifically starting with Layer 2 routing, and then get into Layer 3 routing in the next blog entry.

For more information on the OSI model and Windows Network Architecture see the following:

Windows Network Architecture and the OSI Model

TCP/IP Architecture


The first thing we will need in order to communicate on a computer network is some method for structuring what is being sent. This is important not only for the computer itself but also allows other devices on the network, such as routers and switches, to properly handle network traffic. The two standards we use to accomplish this for TCP/IP are Ethernet II and IEEE 802.3, and they are found in Layer 2 of the OSI model. These standards define what is included when data is “framed” to be sent, so data sent on a network will often be referred to as frames. For a more in-depth discussion of how this is structured and the inner workings of Windows networking, the following books are excellent references:

“Microsoft® Windows® Server 2003 TCP/IP Protocols and Services Technical Reference”

“Windows Server® 2008 TCP/IP Protocols and Services”

Media Access Control (MAC)

Now that we have a standard for constructing a frame to put on the wire, we will need a way to determine where we are going to send the frame. In order to communicate with other computers on the network, a system or “Node” must have a way of identifying itself and other systems within the local subnet or “Broadcast Domain”, a Broadcast Domain being the network that is reachable by broadcast. This identification is done using the MAC address of the network adapter. A MAC address may also be referred to as an Ethernet Address or Physical Address. This address is assigned by the manufacturer at the time the network adapter, also known as the Network Interface Controller (NIC), is created. It is possible to find NICs that allow the MAC address to be changed manually, but care should be taken in doing this, as it could cause addressing problems on the local subnet.

A MAC address consists of 6 Bytes, the first 3 of which are used for the Organizationally Unique Identifier (OUI) which is unique to the manufacturer of the NIC.

You can determine the manufacturer of your NIC by running IPConfig /all on your system from a command prompt. Next, take the first 3 bytes of the Physical Address and plug them into the “Search For” box under “Search the public OUI listing” at the following link:

The last 3 bytes of the MAC are specific to the NIC. Together they provide a unique local address.
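The OUI lookup described above starts from the Physical Address line of ipconfig /all. As an added example (not code from the original post), the following Python pulls that line out of a constructed ipconfig sample, splits the MAC into its OUI and NIC-specific halves, and also checks the two flag bits in the first byte: the I/G bit (a multicast/group address, never a real NIC) and the U/L bit (a locally administered address, which is what you will typically see when a MAC has been changed manually as the text cautions against). The sample output and MAC values are constructed for illustration.

```python
import re

# Constructed sample of "ipconfig /all" output (not a real capture); the hyphenated
# form is how Windows prints the Physical Address.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
"""

PHYSICAL_ADDRESS_RE = re.compile(
    r"Physical Address[ .]*: ([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)


def physical_addresses(ipconfig_text):
    """Return every Physical Address printed by ipconfig /all, in order."""
    return PHYSICAL_ADDRESS_RE.findall(ipconfig_text)


def parse_mac(text):
    """Accept 00-1A-2B-3C-4D-5E or 00:1a:2b:3c:4d:5e and return the 6 raw bytes."""
    parts = re.split(r"[-:]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a 6-byte MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def is_valid_mac(text):
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def describe_mac(text):
    """Split a MAC into OUI / NIC-specific bytes and decode the two flag bits."""
    raw = parse_mac(text)
    return {
        "oui": "-".join(f"{b:02X}" for b in raw[:3]),          # manufacturer prefix
        "nic_specific": "-".join(f"{b:02X}" for b in raw[3:]),  # per-adapter part
        "multicast": bool(raw[0] & 0x01),             # I/G bit: group address
        "locally_administered": bool(raw[0] & 0x02),  # U/L bit: MAC set by software/admin
    }


if __name__ == "__main__":
    for mac in physical_addresses(SAMPLE_IPCONFIG):
        print(mac, describe_mac(mac))
```

The OUI string returned by describe_mac is what you would paste into the public OUI listing; a True locally_administered flag tells you the prefix is not going to identify a manufacturer at all.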

As I mentioned, this gives a system a way to identify itself and other systems on the local network. However, for this to be useful we need a way to discover what the MAC addresses of other systems are, as well as to allow our own address to be discovered by other systems. To this end, Address Resolution Protocol (ARP) was developed; it is described in RFC 826.

IP Address

So that sounds pretty good, you might say. I have my MAC address. I’m all set to talk on the network. You would be mostly correct. From a layer 2 standpoint you do have everything you need to communicate; however, most operating systems, including the Windows operating systems, allow communication to take place with systems beyond the Broadcast Domain. For this reason we have Layer 3, the Internet Protocol layer, where we have Internet Protocol (IP) addresses. This is significant because the system cannot just always assume that traffic will be on the local subnet. The concept I want you to grasp here is that MAC addresses are for “local” routing and IP addresses are for “global” routing. This is a bit oversimplified, but let’s run with it for now and it will all get clearer as we get farther into IP routing. For now, we just need to know that each system will have both an IP address and a MAC address. In order to communicate with other systems, we will need a way to match the IP address of the system we want to communicate with to its MAC address. In addition, the source system will want to share its own MAC and IP address so that the target node will know how to communicate back. In order to accomplish this matching of MAC to IP addresses we use Address Resolution Protocol (ARP).

Address Resolution Protocol (ARP)

You will notice as we discuss ARP that the requests are structured a certain way. This is because we are conforming to standards such as RFC 826 which defines ARP. ARP is used to resolve the next hop IP address of a node to its corresponding MAC address. This is significant because the next hop IP address is not necessarily the destination IP address. Remember the concept I mentioned earlier that the IP address can allow for global routing.

When looking at ARP in a network capture you will see that there are four fields used to identify the source and target IP and MAC addresses.

In the ARP Request the fields are filled in as follows:

  1. Source Hardware Address (SHA) – MAC address of the requesting system.
  2. Source Protocol Address (SPA) – Protocol Address; this is the IP address of the sending system.
  3. Target Hardware Address (THA) – MAC address of the system with the Target IP. For an ARP request this will be all 0’s, since this is the address we are trying to discover.
  4. Target Protocol Address (TPA) – Protocol Address; this is the destination IP address that we are trying to discover the MAC address for.

[Figure: ARP1 – ARP request from Node 1 and reply from Node 2]

When the broadcast ARP request is received on Node 2, Node 2 updates its ARP cache with the information it received in the request. In the ARP reply, notice that the SHA and SPA are updated to match the correct information for the replying system. This is the information used by Node 1 to update its ARP cache. Once this is done, both systems have the MAC and IP information they need to communicate with the other node.
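The request/reply exchange above, worked through in code as an added example (this is not code from the original post or a Microsoft implementation). It builds an Ethernet II frame carrying the 28-byte ARP payload from RFC 826, parses it back into the four SHA/SPA/THA/TPA fields, and has Node 2 answer with a unicast reply in which SHA/SPA become its own addresses and THA/TPA are copied from the requester. Each node updates its cache only from the packet it actually received. The MAC and IP values for Node 1 and Node 2 are constructed.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ZERO_MAC = "00-00-00-00-00-00"

# Constructed addresses for two nodes in one broadcast domain (not from a real capture).
NODE1_MAC, NODE1_IP = "00-1A-2B-00-00-01", "192.168.1.10"
NODE2_MAC, NODE2_IP = "00-1A-2B-00-00-02", "192.168.1.20"


def mac_to_bytes(mac):
    return bytes(int(p, 16) for p in mac.split("-"))


def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sha, spa, tha, tpa, dst_mac):
    """Ethernet II header (dst MAC, src MAC, EtherType) + 28-byte ARP payload.
    htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4 (RFC 826)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sha) + ip_to_bytes(spa) + mac_to_bytes(tha) + ip_to_bytes(tpa)
    return eth + arp


def parse_arp_frame(frame):
    """Decode the Ethernet II header and the four ARP address fields into a dict."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04X})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "dst": bytes_to_mac(frame[0:6]),
        "src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sha": bytes_to_mac(frame[22:28]),
        "spa": bytes_to_ip(frame[28:32]),
        "tha": bytes_to_mac(frame[32:38]),
        "tpa": bytes_to_ip(frame[38:42]),
    }


def arp_request(requester_mac, requester_ip, target_ip):
    """Broadcast request: THA is all zeros because that is the value being resolved."""
    return build_arp_frame(ARP_REQUEST, requester_mac, requester_ip,
                           ZERO_MAC, target_ip, BROADCAST_MAC)


def arp_reply(request, my_mac, my_ip):
    """Unicast reply: SHA/SPA become the replier's own addresses, THA/TPA are copied
    from the request's SHA/SPA, and the frame goes straight back to the requester."""
    return build_arp_frame(ARP_REPLY, my_mac, my_ip,
                           request["sha"], request["spa"], request["sha"])


def run_exchange():
    """Node 1 resolves Node 2; each side learns the other's MAC from the packet it receives."""
    cache1, cache2, rep = {}, {}, None
    req = parse_arp_frame(arp_request(NODE1_MAC, NODE1_IP, NODE2_IP))
    if req["tpa"] == NODE2_IP:                  # Node 2 answers only requests for its own IP
        cache2[req["spa"]] = req["sha"]         # learned from the broadcast request
        rep = parse_arp_frame(arp_reply(req, NODE2_MAC, NODE2_IP))
        cache1[rep["spa"]] = rep["sha"]         # learned from the unicast reply
    return req, rep, cache1, cache2


if __name__ == "__main__":
    req, rep, c1, c2 = run_exchange()
    print("request:", req)
    print("reply:  ", rep)
    print("Node 1 cache:", c1, " Node 2 cache:", c2)
```

The 42-byte frames produced here are exactly what a capture tool would show for a minimal ARP exchange (before any padding to the Ethernet minimum frame size); the field offsets in parse_arp_frame are the same ones the tool uses to label SHA, SPA, THA and TPA.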

Once an address is put in the ARP cache it is maintained for a set amount of time. The default behavior is a two minute timer that is reset every time the destination MAC is used, up to a total of 10 minutes. After 10 minutes of use the destination MAC address is discarded and must be resolved again with a new ARP request. If, after two minutes, the destination MAC has not been used, it is discarded.

It is important to remember that in order for ARP to work, the requester must already have a destination IP address that it will request the MAC address for. The IP address for the destination may be entered manually or may be discovered through name resolution.

Note that starting with Windows Vista we no longer refer to the cache as the ARP cache; we will discuss this further later in this blog post.

Address conflict detection (Gratuitous ARP)

ARP is also used to detect IP address conflicts. Address conflict detection is used to ensure that a system that is brought up on the network, or that is assigned a new IP address, does not have an address that conflicts with a system already on the network.

In address conflict detection, we use what is known as a Gratuitous ARP. When a system is configured with an IP address, either manually or by DHCP, it will send a Gratuitous ARP to ensure that another node on the network is not already configured with this IP address. In the case of a conflict the two nodes are defined as follows. The Offending Node is the node that is sending the gratuitous ARP, and the Defending Node is a system already configured with the IP address in question. The contents of this request, and how it affects the ARP cache on other systems on the network, differ depending on the OS.

XP and 2003

In Windows XP and Windows Server 2003 the Gratuitous ARP request is sent with the Sender’s MAC filled in with the MAC of the sending system and the Target MAC set to 0’s, but the Sender’s and Target IP addresses are both set to the address of the sending system. If a conflict is detected then the defending system replies with its IP and MAC address.



The problem with this method is that all the nodes that receive this broadcast and have an ARP cache entry for this IP address will update their ARP cache with invalid data. So the defending node will now need to send its own Gratuitous ARP to correct the cache on the other systems on the network. Because of this, starting with Windows Vista the Gratuitous ARP is handled differently.

Vista and 2008

In Windows Vista and Windows Server 2008, the ARP Cache is now known as the Neighbor Cache. The ARP -a command will still display the legacy ARP Cache and we can still add static ARP entries.

Neighbor Cache

The contents of the neighbor cache can be displayed with the following netsh command.

netsh interface ipv4 show neighbors

When this command is run you will notice that we have different states for neighbors. The following states are possible:

  • Incomplete – Address resolution is in progress. This would indicate that an ARP request has been made but the node has not received the response yet.
  • Reachable – The ARP reply has been received.
  • Unreachable – The node did not receive a response to the address resolution request.
  • Stale – The reachable time has elapsed. This indicates that a frame has not been sent to the neighbor within the time out period. The entry will remain in this state until a frame is sent to this neighbor.
  • Probe – Reachability confirmation is in progress for a neighbor cache entry that was in a stale state.

Duplicate Address Detection
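To make the five neighbor states concrete, here is an added example (not code from the original post, and not how the Windows stack is implemented) of a small neighbor cache driven by the events the list describes: a frame about to be sent starts resolution or probes a stale entry, a reply makes an entry Reachable, and timer expiry moves Reachable to Stale or gives up as Unreachable. The timer values and retry count are assumptions chosen for the walkthrough; the post names the states but not Vista's timings.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed timer values for illustration only (the post does not give Vista's timings).
REACHABLE_TIME = 30.0   # seconds an entry stays Reachable without fresh confirmation
PROBE_TIMEOUT = 1.0     # seconds to wait for an answer to one request/probe
MAX_PROBES = 3          # attempts before giving up as Unreachable


@dataclass
class NeighborEntry:
    ip: str
    mac: Optional[str] = None
    state: str = "Incomplete"
    deadline: float = 0.0
    probes_sent: int = 0


class NeighborCache:
    def __init__(self):
        self.entries = {}

    def lookup(self, ip, now):
        """Called when the stack is about to send a frame to ip; returns the entry state."""
        e = self.entries.get(ip)
        if e is None:
            # Nothing known: start address resolution (a broadcast ARP request goes out).
            e = NeighborEntry(ip, deadline=now + PROBE_TIMEOUT, probes_sent=1)
            self.entries[ip] = e
        elif e.state == "Stale":
            # A frame is being sent to a stale neighbor: confirm it with a unicast probe.
            e.state, e.deadline, e.probes_sent = "Probe", now + PROBE_TIMEOUT, 1
        elif e.state == "Unreachable":
            # Previous resolution failed: try again from scratch.
            e.state, e.mac = "Incomplete", None
            e.deadline, e.probes_sent = now + PROBE_TIMEOUT, 1
        return e.state

    def reply_received(self, ip, mac, now):
        """An ARP reply (or probe confirmation) arrived: the entry becomes Reachable."""
        e = self.entries.get(ip)
        if e is None:
            return None
        e.mac, e.state, e.deadline, e.probes_sent = mac, "Reachable", now + REACHABLE_TIME, 0
        return e.state

    def tick(self, now):
        """Advance timers; returns every entry's state after expiry handling."""
        for e in self.entries.values():
            if now < e.deadline:
                continue
            if e.state == "Reachable":
                e.state = "Stale"           # stays Stale until a frame is sent to it
            elif e.state in ("Incomplete", "Probe"):
                if e.probes_sent < MAX_PROBES:
                    e.probes_sent += 1      # resend and wait again
                    e.deadline = now + PROBE_TIMEOUT
                else:
                    e.state = "Unreachable" # no answer after MAX_PROBES attempts
        return {ip: e.state for ip, e in self.entries.items()}


def walkthrough():
    """Drive one entry through Incomplete -> Reachable -> Stale -> Probe -> Reachable
    and a second through Incomplete -> Unreachable; returns the states observed in order.
    Addresses are constructed."""
    nc = NeighborCache()
    seen = [nc.lookup("192.168.1.20", now=0.0)]                                   # Incomplete
    seen.append(nc.reply_received("192.168.1.20", "00-1A-2B-00-00-02", now=0.1))  # Reachable
    seen.append(nc.tick(now=31.0)["192.168.1.20"])                                # Stale
    seen.append(nc.lookup("192.168.1.20", now=40.0))                              # Probe
    seen.append(nc.reply_received("192.168.1.20", "00-1A-2B-00-00-02", now=40.2)) # Reachable
    seen.append(nc.lookup("192.168.1.99", now=50.0))                              # Incomplete
    for t in (51.0, 52.0, 53.0):                                                  # three timeouts
        last = nc.tick(now=t)["192.168.1.99"]
    seen.append(last)                                                             # Unreachable
    return seen


if __name__ == "__main__":
    print(walkthrough())
```

The point to take from the walkthrough is that Stale is not an error: an entry sits there indefinitely until traffic to that neighbor triggers the probe, which is why a long-idle host shows up as Stale in netsh output.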

In Windows Vista and Windows Server 2008 there are some built in protections that reduce the chance of the Neighbor cache getting updated with incorrect information. This also helps keep the requesting system from incorrectly updating other systems.


Changes to ARP cache updating

First, a Windows Vista or Windows Server 2008 system will not update the Neighbor cache when an ARP broadcast is received unless it is a broadcast ARP request for the receiver. What this means is that when a gratuitous ARP is sent on a network with Windows Vista and Windows Server 2008 systems, these systems will not update their cache with incorrect information if there is an IP address conflict.

Additionally, when a gratuitous ARP is sent by a Windows Vista or Windows Server 2008 system, the following change has been made: the SPA field in the initial request is set to all 0’s. This way the ARP or neighbor caches of systems receiving this request are not updated. So, if there is a duplicate IP address, the receivers do not need to have their cache corrected.
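The two behaviors described in this section and in the XP/2003 section above, side by side, as an added example (not code from the original post or from any Windows component). It classifies a parsed ARP request as a normal request, an XP/2003-style gratuitous ARP (SPA equal to TPA) or a Vista/2008-style probe (SPA all 0's), applies the legacy "learn from any broadcast" rule versus the Vista/2008 "learn only if the request is for me" rule, and shows what a bystander's cache ends up holding in each case. The scenario, addresses and field dictionaries are constructed; "offender" and "defender" follow the post's terminology.

```python
ZERO_IP = "0.0.0.0"
ZERO_MAC = "00-00-00-00-00-00"
ARP_REQUEST, ARP_REPLY = 1, 2


def classify(arp):
    """arp: dict with keys op, sha, spa, tha, tpa, as a capture tool would label them."""
    if arp["op"] != ARP_REQUEST:
        return "reply"
    if arp["spa"] == ZERO_IP:
        return "probe"          # Vista/2008 style: SPA all 0's, only TPA is meaningful
    if arp["spa"] == arp["tpa"]:
        return "gratuitous"     # XP/2003 style: sender announces SPA == TPA
    return "request"


def learns_from_broadcast(arp, my_ip, legacy):
    """XP/2003 (legacy=True): any broadcast request with a usable SPA updates the cache.
    Vista/2008 (legacy=False): only a request addressed to my_ip does.
    Neither can learn anything from an SPA of 0.0.0.0."""
    if arp["op"] != ARP_REQUEST or arp["spa"] == ZERO_IP:
        return False
    return legacy or arp["tpa"] == my_ip


def process(cache, arp, my_ip, legacy):
    """Apply one received ARP request to a node's cache; returns (kind, I_am_the_defender)."""
    kind = classify(arp)
    is_defender = kind in ("gratuitous", "probe") and arp["tpa"] == my_ip
    if learns_from_broadcast(arp, my_ip, legacy):
        cache[arp["spa"]] = arp["sha"]
    return kind, is_defender


def defend(arp, my_mac, my_ip):
    """The defending node's reply: its own MAC/IP as SHA/SPA, back to the offender."""
    return {"op": ARP_REPLY, "sha": my_mac, "spa": my_ip, "tha": arp["sha"], "tpa": arp["tpa"]}


def simulate():
    """Constructed scenario: 192.168.1.20 (defender, MAC ...02) is already on the net and a
    bystander at 192.168.1.30 has it cached; an offending node (MAC ...03) then comes up
    with the same IP, once the XP/2003 way and once the Vista/2008 way."""
    defender_ip, defender_mac = "192.168.1.20", "00-1A-2B-00-00-02"
    offender_mac, bystander_ip = "00-1A-2B-00-00-03", "192.168.1.30"
    xp_style = {"op": 1, "sha": offender_mac, "spa": defender_ip, "tha": ZERO_MAC, "tpa": defender_ip}
    vista_style = {"op": 1, "sha": offender_mac, "spa": ZERO_IP, "tha": ZERO_MAC, "tpa": defender_ip}

    results = {}
    for name, pkt in (("xp_gratuitous", xp_style), ("vista_probe", vista_style)):
        for os_name, legacy in (("xp_bystander", True), ("vista_bystander", False)):
            cache = {defender_ip: defender_mac}         # what the bystander knew beforehand
            process(cache, pkt, bystander_ip, legacy)
            results[(name, os_name)] = cache[defender_ip]   # still correct, or poisoned?
        kind, is_defender = process({}, pkt, defender_ip, legacy=False)
        results[(name, "defender_detects")] = is_defender
        results[(name, "kind")] = kind
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "->", value)
```

Only one cell of the result table shows the defender's MAC replaced by the offender's: the XP/2003-style announcement received by a legacy node. Every other combination leaves the bystander's entry intact, which is exactly the cleanup step the Vista changes remove. The same classify function is useful on the defensive side, since a burst of gratuitous requests for an IP you already hold is the first visible sign of an address conflict in a capture.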

Proxy ARP

There will be times when a system needs to resolve the MAC address of a system that is not reachable within the Broadcast Domain. When this happens, another device on the network can answer the ARP request; this is known as Proxy ARP. Proxy ARP is the answering of ARP requests on behalf of another system. One example of this is when a remote client connects to a Windows Routing and Remote Access (RRAS) server. When the client connects to the RAS server it is assigned an IP address from the server, and the server keeps track of which client was assigned that IP address. When clients on the internal network and remote clients attempt to communicate with each other, the RAS server uses Proxy ARP to reply with its own MAC address. As far as the client sending the ARP request is concerned, it has successfully resolved the IP to the MAC of the remote client. In the example, the LAN client is sending an ARP request for the IP of the Remote Access Client. Notice that the ARP reply comes from the RAS server using its own MAC.


  • As we mentioned, there must be a framework to structure data sent on the wire. By default in a Windows OS, ARP requests are sent using the Ethernet II frame format described in RFC 894.
  • MAC addresses are layer 2 addresses and ARP is used to match this address to the IP or layer 3 address of a system.
  • Gratuitous ARP is used to detect IP address conflicts on the local network.
  • Starting with Windows Vista, we changed the contents of the Gratuitous ARP so that the SPA is now set to all 0’s; this prevents other nodes from incorrectly updating their cache.
  • Proxy ARP is the answering of ARP Requests on behalf of another system. There are several instances when this may be used, but one example is a Windows RAS server.

Next time we will discuss IP routing and get deeper into IP addresses.

– Clark Satter