LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's special about the Target MAC address 00:00:00:00:00:00 (or the broadcast ff:ff:ff:ff:ff:ff) in an ARP Request?

ARP Request can't fill in the target MAC because finding it is the whole point — so the Ethernet frame is broadcast (ff:ff:...), and the ARP-internal target MAC is set to all zeros.

The two MAC fields:

ARP Requests have two MAC slots, in different headers:

Header Source MAC Destination MAC
Ethernet (outer) Sender's MAC ff:ff:ff:ff:ff:ff (broadcast)
ARP (inner) Sender's MAC 00:00:00:00:00:00 (unknown)

Why the Ethernet broadcast:

The sender doesn't know who has the IP. The only way to ask "everyone, which of you is 192.168.1.5?" is to broadcast — every device on the LAN segment receives it.

Why the ARP target field is zeros:

It's a placeholder. The whole protocol exists to discover that field. The replier fills in the answer in their ARP Reply.

The reply packet is unicast:

The ARP Reply goes back as a regular unicast frame, addressed directly to the requester. The replier uses the requester's source MAC (which was in the request).

EtherType for ARP:

0x0806 — distinguishes ARP from IPv4 (0x0800) and IPv6 (0x86DD) at the Ethernet layer. This 2-byte field tells the receiver "this frame's payload is ARP, not IP."

Tip: ARP-spoofing attacks abuse this trust — anyone on the LAN can answer with a forged MAC and redirect traffic. Defense: dynamic ARP inspection (DAI) on switches or static ARP entries for critical hosts.

Go deeper:

From Quiz: INTROL / Protocol Analysis | Updated: Jul 14, 2026