Packet Tracing Example
Consider the following segment: 
Host A, Host B, and Host DNS are all connected from left to right on segment 2.
| Host Names | A | B | DNS |
|---|---|---|---|
| IP Addresses | 128.194.45.110 | 128.194.45.93 | 128.194.45.254 |
| MAC Addresses | EA | EB | ED |
Let's assume that:
- All hosts on this network are running correctly and that Telnet accepts connections on each host.
- Initially, the ARP caches of Host A and the DNS host are empty, while the ARP cache of Host B contains an entry for 128.194.45.110 (Host A).
- The user types the following command on Host B: `telnet 128.194.45.110`
| Seg. | MAC D. | MAC S. | Type | IP D. | IP S. | Prot # | Port D. | Port S. | Flags |
|---|---|---|---|---|---|---|---|---|---|
| 2 | EA | EB | IP | 128.194.45.110 | 128.194.45.93 | 6 | 23 | X | SYN |
| 2 | 0xFF | EA | ARP Req | 128.194.45.93 | 128.194.45.110 | N/A | N/A | N/A | N/A |
| 2 | EA | EB | ARP Res | 128.194.45.110 | 128.194.45.93 | N/A | N/A | N/A | N/A |
| 2 | EB | EA | IP | 128.194.45.93 | 128.194.45.110 | 6 | X | 23 | SYN/ACK |
| 2 | EA | EB | IP | 128.194.45.110 | 128.194.45.93 | 6 | 23 | X | ACK |
So what's happening? Step by step:
1. SYN from Host B to Host A:
   - Host B initiates a Telnet session to Host A.
   - Host B already knows Host A's MAC address (from its ARP cache), so it sends a SYN packet directly to Host A to start the TCP three-way handshake. This packet carries Host B's IP and MAC addresses as the source, and Host A's IP and MAC addresses as the destination.
2. ARP Request from Host A:
   - Upon receiving the SYN packet, Host A needs to respond. However, Host A's ARP cache does not contain an entry for Host B's MAC address.
   - As a result, Host A sends out an ARP request to resolve Host B's MAC address. This ARP request is broadcast to all hosts on the segment.
3. ARP Response from Host B:
   - Host B receives the ARP request from Host A and replies with an ARP response. This response contains Host B's MAC address.
   - Host A receives this ARP response and updates its ARP cache with Host B's MAC address.
4. SYN/ACK from Host A to Host B:
   - Now that Host A knows Host B's MAC address, it can send a response to the initial SYN packet.
   - Host A sends a SYN/ACK packet to Host B. This packet travels directly to Host B, as Host A now has the necessary MAC address.
5. ACK from Host B to Host A:
   - Host B receives the SYN/ACK packet and completes the TCP three-way handshake by sending an ACK packet back to Host A.
   - This ACK packet signifies that the Telnet session can be established, and Host B is ready to communicate.
A reasonable question is: why include steps 2 and 3? It seems natural that if Host A gets a SYN segment from Host B, then Host A should automatically add Host B to its ARP cache.
However, the receipt of a TCP SYN packet does not automatically update the ARP cache. The ARP cache is specifically updated in response to ARP requests and responses.
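The trace above can be replayed with a small simulation. This is an added example, not part of the original page: the function names are hypothetical, the addresses and initial ARP state come from the page's tables, and the model assumes (as the page states) that a host learns a MAC address only through the ARP exchange.

```python
# Added example: replay the page's trace on a simulated segment 2.
HOSTS = {  # name -> (IP, MAC), values from the page's address table
    "A": ("128.194.45.110", "EA"),
    "B": ("128.194.45.93", "EB"),
    "DNS": ("128.194.45.254", "ED"),
}
IP_TO_NAME = {ip: name for name, (ip, _) in HOSTS.items()}
NA = ("N/A",) * 4  # Prot #, Port D., Port S., Flags do not apply to ARP


def send_tcp(src, dst_ip, sport, dport, flags, caches, trace):
    """Emit one TCP segment from src, resolving the destination MAC first.

    Each frame is (MAC D., MAC S., Type, IP D., IP S., Prot #, Port D.,
    Port S., Flags), the page's table columns without the segment number.
    """
    src_ip, src_mac = HOSTS[src]
    cache = caches[src]
    if dst_ip not in cache:  # cache miss: an ARP exchange precedes the IP frame
        dst_mac = HOSTS[IP_TO_NAME[dst_ip]][1]
        # The request is broadcast (0xFF); the reply is unicast to the requester.
        trace.append(("0xFF", src_mac, "ARP Req", dst_ip, src_ip) + NA)
        trace.append((src_mac, dst_mac, "ARP Res", src_ip, dst_ip) + NA)
        cache[dst_ip] = dst_mac  # the ARP reply, not the SYN, fills the cache
    trace.append((cache[dst_ip], src_mac, "IP", dst_ip, src_ip, 6, dport, sport, flags))


def telnet_handshake(client, server, caches):
    """Return the frames seen on the segment for a TCP handshake to port 23."""
    trace = []
    c_ip, s_ip = HOSTS[client][0], HOSTS[server][0]
    send_tcp(client, s_ip, "X", 23, "SYN", caches, trace)
    send_tcp(server, c_ip, 23, "X", "SYN/ACK", caches, trace)
    send_tcp(client, s_ip, "X", 23, "ACK", caches, trace)
    return trace


def initial_caches():
    """ARP state from the page: only Host B has an entry (for Host A)."""
    return {"A": {}, "B": {"128.194.45.110": "EA"}, "DNS": {}}


if __name__ == "__main__":
    for frame in telnet_handshake("B", "A", initial_caches()):
        print(" | ".join(str(field) for field in frame))
```

Running it prints the five rows of the table in order; pre-populating Host A's cache with Host B's entry removes the two ARP rows and leaves only the three handshake frames.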