You're correct! When IP builds a datagram, the target hardware address (MAC) is unknown. The Address Resolution Process (ARP) is used to find this information and resolve it to a known IP. It is a two-step process, (1) ARP request, and (2) ARP reply. The result of the ARP response is stored in the ARP cache for a short period of time. The time varies from vendor to vendor. Microsoft usually sets this time for 120 seconds (2 minutes). See for yourself by typing "arp -a" at the command prompt. Here's a good explanation of the process if you'd like to learn more.
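The two-step exchange and the timed cache described above, sketched in Python as an added example that is not part of the original answer. The MAC and IP addresses are constructed, the names `build_arp`, `parse_arp`, `ArpCache` and `resolve_demo` are hypothetical, and the 120-second lifetime is the figure quoted in the answer.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 layout for Ethernet/IPv4 (28 bytes)
REQUEST, REPLY = 1, 2
CACHE_TTL = 120              # seconds, the figure quoted in the answer

def ip_bytes(ip):
    return bytes(int(p) for p in ip.split("."))

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa):
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha.hex(":"), "spa": ".".join(map(str, spa)),
            "tha": tha.hex(":"), "tpa": ".".join(map(str, tpa))}

class ArpCache:
    """IP -> (MAC, expiry) table; entries age out after ttl seconds."""
    def __init__(self, ttl=CACHE_TTL):
        self.ttl, self.entries = ttl, {}

    def learn(self, reply, now):
        if reply["op"] == REPLY:          # only a reply populates the cache here
            self.entries[reply["spa"]] = (reply["sha"], now + self.ttl)

    def lookup(self, ip, now):
        mac, expires = self.entries.get(ip, (None, 0))
        if mac is None or now >= expires:  # missing or aged out: must ARP again
            self.entries.pop(ip, None)
            return None
        return mac

def resolve_demo():
    me = ("02:00:00:00:00:01", "192.0.2.10")     # constructed sender
    peer = ("02:00:00:00:00:02", "192.0.2.20")   # constructed target
    # Step 1: ARP request; the target MAC is unknown, so the field is zeroed.
    req = parse_arp(build_arp(REQUEST, me[0], me[1], "00:00:00:00:00:00", peer[1]))
    # Step 2: ARP reply from the owner of the target IP, addressed to the requester.
    rep = parse_arp(build_arp(REPLY, peer[0], req["tpa"], req["sha"], req["spa"]))
    cache = ArpCache()
    cache.learn(rep, now=0)
    # Entry is usable at t=60 s and gone at t=120 s.
    return cache.lookup(peer[1], now=60), cache.lookup(peer[1], now=120)
```
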