Before we can explore how data crosses continents and bounces between hyperscale data centers, we need to start with the smallest piece of the puzzle: your local network.

Every device on the internet is part of a smaller network first — your phone connected to Wi-Fi, your laptop plugged into Ethernet, or even a server inside a data center rack. These local networks are the foundations of the global internet. Without them, nothing moves.

At the heart of these small networks is the same problem: how does one device know how to send data to another? That’s where networking begins.

---

ARP – The First Step in Talking to Your Router

So everything starts with a basic ARP request, a process that tools like arp-scan are built to exploit. The primary purpose of ARP (Address Resolution Protocol) is to map an IP address to its corresponding MAC address so that communication can actually happen at the data link (Ethernet) layer.

Step 1: Subnet Masking on the Source Machine

• When your computer wants to send a packet, it first compares the destination IP with its own IP and subnet mask.

  • How IP masking works:

    1. Your computer performs a bitwise AND between its own IP and the subnet mask to get the network address.

    2. It also performs a bitwise AND between the target IP and the same subnet mask.

    3. If the resulting network addresses are equal, the IP is in the same subnet. Otherwise, it’s outside your local network.

• This determines if the destination is on the same local network (on-link) or off-network (needs a gateway).

---

Step 2a: Destination is On-Link

• If the destination is in the same subnet:

  1. The OS knows it can reach the host directly.

  2. It checks the ARP cache for the MAC of the destination IP.

  3. If the MAC isn’t in the cache, it sends an ARP request:
     "Who has IP X? Tell me your MAC!"

  4. The destination machine replies with its MAC.

  5. Packet is wrapped in an Ethernet frame with:

     • Destination MAC = target machine’s MAC

     • Destination IP = target machine’s IP

• Packet is sent directly to the destination.

# ARP scan to check available hosts in local network.
[nix-shell:~]$ sudo arp-scan --localnet
Interface: wlp0s20f3, type: EN10MB, MAC: 94:b6:09:66:b8:27, IPv4: 192.168.1.111
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.137    40:e1:e4:0e:0a:81    Nokia Solutions and Networks GmbH & Co. KG
192.168.1.81    96:94:6c:ea:3b:3f    (Unknown: locally administered)
192.168.1.130    70:08:94:3b:9e:51    (Unknown)
192.168.1.124    a0:b3:39:62:0c:cd    (Unknown)
192.168.1.254    c8:9c:bb:52:bc:80    (Unknown)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.970 seconds (129.95 hosts/sec). 5 responded

# Check entries in arp cache
[nix-shell:~]$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
172.19.0.2               ether   02:42:ac:13:00:02   C                     br-bd6d6f551404
172.18.0.2               ether   02:42:ac:12:00:02   C                     br-5d681ffed7e7
192.168.1.254            ether   c8:9c:bb:52:bc:80   C                     wlp0s20f3

# Ping one of the device in the localnetwork
[nix-shell:~]$ ping 192.168.1.137
PING 192.168.1.137 (192.168.1.137) 56(84) bytes of data.
64 bytes from 192.168.1.137: icmp_seq=1 ttl=64 time=4.92 ms
64 bytes from 192.168.1.137: icmp_seq=2 ttl=64 time=3.09 ms
^C
--- 192.168.1.137 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.087/4.002/4.918/0.915 ms

# Check the ARP cache. You can find the newly pinged device.
[nix-shell:~]$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
172.19.0.2               ether   02:42:ac:13:00:02   C                     br-bd6d6f551404
172.18.0.2               ether   02:42:ac:12:00:02   C                     br-5d681ffed7e7
192.168.1.137            ether   40:e1:e4:0e:0a:81   C                     wlp0s20f3
192.168.1.254            ether   c8:9c:bb:52:bc:80   C                     wlp0s20f3

---

Step 2b: Destination is Off-Link

• If the destination is outside the local subnet:

  1. The OS consults the routing table (ip route show).

  2. If there’s a specific route for the network, the packet is sent to the next hop specified there.

  3. Otherwise, it uses the default route (usually your router/gateway).

  4. The OS performs ARP for the gateway IP, finds the router’s MAC, and wraps the packet in an Ethernet frame with:

     • Destination MAC = router MAC

     • Destination IP = actual target IP

  5. Packet is sent to the router.

# Get the IP address
[nix-shell:~]$ dig +short google.com
172.217.26.46

# Check the Route table
[nix-shell:~]$ ip route show
default via 192.168.1.254 dev wlp0s20f3 proto dhcp src 192.168.1.111 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-5d681ffed7e7 proto kernel scope link src 172.18.0.1 
172.19.0.0/16 dev br-bd6d6f551404 proto kernel scope link src 172.19.0.1 
172.20.0.0/16 dev br-b46a2861832b proto kernel scope link src 172.20.0.1 linkdown 
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.111 metric 600 
192.168.49.0/24 dev br-5ca7647dd12d proto kernel scope link src 192.168.49.1 linkdown 

# No specific route for google's IP. So arp the default route
[nix-shell:~]$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
172.19.0.2               ether   02:42:ac:13:00:02   C                     br-bd6d6f551404
172.18.0.2               ether   02:42:ac:12:00:02   C                     br-5d681ffed7e7
192.168.1.137            ether   40:e1:e4:0e:0a:81   C                     wlp0s20f3
192.168.1.254            ether   c8:9c:bb:52:bc:80   C                     wlp0s20f3

# here we can see the MAC address of the router to be c8:9c:bb:52:bc:80

---

Step 3: Routers Along the Path

• Each router repeats the same process:

  1. Checks its routing table for the next hop.

  2. If the next hop is on a connected network, ARPs for the MAC.

  3. If not, forwards to another router toward the destination.

• At each hop, the MAC addresses change, but the IP addresses remain unchanged.

[nix-shell:~]$ dig +short google.com 
172.217.26.46

[nix-shell:~]$ traceroute 172.217.26.46
traceroute to 172.217.26.46 (172.217.26.46), 30 hops max, 60 byte packets
 1  * _gateway (192.168.1.254)  3.753 ms  3.743 ms
 2  27.34.24.1 (27.34.24.1)  6.681 ms  9.079 ms  8.718 ms
 3  be-82-8.45.gwc-ndc-core-01.wlink.com.np (202.79.45.8)  10.175 ms  10.165 ms  10.156 ms
 4  ae-20-136.41.gwj-htda-core-01.wlink.com.np (202.79.41.136)  10.077 ms  10.860 ms  10.851 ms
 5  ae-21-139.41.gwj-btwl-core-01.wlink.com.np (202.79.41.139)  12.951 ms  12.941 ms  12.932 ms
 6  ae52-ipt-bhwa-01.wlink.com.np (72.9.128.67)  12.908 ms  11.520 ms  11.491 ms
 7  * * *
 8  142.250.174.2 (142.250.174.2)  30.058 ms  24.876 ms  31.027 ms
 9  192.178.83.35 (192.178.83.35)  38.327 ms 192.178.83.245 (192.178.83.245)  37.036 ms 192.178.83.35 (192.178.83.35)  31.181 ms
10  142.251.49.121 (142.251.49.121)  30.083 ms 142.251.49.115 (142.251.49.115)  30.032 ms 142.251.49.121 (142.251.49.121)  30.047 ms
11  nrt12s17-in-f46.1e100.net (172.217.26.46)  23.404 ms  26.114 ms  20.930 ms

• Hop 1 – Your home router (default gateway). The packet leaves your local network.

• Hops 2–6 – Routers inside ISP’s network (wlink.com.np) forwarding the packet toward the global internet.

• Hop 7 – No response (* * *), a router that blocks traceroute probes. But packets passes through.

• Hops 8–10 – Global internet routers, moving the packet toward Google. Multiple IPs indicate load balancing.

• Hop 11 – Final destination: the Google server (172.217.26.46), where the packet arrives successfully.

---

Step 4: Destination Network

• When the packet finally reaches the router directly connected to the destination network:

  1. The router performs subnet masking to see the destination IP is on its local subnet.

  2. It performs ARP to find the MAC of the actual destination machine.

  3. Wraps the packet with that MAC and sends it to the server.

• At this point, the packet has reached the actual host, and the process is complete.

Next Steps: Building the Networks

Our traceroute gave us a direct glimpse inside the infrastructure of an ISP, wlink.com.np, and the global backbone of Google. This raises a crucial question: What elevates a network from a simple collection of routers to an official Internet Service Provider? How does an entity like WorldLink get the authority to manage its own segment of the internet, with its own unique identifiers and blocks of public IP addresses?

In the next part of this series, we will answer that question. We’ll move from analyzing packets to building the networks that carry them, providing a practical, step-by-step checklist on how to build your own ISP from the ground up.

If you want a proper tutorial by a professional, you can check out Hussein Nassar’s Network Routing video. This video was one of the inspiration for creating this blog series.