ARP (Address Resolution Protocol): Complete Guide
ARP (Address Resolution Protocol) is a fundamental network protocol that maps IP addresses to MAC addresses on local networks. Understanding ARP is essential for network troubleshooting, security, and comprehending how devices communicate at the data link layer. This comprehensive guide explains everything you need to know about ARP.
What is ARP?
ARP is a protocol used to discover the MAC (Media Access Control) address associated with an IP address on a local network. When a device needs to send data to another device on the same network, it uses ARP to find the destination's physical (MAC) address.
Why ARP is Needed
The problem:
- IP addresses work at Layer 3 (Network)
- MAC addresses work at Layer 2 (Data Link)
- Ethernet frames need MAC addresses
- Devices know IP addresses but need MAC addresses
The solution:
- ARP translates IP → MAC
- Enables local network communication
- Bridges Layer 3 and Layer 2
How Communication Works
Without ARP (impossible):
Device A knows: "Send to 192.168.1.50"
Device A doesn't know: MAC address of 192.168.1.50
Cannot send: Ethernet needs MAC address
With ARP:
Device A: "Who has 192.168.1.50?"
Device B: "192.168.1.50 is at MAC 00:11:22:33:44:55"
Device A: Sends data to MAC 00:11:22:33:44:55
How ARP Works
ARP Process (Step-by-Step)
Scenario: Device A (192.168.1.10) wants to send to Device B (192.168.1.50)
Step 1: Check ARP Cache
Device A checks its ARP table
Looking for: 192.168.1.50
If found: Use cached MAC address
If not found: Proceed to Step 2
Step 2: Send ARP Request
```
Device A broadcasts ARP request
Source IP: 192.168.1.10
Source MAC: AA:BB:CC:DD:EE:FF
Target IP: 192.168.1.50
Target MAC: 00:00:00:00:00:00 (unknown)
Destination: FF:FF:FF:FF:FF:FF (broadcast)

Message: "Who has 192.168.1.50? Tell 192.168.1.10"
```
Step 3: All Devices Receive
Broadcast reaches all devices on network
Each device checks: "Is this my IP?"
Device B (192.168.1.50): "Yes, that's me!"
Other devices: Ignore the request
Step 4: ARP Reply
```
Device B sends unicast ARP reply
Source IP: 192.168.1.50
Source MAC: 00:11:22:33:44:55
Target IP: 192.168.1.10
Target MAC: AA:BB:CC:DD:EE:FF

Message: "192.168.1.50 is at 00:11:22:33:44:55"
```
Step 5: Cache and Communicate
Device A receives reply
Stores in ARP cache: 192.168.1.50 → 00:11:22:33:44:55
Sends data using MAC address
Future packets use cached MAC (no ARP needed)
ARP Packet Structure
ARP Request/Reply contains:
Hardware Type: Ethernet (1)
Protocol Type: IPv4 (0x0800)
Hardware Address Length: 6 (MAC)
Protocol Address Length: 4 (IPv4)
Operation: Request (1) or Reply (2)
Sender Hardware Address: Sender's MAC
Sender Protocol Address: Sender's IP
Target Hardware Address: Target's MAC (or 00:00:00:00:00:00)
Target Protocol Address: Target's IP
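The nine fields above are a fixed 28-byte layout for Ethernet/IPv4. The following encoder/decoder is an added example (not code from the original page) that packs the request and reply from the walkthrough, parses them back, and rejects payloads with the wrong hardware/protocol types or a truncated body; MAC and IP strings are assumed in the usual colon/dot notation.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # 28-byte ARP body: HTYPE, PTYPE, HLEN, PLEN, OPER, SHA, SPA, THA, TPA
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode the nine fields listed above for Ethernet (1) / IPv4 (0x0800), HLEN 6, PLEN 4."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def parse_arp(payload):
    """Decode an ARP body, rejecting anything that is not a well-formed Ethernet/IPv4 request or reply."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unsupported ARP opcode {op}")
    return {"op": op, "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}

def describe(pkt):
    """Summarise a parsed packet the way tcpdump and Wireshark print it."""
    if pkt["op"] == ARP_REQUEST:
        return f"Who has {pkt['target_ip']}? Tell {pkt['sender_ip']}"
    return f"{pkt['sender_ip']} is at {pkt['sender_mac']}"

# Constructed sample: the request/reply pair from the walkthrough above (Device A -> Device B).
REQUEST = build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:ff", "192.168.1.10", ZERO_MAC, "192.168.1.50")
REPLY = build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.168.1.50", "aa:bb:cc:dd:ee:ff", "192.168.1.10")

if __name__ == "__main__":
    for raw in (REQUEST, REPLY):
        print(f"{len(raw)} bytes: {describe(parse_arp(raw))}")
```

Note that the 28-byte body is shorter than the 46-byte Ethernet minimum payload, so on the wire it is padded by the sending NIC; the parser therefore only looks at the first 28 bytes.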
ARP Cache/Table
What is ARP Cache?
A temporary storage of IP-to-MAC mappings to avoid repeated ARP requests.
Purpose:
- Improve performance
- Reduce network traffic
- Speed up communication
- Minimize broadcasts
Viewing ARP Cache
Windows:
```cmd
arp -a
```
Output:
```
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
```
Linux:
```bash
arp -n
# Or modern command
ip neighbor show
```
Output:
```
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
```
macOS:
```bash
arp -a
```
Output:
```
router.local (192.168.1.1) at 00:11:22:33:44:55 on en0 ifscope [ethernet]
device.local (192.168.1.50) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]
```
ARP Cache Entry States
Windows:
- Dynamic: Learned via ARP, expires
- Static: Manually added, permanent
Linux:
- REACHABLE: Recently confirmed
- STALE: Not recently used
- DELAY: Waiting for confirmation
- PROBE: Actively checking
- FAILED: Unreachable
- PERMANENT: Static entry
Cache Timeout
Default timeouts:
- Windows: 2 minutes (dynamic)
- Linux: 60-120 seconds (configurable)
- macOS: 20 minutes
- Cisco: 4 hours
Why timeout?
- Devices may change
- IP addresses reassigned
- Network topology changes
- Prevent stale entries
Types of ARP
ARP Request
Purpose: Find MAC address for IP
Type: Broadcast
Direction: Sender → All devices
Example:
Who has 192.168.1.50? Tell 192.168.1.10
ARP Reply
Purpose: Respond with MAC address
Type: Unicast
Direction: Target → Sender
Example:
192.168.1.50 is at 00:11:22:33:44:55
Gratuitous ARP
Purpose: Announce own IP/MAC mapping
Type: Broadcast
Sender = Target: Same device
Uses:
- Detect IP conflicts
- Update other devices' caches
- Announce IP change
- Failover scenarios
Example:
Device boots up
Sends: "192.168.1.100 is at AA:BB:CC:DD:EE:FF"
If another device has that IP: Conflict detected
All devices update their ARP cache
Proxy ARP
Purpose: Router answers ARP on behalf of another network
Scenario:
Device A on Network 1 ARPs for Device B on Network 2
Router intercepts ARP request
Router replies with its own MAC
Device A sends to router
Router forwards to Device B
Use case: Connecting networks without proper routing configuration
Security concern: a host that answers ARP for addresses it does not own looks exactly like an ARP spoofer, so proxy ARP can be abused to redirect traffic and makes genuine spoofing harder to tell apart from legitimate behavior
Reverse ARP (RARP)
Purpose: Find IP address from MAC address
Direction: Opposite of ARP
Status: Obsolete (replaced by DHCP)
Use: Diskless workstations finding their IP
ARP and Network Devices
Switches and ARP
Switches (Layer 2):
- Forward ARP broadcasts to all ports
- Don't process ARP themselves
- Learn MAC addresses from ARP traffic
- Build MAC address table
Process:
ARP broadcast arrives on port 1
Switch floods to all ports (except port 1)
Switch learns source MAC on port 1
Updates MAC address table
Routers and ARP
Routers (Layer 3):
- Use ARP for each connected network
- Maintain separate ARP cache per interface
- Don't forward ARP broadcasts
- Act as ARP boundary
Example:
```
Router with two interfaces:
- eth0: 192.168.1.1/24
- eth1: 192.168.2.1/24

ARP on 192.168.1.0/24 doesn't reach 192.168.2.0/24
Router maintains separate ARP cache for each
```
VLANs and ARP
VLANs create separate broadcast domains:
```
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24

ARP in VLAN 10 only reaches VLAN 10 devices
Separate ARP domains
```
ARP Security Issues
ARP Spoofing/Poisoning
Attack: Attacker sends fake ARP replies
Goal: Intercept or modify traffic
Process:
```
1. Attacker sends fake ARP reply
   "192.168.1.1 (gateway) is at ATTACKER_MAC"
2. Victim updates ARP cache
   Gateway MAC → Attacker's MAC
3. Victim sends traffic to attacker
   Attacker intercepts all traffic
4. Attacker can:
   - Read traffic (sniffing)
   - Modify traffic (MITM)
   - Block traffic (DoS)
```
Example attack:
```
Normal:
Client → Gateway (real MAC) → Internet

After ARP poisoning:
Client → Attacker (fake MAC) → Gateway → Internet
              ↑ Attacker sees/modifies everything
```
ARP Cache Poisoning
Attack: Corrupt ARP cache with false entries
Impact:
- Redirect traffic
- Man-in-the-middle attacks
- Denial of service
- Session hijacking
Detection:
- Unusual ARP traffic
- Multiple IPs with same MAC
- MAC address changes frequently
- Unexpected ARP replies
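The detection indicators above can be turned into a small baseline-and-alert monitor. This is an added example (not the page's code and not arpwatch itself) that keeps an IP-to-MAC baseline and flags an IP whose MAC changes (critical when it is the gateway), one MAC claiming several IPs, and bursts of replies from one MAC; the sample records, the 192.168.1.77 attacker host and the `de:ad:be:ef:00:01` MAC are constructed, and the flood threshold and window are assumptions.

```python
from collections import defaultdict, deque

class ArpMonitor:
    def __init__(self, gateway_ip, flood_threshold=5, window=10.0):
        self.gateway_ip = gateway_ip
        self.flood_threshold = flood_threshold   # replies per MAC within `window` seconds (assumed)
        self.window = window
        self.ip_to_mac = {}                      # learned baseline, like arpwatch's database
        self.mac_to_ips = defaultdict(set)       # reverse index: which IPs a MAC has claimed
        self.reply_times = defaultdict(deque)    # per-MAC timestamps of recent replies

    def observe(self, ts, op, sender_ip, sender_mac):
        """op: 1 = request, 2 = reply. Returns the alerts this one packet triggers."""
        alerts = []
        old = self.ip_to_mac.get(sender_ip)
        if old is not None and old != sender_mac:
            # An IP suddenly answering from a new MAC; the gateway is the classic poisoning target.
            sev = "CRITICAL" if sender_ip == self.gateway_ip else "WARNING"
            alerts.append(f"{sev}: {sender_ip} changed from {old} to {sender_mac}")
            self.mac_to_ips[old].discard(sender_ip)
        self.ip_to_mac[sender_ip] = sender_mac
        self.mac_to_ips[sender_mac].add(sender_ip)
        if len(self.mac_to_ips[sender_mac]) > 1:
            alerts.append(f"WARNING: {sender_mac} claims several IPs {sorted(self.mac_to_ips[sender_mac])}")
        if op == 2:
            q = self.reply_times[sender_mac]
            q.append(ts)
            while q and ts - q[0] > self.window:   # slide the window
                q.popleft()
            if len(q) >= self.flood_threshold:
                alerts.append(f"WARNING: {len(q)} ARP replies from {sender_mac} in {self.window}s")
        return alerts

def scan(records, gateway_ip="192.168.1.1"):
    """Run every (ts, op, sender_ip, sender_mac) record through one monitor."""
    mon = ArpMonitor(gateway_ip)
    alerts = []
    for ts, op, ip, mac in records:
        alerts.extend(mon.observe(ts, op, ip, mac))
    return alerts

# Constructed sample log: a quiet baseline, then one host answering for the gateway and a neighbour.
SAMPLE = [
    (0.0, 2, "192.168.1.1",  "00:11:22:33:44:55"),
    (0.5, 2, "192.168.1.50", "aa:bb:cc:dd:ee:ff"),
    (1.0, 1, "192.168.1.77", "de:ad:be:ef:00:01"),
    (2.0, 2, "192.168.1.1",  "de:ad:be:ef:00:01"),
    (2.1, 2, "192.168.1.50", "de:ad:be:ef:00:01"),
] + [(2.2 + i * 0.1, 2, "192.168.1.1", "de:ad:be:ef:00:01") for i in range(3)]
```

Running `scan(SAMPLE)` yields no alerts for the first three records and then the gateway change, the multiple-IP claims, and finally the reply-burst warning.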
ARP Scanning
Attack: Scan network using ARP
Purpose:
- Discover live hosts
- Map network
- Identify targets
Tool example:
```bash
# arp-scan
sudo arp-scan --interface=eth0 192.168.1.0/24
# nmap with ARP
sudo nmap -sn -PR 192.168.1.0/24
```
Why it works:
- ARP operates below the IP layer, so no IP-level response is needed
- Bypasses some firewalls
- Faster than ping scans
- Works even if ICMP is blocked
ARP Security Mitigations
Static ARP Entries
Manual ARP entries that don't expire:
Windows:
```cmd
REM Add static entry
arp -s 192.168.1.1 00-11-22-33-44-55
REM View
arp -a
```
Linux:
```bash
# Add static entry
sudo ip neighbor add 192.168.1.1 lladdr 00:11:22:33:44:55 dev eth0 nud permanent
# Or legacy
sudo arp -s 192.168.1.1 00:11:22:33:44:55
```
Pros:
- Prevents ARP spoofing for that entry
- Guaranteed correct mapping
- No ARP needed
Cons:
- Manual management
- Doesn't scale
- Must update if MAC changes
- Only practical for critical devices (gateway, servers)
Dynamic ARP Inspection (DAI)
Switch feature that validates ARP packets:
How it works:
```
1. Switch maintains DHCP snooping database
   IP → MAC → Port mappings
2. ARP packet arrives
3. Switch checks:
   - Source IP matches DHCP binding?
   - Source MAC matches DHCP binding?
   - Arriving on correct port?
4. If valid: Forward
   If invalid: Drop and log
```
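The validation steps above, written out as an added example (not code from the page or from any switch vendor): the function checks an inbound ARP packet against a constructed DHCP snooping table, skips the checks on trusted ports, and also compares the Ethernet source MAC with the ARP sender MAC, which corresponds to the optional `ip arp inspection validate src-mac` setting on Cisco switches. The VLAN, ports, bindings and frames are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping database: IP -> MAC -> port, per VLAN."""
    vlan: int
    ip: str
    mac: str
    port: str

@dataclass(frozen=True)
class ArpFrame:
    """The fields of an inbound ARP packet that the inspection consults."""
    port: str        # ingress switch port
    vlan: int
    eth_src: str     # Ethernet source MAC of the frame
    sender_ip: str   # ARP sender protocol address
    sender_mac: str  # ARP sender hardware address

def dai_check(frame, bindings, trusted_ports, dai_vlans):
    """Return ('forward', reason) or ('drop', reason) following the steps above."""
    if frame.vlan not in dai_vlans:
        return "forward", "VLAN not under inspection"
    if frame.port in trusted_ports:
        return "forward", "trusted port (uplink), bindings not consulted"
    if frame.eth_src.lower() != frame.sender_mac.lower():
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    match = next((b for b in bindings if b.vlan == frame.vlan and b.ip == frame.sender_ip), None)
    if match is None:
        return "drop", f"no DHCP binding for {frame.sender_ip} in VLAN {frame.vlan}"
    if match.mac.lower() != frame.sender_mac.lower():
        return "drop", f"sender MAC {frame.sender_mac} does not match binding {match.mac}"
    if match.port != frame.port:
        return "drop", f"arrived on {frame.port}, binding is on {match.port}"
    return "forward", "matches DHCP snooping binding"

# Constructed sample: two DHCP clients in VLAN 10, Gi0/1 is the trusted uplink to the gateway.
BINDINGS = [Binding(10, "192.168.1.50", "aa:bb:cc:dd:ee:ff", "Gi0/5"),
            Binding(10, "192.168.1.60", "00:aa:bb:cc:dd:01", "Gi0/6")]
TRUSTED, DAI_VLANS = {"Gi0/1"}, {10}

def demo():
    frames = {
        "legit":  ArpFrame("Gi0/5", 10, "aa:bb:cc:dd:ee:ff", "192.168.1.50", "aa:bb:cc:dd:ee:ff"),
        "spoof":  ArpFrame("Gi0/6", 10, "00:aa:bb:cc:dd:01", "192.168.1.1", "00:aa:bb:cc:dd:01"),
        "uplink": ArpFrame("Gi0/1", 10, "00:11:22:33:44:55", "192.168.1.1", "00:11:22:33:44:55"),
        "moved":  ArpFrame("Gi0/7", 10, "aa:bb:cc:dd:ee:ff", "192.168.1.50", "aa:bb:cc:dd:ee:ff"),
    }
    return {name: dai_check(f, BINDINGS, TRUSTED, DAI_VLANS) for name, f in frames.items()}
```

The "spoof" case shows why the gateway must sit behind a trusted port: its address has no DHCP binding, so a gateway claim from an access port is dropped while the same claim from the uplink is forwarded.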
Configuration (Cisco):
```
! Enable DHCP snooping first
ip dhcp snooping
ip dhcp snooping vlan 10
! Enable DAI
ip arp inspection vlan 10
! Trust uplink ports
interface GigabitEthernet0/1
 ip arp inspection trust
```
Benefits:
- Prevents ARP spoofing
- Automatic validation
- No manual entries needed
- Enterprise-grade protection
ARP Monitoring
Tools to detect ARP attacks:
arpwatch (Linux):
```bash
# Install
sudo apt install arpwatch
# Monitor
sudo arpwatch -i eth0
# Logs to /var/log/arpwatch.log
# Alerts on MAC changes
```
XArp (Windows):
- GUI tool
- Real-time monitoring
- Alerts on ARP changes
- Free and paid versions
Wireshark:
```
# Filter for ARP
arp
```
Look for:
- Duplicate IP addresses
- MAC address changes
- Excessive ARP traffic
- Gratuitous ARP from unexpected sources
Port Security
Limit MAC addresses per switch port:
Cisco example:
```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
```
Benefits:
- Prevents MAC spoofing
- Limits devices per port
- Complements DAI
- Additional security layer
Troubleshooting ARP Issues
Common Problems
Problem 1: Cannot communicate with device
Symptoms:
Ping fails
Connection timeout
Device unreachable
Diagnosis:
```bash
# Check ARP cache
arp -a | grep 192.168.1.50
```
If no entry or incomplete:
- Device may be offline
- Firewall blocking ARP
- Network issue
Solutions:
```bash
# Clear ARP cache
# Windows
arp -d
# Linux
sudo ip neighbor flush all
# Retry communication
ping 192.168.1.50
```
Problem 2: Duplicate IP address
Symptoms:
"IP address conflict" message
Intermittent connectivity
ARP cache shows changing MAC
Diagnosis:
```bash
# Check for duplicate
arp -a | grep 192.168.1.50
```
If multiple MACs: Duplicate IP
Solutions:
1. Identify conflicting devices
2. Change one device's IP
3. Use DHCP to prevent conflicts
4. Implement IP address management
Problem 3: ARP cache poisoning
Symptoms:
Unexpected MAC addresses
Traffic redirected
Man-in-the-middle attack
Performance issues
Diagnosis:
```bash
# Monitor ARP changes
arpwatch
# Check for suspicious entries
arp -a
```
Look for:
- Gateway MAC changed
- Multiple IPs with same MAC
- Frequent MAC changes
Solutions:
1. Clear ARP cache
2. Add static ARP for gateway
3. Enable DAI on switches
4. Investigate source
5. Isolate affected devices
Diagnostic Commands
View ARP cache:
```bash
# Windows
arp -a
# Linux
ip neighbor show
arp -n
# macOS
arp -a
```
Clear ARP cache:
```bash
# Windows (specific entry)
arp -d 192.168.1.50
# Windows (all)
netsh interface ip delete arpcache
# Linux
sudo ip neighbor flush all
# macOS
sudo arp -d -a
```
Send ARP request:
```bash
# Linux (arping)
sudo arping -I eth0 192.168.1.50
# Count responses
sudo arping -c 4 -I eth0 192.168.1.50
```
Capture ARP traffic:
```bash
# tcpdump
sudo tcpdump -i eth0 arp
# Wireshark filter
arp
```
ARP Best Practices
Network Design
1. Segment networks
   - Use VLANs
   - Smaller broadcast domains
   - Limit ARP scope
2. Implement security
   - Enable DAI
   - Use port security
   - Monitor ARP traffic
3. Static entries for critical devices
   - Gateway
   - DNS servers
   - Important servers
Monitoring
1. Use arpwatch
   - Track MAC changes
   - Alert on anomalies
   - Log ARP activity
2. Regular audits
   - Review ARP tables
   - Check for duplicates
   - Verify critical entries
3. Baseline normal behavior
   - Know typical ARP traffic
   - Identify unusual patterns
   - Set up alerts
Security
1. Enable DAI
   - On all access switches
   - Trust only uplinks
   - Log violations
2. Port security
   - Limit MACs per port
   - Sticky MAC learning
   - Violation actions
3. Network access control
   - 802.1X authentication
   - MAC authentication
   - Guest VLANs
IPv6 and ARP
Neighbor Discovery Protocol (NDP)
IPv6 replacement for ARP:
- Uses ICMPv6
- More efficient
- Additional features
- Built-in security (IPsec)
Key differences:
```
ARP (IPv4):
- Broadcast-based
- Separate protocol
- No authentication

NDP (IPv6):
- Multicast-based
- Part of ICMPv6
- Can use IPsec
```
NDP messages:
- Neighbor Solicitation (like ARP request)
- Neighbor Advertisement (like ARP reply)
- Router Solicitation
- Router Advertisement
- Redirect
Conclusion
ARP is a fundamental protocol that enables communication on local networks by mapping IP addresses to MAC addresses. While essential for network operation, ARP's lack of built-in security makes it vulnerable to attacks. Understanding ARP helps you troubleshoot network issues, implement security measures, and design efficient networks.
Key takeaways:
- ARP translates IP addresses to MAC addresses
- Uses broadcast requests and unicast replies
- Maintains cache to reduce network traffic
- Essential for local network communication
- Vulnerable to spoofing and poisoning attacks
- Mitigate with DAI, static entries, and monitoring
- Routers block ARP (separate domains per interface)
- IPv6 uses NDP instead of ARP
- Monitor ARP for security and troubleshooting
- Critical for understanding Layer 2/3 interaction
Mastering ARP concepts enables you to diagnose connectivity problems, implement security controls, and understand the fundamental mechanisms that make local network communication possible.