
ARP (Address Resolution Protocol): Complete Guide

ARP (Address Resolution Protocol) is a fundamental network protocol that maps IP addresses to MAC addresses on local networks. Understanding ARP is essential for network troubleshooting, security, and comprehending how devices communicate at the data link layer as defined in RFC 826. This comprehensive guide explains everything you need to know about ARP.

What is ARP?

ARP is a protocol used to discover the MAC (Media Access Control) address associated with an IP address on a local network. When a device needs to send data to another device on the same network, it uses ARP to find the destination's physical (MAC) address.

Why ARP is Needed

The problem:
- IP addresses work at Layer 3 (Network)
- MAC addresses work at Layer 2 (Data Link)
- Ethernet frames need MAC addresses
- Devices know IP addresses but need MAC addresses

The solution:
- ARP translates IP → MAC
- Enables local network communication
- Bridges Layer 3 and Layer 2

How Communication Works

Without ARP (impossible):

Device A knows: "Send to 192.168.1.50"
Device A doesn't know: MAC address of 192.168.1.50
Cannot send: Ethernet needs MAC address

With ARP:

Device A: "Who has 192.168.1.50?"
Device B: "192.168.1.50 is at MAC 00:11:22:33:44:55"
Device A: Sends data to MAC 00:11:22:33:44:55

How ARP Works

ARP Process (Step-by-Step)

Scenario: Device A (192.168.1.10) wants to send to Device B (192.168.1.50)

Step 1: Check ARP Cache

Device A checks its ARP table
Looking for: 192.168.1.50
If found: Use cached MAC address
If not found: Proceed to Step 2

Step 2: Send ARP Request

Device A broadcasts ARP request
Source IP: 192.168.1.10
Source MAC: AA:BB:CC:DD:EE:FF
Target IP: 192.168.1.50
Target MAC: 00:00:00:00:00:00 (unknown)
Destination: FF:FF:FF:FF:FF:FF (broadcast)

Message: "Who has 192.168.1.50? Tell 192.168.1.10"

Step 3: All Devices Receive

Broadcast reaches all devices on network
Each device checks: "Is this my IP?"
Device B (192.168.1.50): "Yes, that's me!"
Other devices: Ignore the request

Step 4: ARP Reply

Device B sends unicast ARP reply
Source IP: 192.168.1.50
Source MAC: 00:11:22:33:44:55
Target IP: 192.168.1.10
Target MAC: AA:BB:CC:DD:EE:FF

Message: "192.168.1.50 is at 00:11:22:33:44:55"

Step 5: Cache and Communicate

Device A receives reply
Stores in ARP cache: 192.168.1.50 → 00:11:22:33:44:55
Sends data using MAC address
Future packets use cached MAC (no ARP needed)

ARP Packet Structure

ARP Request/Reply contains:

Hardware Type: Ethernet (1)
Protocol Type: IPv4 (0x0800)
Hardware Address Length: 6 (MAC)
Protocol Address Length: 4 (IPv4)
Operation: Request (1) or Reply (2)
Sender Hardware Address: Sender's MAC
Sender Protocol Address: Sender's IP
Target Hardware Address: Target's MAC (or 00:00:00:00:00:00)
Target Protocol Address: Target's IP
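The fields listed above can be packed and parsed in a few lines. The following Python encoder/decoder is an example added to this guide, not code from the original article: the 28-byte layout and the constants are the RFC 826 values for Ethernet/IPv4 given above, while the ArpPacket class, the reply_to helper and the treatment of sender IP == target IP as gratuitous are assumptions of this example. Its main block walks through Step 2 (Device A's broadcast request) and Step 4 (Device B's unicast reply) of the exchange described earlier.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Wire-format constants for Ethernet/IPv4 ARP (RFC 826 values, as listed above)
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
HLEN_ETHERNET = 6
PLEN_IPV4 = 4
OP_REQUEST = 1
OP_REPLY = 2
UNKNOWN_MAC = "00:00:00:00:00:00"

# htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FORMAT)  # 28 bytes


def mac_to_bytes(mac: str) -> bytes:
    """Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff (the Windows arp -a style)."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != HLEN_ETHERNET:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ArpPacket:
    """Example model of one ARP request or reply (hypothetical class, not a library type)."""
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def encode(self) -> bytes:
        return struct.pack(
            ARP_FORMAT, HTYPE_ETHERNET, PTYPE_IPV4, HLEN_ETHERNET, PLEN_IPV4, self.op,
            mac_to_bytes(self.sender_mac), IPv4Address(self.sender_ip).packed,
            mac_to_bytes(self.target_mac), IPv4Address(self.target_ip).packed,
        )

    @classmethod
    def decode(cls, data: bytes) -> "ArpPacket":
        if len(data) < ARP_LEN:
            raise ValueError(f"ARP payload too short: {len(data)} < {ARP_LEN}")
        htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FORMAT, data[:ARP_LEN])
        # Reject anything that is not Ethernet/IPv4 before trusting the field lengths
        if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN_ETHERNET, PLEN_IPV4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        if op not in (OP_REQUEST, OP_REPLY):
            raise ValueError(f"unsupported ARP operation {op}")
        return cls(op, bytes_to_mac(smac), str(IPv4Address(sip)), bytes_to_mac(tmac), str(IPv4Address(tip)))

    def is_gratuitous(self) -> bool:
        # Assumption of this example: a packet announcing the sender's own mapping
        # (sender IP == target IP) is treated as gratuitous ARP.
        return self.sender_ip == self.target_ip

    def describe(self) -> str:
        """The human-readable form used throughout this guide."""
        if self.op == OP_REQUEST:
            return f"Who has {self.target_ip}? Tell {self.sender_ip}"
        return f"{self.sender_ip} is at {self.sender_mac}"


def reply_to(request: ArpPacket, my_mac: str) -> ArpPacket:
    """Step 4: the owner of the requested IP answers with a unicast reply (hypothetical helper)."""
    if request.op != OP_REQUEST:
        raise ValueError("can only reply to a request")
    return ArpPacket(OP_REPLY, my_mac, request.target_ip, request.sender_mac, request.sender_ip)


if __name__ == "__main__":
    # Step 2: Device A (192.168.1.10) asks for 192.168.1.50; target MAC unknown, frame is broadcast
    request = ArpPacket(OP_REQUEST, "aa:bb:cc:dd:ee:ff", "192.168.1.10", UNKNOWN_MAC, "192.168.1.50")
    wire = request.encode()
    print(wire.hex(), "->", ArpPacket.decode(wire).describe())
    # Step 4: Device B answers with its own MAC
    print(reply_to(request, "00:11:22:33:44:55").describe())
```

The decoder checks the hardware/protocol type and length fields before it interprets the addresses, which is the check a parser needs so that a malformed or non-IPv4 ARP body is rejected rather than misread.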

ARP Cache/Table

What is ARP Cache?

A temporary storage of IP-to-MAC mappings to avoid repeated ARP requests.

Purpose:
- Improve performance
- Reduce network traffic
- Speed up communication
- Minimize broadcasts

Viewing ARP Cache

Windows:

arp -a

# Output:
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1          00-11-22-33-44-55     dynamic
  192.168.1.50         aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255        ff-ff-ff-ff-ff-ff     static

Linux:

arp -n

# Or modern command
ip neighbor show

# Output:
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE

macOS:

arp -a

# Output:
router.local (192.168.1.1) at 00:11:22:33:44:55 on en0 ifscope [ethernet]
device.local (192.168.1.50) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]

ARP Cache Entry States

Windows:
- Dynamic: Learned via ARP, expires
- Static: Manually added, permanent

Linux:
- REACHABLE: Recently confirmed
- STALE: Not recently used
- DELAY: Waiting for confirmation
- PROBE: Actively checking
- FAILED: Unreachable
- PERMANENT: Static entry

Cache Timeout

Default timeouts:
- Windows: 2 minutes (dynamic)
- Linux: 60-120 seconds (configurable)
- macOS: 20 minutes
- Cisco: 4 hours

Why timeout?
- Devices may change
- IP addresses reassigned
- Network topology changes
- Prevent stale entries
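The entry states and timeouts above can be modelled in a small cache class. The following Python is an added example, not the Linux kernel's neighbour code or anything from the original article: the state names follow the Linux list above, the reachable and delay timers (60 s and 5 s) and the probe limit are assumptions of this example, and the clock is injected so that ageing can be exercised without waiting. It also shows Step 1 of the ARP process (the cache lookup) and why a static entry is not overwritten by a reply.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Entry states, named after the Linux neighbour (NUD) states listed above
REACHABLE, STALE, DELAY, PROBE, FAILED, PERMANENT = (
    "REACHABLE", "STALE", "DELAY", "PROBE", "FAILED", "PERMANENT")


@dataclass
class Entry:
    mac: str
    state: str
    since: float      # time the entry entered its current state
    probes: int = 0   # unanswered unicast probes while in PROBE


class ArpCache:
    """Example ARP cache with ageing (hypothetical class, not an OS implementation)."""

    def __init__(self, reachable_time: float = 60.0, delay_time: float = 5.0,
                 max_probes: int = 3, clock: Callable[[], float] = time.monotonic):
        # Timer values are assumptions of this example (the guide lists 60-120 s for Linux)
        self.reachable_time = reachable_time
        self.delay_time = delay_time
        self.max_probes = max_probes
        self.clock = clock
        self.entries: Dict[str, Entry] = {}

    def add_static(self, ip: str, mac: str) -> None:
        """A static entry never ages out and is never overwritten by an ARP reply."""
        self.entries[ip] = Entry(mac, PERMANENT, self.clock())

    def learn(self, ip: str, mac: str) -> bool:
        """Record a mapping confirmed by an ARP reply. Returns False if a static entry blocked it."""
        existing = self.entries.get(ip)
        if existing is not None and existing.state == PERMANENT:
            return False
        self.entries[ip] = Entry(mac, REACHABLE, self.clock())
        return True

    def _age(self, ip: str) -> Optional[Entry]:
        """Apply timer-driven transitions: REACHABLE -> STALE, DELAY -> PROBE."""
        entry = self.entries.get(ip)
        if entry is None or entry.state == PERMANENT:
            return entry
        now = self.clock()
        if entry.state == REACHABLE and now - entry.since > self.reachable_time:
            entry.state, entry.since = STALE, now
        elif entry.state == DELAY and now - entry.since > self.delay_time:
            entry.state, entry.since, entry.probes = PROBE, now, 0
        return entry

    def state(self, ip: str) -> Optional[str]:
        entry = self._age(ip)
        return None if entry is None else entry.state

    def lookup(self, ip: str) -> Optional[str]:
        """Step 1 of the ARP process: return a usable MAC, or None so the caller sends a request."""
        entry = self._age(ip)
        if entry is None or entry.state == FAILED:
            return None
        if entry.state == STALE:
            # A stale entry is still used, but the sender now waits for confirmation
            entry.state, entry.since = DELAY, self.clock()
        return entry.mac

    def probe_failed(self, ip: str) -> None:
        """Called when a unicast probe sent in PROBE state got no reply."""
        entry = self._age(ip)
        if entry is not None and entry.state == PROBE:
            entry.probes += 1
            if entry.probes >= self.max_probes:
                entry.state, entry.since = FAILED, self.clock()


if __name__ == "__main__":
    cache = ArpCache()
    cache.learn("192.168.1.50", "00:11:22:33:44:55")
    print(cache.lookup("192.168.1.50"), cache.state("192.168.1.50"))
```

The point worth noticing is the STALE path: a stale mapping is still used for traffic, so a changed MAC is only discovered when the probe fails or a fresh reply arrives. That is why a poisoned entry survives in a cache until it is cleared or re-confirmed.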

Types of ARP

ARP Request

Purpose: Find MAC address for IP

Type: Broadcast

Direction: Sender → All devices

Example:

Who has 192.168.1.50? Tell 192.168.1.10

ARP Reply

Purpose: Respond with MAC address

Type: Unicast

Direction: Target → Sender

Example:

192.168.1.50 is at 00:11:22:33:44:55

Gratuitous ARP

Purpose: Announce own IP/MAC mapping

Type: Broadcast

Sender = Target: Same device

Uses:
- Detect IP conflicts
- Update other devices' caches
- Announce IP change
- Failover scenarios

Example:

Device boots up
Sends: "192.168.1.100 is at AA:BB:CC:DD:EE:FF"
If another device has that IP: Conflict detected
All devices update their ARP cache

Proxy ARP

Purpose: Router answers ARP on behalf of another network

Scenario:

Device A on Network 1 ARPs for Device B on Network 2
Router intercepts ARP request
Router replies with its own MAC
Device A sends to router
Router forwards to Device B

Use case: Connecting networks without proper routing configuration

Security concern: The requester cannot tell a legitimate proxy reply from a spoofed one, so the mechanism can be exploited

Reverse ARP (RARP)

Purpose: Find IP address from MAC address

Direction: Opposite of ARP

Status: Obsolete (replaced by DHCP)

Use: Diskless workstations finding their IP

ARP and Network Devices

Switches and ARP

Switches (Layer 2):
- Forward ARP broadcasts to all ports
- Don't process ARP themselves
- Learn MAC addresses from ARP traffic
- Build MAC address table

Process:

ARP broadcast arrives on port 1
Switch floods to all ports (except port 1)
Switch learns source MAC on port 1
Updates MAC address table

Routers and ARP

Routers (Layer 3):
- Use ARP for each connected network
- Maintain separate ARP cache per interface
- Don't forward ARP broadcasts
- Act as ARP boundary

Example:

Router with two interfaces:
- eth0: 192.168.1.1/24
- eth1: 192.168.2.1/24

ARP on 192.168.1.0/24 doesn't reach 192.168.2.0/24
Router maintains separate ARP cache for each

VLANs and ARP

VLANs create separate broadcast domains:

VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24

ARP in VLAN 10 only reaches VLAN 10 devices
Separate ARP domains

ARP Security Issues

ARP Spoofing/Poisoning

Attack: Attacker sends fake ARP replies

Goal: Intercept or modify traffic

Process:

1. Attacker sends fake ARP reply
   "192.168.1.1 (gateway) is at ATTACKER_MAC"

2. Victim updates ARP cache
   Gateway MAC → Attacker's MAC

3. Victim sends traffic to attacker
   Attacker intercepts all traffic

4. Attacker can:
   - Read traffic (sniffing)
   - Modify traffic (MITM)
   - Block traffic (DoS)

Example attack:

Normal:
Client → Gateway (real MAC) → Internet

After ARP poisoning:
Client → Attacker (fake MAC) → Gateway → Internet
         ↑ Attacker sees/modifies everything

ARP Cache Poisoning

Attack: Corrupt ARP cache with false entries

Impact:
- Redirect traffic
- Man-in-the-middle attacks
- Denial of service
- Session hijacking

Detection:

# Unusual ARP traffic
# Multiple IPs with same MAC
# MAC address changes frequently
# Unexpected ARP replies

ARP Scanning

Attack: Scan network using ARP

Purpose:
- Discover live hosts
- Map network
- Identify targets

Tool example:

# arp-scan
sudo arp-scan --interface=eth0 192.168.1.0/24

# nmap with ARP
sudo nmap -sn -PR 192.168.1.0/24

Why it works:
- ARP requests don't require IP
- Bypass some firewalls
- Faster than ping scans
- Works even if ICMP blocked

ARP Security Mitigations

Static ARP Entries

Manual ARP entries that don't expire:

Windows:

# Add static entry
arp -s 192.168.1.1 00-11-22-33-44-55

# View
arp -a

Linux:

# Add static entry
sudo ip neighbor add 192.168.1.1 lladdr 00:11:22:33:44:55 dev eth0 nud permanent

# Or legacy
sudo arp -s 192.168.1.1 00:11:22:33:44:55

Pros:
- Prevents ARP spoofing for that entry
- Guaranteed correct mapping
- No ARP needed

Cons:
- Manual management
- Doesn't scale
- Must update if MAC changes
- Only practical for critical devices (gateway, servers)

Dynamic ARP Inspection (DAI)

Switch feature that validates ARP packets:

How it works:

1. Switch maintains DHCP snooping database
   IP → MAC → Port mappings

2. ARP packet arrives

3. Switch checks:
   - Source IP matches DHCP binding?
   - Source MAC matches DHCP binding?
   - Arriving on correct port?

4. If valid: Forward
   If invalid: Drop and log

Configuration (Cisco):

# Enable DHCP snooping first
ip dhcp snooping
ip dhcp snooping vlan 10

# Enable DAI
ip arp inspection vlan 10

# Trust uplink ports
interface GigabitEthernet0/1
 ip arp inspection trust

Benefits:
- Prevents ARP spoofing
- Automatic validation
- No manual entries needed
- Enterprise-grade protection

ARP Monitoring

Tools to detect ARP attacks:

arpwatch (Linux):

# Install
sudo apt install arpwatch

# Monitor
sudo arpwatch -i eth0

# Logs to /var/log/arpwatch.log
# Alerts on MAC changes

XArp (Windows):
- GUI tool
- Real-time monitoring
- Alerts on ARP changes
- Free and paid versions

Wireshark:

# Filter for ARP
arp

# Look for:
# - Duplicate IP addresses
# - MAC address changes
# - Excessive ARP traffic
# - Gratuitous ARP from unexpected sources
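The heuristics listed under Detection in the ARP Cache Poisoning section and in the Wireshark notes above (MAC changes, several IPs claimed by one MAC, replies nobody asked for, excessive ARP traffic, gratuitous ARP) can be applied to a capture. The following Python analyser is an example added here, not arpwatch's or Wireshark's code: it parses lines in the style of `tcpdump -n -i eth0 arp` output, the sample capture is constructed for this example, and the thresholds (five requests within one second, a two-second window for pairing a reply with its request) are assumptions. The "changing MAC" symptom from the duplicate-IP troubleshooting case below surfaces as the same mac-changed alert.

```python
import re
from collections import defaultdict, deque
from typing import List, Optional, Tuple

# One line of `tcpdump -n -i eth0 arp` output (Request or Reply form)
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) ARP, "
    r"(?:Request who-has ([\d.]+) tell ([\d.]+)|Reply ([\d.]+) is-at ([0-9a-f:]+)), length \d+$")

# Constructed sample capture for this example (not real traffic): a normal request/reply,
# then replies nobody asked for that move the gateway IP and a second IP onto one MAC,
# a gratuitous announcement, and a burst of requests from one host.
SAMPLE_CAPTURE = "\n".join([
    "12:00:00.100 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
    "12:00:00.101 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "12:00:05.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
    "12:00:05.500 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:01, length 28",
    "12:00:08.000 ARP, Request who-has 192.168.1.100 tell 192.168.1.100, length 28",
] + [f"12:00:10.{i:03d} ARP, Request who-has 192.168.1.{100 + i} tell 192.168.1.77, length 28"
     for i in range(6)])


def parse_line(line: str) -> Optional[Tuple[str, float, str, str]]:
    """Returns ('request', t, target_ip, asker_ip) or ('reply', t, ip, mac); None for other lines."""
    m = LINE.match(line)
    if not m:
        return None
    h, mi, s, frac, req_target, req_asker, rep_ip, rep_mac = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
    if req_target is not None:
        return ("request", t, req_target, req_asker)
    return ("reply", t, rep_ip, rep_mac)


def analyze(capture: str, rate_threshold: int = 5, rate_window: float = 1.0,
            reply_window: float = 2.0) -> List[Tuple[str, str, str]]:
    """Returns (alert_kind, subject, detail) triples. Thresholds are assumptions of this example."""
    alerts = []
    mapping = {}                      # ip -> mac last seen in a reply
    ips_by_mac = defaultdict(set)     # mac -> IPs it has claimed
    pending = {}                      # ip -> time of the last request for it
    recent = defaultdict(deque)       # asker ip -> timestamps of its recent requests
    for line in capture.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        kind, t, a, b = event
        if kind == "request":
            target, asker = a, b
            pending[target] = t
            if target == asker:
                alerts.append(("gratuitous-arp", asker, "host announced its own mapping"))
            window = recent[asker]
            window.append(t)
            while window and t - window[0] > rate_window:
                window.popleft()
            if len(window) == rate_threshold:   # fire once as the threshold is crossed
                alerts.append(("excessive-arp", asker, f"{rate_threshold} requests within {rate_window}s"))
        else:
            ip, mac = a, b
            if ip not in pending or t - pending[ip] > reply_window:
                alerts.append(("unsolicited-reply", ip, f"claimed by {mac} without a recent request"))
            old = mapping.get(ip)
            if old is not None and old != mac:
                alerts.append(("mac-changed", ip, f"{old} -> {mac}"))
            mapping[ip] = mac
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) == 2:
                alerts.append(("shared-mac", mac, ", ".join(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CAPTURE):
        print(*alert)
```

A gratuitous announcement or a shared MAC is not proof of an attack on its own (failover pairs and routers that proxy-ARP produce both legitimately), which is why the analyser reports each finding as an alert to be checked against a known-good inventory rather than as a verdict.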

Port Security

Limit MAC addresses per switch port:

Cisco example:

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict

Benefits:
- Prevents MAC spoofing
- Limits devices per port
- Complements DAI
- Additional security layer
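The two switch-side checks above, DAI validation against the DHCP snooping binding table and port security with a sticky MAC limit, can be modelled together on a toy access switch. The following Python is an added example, not Cisco's implementation or code from the original article: the binding table contents, the port names, the per-port MAC limit, the order of the checks (port security on the source MAC first, then DAI on the ARP body) and the assumption that the frame's source MAC equals the ARP sender MAC are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the IP a host leased, its MAC and the port it sits on."""
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpSeen:
    """The parts of an ARP packet the switch checks (frame source MAC assumed == sender MAC)."""
    sender_ip: str
    sender_mac: str
    ingress_port: str


class AccessSwitch:
    """Toy model of DAI plus port security on an access switch (hypothetical, not Cisco's code)."""

    def __init__(self, trusted_ports: Set[str], max_macs_per_port: int = 1):
        self.trusted = set(trusted_ports)          # uplinks: `ip arp inspection trust`
        self.max_macs = max_macs_per_port          # `switchport port-security maximum N`
        self.bindings: Dict[str, Binding] = {}     # DHCP snooping database, keyed by IP
        self.sticky: Dict[str, Set[str]] = defaultdict(set)  # sticky MACs learned per port
        self.log: List[str] = []

    def dhcp_snooping_learn(self, ip: str, mac: str, port: str) -> None:
        """Called when DHCP snooping sees a lease granted to a host on an untrusted port."""
        self.bindings[ip] = Binding(ip, mac, port)

    def port_security_check(self, mac: str, port: str) -> bool:
        """Sticky learning up to max_macs; further MACs are a violation (restrict: drop and log)."""
        if port in self.trusted:
            return True                            # assumption: no port security on uplinks
        learned = self.sticky[port]
        if mac in learned:
            return True
        if len(learned) < self.max_macs:
            learned.add(mac)
            return True
        self.log.append(f"PORT-SECURITY: {port} violation, {mac} exceeds maximum {self.max_macs}")
        return False

    def dai_check(self, pkt: ArpSeen) -> bool:
        """Steps 3-4 above: compare sender IP/MAC/port against the DHCP snooping binding."""
        if pkt.ingress_port in self.trusted:
            return True                            # trusted ports are not inspected
        binding = self.bindings.get(pkt.sender_ip)
        if binding is None:
            reason = "no DHCP binding for sender IP"
        elif binding.mac != pkt.sender_mac:
            reason = f"sender MAC does not match binding {binding.mac}"
        elif binding.port != pkt.ingress_port:
            reason = f"binding is on {binding.port}, not {pkt.ingress_port}"
        else:
            return True
        self.log.append(f"DAI: dropped ARP {pkt.sender_ip}/{pkt.sender_mac} on {pkt.ingress_port}: {reason}")
        return False

    def receive_arp(self, pkt: ArpSeen) -> bool:
        """True if the packet is forwarded, False if dropped by either check."""
        if not self.port_security_check(pkt.sender_mac, pkt.ingress_port):
            return False
        return self.dai_check(pkt)


if __name__ == "__main__":
    sw = AccessSwitch(trusted_ports={"Gi0/1"})
    sw.dhcp_snooping_learn("192.168.1.50", "aa:bb:cc:dd:ee:ff", "Gi0/5")
    print(sw.receive_arp(ArpSeen("192.168.1.50", "aa:bb:cc:dd:ee:ff", "Gi0/5")))   # forwarded
    print(sw.receive_arp(ArpSeen("192.168.1.1", "aa:bb:cc:dd:ee:ff", "Gi0/5")))    # dropped by DAI
    print(sw.log)
```

The model shows why the two features complement each other: DAI rejects an ARP body whose IP/MAC/port triple has no DHCP binding, while port security limits how many source MACs a port may present at all, so a host cannot simply borrow a neighbour's MAC to satisfy DAI. It also shows the cost of the trusted flag, since anything arriving on a trusted port skips both checks, which is why only genuine uplinks should be trusted.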

Troubleshooting ARP Issues

Common Problems

Problem 1: Cannot communicate with device

Symptoms:

Ping fails
Connection timeout
Device unreachable

Diagnosis:

# Check ARP cache
arp -a | grep 192.168.1.50

# If no entry or incomplete:
# - Device may be offline
# - Firewall blocking ARP
# - Network issue

Solutions:

# Clear ARP cache
# Windows
arp -d

# Linux
sudo ip neighbor flush all

# Retry communication
ping 192.168.1.50

Problem 2: Duplicate IP address

Symptoms:

"IP address conflict" message
Intermittent connectivity
ARP cache shows changing MAC

Diagnosis:

# Check for duplicate
arp -a | grep 192.168.1.50

# If multiple MACs: Duplicate IP

Solutions:

1. Identify conflicting devices
2. Change one device's IP
3. Use DHCP to prevent conflicts
4. Implement IP address management

Problem 3: ARP cache poisoning

Symptoms:

Unexpected MAC addresses
Traffic redirected
Man-in-the-middle attack
Performance issues

Diagnosis:

# Monitor ARP changes
arpwatch

# Check for suspicious entries
arp -a

# Look for:
# - Gateway MAC changed
# - Multiple IPs with same MAC
# - Frequent MAC changes

Solutions:

1. Clear ARP cache
2. Add static ARP for gateway
3. Enable DAI on switches
4. Investigate source
5. Isolate affected devices

Diagnostic Commands

View ARP cache:

# Windows
arp -a

# Linux
ip neighbor show
arp -n

# macOS
arp -a

Clear ARP cache:

# Windows (specific entry)
arp -d 192.168.1.50

# Windows (all)
netsh interface ip delete arpcache

# Linux
sudo ip neighbor flush all

# macOS
sudo arp -d -a

Send ARP request:

# Linux (arping)
sudo arping -I eth0 192.168.1.50

# Count responses
sudo arping -c 4 -I eth0 192.168.1.50

Capture ARP traffic:

# tcpdump
sudo tcpdump -i eth0 arp

# Wireshark filter
arp

ARP Best Practices

Network Design

  1. Segment networks
     - Use VLANs
     - Smaller broadcast domains
     - Limit ARP scope

  2. Implement security
     - Enable DAI
     - Use port security
     - Monitor ARP traffic

  3. Static entries for critical devices
     - Gateway
     - DNS servers
     - Important servers

Monitoring

  1. Use arpwatch
     - Track MAC changes
     - Alert on anomalies
     - Log ARP activity

  2. Regular audits
     - Review ARP tables
     - Check for duplicates
     - Verify critical entries

  3. Baseline normal behavior
     - Know typical ARP traffic
     - Identify unusual patterns
     - Set up alerts

Security

  1. Enable DAI
     - On all access switches
     - Trust only uplinks
     - Log violations

  2. Port security
     - Limit MACs per port
     - Sticky MAC learning
     - Violation actions

  3. Network access control
     - 802.1X authentication
     - MAC authentication
     - Guest VLANs

IPv6 and ARP

Neighbor Discovery Protocol (NDP)

IPv6 replacement for ARP:
- Uses ICMPv6
- More efficient
- Additional features
- Built-in security (IPsec)

Key differences:

ARP (IPv4):
- Broadcast-based
- Separate protocol
- No authentication

NDP (IPv6):
- Multicast-based
- Part of ICMPv6
- Can use IPsec

NDP messages:
- Neighbor Solicitation (like ARP request)
- Neighbor Advertisement (like ARP reply)
- Router Solicitation
- Router Advertisement
- Redirect

Conclusion

ARP is a fundamental protocol that enables communication on local networks by mapping IP addresses to MAC addresses. While essential for network operation, ARP's lack of built-in security makes it vulnerable to attacks. Understanding ARP helps you troubleshoot network issues, implement security measures, and design efficient networks.



Key takeaways:
- ARP translates IP addresses to MAC addresses
- Uses broadcast requests and unicast replies
- Maintains cache to reduce network traffic
- Essential for local network communication
- Vulnerable to spoofing and poisoning attacks
- Mitigate with DAI, static entries, and monitoring
- Routers block ARP (separate domains per interface)
- IPv6 uses NDP instead of ARP
- Monitor ARP for security and troubleshooting
- Critical for understanding Layer 2/3 interaction

Mastering ARP concepts enables you to diagnose connectivity problems, implement security controls, and understand the fundamental mechanisms that make local network communication possible.
