Why Two Addresses? IP vs MAC
Every device on a network has two kinds of addresses that serve different purposes. An IP address operates at Layer 3 (the internet layer) and is used to route packets across networks worldwide — it is logical, hierarchical, and can change when a device moves to a different network. A MAC address operates at Layer 2 (the link layer) and is used to deliver frames within a single local network segment — it is flat, hardware-burned, and globally unique (in principle).
When your computer wants to send data to another device on the same local network, it knows the destination's IP address (perhaps from a DNS lookup), but Ethernet and Wi-Fi frames are addressed using MAC addresses, not IP addresses. Before the first frame can be sent, your computer must discover which MAC address corresponds to that IP address. This translation is the job of ARP — the Address Resolution Protocol.
ARP is only relevant within a single local network segment. If the destination is on a different network (routed traffic), your device sends the frame to its default gateway's MAC address and lets the router handle forwarding from there. ARP never crosses router boundaries.
The ARP Request/Reply Process
ARP works through a simple broadcast-and-reply mechanism. When device A needs to send a packet to IP address 192.168.1.50 and does not know its MAC address, it broadcasts an ARP Request to the entire local network segment:
"Who has 192.168.1.50? Tell 192.168.1.10."
The ARP Request is sent as an Ethernet broadcast — to the destination MAC address FF:FF:FF:FF:FF:FF — so every device on the segment receives it. All devices check the target IP against their own IP address. The device that owns 192.168.1.50 responds with a unicast ARP Reply:
"192.168.1.50 is at 00:1A:2B:3C:4D:5E."
Device A receives the reply, records the IP-to-MAC mapping, and can now address Ethernet frames directly to that MAC address. The entire exchange typically takes less than a millisecond on a healthy local network.
The ARP Cache
Sending an ARP Request for every single packet would be wasteful — if you are downloading a large file, thousands of packets go to the same destination, and each would trigger a separate ARP broadcast. Instead, devices maintain an ARP cache (also called an ARP table): a short-term memory of recently learned IP-to-MAC mappings.
When an ARP Reply is received, the mapping is stored in the cache with a timer. On most systems, dynamic ARP cache entries expire after a few minutes (typically 2–20 minutes depending on the OS). Before that expiry, packets to that IP address are sent directly without triggering a new ARP Request.
You can view your ARP cache at any time. On Windows, run arp -a in Command Prompt. On macOS or Linux, run arp -n in Terminal. The output shows all current IP-to-MAC mappings, the interface they were learned on, and whether they are dynamic (learned via ARP) or static (manually configured and permanent).
Gratuitous ARP
A gratuitous ARP is an ARP Reply that a device sends without having received a corresponding ARP Request. It is an unsolicited announcement: "I am at this IP address and this MAC address — update your caches accordingly." Devices send gratuitous ARPs in several situations:
- When a device comes online for the first time, to populate caches on the local segment
- When a device's IP address changes, to update other devices' cached mappings
- When a network interface is brought up after being down
- In high-availability setups, when a standby server takes over a virtual IP from a failed primary
Gratuitous ARPs are an entirely normal and useful part of network operation. They also happen to be the mechanism that ARP spoofing exploits, since ARP has no way to verify whether a gratuitous ARP is legitimate or malicious.
ARP Spoofing: The Security Risk
ARP has no authentication. Any device on a local network segment can send an ARP Reply claiming to be any IP address. ARP spoofing (also called ARP poisoning) exploits this by having a malicious device send unsolicited ARP Replies that associate the attacker's MAC address with the IP address of another device — most commonly the default gateway.
Once victim devices update their ARP caches with the poisoned entry, they send all traffic intended for the gateway to the attacker's MAC address instead. The attacker receives the traffic, can read or modify it, and then forwards it to the real gateway so the connection appears to work normally. This is a man-in-the-middle attack. If the traffic is not encrypted (plain HTTP, for example), the attacker sees all of it.
Defenses include Dynamic ARP Inspection (DAI) on managed switches, which validates ARP packets against a trusted DHCP binding database and drops packets with mismatched mappings. Using encrypted protocols (HTTPS, SSH) limits the damage of a successful ARP spoof since the attacker can intercept the traffic but cannot read it. Static ARP entries for critical devices like gateways eliminate the vulnerability for those specific hosts but are impractical to maintain at scale.
IPv6's Replacement: Neighbor Discovery Protocol
IPv6 does not use ARP. Instead, it uses Neighbor Discovery Protocol (NDP), defined in RFC 4861 and operating through ICMPv6 messages. NDP performs the same address resolution function using Neighbor Solicitation (ICMPv6 Type 135) and Neighbor Advertisement (Type 136) messages. Rather than Ethernet broadcasts, NDP uses IPv6 multicast addresses, which are more efficient — only the device that owns the solicited IP address is in the relevant multicast group.
NDP also handles router discovery (finding the default gateway automatically), prefix advertisement (learning the subnet prefix for stateless address configuration), and Duplicate Address Detection (confirming a new IPv6 address is not already in use before claiming it). These are functions that required multiple separate protocols in IPv4. NDP includes some additional security provisions over ARP, and Secure Neighbor Discovery (SEND) adds cryptographic verification, though SEND has seen limited deployment.
Frequently Asked Questions
What does ARP stand for?
ARP stands for Address Resolution Protocol. It is defined in RFC 826 (1982) and operates at the boundary between the internet layer (Layer 3) and the link layer (Layer 2). Its purpose is to resolve an IPv4 address into the MAC address of the device that holds that IP on the local network segment.
What is a MAC address?
A MAC (Media Access Control) address is a 48-bit hardware identifier assigned to a network interface at manufacture, written as six pairs of hexadecimal digits like 00:1A:2B:3C:4D:5E. The first three bytes identify the manufacturer; the last three are unique to the device. MAC addresses are used for communication within a local network segment and are not routable across the internet.
How do I view my ARP cache?
On Windows, run arp -a in Command Prompt. On Mac or Linux, run arp -n in Terminal. The output lists IP addresses alongside their resolved MAC addresses and the network interface. Entries marked "dynamic" were learned through ARP; entries marked "static" were manually configured and do not expire.
What is ARP poisoning?
ARP poisoning (ARP spoofing) is an attack in which a malicious device sends unsolicited ARP Reply messages associating its own MAC address with another device's IP address — typically the default gateway. Devices that accept this update send traffic intended for the gateway to the attacker instead, enabling man-in-the-middle interception. Because ARP has no authentication, any device on the local network can send these spoofed replies.
Does IPv6 use ARP?
No. IPv6 replaces ARP with Neighbor Discovery Protocol (NDP), defined in RFC 4861. NDP uses ICMPv6 Neighbor Solicitation (Type 135) and Neighbor Advertisement (Type 136) messages to perform address resolution, using multicast rather than broadcast. NDP also handles router discovery and stateless address autoconfiguration.
What is a gratuitous ARP?
A gratuitous ARP is an ARP Reply sent by a device without having received an ARP Request — it announces its IP-to-MAC mapping unprompted. Devices send gratuitous ARPs when they come online or when their IP or MAC changes, so other devices update their caches immediately. This legitimate mechanism is also what ARP spoofing exploits, since ARP cannot distinguish a genuine gratuitous ARP from a malicious one.