ARP
Address Resolution Protocol
The protocol that maps IP addresses to MAC addresses on a local network, enabling Ethernet frames to reach the correct physical device.
ARP (Address Resolution Protocol) bridges Layer 3 (IP) and Layer 2 (Ethernet). IP knows which host a packet should go to next, but Ethernet needs a MAC address to deliver the frame to that host on the local network. ARP supplies the translation — mapping a 32-bit IPv4 address to the 48-bit MAC address the frame must carry, so that the switch can forward it to exactly the right port.
The ARP request/reply process
When device A wants to reach device B on the same subnet and doesn't know B's MAC address:
- A broadcasts an ARP request to the Ethernet broadcast address (FF:FF:FF:FF:FF:FF): "Who has 192.168.1.50? Tell 192.168.1.10."
- Every device on the subnet receives the broadcast. All but device B discard it.
- B sends a unicast ARP reply directly to A: "192.168.1.50 is at MAC aa:bb:cc:dd:ee:ff."
- A stores the IP-to-MAC mapping in its ARP cache and uses that MAC address for all subsequent frames to that IP.
ARP only operates within a single subnet. Traffic destined for another subnet goes to the default gateway, so the sender ARPs for the gateway's MAC, not the remote host's.
ARP cache and TTL
Every device maintains an ARP cache — a table of recently learned IP-to-MAC mappings. Entries are kept for a few minutes (typically 2–20 minutes depending on the OS) to avoid broadcasting on every packet. When an entry expires, the next packet to that IP triggers a fresh ARP request. You can view the current ARP table with arp -a on Windows, macOS, or Linux. The output shows each IP address, its resolved MAC, and the interface it was learned on. On Linux, ip neigh shows the same table with state information (REACHABLE, STALE, FAILED).
ARP message types
| Type | Direction | Purpose |
|---|---|---|
| ARP Request | Broadcast | Ask who holds a given IP address |
| ARP Reply | Unicast | Respond with the holder's MAC address |
| Gratuitous ARP | Broadcast | Announce own IP/MAC mapping unprompted |
| Proxy ARP | Unicast reply | Router answers on behalf of a remote host |
Gratuitous ARP
A gratuitous ARP is an unsolicited ARP reply that a device sends to announce its own IP-to-MAC mapping. It serves two purposes. First, IP conflict detection: when a device first claims an address, it broadcasts a gratuitous ARP for that IP. If any device replies, there is a conflict. Second, failover notification: in high-availability configurations, when a standby device takes over a virtual IP, it sends a gratuitous ARP to update all neighboring ARP caches immediately, redirecting traffic to the new hardware without waiting for cache entries to expire.
ARP in IPv6: Neighbor Discovery Protocol
IPv6 does not use ARP. It replaces ARP with the Neighbor Discovery Protocol (NDP), which is part of ICMPv6. NDP uses multicast rather than broadcast — a host joins a solicited-node multicast group based on its own address, so Neighbor Solicitation messages only reach the small set of devices that share the last 24 bits of the target address. This is more efficient than ARP's broadcast-to-all approach on large subnets. NDP also handles router discovery and SLAAC address autoconfiguration, consolidating several IPv4 protocols into one.
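The solicited-node group derivation described above, as an added example (not from the original page): it computes the NDP multicast group and its Ethernet multicast MAC for an IPv6 address, and shows that two addresses sharing their last 24 bits land in the same group. The function names and sample addresses are assumptions made here for illustration.

```python
import ipaddress

# Base of the solicited-node multicast range, ff02::1:ff00:0/104 (RFC 4291 2.7.1)
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node group: the base prefix with the low 24 bits of addr appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def same_group(a: str, b: str) -> bool:
    """True when a Neighbor Solicitation for a is also delivered to a host holding b,
    i.e. both addresses share their last 24 bits and therefore the same group."""
    return solicited_node_group(a) == solicited_node_group(b)


# Constructed sample addresses (documentation prefix 2001:db8::/32 and link-local)
SAMPLES = ["2001:db8::1", "2001:db8::aaaa:1234", "fe80::5678:aaaa:1234"]

if __name__ == "__main__":
    for ip in SAMPLES:
        grp = solicited_node_group(ip)
        print(f"{ip:28} -> {grp} ({multicast_mac(grp)})")
```

Two hosts that collide on the last 24 bits still receive each other's solicitations, which is why NDP compares the full target address after the frame arrives.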
ARP poisoning and spoofing attacks
ARP has no authentication mechanism — any device can send an unsolicited ARP reply claiming any IP-to-MAC mapping, and neighboring devices will update their caches accordingly. An attacker exploits this to insert themselves into communications between two hosts. The attack works in two steps: send a forged ARP reply to the victim claiming "the gateway's IP is at my MAC," and simultaneously send a forged ARP reply to the gateway claiming "the victim's IP is at my MAC." Both devices update their caches, and all traffic between them now flows through the attacker — a classic man-in-the-middle position. The attacker can read, modify, or drop the traffic silently.
Defenses against ARP attacks
Dynamic ARP Inspection (DAI) is the primary defense on managed switches. DAI validates ARP packets against a trusted DHCP snooping binding table — the switch knows which IP was assigned to which MAC on which port via DHCP, and drops ARP replies that contradict this. Static ARP entries for critical hosts (the default gateway, for example) prevent those entries from being poisoned, though they require manual maintenance. 802.1X port authentication ensures only authorized devices can connect to switch ports, so a rogue device never gets the chance to send forged ARP replies in the first place.
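The request/reply message layout from the earlier section and the DAI check described here, as one added example (not code from the original page or from any switch vendor): it decodes the 28-byte ARP body that follows the Ethernet header, then validates the sender fields against a DHCP snooping binding table the way DAI does. The binding table, port names, and the two sample ARP replies are constructed for illustration, not real captures.

```python
import struct
from collections import namedtuple

ARP_REPLY = 2
ArpMessage = namedtuple("ArpMessage", "opcode sender_mac sender_ip target_mac target_ip")

def parse_arp(body: bytes) -> ArpMessage:
    """Decode the 28-byte ARP body that follows the Ethernet header (RFC 826 layout)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpMessage(op, mac(sha), ip(spa), mac(tha), ip(tpa))

def inspect_arp(msg, port, bindings, trusted_ports):
    """DAI-style check: None means forward, otherwise the reason to drop.
    Sender fields are what neighbours cache, so they are checked against the
    DHCP snooping bindings; trusted (uplink) ports are exempt."""
    if port in trusted_ports:
        return None
    bound = bindings.get(msg.sender_ip)
    if bound is None:
        return f"no DHCP binding for sender IP {msg.sender_ip}"
    mac, bound_port = bound
    if mac != msg.sender_mac or bound_port != port:
        return (f"{msg.sender_ip} is bound to {mac} on {bound_port}, "
                f"but this message claims {msg.sender_mac} on {port}")
    return None

# Constructed DHCP snooping binding table: IP -> (MAC, switch port)
BINDINGS = {
    "192.168.1.1":  ("aa:bb:cc:dd:ee:01", "Gi0/1"),  # gateway behind the uplink
    "192.168.1.10": ("00:11:22:33:44:55", "Gi0/2"),
    "192.168.1.77": ("de:ad:be:ef:00:01", "Gi0/3"),
}
TRUSTED_PORTS = {"Gi0/1"}

# Constructed ARP reply bodies: a genuine one from .10, and one from Gi0/3 claiming the gateway IP
LEGIT_REPLY = bytes.fromhex("0001 0800 0604 0002 001122334455 c0a8010a aabbccddee01 c0a80101")
FORGED_REPLY = bytes.fromhex("0001 0800 0604 0002 deadbeef0001 c0a80101 001122334455 c0a8010a")

def run_samples():
    """Verdict per sample: None = forwarded, str = drop reason (what the switch would log)."""
    return {
        "legit": inspect_arp(parse_arp(LEGIT_REPLY), "Gi0/2", BINDINGS, TRUSTED_PORTS),
        "forged": inspect_arp(parse_arp(FORGED_REPLY), "Gi0/3", BINDINGS, TRUSTED_PORTS),
    }
```

The drop reason doubles as the detection signal: a real DAI deployment exports these events to syslog, and a burst of them naming the gateway IP from an access port is the poisoning attempt described in the previous section.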
Frequently Asked Questions
Why do devices need ARP?
IP operates at Layer 3 but Ethernet delivery requires Layer 2 MAC addresses. ARP bridges this gap — broadcasting "who has this IP?" and caching the MAC address response for future use.
What is the ARP table?
A local cache of IP-to-MAC mappings learned from ARP replies. Entries expire after a few minutes. View it with arp -a on Windows, macOS, or Linux.
What is ARP poisoning?
A man-in-the-middle attack that exploits ARP's lack of authentication. Forged ARP replies redirect traffic through the attacker's device. Mitigated by Dynamic ARP Inspection on managed switches.