networking protocols

ARP (ARP)

arp protocols layer-2 mac-address
Plain English

IP addresses tell the network where data needs to go logically, but on a local network, devices actually communicate using hardware addresses called MAC addresses. ARP is the translator: when your computer needs to send data to 192.168.1.1, it broadcasts “Who has 192.168.1.1? Tell me your MAC address.” The device with that IP replies, and now your computer can deliver the data directly.

Technical Definition

Address Resolution Protocol (ARP), defined in RFC 826, resolves Layer 3 (IPv4) addresses to Layer 2 (MAC/Ethernet) addresses within a broadcast domain. ARP is essential for local network communication; devices must know the destination MAC address to construct an Ethernet frame.

ARP process:

  1. Host A wants to send to 192.168.1.1 but does not know its MAC address
  2. Host A broadcasts an ARP Request to ff:ff:ff:ff:ff:ff: “Who has 192.168.1.1?”
  3. The device with 192.168.1.1 sends a unicast ARP Reply: “192.168.1.1 is at aa:bb:cc:dd:ee:ff”
  4. Host A caches the mapping in its ARP table (typically 1-20 minute TTL)
  5. Host A constructs the Ethernet frame with the learned MAC address

ARP table: local cache of IP-to-MAC mappings. Avoids broadcasting for every packet. Entries expire after a timeout.

Security concern: ARP Spoofing/Poisoning: an attacker sends forged ARP replies, mapping a victim’s gateway IP to the attacker’s MAC address. All traffic intended for the gateway now flows through the attacker (man-in-the-middle). Mitigated by Dynamic ARP Inspection (DAI) on managed switches, which validates ARP packets against the DHCP snooping binding table.

Gratuitous ARP: a host announces its own IP-to-MAC mapping without being asked. Used after IP changes, NIC replacements, and for VRRP/HSRP failover to update switch MAC tables.

ARP table inspection 

# View ARP table (Linux)
$ ip neigh show
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.20 dev eth0 lladdr 11:22:33:44:55:66 STALE

# View ARP table (macOS/BSD)
$ arp -a
? (192.168.1.1) at aa:bb:cc:dd:ee:ff on en0 [ethernet]
? (192.168.1.20) at 11:22:33:44:55:66 on en0 [ethernet]

# Manually add a static ARP entry (prevent spoofing for critical hosts)
$ sudo arp -s 192.168.1.1 aa:bb:cc:dd:ee:ff

# Watch ARP traffic in real-time
$ sudo tcpdump -i eth0 arp -n
12:00:01 ARP, Request who-has 192.168.1.1 tell 192.168.1.10
12:00:01 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff
In the Wild

ARP runs silently on every IPv4 network. You rarely think about it until something breaks: “duplicate IP address detected” warnings, intermittent connectivity, or mysterious traffic redirection are all ARP-related problems. ARP spoofing is a common attack on shared networks (hotel Wi-Fi, conference networks) used to intercept traffic or redirect users to phishing pages. Enterprise switches mitigate this with Dynamic ARP Inspection (DAI) and DHCP snooping. In troubleshooting, checking the ARP table is a standard step when a device can ping its own subnet but cannot reach a specific host: if the ARP entry is missing or incorrect, that is the problem. IPv6 replaces ARP with Neighbor Discovery Protocol (NDP).

← Back to Dictionary