
Your computer wants to send data to 192.168.1.50. It knows the IP address. But the network hardware that actually moves bytes across cables doesn't speak IP—it speaks MAC addresses. How does your computer find out which physical device owns that IP?

It shouts.

Address Resolution Protocol (ARP) is the mechanism behind that shout. It's how devices on a local network translate IP addresses into MAC addresses, bridging the gap between the logical addressing that applications use and the physical addressing that Ethernet requires.

The Problem ARP Solves

Networking operates in layers, and those layers speak different languages.

Applications and routing work with IP addresses—logical, hierarchical, and routable across the Internet. But Ethernet frames require MAC addresses—48-bit identifiers burned into network hardware at the factory.

When your computer builds an Ethernet frame destined for 192.168.1.50, it needs to fill in the destination MAC address field. Without that, the frame can't be built. Without the frame, nothing gets sent.

Your computer knows WHERE it wants to send data. The network hardware only knows WHO is connected. ARP is the conversation that bridges that gap, every time the mapping isn't already known.

How ARP Works

ARP is embarrassingly simple. That simplicity is both its strength and its weakness.

The Request: Your computer broadcasts an ARP request to every device on the local network using the special MAC address FF:FF:FF:FF:FF:FF. The message essentially says: "Who has 192.168.1.50? Tell 192.168.1.100."

Every device on the network segment receives this broadcast. Every device examines it. Only one device—the one actually configured with 192.168.1.50—responds.

The Reply: That device sends back an ARP reply directly to your computer: "I'm 192.168.1.50, and my MAC address is AA:BB:CC:DD:EE:FF." This reply is unicast, not broadcast, because your MAC address was included in the original request.

The Cache: Your computer stores this mapping in its ARP cache so it doesn't have to ask again. The cache entry typically expires after a few minutes—long enough to avoid constant broadcasts, short enough to adapt when things change.

That's it. Broadcast a question, receive an answer, cache the result. The entire Internet depends on this.
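The request and reply just described, laid out byte for byte as an added example (not code from the original article): it builds an Ethernet frame carrying an RFC 826 ARP packet, parses it back, and renders the "Who has ... ? Tell ..." question and its answer. The MAC addresses are constructed sample values.

```python
import struct
import ipaddress

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00"):
    """Ethernet header + 28-byte ARP packet (42 bytes; NICs pad to 60 on the wire).
    A request is broadcast and leaves the target MAC zeroed, because that is the
    unknown being asked for; a reply is unicast straight back to the requester."""
    dst = ETH_BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac_bytes(dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    return {
        "eth_dst": _mac_str(frame[0:6]), "eth_src": _mac_str(frame[6:12]),
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, op),
        "sender_mac": _mac_str(body[0:6]), "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": _mac_str(body[10:16]), "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def describe(frame: bytes) -> str:
    p = parse_arp(frame)
    if p["op"] == "request":
        return f'Who has {p["target_ip"]}? Tell {p["sender_ip"]}'
    return f'{p["sender_ip"]} is at {p["sender_mac"]}'
```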

Viewing Your ARP Cache

You can see these mappings right now:

  • Windows: arp -a
  • Linux: ip neighbor show or arp -n
  • macOS: arp -a

Each entry shows an IP address, the corresponding MAC address, and how the entry was learned. You're looking at your device's current understanding of which physical hardware owns which logical addresses on your network.

ARP Stays Local

Here's something crucial: ARP only works within a single network segment. It doesn't cross routers.

When you browse a website, your computer doesn't ARP for the web server's IP address—that server could be anywhere on the planet. Instead, your computer recognizes the destination is remote (not in its subnet) and ARPs for its default gateway.

Your computer then builds frames with:

  • Destination MAC: Your router's MAC address
  • Destination IP: The web server's IP address

The router receives the frame because the MAC matches, examines the IP address, and routes accordingly. At each hop across the Internet, new frames are built with new MAC addresses—but the IP addresses stay constant end-to-end.

MAC addresses are local. IP addresses are global. ARP bridges the gap at each local segment.

Gratuitous ARP

Sometimes devices announce their IP-to-MAC mapping without being asked. This is called gratuitous ARP—a device sending an ARP request for its own IP address.

Why would a device do this?

Detecting IP conflicts: When a device joins a network or changes its IP, it sends a gratuitous ARP. If something responds, two devices are claiming the same IP—that's a problem.

Updating caches after changes: If a device's network card is replaced (new MAC address, same IP), gratuitous ARP tells everyone to update their caches immediately rather than waiting for entries to expire.

Failover scenarios: When a backup server takes over for a failed primary, gratuitous ARP announces "I'm now handling this IP" so traffic flows to the right place.

The Trust Problem

ARP has a fundamental security flaw: it trusts everyone.

When your computer receives an ARP reply, it updates its cache. It doesn't verify that the reply came from the legitimate owner of that IP address. It doesn't check credentials. It just trusts the answer.

This creates ARP spoofing (also called ARP poisoning). An attacker sends fake ARP replies claiming "I'm 192.168.1.1" (your gateway) with their own MAC address. Your computer believes it, updates its cache, and starts sending Internet-bound traffic to the attacker.

The attacker can now:

  • Read your traffic (man-in-the-middle)
  • Modify your traffic in transit
  • Selectively drop traffic (denial of service)

This attack works because ARP was designed for a more innocent time—a time when everyone on a local network was assumed to be trustworthy.

Defending Against ARP Attacks

Static ARP entries for critical devices like gateways prevent those mappings from being poisoned. Your computer will ignore fake ARP replies for addresses with static entries. This works but doesn't scale.

Dynamic ARP Inspection (DAI) is a switch feature that validates ARP packets against a trusted database of IP-to-MAC bindings. It works with DHCP snooping, which builds the trusted database by watching DHCP assignments. Invalid ARP messages get dropped at the switch before they can poison anyone.

Network segmentation limits blast radius. Smaller broadcast domains mean fewer devices an attacker can poison from any single vantage point.

Encryption (TLS, IPsec) protects your data even if traffic gets redirected. The attacker sees the bytes but can't read or meaningfully modify them.

Proxy ARP

Proxy ARP lets a router answer ARP requests on behalf of devices on other networks.

Imagine a device with a misconfigured subnet mask that thinks a remote device is local. It sends an ARP request for that device's IP. Normally, nothing would answer—the device isn't on this segment.

With proxy ARP, the router responds with its own MAC address: "Send me traffic for that IP, and I'll route it where it needs to go."

This makes networks more forgiving of configuration errors, but it hides problems rather than fixing them. Modern networks generally disable proxy ARP in favor of correct configuration.

IPv6's Replacement: Neighbor Discovery

IPv6 replaces ARP with Neighbor Discovery Protocol (NDP). Same concept, better implementation.

NDP uses ICMPv6 messages instead of a separate protocol. Neighbor Solicitation replaces ARP requests. Neighbor Advertisement replaces ARP replies. The fundamental question—"what link-layer address corresponds to this network-layer address?"—remains identical.

The improvements:

Multicast instead of broadcast: NDP sends solicitations to a multicast group based on the target address, so only devices that might have that address need to process the message.

Security options: SEND (Secure Neighbor Discovery) uses cryptographic methods to authenticate messages, preventing the spoofing attacks that plague ARP.

Despite IPv6's improvements, the core concept survives: devices still need to resolve network addresses to hardware addresses. That problem doesn't go away—only the solution evolves.

Troubleshooting with ARP

ARP is a window into local network behavior:

Stale cache entries can cause connectivity problems. If a device's IP address moved to different hardware, your cache might point to the old MAC. Clearing the cache (arp -d followed by the address on most systems, ip neighbor flush all on Linux) forces fresh resolution.

Several IPs mapping to the same MAC might indicate a device with multiple IPs—or might indicate spoofing.

Incomplete entries mean your device sent an ARP request but never got a reply. The target is unreachable, powered off, or blocking ARP.

Unexpected MACs for known IPs warrant investigation. If your gateway's MAC address suddenly changes, either the hardware was replaced or someone is spoofing.
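The trust problem described earlier and the troubleshooting checks just listed, turned into a small cache audit as an added example (not from the original article): it parses Linux ip neighbor show output and flags incomplete entries, several IPs sharing one MAC, and a gateway MAC that differs from a recorded baseline. The cache text and the baseline MAC are constructed sample values, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample in `ip neighbor show` format (Linux); Windows/macOS `arp -a`
# prints a different layout and would need its own parser.
SAMPLE_CACHE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.77 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.200 dev eth0 FAILED
192.168.1.201 dev eth0 INCOMPLETE
"""

# Hypothetical baseline recorded earlier for the default gateway's real MAC.
GATEWAY_BASELINE = {"192.168.1.1": "aa:bb:cc:de:ad:01"}

# FAILED/INCOMPLETE lines carry no lladdr, so the MAC group is optional.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))? (?P<state>\S+)$"
)


def parse_neigh(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit(entries: list, baseline: dict) -> list:
    """Return (kind, subject, detail) findings. A shared MAC can be legitimate
    (one host with several addresses); a changed gateway MAC means either a
    hardware swap or poisoning and always deserves a look."""
    findings = []
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"] is None:
            findings.append(("incomplete", e["ip"], e["state"]))  # asked, never answered
            continue
        by_mac[e["mac"]].append(e["ip"])
        expected = baseline.get(e["ip"])
        if expected and expected != e["mac"]:
            findings.append(("gateway_mac_changed", e["ip"], e["mac"]))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared_mac", mac, sorted(ips)))
    return findings
```

Run audit(parse_neigh(SAMPLE_CACHE), GATEWAY_BASELINE) to see all three finding kinds on the sample.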

The Elegance and the Risk

ARP is a protocol from 1982 that still runs on virtually every local network on Earth. Its design is so simple that it fits in a few paragraphs. Its implementation is so lightweight that even the most constrained devices can participate.

But that simplicity comes from trust—trust that everyone on the local network is who they claim to be. In the modern world of hostile networks and sophisticated attackers, that trust is a liability.

The protocol persists because it works. The vulnerabilities persist because fixing them requires either cryptographic authentication (complex, heavyweight) or careful network design (DAI, segmentation, static entries). Most networks choose the latter.

Every packet you send to a local destination starts with an ARP exchange. Every packet you send to a remote destination starts with an ARP exchange to your gateway. The protocol is invisible when it works—and painfully visible when it doesn't.
