Reference notes.
ARP (Address Resolution Protocol) maps Layer 3 IP addresses to Layer 2 MAC addresses on a local network. When a device needs to send a frame to an IP on its subnet, it must first discover the destination’s MAC address.
How ARP Works
1. Device A wants to send to 192.168.1.5
2. A checks its ARP cache — no entry
3. A broadcasts: "Who has 192.168.1.5? Tell 192.168.1.1" (ARP Request)
→ Sent to ff:ff:ff:ff:ff:ff (broadcast MAC)
4. Device at 192.168.1.5 responds: "192.168.1.5 is at aa:bb:cc:dd:ee:ff" (ARP Reply)
→ Sent unicast back to A
5. A caches the mapping and sends the frame
ARP only works within a broadcast domain (same VLAN/subnet). For destinations on other subnets, the device ARPs for the default gateway’s MAC address instead, then the router handles forwarding at Layer 3.
ARP Cache
Every device maintains a table of recently resolved IP-to-MAC mappings.
```sh
# View ARP cache
arp -a                               # macOS, Linux, Windows
ip neigh show                        # Linux (modern)

# Clear a specific entry
arp -d 192.168.1.5                   # macOS, Linux
ip neigh del 192.168.1.5 dev eth0    # Linux
```
Cache entries typically expire after 1-20 minutes (OS-dependent) to accommodate MAC address changes.
ARP Packet Structure
| Field | Size | Description |
|---|---|---|
| Hardware type | 2 bytes | 1 = Ethernet |
| Protocol type | 2 bytes | 0x0800 = IPv4 |
| Hardware size | 1 byte | 6 (MAC address length) |
| Protocol size | 1 byte | 4 (IPv4 address length) |
| Opcode | 2 bytes | 1 = Request, 2 = Reply |
| Sender MAC | 6 bytes | Source hardware address |
| Sender IP | 4 bytes | Source protocol address |
| Target MAC | 6 bytes | Destination hardware address |
| Target IP | 4 bytes | Destination protocol address |
Special ARP Types
Gratuitous ARP
A device broadcasts an ARP reply for its own IP address, unsolicited. Used to:
- Announce presence on the network (e.g., after boot)
- Update other devices’ ARP caches after a MAC address change
- Detect IP conflicts (if someone else replies, there’s a conflict)
- Failover in high-availability setups — the new active node sends a gratuitous ARP so traffic switches to its MAC
Proxy ARP
A router answers ARP requests on behalf of devices on another subnet. Makes devices on different subnets appear to be on the same network. Generally discouraged — better to use proper routing and subnetting.
ARP Security
ARP Spoofing / Poisoning
ARP has no authentication. Any device can claim any IP-to-MAC mapping. An attacker sends forged ARP replies to associate their MAC with another device’s IP (typically the gateway), enabling:
- Man-in-the-middle — Intercept and inspect traffic between victim and gateway
- Denial of service — Route traffic to a non-existent MAC
- Session hijacking — Capture authentication tokens
Mitigations
- Dynamic ARP Inspection (DAI) — Switch validates ARP packets against a DHCP snooping binding table. Drops invalid ARP.
- Static ARP entries — Manually set critical mappings (gateway). Doesn’t scale.
- 802.1X — Port-based authentication prevents untrusted devices from connecting
- VPN/encryption — Renders intercepted traffic useless even if ARP is spoofed
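As an added example (not part of these notes), the packet layout from the table above packed and parsed with Python's struct module, followed by a DAI-style check that compares each packet's sender IP/MAC claim against a trusted binding table; the binding table, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import namedtuple
# Ethernet/IPv4 ARP payload in wire order, as in the field table: hardware type,
# protocol type, hardware size, protocol size, opcode, sender MAC/IP, target MAC/IP.
ARP_FMT = "!HHBBH6s4s6s4s"  # 28 bytes, big-endian
ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Pack one ARP payload; used here only to construct sample traffic."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(payload):
    """Decode an ARP payload, rejecting anything that is not Ethernet/IPv4."""
    size = struct.calcsize(ARP_FMT)
    if len(payload) < size:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return ArpPacket(op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip))

def inspect_arp(payloads, bindings):
    """DAI-style check: report packets whose sender IP/MAC claim contradicts the
    trusted binding table. Returns (sender_ip, expected_mac, claimed_mac, opcode)."""
    alerts = []
    for pkt in map(parse_arp, payloads):
        expected = bindings.get(pkt.sender_ip)
        if expected is not None and expected != pkt.sender_mac:
            alerts.append((pkt.sender_ip, expected, pkt.sender_mac, pkt.opcode))
    return alerts

# Constructed sample data: a binding table (what DHCP snooping would have learned)
# and three payloads, the last a forged reply rebinding the gateway IP to another MAC.
BINDINGS = {"192.168.1.1": "00:11:22:33:44:55", "192.168.1.5": "aa:bb:cc:dd:ee:ff"}
SAMPLE = [
    build_arp(1, "00:11:22:33:44:55", "192.168.1.1", "00:00:00:00:00:00", "192.168.1.5"),
    build_arp(2, "aa:bb:cc:dd:ee:ff", "192.168.1.5", "00:11:22:33:44:55", "192.168.1.1"),
    build_arp(2, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.5"),
]

if __name__ == "__main__":
    for ip, expected, claimed, op in inspect_arp(SAMPLE, BINDINGS):
        print(f"ARP opcode {op}: {ip} claimed by {claimed}, binding table says {expected}")
```

A real switch running DAI does the same comparison in hardware, using the DHCP snooping table as `bindings` and dropping the offending frame instead of reporting it.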
IPv6: NDP Replaces ARP
IPv6 does not use ARP. Instead, Neighbour Discovery Protocol (NDP) handles address resolution using ICMPv6:
- Neighbour Solicitation (NS) — Equivalent to ARP request (sent to solicited-node multicast, not broadcast)
- Neighbour Advertisement (NA) — Equivalent to ARP reply
- NDP also handles router discovery, SLAAC, and duplicate address detection
- SEND (Secure Neighbour Discovery) — Cryptographically signed NDP messages, though rarely deployed
See Also
- IP Addressing — The Layer 3 addresses that ARP resolves
- VLANs — ARP operates within a single VLAN/broadcast domain
- DHCP — DHCP snooping tables feed Dynamic ARP Inspection