Understanding ARP
Address Resolution Protocol — A Beginner's Guide
How computers find each other on a local network
Covers: What ARP is | How it works | ARP Cache | Security Risks | Hands-on Lab
Networking Fundamentals Series
Understanding ARP Networking Fundamentals
Table of Contents
1. What is ARP?
2. IP vs MAC — Why Two Addresses?
3. How ARP Works Step-by-Step
4. The ARP Cache
5. ARP Packet Structure
6. Types of ARP
7. ARP Security Risks
8. Hands-On Lab: Watch ARP in Action
1. What is ARP?
ARP stands for Address Resolution Protocol. It is a fundamental networking protocol defined in RFC
826 (1982) that solves a simple but essential problem: how does a device on a local network find out the
physical address of another device when it only knows that device's logical address?
Analogy: Imagine you are at a party and you only know someone's name (IP address), but you need to
physically hand them a letter. You shout their name to the whole room and wait for them to raise their hand
(reply with their face — the MAC address). That is exactly what ARP does on a network.
Key Facts at a Glance
Property | Detail
Full name | Address Resolution Protocol
Defined in | RFC 826 (November 1982)
Layer | Operates between Layer 2 (Data Link) and Layer 3 (Network)
Purpose | Maps an IP address to a MAC address on a LAN
Scope | Local network only (does not cross routers)
Protocol number | EtherType 0x0806
2. IP vs MAC — Why Two Addresses?
To understand ARP, you first need to understand why two different types of addresses exist in networking.
Every device on a network has both an IP address and a MAC address, and each serves a different
purpose.
Attribute | IP Address | MAC Address
What it is | Logical / software address | Physical / hardware address
Example | [Link] | A4:C3:F0:85:AC:2D
Assigned by | Network admin / DHCP server | Manufacturer (burned in)
Can change? | Yes (dynamic or reconfigured) | No (permanent on NIC)
Used for | Routing across networks (Layer 3) | Delivery on local LAN (Layer 2)
Length | 32-bit (IPv4) / 128-bit (IPv6) | 48-bit (6 bytes)
Why can't we just use IP addresses for everything? IP addresses are great for routing traffic across the internet,
but when a packet finally arrives on your local network, the switch needs to know the PHYSICAL port to send it
out of. Switches work with MAC addresses, not IPs. ARP is the bridge between these two worlds.
3. How ARP Works — Step by Step
Let's walk through a real scenario. Your laptop ([Link]) wants to send data to a printer
([Link]) on the same network. Your laptop knows the printer's IP but does not know its MAC
address yet.
Step 1: Cache Check
Before sending any ARP message, your laptop first checks its own ARP cache (a local table). If it already
has an entry for [Link], it uses that and skips steps 2-4.
Step 2: ARP Request (Broadcast)
If no cache entry exists, your laptop creates an ARP Request packet and broadcasts it to every device on
the LAN. The destination MAC is FF:FF:FF:FF:FF:FF (broadcast). The message says: 'Who has IP [Link]?
Tell [Link]'
Step 3: All Devices Receive the Broadcast
Every device on the local network receives this broadcast. Each one inspects the target IP address. If it
does not match their own IP, they silently discard the packet.
Step 4: ARP Reply (Unicast)
The printer ([Link]) recognises its own IP and responds directly (unicast) to your laptop with an ARP
Reply: 'I have [Link]! My MAC is B8:27:EB:12:34:56'
Step 5: Cache Update
Your laptop stores the IP-to-MAC mapping in its ARP cache for future use (typically cached for a few
minutes). No more broadcasts needed for subsequent packets to the printer.
Step 6: Data Sent
Now your laptop can wrap the data in an Ethernet frame addressed to the printer's MAC address and send
it. The switch delivers it to the correct port.
4. The ARP Cache
The ARP cache (also called the ARP table) is a short-term memory table stored in RAM on every
networked device. It maps IP addresses to MAC addresses so that ARP broadcasts are not needed for
every single packet.
Viewing the ARP Cache
Windows:
arp -a
Linux/macOS:
arp -n OR ip neigh show
Sample ARP Table Output
Internet Address Physical Address Type
[Link] a4:c3:f0:85:ac:2d dynamic
[Link] b8:27:eb:12:34:56 dynamic
[Link] ff:ff:ff:ff:ff:ff static
ARP Entry Types
Type | Description | Expires?
Dynamic | Learned via ARP request/reply. Most entries are this type. | Yes (1–20 min typically)
Static | Manually added by an admin. Cannot be altered by ARP traffic. | No (permanent)
Incomplete | ARP request was sent but no reply received yet. | After a short timeout
5. ARP Packet Structure
An ARP packet is 28 bytes long (for Ethernet + IPv4). Understanding its fields helps you read packet
captures in tools like Wireshark.
Field | Size | Value / Meaning
Hardware Type | 2 bytes | 1 = Ethernet
Protocol Type | 2 bytes | 0x0800 = IPv4
Hardware Addr Length | 1 byte | 6 (MAC is 6 bytes)
Protocol Addr Length | 1 byte | 4 (IPv4 is 4 bytes)
Operation (Opcode) | 2 bytes | 1 = Request, 2 = Reply
Sender MAC Address | 6 bytes | MAC of the device sending the ARP
Sender IP Address | 4 bytes | IP of the device sending the ARP
Target MAC Address | 6 bytes | FF:FF:FF:FF:FF:FF (Request) / Real MAC (Reply)
Target IP Address | 4 bytes | IP being looked up
In Wireshark, you can filter ARP traffic with the display filter: arp
To see only ARP requests: [Link] == 1
To see only ARP replies: [Link] == 2
This is very useful when troubleshooting duplicate IP address warnings.
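The 28-byte layout from the field table, applied to the printer's reply from Step 4 of section 3, as an added Python example that is not part of the original guide. The IP addresses 192.168.1.10 and 192.168.1.50 and the laptop MAC 02:00:00:aa:bb:01 are constructed placeholders; the printer MAC is the one the guide uses.

```python
import socket
import struct

# Field order and sizes follow the table above: 2+2+1+1+2+6+4+6+4 = 28 bytes.
ARP_LAYOUT = struct.Struct("!HHBBH6s4s6s4s")
OPCODES = {1: "request", 2: "reply"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an Ethernet/IPv4 ARP payload (without the Ethernet header)."""
    return ARP_LAYOUT.pack(1, 0x0800, 6, 4, opcode,
                           mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                           mac_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(payload):
    """Decode an ARP payload; reject anything that is not Ethernet + IPv4 ARP."""
    if len(payload) < ARP_LAYOUT.size:
        raise ValueError(f"truncated ARP payload: {len(payload)} bytes")
    # Short Ethernet frames are padded, so ignore bytes after the first 28.
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_LAYOUT.unpack(
        payload[:ARP_LAYOUT.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in OPCODES:
        raise ValueError(f"unsupported opcode {op}")
    sender_ip, target_ip = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    return {
        "operation": OPCODES[op],
        "sender_mac": mac_text(sha), "sender_ip": sender_ip,
        "target_mac": mac_text(tha), "target_ip": target_ip,
        # Gratuitous ARP (section 6): the sender names its own IP as the target.
        "gratuitous": sender_ip == target_ip,
    }


# Constructed sample: the Step 4 reply followed by 18 bytes of frame padding.
REPLY = build_arp(2, "b8:27:eb:12:34:56", "192.168.1.50",
                  "02:00:00:aa:bb:01", "192.168.1.10") + bytes(18)

if __name__ == "__main__":
    print(parse_arp(REPLY))
```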
6. Types of ARP
Standard ARP: The classic request/reply process described above. A device asks who owns a specific IP,
and that device responds with its MAC address.
Gratuitous ARP (GARP): A device sends an ARP request for its OWN IP address. No one is expected to
reply. Used to: (1) announce a new IP/MAC mapping to the network, (2) detect IP conflicts (if someone
replies, there's a duplicate IP), and (3) update other devices' ARP caches after a failover event (e.g.
HSRP/VRRP switchover).
Proxy ARP: A router responds to ARP requests on behalf of devices that are on a different network
segment. The router essentially 'pretends' to be the target device so traffic is forwarded correctly.
Common in some VPN and NAT scenarios.
Reverse ARP (RARP): The opposite of ARP — a device knows its own MAC address but needs to find its IP
address. Now obsolete, replaced by BOOTP and then DHCP.
Inverse ARP (InARP): Used in Frame Relay and ATM networks. A device knows the remote DLCI/VCI
identifier but needs to find the corresponding IP address. Rarely seen today.
7. ARP Security Risks
ARP was designed in 1982 with no built-in security or authentication. Any device on the LAN can send
fake ARP packets and the network will believe them. This has led to several well-known attacks.
ARP Spoofing / Poisoning: An attacker sends fake ARP Replies to associate their MAC address with a
legitimate IP (e.g. the gateway). Victims update their ARP cache with the attacker's MAC. All traffic meant
for the gateway now goes to the attacker's machine instead.
Impact: Man-in-the-Middle, eavesdropping, traffic interception
ARP Cache Poisoning: Similar to spoofing but specifically targets the ARP cache of devices. The attacker
continuously sends spoofed Gratuitous ARPs to keep the cache entries poisoned.
Impact: Persistent interception, credential theft
ARP Flooding / DoS: An attacker sends thousands of ARP requests, overwhelming the network and CPU of
devices that must process each one. Can cause network slowness or device crashes.
Impact: Denial of Service (DoS)
MAC Spoofing: Combined with ARP manipulation, an attacker changes their NIC MAC address to
impersonate another device on the network.
Impact: Bypassing MAC-based access control
Defences Against ARP Attacks
• Dynamic ARP Inspection (DAI) on managed switches validates ARP packets against a DHCP
snooping binding table.
• Static ARP entries for critical devices (default gateway) prevent poisoning of those entries.
• VLAN segmentation limits the blast radius of any ARP-based attack to a single VLAN.
• 802.1X port authentication ensures only authorised devices can send traffic.
• Network monitoring tools (Wireshark, Arpwatch) can detect unusual ARP activity.
• HTTPS and TLS encryption means that even if traffic is intercepted via ARP poisoning, it cannot be
read.
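The monitoring defence in the list above can be approximated by comparing a known-good ARP table snapshot with a later one. This is an added Python example, not part of the original guide; the function names, the sample `ip neigh show` lines and the MAC 02:00:00:de:ad:01 are constructed for illustration.

```python
from collections import defaultdict


def parse_ip_neigh(text):
    """Return {ip: mac} from `ip neigh show` output, skipping unresolved entries."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:      # FAILED / INCOMPLETE rows carry no MAC
            continue
        table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table


def find_anomalies(baseline, current):
    """Compare a trusted snapshot with a later one and list suspicious bindings."""
    findings = []
    # An IP whose MAC differs from the trusted snapshot may have been poisoned.
    for ip, mac in sorted(current.items()):
        known = baseline.get(ip)
        if known and known != mac:
            findings.append(f"{ip} changed from {known} to {mac}")
    # One MAC answering for several IPs is typical of a host posing as the gateway.
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return findings


# Constructed snapshots: a clean table, then one where the gateway entry was replaced.
BASELINE = """\
192.168.1.1 dev eth0 lladdr a4:c3:f0:85:ac:2d REACHABLE
192.168.1.50 dev eth0 lladdr b8:27:eb:12:34:56 STALE
"""
LATER = """\
192.168.1.1 dev eth0 lladdr 02:00:00:de:ad:01 REACHABLE
192.168.1.50 dev eth0 lladdr b8:27:eb:12:34:56 STALE
192.168.1.66 dev eth0 lladdr 02:00:00:de:ad:01 REACHABLE
192.168.1.77 dev eth0  FAILED
"""

if __name__ == "__main__":
    for finding in find_anomalies(parse_ip_neigh(BASELINE), parse_ip_neigh(LATER)):
        print(finding)
```

A changed binding is not always an attack: a replaced NIC or an HSRP/VRRP failover announced by Gratuitous ARP produces the same finding, so treat each result as a lead to verify.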
8. Hands-On Lab: Watch ARP in Action
This beginner-friendly project uses only tools already installed on Windows or Linux. No extra software
required except Wireshark (free). Total time: approximately 15–20 minutes.
What You Will Learn
• How to view your current ARP cache
• How to clear and repopulate the ARP cache
• How to observe ARP request and reply packets live in Wireshark
• How to read an ARP packet's fields
Requirements
Item | Notes
A PC or laptop | Windows 10/11 or Linux (Ubuntu/Kali)
Connected to a LAN | WiFi or wired — must have other devices on same network
Wireshark | Free download: [Link] — install with default options
Admin/root access | Needed to clear ARP cache and capture packets
Lab Procedure
Step 1 — View Your Current ARP Cache
Open Command Prompt (Windows) or Terminal (Linux) as administrator.
Windows:
arp -a
Linux:
ip neigh show
You will see IP addresses and their corresponding MAC addresses. Note how many entries are already
there from recent network activity.
Step 2 — Clear the ARP Cache
Now delete all the current ARP entries so we can watch them rebuild.
Windows (Admin CMD):
netsh interface ip delete arpcache
Linux (root):
ip -s -s neigh flush all
Run arp -a again. The table should now be empty or nearly empty.
Step 3 — Start Capturing in Wireshark
Open Wireshark. Select your active network interface (e.g. Ethernet or Wi-Fi). In the display filter bar at the
top, type: arp and press Enter. Click the blue shark-fin 'Start' button to begin capturing.
Wireshark is now watching for all ARP packets on your network.
Step 4 — Generate ARP Traffic
In your Command Prompt / Terminal, ping a device on your network:
Windows/Linux:
ping [Link]
Replace [Link] with your default gateway IP (run ipconfig or ip route to find it). Before the ping can
send ICMP packets, your OS must first resolve the MAC address via ARP.
Step 5 — Observe the ARP Packets
Switch back to Wireshark. You should see ARP packets appear. Look for:
What to Look For | What It Means
Info column says "Who has [Link]? Tell 192.168.1.x" | This is the ARP Request broadcast from your machine
Info column says "[Link] is at xx:xx:xx:xx:xx:xx" | This is the ARP Reply from your gateway
Destination MAC = ff:ff:ff:ff:ff:ff | Confirms this is a broadcast (all devices receive it)
Opcode field = 1 | Confirms this is a Request packet
Opcode field = 2 | Confirms this is a Reply packet
Step 6 — Verify the ARP Cache Was Updated
Run arp -a (Windows) or ip neigh show (Linux) again. You should now see the gateway's IP and MAC
address in the table. Your OS learned this from the ARP Reply you just captured in Wireshark.
Congratulations — you just watched ARP work in real time!
Bonus challenge: Try pinging 5 different devices on your network, then view your ARP cache. You will see all 5
MAC addresses have been learned and cached. Wait 10 minutes and check again — some entries may have
expired.
Quick Reference Cheat Sheet
Command | OS | What It Does
arp -a | Windows | Show full ARP cache
arp -d * | Windows | Delete all ARP entries
arp -s [Link] AA:BB:CC:DD:EE:FF | Windows | Add a static ARP entry
ip neigh show | Linux | Show ARP/neighbour table
ip -s -s neigh flush all | Linux | Flush all ARP entries
ip neigh add [Link] lladdr AA:BB:CC dev eth0 nud permanent | Linux | Add permanent static entry
arping [Link] | Linux | Send ARP request (like ping but at Layer 2)
arp -n | macOS/Linux | Show ARP table (no DNS lookup)
Key Terms Glossary
ARP: Address Resolution Protocol — maps IP to MAC on a local network
MAC Address: Media Access Control — unique 48-bit hardware identifier on every NIC
IP Address: Internet Protocol address — logical Layer 3 address (IPv4 or IPv6)
Broadcast: A packet sent to all devices on a network (FF:FF:FF:FF:FF:FF)
Unicast: A packet sent to one specific device
ARP Cache: Local table storing recently resolved IP-to-MAC mappings
Gratuitous ARP: ARP request for one's own IP, used for announcements/conflict detection
ARP Spoofing: Attack that poisons ARP caches with false IP-to-MAC mappings
DAI: Dynamic ARP Inspection — switch feature that validates ARP packets
GARP: Gratuitous ARP — see above