Networking and Protocols

ARP

Local network protocol that maps IPv4 addresses to link layer addresses.

Where you will see it: Shows up in packet captures, network diagrams, firewall rules, and system or network logs.

What it is

ARP (Address Resolution Protocol) is used on IPv4 Ethernet networks to find the link layer address for an IP address on the same local network. IP routing decides the next hop IP. ARP finds the MAC address for that next hop so the frame can be delivered on the wire.

Key points
  • Uses broadcast requests and unicast replies on a LAN.
  • Hosts cache mappings for a while to avoid repeating lookups.
  • ARP is a common vector for spoofing and man-in-the-middle attacks on flat networks.

How it works in broad strokes

  1. A host wants to send an IP packet to a destination. If the destination is remote, the next hop is the default gateway.
  2. The host checks its ARP cache for the MAC address of the next hop IP.
  3. If missing, it broadcasts an ARP Request asking who has that IP address.
  4. The device that owns the IP replies with an ARP Reply containing its MAC address.
  5. The sender stores the mapping in its cache and sends the Ethernet frame to that MAC.
  6. Caches expire or are updated. Some devices also send gratuitous ARP to announce their own mapping, and ARP probes to check for address conflicts before using an IP.

Concrete example

Your laptop wants to reach a server on the Internet. It does not ARP for the server's IP. It ARPs for the default gateway's IP, learns the gateway's MAC, and then sends the packet to the gateway for routing.

Why it matters

Ethernet delivers frames to MAC addresses, but applications and IP routing use IP addresses. ARP bridges that gap inside a local broadcast domain.

Security angle

  • ARP is unauthenticated, so an attacker on the same LAN can poison caches with forged replies (and, on many stacks, forged requests) that claim another host's IP address.
  • Switch features like dynamic ARP inspection and DHCP snooping can reduce poisoning on managed networks.
  • Segmentation and limiting who shares a broadcast domain reduce the blast radius of ARP-based attacks.

Common pitfalls

  • Assuming ARP works across routers. ARP is local to a broadcast domain.
  • Stale cache entries can cause one-way connectivity or traffic going to the wrong host.
  • Duplicate IP addresses often show up as ARP flapping in logs.
  • Virtualization and failover can change MAC addresses quickly, confusing caches.
  • Blocking ARP breaks basic IPv4 communication on Ethernet.

DEEP DIVE

Why ARP exists on Ethernet networks

IP routing decides the next hop IP address, but Ethernet delivery requires a destination MAC address. On a local subnet, the next hop is often the final host itself. ARP exists to map an IPv4 address to a MAC address so a host can build an Ethernet frame that actually reaches the right machine.

This mapping is only meaningful on the local broadcast domain. If your destination IP is on another network, you do not ARP for the remote host. You ARP for your default gateway, because the gateway is the next hop on the local link. That single detail explains a lot of confusion when people expect ARP to reveal internet wide paths.

ARP is therefore a local discovery protocol. It is fast, noisy, and intentionally simple. It assumes that devices on a LAN can ask a broadcast question and that the right device will answer.

Step by step: how a host learns a MAC address

The host first checks its ARP cache. If it already has a fresh mapping for the target IP, it uses it immediately. If not, it sends an ARP request as a broadcast Ethernet frame that effectively asks: who has this IP, tell me your MAC.

Only the device that owns the IP should reply. It sends an ARP reply, usually unicast back to the requester, containing its MAC address. The requester stores the mapping in its ARP cache with an aging timer and then transmits the original IP packet inside an Ethernet frame addressed to that MAC.

Because ARP is cache driven, behavior can look strange during transitions. If a machine moves to a new NIC or a new switch port, caches can temporarily point to an old MAC. That is why many systems send gratuitous ARP messages to update neighbors when their mapping changes.
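The request and reply from the numbered steps above and from this section, as the raw frames a capture would show. This is an added example, not code from the original page; the MAC and IP addresses are constructed, and the field layout is the standard IPv4-over-Ethernet ARP format.

```python
"""Build and parse ARP-over-Ethernet frames.

Added example, not code from the page: it packs the 14-byte Ethernet header
and the 28-byte ARP body with struct, then produces the broadcast request and
unicast reply from the steps above plus a gratuitous announcement. All MAC and
IP addresses are constructed for illustration.
"""
import struct
from ipaddress import IPv4Address

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2

# Ethernet header: dst(6) src(6) ethertype(2).
ETH_HDR = struct.Struct("!6s6sH")
# ARP body: htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4).
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Return one Ethernet frame carrying one ARP packet.

    Unless eth_dst is given, requests go to the broadcast MAC and replies are
    unicast to the target MAC, which is how the exchange looks on the wire.
    """
    if eth_dst is None:
        eth_dst = ETH_BROADCAST if op == ARP_REQUEST else target_mac
    eth = ETH_HDR.pack(mac_to_bytes(eth_dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    body = ARP_BODY.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                         mac_to_bytes(sender_mac), IPv4Address(sender_ip).packed,
                         mac_to_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + body


def parse_arp(frame):
    """Decode a frame; raise ValueError unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not IPv4 over Ethernet")
    return {
        "eth_dst": bytes_to_mac(dst),
        "eth_src": bytes_to_mac(src),
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, op),
        "sender_mac": bytes_to_mac(sha),
        "sender_ip": str(IPv4Address(spa)),
        "target_mac": bytes_to_mac(tha),
        "target_ip": str(IPv4Address(tpa)),
        # A host announcing itself puts its own IP in both address fields.
        "gratuitous": spa == tpa,
    }


def resolve_exchange(requester_mac, requester_ip, owner_mac, owner_ip):
    """Steps 3 and 4: the broadcast 'who has owner_ip' and the unicast answer."""
    request = build_arp(ARP_REQUEST, requester_mac, requester_ip,
                        "00:00:00:00:00:00", owner_ip)
    reply = build_arp(ARP_REPLY, owner_mac, owner_ip, requester_mac, requester_ip)
    return request, reply


if __name__ == "__main__":
    req, rep = resolve_exchange("02:00:00:00:00:0a", "192.168.1.10",
                                "02:00:00:00:00:fe", "192.168.1.1")
    for frame in (req, rep):
        print(len(frame), "bytes:", parse_arp(frame))
    garp = build_arp(ARP_REPLY, "02:00:00:00:00:14", "192.168.1.20",
                     ETH_BROADCAST, "192.168.1.20")
    print("gratuitous:", parse_arp(garp)["gratuitous"])
```

The builder produces 42 bytes (14 + 28); on the wire the NIC pads to the 60-byte Ethernet minimum, so a capture shows 42 bytes on the sending host and 60 on a receiver. The request's target MAC is all zeros because it is the value being asked for, and the gratuitous announcement is recognised by sender IP equal to target IP, the same test a cache monitor would use to avoid flagging it.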

Caches, gratuitous ARP, and real network dynamics

ARP caches expire. Different operating systems use different timers, and some refresh entries when traffic flows. This is good because it lets the network adapt, but it also means silent failures can last until a cache times out and triggers a new request.

Gratuitous ARP is a message a host sends about itself without being asked: an ARP request or reply whose sender and target IP are both the host's own address. It announces a new or moved mapping so neighbors update their caches, and because it is broadcast it also refreshes the switch's MAC table with the port the host now sits on. Duplicate address detection uses a close cousin, the ARP probe (a request with an all-zero sender IP, RFC 5227), so that the probing host does not itself pollute anyone's cache. In high availability setups, a failover IP often relies on gratuitous ARP so that neighbors quickly send traffic to the new active machine.

From a troubleshooting view, ARP explains why a ping can fail first and then succeed. The first ping triggers ARP resolution. Once the MAC is learned, subsequent packets flow normally until the cache expires or the mapping changes again.

Security: ARP trusts the local network

ARP has no authentication. Most stacks update an existing cache entry from any ARP packet that carries a sender IP and MAC, whether or not they asked for it, which makes ARP spoofing possible. An attacker on the same LAN can claim to be the gateway, receive the victim's traffic, and forward it on so that nothing visibly breaks while they read or alter it.

Enterprise networks mitigate this with features like Dynamic ARP Inspection, DHCP snooping, and static bindings in sensitive segments. At a minimum, segmenting untrusted devices into separate VLANs reduces who can even participate in the same ARP broadcast domain.
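The two defenses named here and in the Security angle summary above, an IP-to-MAC change monitor and a binding-table check, written as detection logic over a constructed ARP feed. This is an added example, not code from the original page: the ArpMonitor class, the binding table, the addresses and the packet feed are all made up for illustration, and the binding table stands in for what a switch builds from DHCP snooping or static configuration.

```python
"""Detect ARP cache poisoning in a stream of ARP packets.

Added example, not code from the page. Two controls from the text in
software: an arpwatch-style monitor that alerts when an IP's MAC changes or a
reply arrives that no one asked for, and a Dynamic ARP Inspection style check
of every sender pair against a trusted binding table (what a switch builds
from DHCP snooping or static configuration). Addresses, bindings and the
packet feed are all constructed.
"""
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    ts: float
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    bindings: dict                                  # trusted ip -> mac
    seen: dict = field(default_factory=dict)        # ip -> mac learned from traffic
    outstanding: set = field(default_factory=set)   # (asked_ip, requester_mac)
    alerts: list = field(default_factory=list)      # (ts, kind, ip, mac)

    def _alert(self, p, kind):
        self.alerts.append((p.ts, kind, p.sender_ip, p.sender_mac))

    def process(self, p):
        if p.op == ARP_REQUEST:
            # Remember who asked for what so the matching reply counts as solicited.
            self.outstanding.add((p.target_ip, p.sender_mac))
        elif p.op == ARP_REPLY:
            key = (p.sender_ip, p.target_mac)
            if key in self.outstanding:
                self.outstanding.discard(key)
            elif p.sender_ip != p.target_ip:
                # Not an answer to any request and not a gratuitous self-announcement.
                # Many stacks still overwrite an existing cache entry with it.
                self._alert(p, "unsolicited_reply")
        # Requests carry a sender pair too, and receivers may cache it, so the
        # binding check covers every packet, as DAI does on untrusted ports.
        expected = self.bindings.get(p.sender_ip)
        if expected is not None and expected != p.sender_mac:
            self._alert(p, "binding_mismatch")
        previous = self.seen.get(p.sender_ip)
        if previous is not None and previous != p.sender_mac:
            self._alert(p, "mac_changed")
        self.seen[p.sender_ip] = p.sender_mac


def run_demo():
    """Replay a constructed LAN: a normal lookup, a gratuitous announcement, a poisoning attempt."""
    gw_ip, laptop_ip, server_ip = "192.168.1.1", "192.168.1.10", "192.168.1.20"
    gw_mac, laptop_mac, server_mac = "02:00:00:00:00:fe", "02:00:00:00:00:0a", "02:00:00:00:00:14"
    evil_mac = "02:00:00:00:00:99"
    zero, bcast = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"

    monitor = ArpMonitor(bindings={gw_ip: gw_mac, laptop_ip: laptop_mac, server_ip: server_mac})
    feed = [
        ArpPacket(0.000, ARP_REQUEST, laptop_mac, laptop_ip, zero, gw_ip),      # who has the gateway?
        ArpPacket(0.001, ARP_REPLY, gw_mac, gw_ip, laptop_mac, laptop_ip),      # solicited, matches binding
        ArpPacket(5.000, ARP_REPLY, server_mac, server_ip, bcast, server_ip),   # gratuitous, legitimate
        ArpPacket(30.00, ARP_REPLY, evil_mac, gw_ip, laptop_mac, laptop_ip),    # "I am the gateway"
        ArpPacket(30.01, ARP_REQUEST, evil_mac, gw_ip, zero, laptop_ip),        # same lie inside a request
    ]
    for packet in feed:
        monitor.process(packet)
    return monitor.alerts


if __name__ == "__main__":
    for ts, kind, ip, mac in run_demo():
        print(f"t={ts:6.3f} {kind:18} {ip} claimed by {mac}")
```

The legitimate gratuitous announcement produces no alert because sender and target IP match and the pair agrees with the binding table, while the forged reply trips all three checks at once. The forged request only trips the binding check, which is the point of validating requests as well: a monitor that looks at replies alone misses half the poisoning traffic.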

The important takeaway is that ARP is designed for cooperation, not hostility. If the local network is not trusted, you have to add controls outside ARP itself.