Undergraduate Level

Address Resolution
Protocol (ARP)

Master the fundamental protocol that bridges Layer 3 (Network) and Layer 2 (Data Link) in TCP/IP networks. Learn how IP addresses are mapped to MAC addresses for local network communication.

RFC 826
Standard Defined
Layer 2.5
OSI Position
28 Bytes
Min Packet Size
0x0806
Ethertype

What is ARP?

Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address (MAC address) associated with a given internet layer address (IP address). It is a critical component of the TCP/IP protocol suite.

ARP operates at the boundary between Layer 2 (Data Link Layer) and Layer 3 (Network Layer) of the OSI model, often referred to as Layer 2.5.

Why ARP is Necessary:

  • Ethernet frames require MAC addresses for delivery, not IP addresses
  • IP addresses are logical and can change; MAC addresses are physical and fixed
  • Enables communication between devices on the same local network segment

ARP Cache Table Dynamic

IP Address MAC Address Type TTL
192.168.1.1 00:1A:2B:3C:4D:5E Dynamic 120s
192.168.1.105 00:5E:4D:3C:2B:1A Static Permanent
192.168.1.254 00:AA:BB:CC:DD:EE Dynamic 45s

ARP tables cache mappings to reduce network traffic. Dynamic entries expire (typically 2-20 minutes).

ARP Operation & Message Flow

Host A 192.168.1.10 AA:BB:CC:00:00:0A
Knows: 192.168.1.20
Needs: MAC of .20
ARP
Local Network (Broadcast Domain)
Host B 192.168.1.20 AA:BB:CC:00:00:14
Listening for ARP
Will respond with MAC

Click "Send ARP Request" to begin the address resolution process

ARP Request (Broadcast)

  • Sender broadcasts to MAC address FF:FF:FF:FF:FF:FF
  • Contains sender's IP and MAC (for reply routing)
  • Target MAC field set to 00:00:00:00:00:00
  • All hosts on LAN receive and process the request

ARP Reply (Unicast)

  • Only target host with matching IP responds
  • Sent directly to requester's MAC address (unicast)
  • Contains target's MAC address
  • Requester updates ARP cache with new mapping

ARP Packet Format

Ethernet Frame Structure

Destination MAC
6 bytes
Source MAC
6 bytes
Type
2 bytes
ARP Payload (28 bytes)
Hardware Type
2 bytes
Protocol Type
2 bytes
HW Addr Len
1 byte
Proto Addr Len
1 byte
Operation Code (Opcode)
2 bytes (1=Request, 2=Reply)
Sender MAC
6 bytes
Sender IP
4 bytes
Target MAC
6 bytes
Target IP
4 bytes
FCS
4 bytes

Field Details

Click on a field in the packet diagram to see detailed information.

Hardware Type 0x0001 (Ethernet)
Protocol Type 0x0800 (IPv4)
Hardware Length 6 (MAC address bytes)
Protocol Length 4 (IPv4 address bytes)
Operation 1=Request, 2=Reply

Example Hex Dump (ARP Request)

# Ethernet Header (14 bytes)
ff ff ff ff ff ff
# Destination: Broadcast
00 11 22 33 44 55
# Source: 00:11:22:33:44:55
08 06
# Type: ARP (0x0806)

# ARP Payload (28 bytes)
00 01
# Hardware Type: Ethernet
08 00
# Protocol Type: IPv4
06
# Hardware Length: 6
04
# Protocol Length: 4
00 01
# Opcode: 1 (Request)
00 11 22 33 44 55
# Sender MAC
c0 a8 01 0a
# Sender IP: 192.168.1.10
00 00 00 00 00 00
# Target MAC: unknown
c0 a8 01 14
# Target IP: 192.168.1.20

ARP Variants & Special Cases

Proxy ARP

Router responds to ARP requests on behalf of hosts on other networks.

Click to expand

Gratuitous ARP

Host broadcasts ARP request for its own IP address.

Click to expand

Reverse ARP

Obsolete protocol for diskless workstations to discover IP address.

Click to expand

Inverse ARP

Used in Frame Relay and ATM networks to map DLCI to IP.

Click to expand

ARP Cache Management

Dynamic Entries
  • • Learned via ARP protocol
  • • Subject to aging (typically 2-20 min)
  • • Removed if not refreshed
  • • Vulnerable to spoofing
Static Entries
  • • Manually configured
  • • Permanent until reboot
  • • Used for security critical hosts
  • • Bypass ARP protocol
Cache Commands
# View ARP table
arp -a
ip neigh

# Add static entry
arp -s 192.168.1.1 00:11:22:33:44:55

# Delete entry
arp -d 192.168.1.1

ARP Security & Vulnerabilities

ARP Spoofing / Poisoning

Attackers send forged ARP messages to associate their MAC address with the IP address of another host (default gateway), enabling Man-in-the-Middle attacks.

Attack Vector High Risk
  • • No authentication in ARP protocol
  • • Statelessness allows easy injection
  • • Local network attacks only

Mitigation Techniques

Static ARP Entries
Bind critical IPs to MACs manually
Dynamic ARP Inspection (DAI)
Switch validates ARP packets against DHCP snooping
ARP Spoofing Detection
Tools like arpwatch, XArp monitor tables
Security Feature Mechanism Effectiveness Impact
Static ARP Manual binding High High admin overhead
DAI Switch intercept/validate Very High Requires DHCP snooping
Private VLANs Isolate layer 2 Medium Limits communication
S-ARP / Cryptography Signed ARP replies Very High Not widely deployed

Interactive ARP Tools

ARP Scope Calculator

Determine if ARP is needed or if destination is local

MAC Address Converter

Convert MAC address formats and identify OUI

Key Takeaways for Students

  • ARP resolves Layer 3 (IP) addresses to Layer 2 (MAC) addresses for local network delivery
  • ARP requests are broadcast; replies are unicast
  • ARP tables cache entries to minimize broadcast traffic (aging 2-20 minutes)
  • Gratuitous ARP updates caches and detects IP conflicts
  • Proxy ARP enables routers to respond for remote networks
  • ARP is stateless and unauthenticated, making it vulnerable to spoofing