Networks are built on layers, and the invisible plumbing between those layers is what keeps packets flowing. At the boundary between the network layer and the link layer sits a deceptively simple, but critically important, mechanism: the address resolution protocol. When an IPv4 host needs to send a packet to another host on the same local network, it must know the destination’s MAC address. That mapping from an IP address to a MAC address is the primary job of the ARP protocol.
This post goes beyond the textbook definition. It explains how the Address Resolution Protocol (ARP) functions in real networks, how it’s implemented in operating systems and switches, the subtle failure modes that appear in production, and the practical steps network engineers and sysadmins use to troubleshoot and harden their environments against ARP attacks. Expect command examples, packet-level reasoning, and configuration tips you can use today.
The address resolution protocol is a protocol used in IPv4 networks to translate 32-bit IP addresses into 48-bit MAC (hardware) addresses. ARP operates at the boundary of OSI Layer 2 (Data Link) and Layer 3 (Network). The reason it exists is practical: Ethernet frames are delivered using MAC addresses, but applications, routing logic, and IP packets are all concerned with IP addresses. ARP bridges that gap.
Every time a host needs to send an IPv4 packet to another machine on the same local network segment and it doesn’t have the MAC address cached, it broadcasts an ARP request asking, “Who has IP X.X.X.X?” The host that owns that IP responds with an ARP reply containing its MAC address. The sender caches this mapping so future packets go straight to the right hardware address.
ARP underpins every local IPv4 conversation. Without a reliable mapping service, IP packets would never be encapsulated into Ethernet frames correctly, and trivial tasks like retrieving a web page on your LAN or sending a DHCP renewal would fail. ARP is often invisible during normal operations, but when it malfunctions or is manipulated, the effects are immediate and disruptive.
Key roles of ARP in networking include:
Because ARP traffic is so common and correct mappings are so essential, ARP is both a performance consideration (ARP cache size, timeout) and a security surface that attackers can exploit.
When Host A wants to send to Host B’s IP but does not know Host B’s MAC:
This mechanism keeps ARP simple, efficient, and compatible with Ethernet’s broadcast domain model.
ARP packets are small. The typical format contains fields for hardware type (Ethernet), protocol type (IPv4), hardware and protocol address lengths, an operation code (request or reply), and the sender and target addresses.
A request is always a broadcast (destination MAC ff:ff:ff:ff:ff:ff), so all nodes on the local link can see it. A reply is typically a unicast from the target to the requester. Some implementations also allow gratuitous ARP (explained below), where a host announces its IP-to-MAC mapping by broadcasting an ARP reply without a preceding request.
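To make the packet layout concrete, here is an added example (not code from the article) that serializes and decodes the 28-byte Ethernet/IPv4 ARP body described above and flags the gratuitous case, where the sender and target IP are the same. The field order and widths follow RFC 826; the sample addresses are constructed.

```python
import struct

# ARP body for Ethernet/IPv4 (RFC 826): htype(2) ptype(2) hlen(1) plen(1) oper(2),
# then sender MAC(6), sender IP(4), target MAC(6), target IP(4): 28 bytes in total
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"   # target MAC in a request: not yet known

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialize an Ethernet/IPv4 ARP body (the Ethernet header is not included)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(payload):
    """Decode an ARP body; reject truncated or non-Ethernet/IPv4 packets."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unsupported ARP opcode {op}")
    return {"op": "request" if op == OP_REQUEST else "reply",
            "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}

def is_gratuitous(arp):
    """Gratuitous ARP announces the sender's own binding: sender IP == target IP."""
    return arp["sender_ip"] == arp["target_ip"]
```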
Example ARP packet in Wireshark:
Every modern host maintains an ARP cache (or ARP table), a simple key-value store mapping IP addresses to MAC addresses. Caches speed up communications by avoiding a broadcast for every packet.
Typical cache behaviours:
You can view and manipulate ARP caches using OS tooling:
Example: ip neigh show output
192.0.2.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
Careful cache management reduces ARP churn and can mitigate some types of attacks when combined with other controls.
Ethernet and ARP are a natural pairing because Ethernet supports broadcast frames that ARP uses for discovery. On a switch-based LAN, ARP requests are limited to the originating VLAN; switches don’t forward ARP broadcasts between VLANs unless a router or bridge is configured to do so. For routing between subnets, ARP is used to find the MAC of the local router’s interface, not of the final destination.
ARP allows devices to build adjacency relationships dynamically. For example, when a host wants to talk to an outside IP, it ARPs for the gateway’s MAC address, then sends packets framed with that MAC. Routers, in turn, use ARP to forward to next hops on the outgoing interface.
Network appliances, load balancers, NAT devices, and firewalls also rely on ARP to bind virtual IPs to physical MACs and to accept traffic destined for shared IPs. This is where techniques like Gratuitous ARP and Proxy ARP come into play.
Without ARP caching and sensible timeouts, every packet would force a broadcast and increase latency. By caching mappings and scoping broadcasts, ARP helps conserve bandwidth and keeps local latency low. That said, misconfigured ARP cache timeouts or frequent IP changes can increase broadcast traffic, contribute to broadcast storms, and cause packet loss.
An ARP attack often refers to spoofing, where an attacker poisons ARP caches by sending forged ARP replies, associating the attacker’s MAC with the IP of another host (typically a gateway). This causes victims to send packets to the attacker instead of the legitimate host, enabling man-in-the-middle (MitM) interception, session hijacking, and data exfiltration.
The steps an attacker uses in a typical ARP spoofing scenario:
ARP cache poisoning is the result of accepting malicious ARP replies. Protecting against poisoning requires both network controls and host-level hardening:
In extreme cases, attackers can flood a switch or host with many spoofed ARP entries, causing ARP table exhaustion and exhausting switch CAM table memory. This can lead to degraded forwarding performance or fail-open behaviour where traffic is flooded to all ports, further weakening the network.
Mitigations include access control lists (ACLs), rate limiting ARP packets, and switch features that limit the number of MAC addresses on a port.
Proxy ARP allows a router to respond to ARP requests on behalf of another host. It’s useful in scenarios where a host believes its neighbour is on the same subnet, while it’s actually reachable via another router. While proxy ARP can simplify certain setups, it complicates troubleshooting and can introduce security concerns if misused.
Example use case: Legacy IP address migration where a router temporarily answers ARP for old IPs while traffic is translated.
Reverse ARP (RARP) is an older protocol used by diskless machines to discover their IP address by providing their MAC address to a RARP server. RARP has largely been superseded by DHCP, which offers far more control and features.
Inverse ARP (INARP) is a protocol used primarily in Frame Relay and other non-broadcast multi-access networks to dynamically discover the IP address associated with a virtual circuit. It’s less common in modern Ethernet-based LANs.
ARP resolves IP to MAC on a local link. DNS resolves human-readable domain names to IP addresses globally. They operate at different layers and solve different problems. ARP is local and immediate; DNS is hierarchical and global.
DHCP assigns IP addresses and network configuration to a host, while ARP maps those IP addresses to MAC addresses once they are in use. DHCP and ARP interact indirectly: DHCP manages IP lifecycle (which affects what ARP should return), and DHCP snooping provides the basis for switch-level ARP protections.
IPv6 replaces ARP with the Neighbor Discovery Protocol (NDP), which operates via ICMPv6 and provides richer functionality: duplicate address detection, address resolution, router discovery and prefix discovery. NDP addresses some limitations of ARP but also brings its own security concerns, which are handled via Secure Neighbor Discovery (SEND) and other mitigations.
ARP is intrinsic to IPv4; IPv6 uses NDP. In mixed environments, administrators must pay careful attention to both protocols. The practical reality is that legacy IPv4 systems persist, and many cloud or virtualized environments still rely on ARP for intra-tenant communications.
In SDN, the control plane is centralized. The controller can proactively program flows or respond to ARP requests on behalf of hosts, reducing broadcast traffic and speeding up resolution. SDN also allows for centralized ARP inspection and anomaly detection, which can enhance defenses against ARP-based attacks.
Virtual switches emulate ARP behaviour for virtual machines. Providers and hypervisors may implement optimizations like proxy ARP at the hypervisor level or ARP suppression to reduce broadcast storms when many VMs share an IP address space. Overlay networks (VXLAN, GRE) introduce additional mapping challenges because ARP resolution may need to happen across encapsulation boundaries.
If you suspect stale or poisoned entries, clearing the ARP cache helps:
Clearing caches is a diagnostic step, not a security fix. If an ARP attack is active, the entries will reappear.
Symptoms of ARP issues include intermittent connectivity, traffic appearing to be redirected, or an excessive number of ARP requests. Steps to diagnose:
Example tcpdump capture to see ARP:
sudo tcpdump -ni eth0 arp
Useful commands and tools:
These tools help you map behaviour to cause and remediate quickly.
Mitigation strategies:
Static ARP entries prevent hosts from accepting fraudulent ARP replies for a pinned IP. On Linux, for example:
sudo ip neigh add 192.0.2.1 lladdr 00:aa:bb:cc:dd:ee dev eth0 nud permanent
Static entries are best for routers, critical appliances, and management interfaces. They don’t scale well for large dynamic networks but are valuable for high-value assets.
Tools like ARPWatch and XArp monitor ARP traffic and alert on IP-MAC changes. Centralized logging and SIEM correlation can highlight suspicious patterns, e.g., multiple hosts seeing different MACs for the same IP, prompting immediate investigation.
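The kind of check such monitors perform can be reproduced in a few lines. The following is an added example (not from the article or from ARPWatch/XArp) that replays ARP reply lines in the format printed by the `tcpdump -ni eth0 arp` command shown earlier and reports every IP whose advertised MAC changes; the `pinned` argument, the line format, and the sample capture are assumptions, and the sample is constructed.

```python
import re

# Matches Reply lines from `tcpdump -ni eth0 arp` (no -e, so no Ethernet header is printed)
REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_reply(line):
    """Return (ip, mac) for an ARP reply line, or None for any other line."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower()

def watch_arp(lines, pinned=None):
    """Replay capture lines and report IP-to-MAC changes, arpwatch-style.

    pinned: optional {ip: mac} of known-good bindings (e.g. the gateway) that are
    trusted from the start instead of being learned from the first reply seen.
    Returns a list of (ip, old_mac, new_mac) alerts in capture order.
    """
    table = dict(pinned or {})
    alerts = []
    for line in lines:
        parsed = parse_reply(line)
        if parsed is None:
            continue
        ip, mac = parsed
        known = table.get(ip)
        if known is None:
            table[ip] = mac                    # first sighting: learn the binding
        elif known != mac:
            alerts.append((ip, known, mac))    # flip-flop: candidate cache poisoning
            table[ip] = mac                    # track the new claim so repeated flips show
    return alerts

# Constructed sample capture in the format of `tcpdump -ni eth0 arp`; the gateway
# 192.0.2.1 is first claimed by a second MAC and then re-announced by the real one
SAMPLE = """\
12:00:01.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
12:00:01.000150 ARP, Reply 192.0.2.1 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:05.200000 ARP, Reply 192.0.2.20 is-at 00:11:22:33:44:66, length 28
12:00:09.400000 ARP, Reply 192.0.2.1 is-at de:ad:be:ef:00:01, length 28
12:00:09.400200 ARP, Reply 192.0.2.1 is-at 00:aa:bb:cc:dd:ee, length 28
""".splitlines()

if __name__ == "__main__":
    for ip, old, new in watch_arp(SAMPLE, pinned={"192.0.2.1": "00:aa:bb:cc:dd:ee"}):
        print(f"ALERT: {ip} changed from {old} to {new}")
```

Pinning the gateway is what turns a "first MAC wins" heuristic into a real check: without it, a forged reply that arrives before the legitimate one would be learned as the baseline.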
IPv6’s NDP replaces ARP and includes additional features such as Router Advertisements and Duplicate Address Detection. NDP was designed to be more feature-rich, but it too faced security challenges that led to extensions like SEND. The long-term decline of ARP parallels IPv6 adoption, but ARP will remain with IPv4 for many years, especially within private enterprise networks and certain cloud deployments.
Emerging paradigms such as overlay networks, SDN, and service meshes alter how address resolution is performed. Controllers and hypervisors can centralize mappings, reduce broadcasts, and offer more resilient resolution mechanisms. Still, the basic need to map logical addresses to link-layer identifiers persists, so ARP’s conceptual model will remain instructive even as implementations evolve.
The address resolution protocol might be old, but it’s not obsolete. Its simplicity is both its strength and a source of fragility. In daily operations, ARP keeps LAN communications functional and fast. In hostile environments, the same simplicity exposes a vector for ARP attack tactics.
Network engineers must therefore treat ARP as a first-class operational concern: monitor mappings, protect critical endpoints, apply switch-level safeguards, and prefer encrypted application protocols to limit the impact of MitM attacks. When building new architectures, consider how ARP will interact with virtualization, SDN controllers, and cloud overlays.
The purpose of the Address Resolution Protocol is to map IPv4 addresses to link-layer (MAC) addresses so that Ethernet frames can be correctly addressed on a local network.
ARP translates an IP address that a host understands at Layer 3 into a MAC address required by Layer 2. Without this mapping, Ethernet frames cannot be delivered to the correct physical interface.
An ARP cache stores recent IP-to-MAC mappings to avoid the need for repeated broadcasts. It improves performance and reduces network load. However, stale or poisoned entries can cause connectivity and security issues.
Primary risks include ARP spoofing and ARP cache poisoning, which attackers use to intercept, modify, or redirect traffic on a local network. ARP table exhaustion is another attack vector that impacts switch performance.
Use switch features like Dynamic ARP Inspection, DHCP snooping, and port security. Consider static ARP entries for critical systems, monitor ARP traffic for anomalies, and rely on encrypted end-to-end protocols to protect data even if MitM occurs.
ARP resolves IP to MAC addresses for local delivery. DHCP assigns IP addresses and other network configuration data to hosts. They operate at different stages of host network configuration and operation.