When data moves across a Local Area Network (LAN), the network needs a way to deliver it to the correct device. ARP is what makes this possible.
Address Resolution Protocol (ARP) maps an IP address to a device’s MAC address, allowing data to be delivered to the right hardware on the local network. At the data link layer, devices only recognize MAC addresses, which is why ARP is needed to link them together. It translates between the Network Layer (Layer 3) and the Data Link Layer (Layer 2) in the OSI Model, ensuring that devices on the same network can communicate with each other.
In simple terms, ARP acts as the bridge that allows devices on an IPv4 network to find and communicate with one another. ARP does this by broadcasting an ARP request. This message is sent across the network to ask: “Who has this IP address?”
When a device responds with an ARP reply, the result is stored in an ARP cache (or ARP table), allowing the network to deliver data between those devices more quickly from then on.
Keep reading to learn what ARP is in more detail, how ARP works, and why it is an essential part of the network stack.
What is ARP (Address Resolution Protocol)?
ARP is a translation protocol that allows a network to connect two different types of addresses. This ensures that data sent across a network, or internally between devices on the same network, reaches the correct device.
The important thing to remember is that while the internet and routers use public and private IP addresses to route traffic, Local Area Networks still need to convert IP address data into a Media Access Control address (MAC).
This can feel confusing when you first start learning about networking, because the private IP address feels like it should be enough for the router to send traffic back to individual devices on the network.
The reality is that Ethernet and wifi don’t deliver data using IP addresses. Instead, they rely on ARP to map an IP address to a MAC address so the data can be delivered correctly on the local network.
A MAC address is unique to the Network Interface Card (NIC) on a connected device. Every device on a network has a NIC, including laptops, desktop computers, tablets, smartphones, and smart home or IoT devices. This individuality is why the MAC is used to identify devices within a LAN.
Key takeaway: At the link level (the Data Link Layer), devices only recognize each other by their MAC addresses. This is why a private IP address alone is not enough to deliver data between devices on the same network.
How does ARP work? Address Resolution Protocol explained
When a device (such as a router, computer, or smartphone) wants to send data to another device on the same network, this is what happens:
- Device checks the ARP cache (aka ARP table). This table stores known relationships between IP addresses and MAC addresses. The cache helps speed up communication on a LAN and is maintained by each device on the network.
- ARP request. If the IP address is not in the ARP table, the device broadcasts a message to all devices on the network: “Who has the IP address 192.168.1.X?”
- MAC address response. Every device on the LAN receives the broadcast. The device that owns that IP address responds with its MAC address. All other devices ignore the request.
- Mapping is stored. When the ARP reply arrives, the originating device stores the IP-to-MAC mapping in its ARP cache.
From this point on, the device knows where to send data on the LAN without repeating the process. ARP is used again only when the entry expires, is cleared, or a new device appears on the network.
What information does an ARP message contain?
For ARP to successfully map an IP address to a MAC address, it includes a specific set of fields. I have included each of the fields in an ARP message below:
| ARP Field | What it means |
|---|---|
| Hardware type | Identifies the type of network technology being used (such as Ethernet). This ensures devices interpret the MAC address format correctly. |
| Protocol type | Specifies the network protocol tied to the address, most commonly IPv4 in standard ARP operations. |
| Hardware length | Indicates the size (in bytes) of the MAC address used in the message. |
| Protocol length | Defines the length of the IP address included in the ARP packet. |
| Operation (opcode) | Shows whether the message is an ARP request (asking for a MAC address) or an ARP reply (providing one). |
| Sender hardware address | The MAC address of the device sending the ARP message. |
| Sender protocol address | The IP address of the device that initiated the ARP request or reply. |
| Target hardware address | The MAC address of the destination device. In an ARP request, this field is left unset (all zeros in practice) because the sender is trying to discover it. |
| Target protocol address | The IP address of the device being queried. This tells the network which device should respond. |
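To make the four-step exchange and the field layout above concrete, here is an added Python example (not code from the original article) that encodes and decodes Ethernet/IPv4 ARP packets, builds a request, and generates the reply that only the owner of the target IP would send. The constant values are the standard ones from RFC 826 and the IANA registry; the MAC and IP addresses in the demo are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Field values from RFC 826 and the IANA ARP parameter registry.
HTYPE_ETHERNET = 1        # Hardware type
PTYPE_IPV4 = 0x0800       # Protocol type
HLEN_ETHERNET = 6         # Hardware length: bytes in a MAC address
PLEN_IPV4 = 4             # Protocol length: bytes in an IPv4 address
OP_REQUEST = 1            # Operation: "Who has this IP address?"
OP_REPLY = 2              # Operation: "I do, and here is my MAC"
ETHERTYPE_ARP = 0x0806    # EtherType that marks an Ethernet payload as ARP
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
UNKNOWN_MAC = "00:00:00:00:00:00"   # target hardware address in a request

# Fixed header: htype, ptype, hlen, plen, opcode, all in network byte order.
ARP_HEADER = struct.Struct("!HHBBH")


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != HLEN_ETHERNET:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def encode(pkt: ArpPacket) -> bytes:
    """Serialise a packet into the 28-byte Ethernet/IPv4 ARP wire format."""
    return (
        ARP_HEADER.pack(HTYPE_ETHERNET, PTYPE_IPV4, HLEN_ETHERNET, PLEN_IPV4, pkt.opcode)
        + mac_to_bytes(pkt.sender_mac)
        + ipaddress.IPv4Address(pkt.sender_ip).packed
        + mac_to_bytes(pkt.target_mac)
        + ipaddress.IPv4Address(pkt.target_ip).packed
    )


def decode(data: bytes) -> ArpPacket:
    """Parse the wire format, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(data) < ARP_HEADER.size:
        raise ValueError("ARP header truncated")
    htype, ptype, hlen, plen, opcode = ARP_HEADER.unpack_from(data)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN_ETHERNET, PLEN_IPV4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if opcode not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unsupported opcode {opcode}")
    if len(data) < ARP_HEADER.size + 2 * (hlen + plen):
        raise ValueError("ARP body truncated")
    off = ARP_HEADER.size
    sender_mac = bytes_to_mac(data[off:off + hlen])
    off += hlen
    sender_ip = str(ipaddress.IPv4Address(data[off:off + plen]))
    off += plen
    target_mac = bytes_to_mac(data[off:off + hlen])
    off += hlen
    target_ip = str(ipaddress.IPv4Address(data[off:off + plen]))
    return ArpPacket(opcode, sender_mac, sender_ip, target_mac, target_ip)


def build_request(sender_mac: str, sender_ip: str, target_ip: str) -> ArpPacket:
    """The asking host does not know the target MAC yet, so that field is all zeros."""
    return ArpPacket(OP_REQUEST, sender_mac, sender_ip, UNKNOWN_MAC, target_ip)


def answer_request(request: ArpPacket, my_mac: str, my_ip: str):
    """Only the owner of the target IP replies; every other host returns None (ignores it)."""
    if request.opcode != OP_REQUEST or request.target_ip != my_ip:
        return None
    # The reply swaps the roles: the asker becomes the target and gets a unicast answer.
    return ArpPacket(OP_REPLY, my_mac, my_ip, request.sender_mac, request.sender_ip)


def ethernet_frame(dst_mac: str, src_mac: str, payload: bytes) -> bytes:
    """Wrap an ARP packet in a 14-byte Ethernet II header; requests go to the broadcast MAC."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + payload


def unwrap_ethernet(frame: bytes) -> bytes:
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    return frame[14:]


if __name__ == "__main__":
    req = build_request("aa:bb:cc:00:00:10", "192.168.1.10", "192.168.1.20")
    frame = ethernet_frame(BROADCAST_MAC, req.sender_mac, encode(req))
    print(len(frame), "bytes on the wire:", decode(unwrap_ethernet(frame)))
    print("owner replies with:", answer_request(req, "aa:bb:cc:00:00:20", "192.168.1.20"))
```

Note that the decoder checks the hardware and protocol length fields before trusting the offsets it computes from them; a parser that takes those lengths at face value from an untrusted frame is a classic source of out-of-bounds reads.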
What is an ARP Cache Timeout?
Once an ARP message has linked an IP address to a MAC address, each device stores that information in its ARP cache. This speeds up communication between devices on the network.
However, the ARP table doesn’t store this information indefinitely. Each IP-to-MAC mapping will eventually expire. This is known as an ARP cache timeout.
When this happens, ARP must be used again to broadcast a new ARP request to the network, allowing the process to start over.
Why does the ARP cache time out so quickly?
An ARP table is constantly being updated, which means that ARP messages are being sent more often than you might realize. The primary reason for this is that networks are dynamic. Devices can join or leave, and IP-to-MAC mappings can change over time.
To ensure that data is always delivered to the correct hardware within a LAN, entries in the ARP cache expire and are removed after a few minutes if they are not used. In other words, the cache only keeps mappings between devices that have recently communicated with each other.
If devices stop communicating for a period of time (usually just a few minutes), the mapping is cleared. This ensures that a new ARP request is sent when communication resumes, allowing the network to maintain an up-to-date, accurate mapping between devices.
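The expire-if-unused behaviour described in this section can be modelled in a few dozen lines. The following is an added Python example, not code from the original article: an ARP cache whose entries are refreshed on use and dropped once idle longer than a timeout. The 120-second timeout and the fake clock are assumptions for the demonstration; real operating systems use their own timers and more elaborate neighbour states.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed timeout for the example; the article says "a few minutes" and real stacks differ.
DEFAULT_TIMEOUT_SECONDS = 120.0


@dataclass
class CacheEntry:
    mac: str
    last_used: float   # clock reading when this mapping was last used to send data


@dataclass
class ArpCache:
    timeout: float = DEFAULT_TIMEOUT_SECONDS
    clock: Callable[[], float] = time.monotonic
    entries: Dict[str, CacheEntry] = field(default_factory=dict)
    requests_sent: List[str] = field(default_factory=list)   # IPs we had to broadcast for

    def learn(self, ip: str, mac: str) -> None:
        """An ARP reply arrived: store (or overwrite) the mapping."""
        self.entries[ip] = CacheEntry(mac, self.clock())

    def resolve(self, ip: str) -> Optional[str]:
        """Look up a MAC before sending. A hit refreshes the entry; a miss or an
        expired entry records that an ARP request must be broadcast and returns None."""
        now = self.clock()
        entry = self.entries.get(ip)
        if entry is not None and now - entry.last_used <= self.timeout:
            entry.last_used = now
            return entry.mac
        if entry is not None:
            del self.entries[ip]           # timed out: forget the stale mapping
        self.requests_sent.append(ip)      # "Who has ip?" goes on the wire
        return None

    def purge_expired(self) -> int:
        """Housekeeping pass: drop every mapping unused for longer than the timeout."""
        now = self.clock()
        stale = [ip for ip, e in self.entries.items() if now - e.last_used > self.timeout]
        for ip in stale:
            del self.entries[ip]
        return len(stale)


class FakeClock:
    """Constructed clock so the scenario runs instantly; use time.monotonic in real code."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def scenario() -> dict:
    """Walk through miss, learn, hit, refresh and timeout; returns the result of each step."""
    clk = FakeClock()
    cache = ArpCache(timeout=120.0, clock=clk)
    steps = {}
    steps["first_lookup"] = cache.resolve("192.168.1.20")     # miss: request goes out
    cache.learn("192.168.1.20", "aa:bb:cc:00:00:20")          # reply arrives
    steps["after_reply"] = cache.resolve("192.168.1.20")      # hit
    clk.advance(100)
    steps["t100"] = cache.resolve("192.168.1.20")             # 100 s idle: still fresh, refreshed
    clk.advance(100)
    steps["t200"] = cache.resolve("192.168.1.20")             # again 100 s since last use: hit
    clk.advance(121)
    steps["t321"] = cache.resolve("192.168.1.20")             # 121 s idle: expired, new request
    steps["requests_sent"] = list(cache.requests_sent)
    return steps


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The scenario shows why a busy host rarely has to re-ARP for its gateway: every use pushes the expiry forward, so only mappings that go quiet are dropped.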
Can ARP broadcast across the Internet?
No. ARP is a protocol that works locally within a LAN. Routers use IP addresses to route data across the Internet. These addresses allow data to be sent between networks.
ARP is only needed for the local hop, where an IP address must be mapped to a MAC address on the attached network (the link between Layer 3 and Layer 2 in the OSI Model). As a result, ARP messages never travel between different networks.
What are the different types of ARP? Why do they differ?
Standard ARP only works when a device knows the IP address it is looking for, and the target is on the same subnet. In the real world, networks are not all identical, and different network architectures may require variations of ARP or closely related protocols.
For example, larger organizations often split their networks into multiple subnets, which means a device may not be able to discover the MAC address of the destination directly. In these cases, ARP is used to resolve the router’s MAC address instead, and the router forwards the data to the destination IP.
In some cases, devices may also need to check for address conflicts, announce their presence, or discover missing information. These situations require different approaches to address resolution, which is where variations of ARP come in.
Proxy ARP
Proxy ARP is a version of ARP that allows a router to act on behalf of another device.
When a device sends an ARP request for an IP address that is not actually on the local network, Proxy ARP enables the router to respond with its own MAC address instead. This makes it appear as though the devices are on the same subnet, even though the traffic is actually being handled by the router.
This approach lets devices communicate across a larger network, even if they are technically located on different subnets of the same network.
Gratuitous ARP
Gratuitous ARP is a version of the protocol that sends ARP messages without being asked. In this case, a device broadcasts its IP-to-MAC mapping to the entire network.
This helps detect IP conflicts and ensures that other devices update their ARP cache with the correct information, allowing communication across the network to remain efficient.
Reverse ARP (RARP)
Reverse ARP (RARP) is an older ARP variant that was used in situations where a device knew its MAC address but did not know its own IP address. It sends a RARP request to a dedicated server, which responds with the correct IP address.
This protocol is now largely obsolete and only used in a few legacy systems. It was originally designed for devices that could not store their own network settings and needed a server to assign an IP address. In modern networks, DHCP performs this role automatically when devices connect.
Inverse ARP (InARP)
Inverse ARP (InARP) is similar to RARP, but is used to request another device’s IP address. It is used in specialized network environments where a device already has a connection to another device but does not know the other device’s IP address.
What are the security risks of ARP?
The primary risk of ARP is that it lacks built-in authentication: any device can send an ARP reply, and recipients have no way to verify it. This means that malicious devices can send false ARP messages to manipulate where traffic is delivered on the local network. ARP spoofing can allow attackers to redirect traffic, intercept data, or disrupt communication between devices.
What is ARP spoofing?
ARP spoofing (also known as ARP poisoning) is a type of attack where adversaries send forged ARP replies over the local network. This causes network-connected devices to associate the attacker’s MAC address with a legitimate IP address.
As ARP only operates within a local network, an attacker must have access to that network to carry out this attack. Hackers often gain this access by compromising a device within the network. However, it can also happen if an attacker connects directly to the target network, for example, by being given the wifi password as a guest.
A key risk of ARP spoofing is that it can act as a precursor to more serious attacks, including:
- Impersonation attacks (session hijacking). Attackers may hijack active sessions by stealing session identifiers, allowing them to impersonate users on websites or services.
- DoS attacks. Attackers can use their position within the network to overwhelm devices with excessive traffic. This causes disruption or denial-of-service (DoS) conditions.
- Man-in-the-middle (MITM) attacks. Attackers position themselves between two devices to monitor, intercept, or modify traffic.
What is a Man-in-the-Middle (MITM) attack?
A Man-in-the-Middle (MITM) attack occurs when an attacker intercepts data passing between two devices, either on a local network or over the internet. In the context of ARP spoofing, it involves monitoring or modifying data as it passes between devices on the same LAN.
MITM attacks can be used to steal sensitive information such as login credentials, session data, or private communications.
How to detect ARP spoofing
The most basic way to detect ARP spoofing is to check a device’s ARP cache. On most computers, you can open the command line and run the arp -a command to view current IP-to-MAC mappings.
If you notice multiple IP addresses linked to the same MAC address, or mappings that change unexpectedly, this can be a sign of suspicious activity. On larger networks, administrators often use tools such as Wireshark, Arpwatch, or XArp to spot unusual ARP traffic patterns.
It’s worth noting that this kind of behavior isn’t always malicious. For example, routers, proxy devices, and load balancers can legitimately map multiple IP addresses to a single MAC address. Because of this, unusual mappings should be investigated rather than treated as an attack immediately.
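The two signals described above (one MAC answering for several IPs, and a mapping that changes unexpectedly) can be checked automatically. The following is an added Python example, not code from the original article: it parses a snapshot of the local ARP table in the format printed by `ip neigh` on Linux, watches a sequence of observed ARP replies, and raises an alert for each pattern while allowlisting MACs that legitimately serve several IPs (routers, proxies, load balancers). The table snapshot, the reply sequence and all addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of what `ip neigh` prints on Linux (the ARP table for one interface).
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:aa:aa:aa:aa:01 REACHABLE
192.168.1.10 dev eth0 lladdr aa:aa:aa:aa:aa:10 STALE
192.168.1.20 dev eth0 lladdr aa:aa:aa:aa:aa:10 REACHABLE
192.168.1.30 dev eth0  FAILED
"""

# Constructed sequence of ARP replies seen on the wire, in arrival order.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),    # gateway answers as usual
    ("192.168.1.10", "aa:aa:aa:aa:aa:10"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),    # the gateway IP is suddenly claimed by another MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),   # and that MAC now also claims a host IP
    ("10.0.0.1", "aa:aa:aa:aa:aa:fe"),       # two virtual IPs on one load-balancer NIC
    ("10.0.0.2", "aa:aa:aa:aa:aa:fe"),       # (legitimate, so allowlisted below)
]

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)")


def parse_ip_neigh(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs; rows with no link-layer address (FAILED, INCOMPLETE) are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(3).lower()))
    return pairs


class ArpMonitor:
    """Tracks IP<->MAC claims and flags the two patterns the text describes."""

    def __init__(self, allowlisted_macs: Iterable[str] = ()) -> None:
        self.allowlisted_macs: Set[str] = {m.lower() for m in allowlisted_macs}
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[dict] = []

    def observe(self, ip: str, mac: str) -> None:
        mac = mac.lower()
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # A mapping that changes while no new device joined deserves a look.
            self.alerts.append({"kind": "mapping_changed", "ip": ip, "old": previous, "new": mac})
        self.ip_to_mac[ip] = mac
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(ip)
        grew = len(self.mac_to_ips[mac]) > before
        # One MAC answering for several IPs is the classic poisoning signature,
        # unless the MAC belongs to a known router, proxy or load balancer.
        if grew and len(self.mac_to_ips[mac]) > 1 and mac not in self.allowlisted_macs:
            self.alerts.append({"kind": "mac_claims_multiple_ips", "mac": mac,
                                "ips": sorted(self.mac_to_ips[mac])})


def scan(replies: Iterable[Tuple[str, str]], allowlisted_macs: Iterable[str] = ()) -> List[dict]:
    """Feed observations through a monitor and return the alerts it raised."""
    mon = ArpMonitor(allowlisted_macs)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_ARP_REPLIES, allowlisted_macs={"aa:aa:aa:aa:aa:fe"}):
        print("live traffic:", alert)
    for alert in scan(parse_ip_neigh(SAMPLE_IP_NEIGH)):
        print("table snapshot:", alert)
```

A single snapshot of the table can only reveal the "many IPs, one MAC" pattern; catching a mapping that flips requires watching replies over time, which is what tools such as Arpwatch do continuously. Keeping an allowlist of the MACs that are expected to answer for several addresses is what turns this from a noisy heuristic into something worth alerting on.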
How to prevent ARP spoofing
Network administrators use a combination of network controls and security practices to reduce the risk of ARP spoofing. These controls are usually implemented at the switch or network infrastructure level.
Dynamic ARP Inspection (DAI) validates ARP messages against trusted data, such as DHCP records. This allows administrators to block forged responses before they affect other devices on the network.
Static ARP entries can also be used to lock IP-to-MAC mappings in place. Because these mappings are fixed, they cannot be overwritten by malicious ARP replies. However, static entries are difficult to manage at scale, so they are typically only used in controlled environments.
Other measures include segmenting networks into smaller subnets, restricting access to network ports, and monitoring traffic for unusual behavior. These steps do not eliminate the risk, but they limit how far an attack can spread laterally.
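The decision logic behind Dynamic ARP Inspection and static entries can be illustrated in code. The following is an added Python example, not code from the original article or from any switch vendor: it models a switch port that checks every ARP packet's sender fields against a DHCP snooping binding table, lets static entries cover hosts that never use DHCP, bypasses inspection on trusted uplink ports, and applies a per-port rate limit so an ARP flood disables only the offending port. The binding table, port names, and the 15 packets-per-second limit are assumptions chosen to resemble common switch defaults.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

OP_REQUEST, OP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table: the data DAI treats as trusted."""
    vlan: int
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpEvent:
    """An ARP packet as the switch sees it: where it came in plus its sender fields."""
    ingress_port: str
    vlan: int
    opcode: int
    sender_mac: str
    sender_ip: str
    timestamp: float   # seconds; used only for the per-port rate limit


class ArpInspector:
    def __init__(self, bindings: Iterable[Binding], trusted_ports: Iterable[str],
                 static_entries: Iterable[Binding] = (), rate_limit_pps: int = 15) -> None:
        # Key bindings by (vlan, ip): the sender fields inside an ARP packet must match.
        self.bindings: Dict[Tuple[int, str], Binding] = {(b.vlan, b.ip): b for b in bindings}
        # Static entries stand in for an ARP ACL, covering hosts that never asked DHCP.
        for b in static_entries:
            self.bindings[(b.vlan, b.ip)] = b
        self.trusted_ports: Set[str] = set(trusted_ports)   # uplinks: not inspected
        self.rate_limit_pps = rate_limit_pps
        self.counters: Dict[Tuple[str, int], int] = defaultdict(int)   # (port, second) -> count
        self.errdisabled: Set[str] = set()

    def check(self, ev: ArpEvent) -> Tuple[str, str]:
        """Return ("forward" or "drop", reason) for one ARP packet."""
        if ev.ingress_port in self.errdisabled:
            return "drop", "port err-disabled after exceeding the ARP rate limit"
        if ev.ingress_port in self.trusted_ports:
            return "forward", "trusted port, not inspected"
        bucket = (ev.ingress_port, int(ev.timestamp))
        self.counters[bucket] += 1
        if self.counters[bucket] > self.rate_limit_pps:
            self.errdisabled.add(ev.ingress_port)   # a flood shuts one port, not the switch
            return "drop", "ARP rate limit exceeded, port err-disabled"
        binding = self.bindings.get((ev.vlan, ev.sender_ip))
        if binding is None:
            return "drop", "no binding for sender IP"
        if binding.mac.lower() != ev.sender_mac.lower():
            return "drop", "sender MAC does not match binding"
        if binding.port != ev.ingress_port:
            return "drop", "binding belongs to a different port"
        return "forward", "sender matches binding"


# Constructed bindings, as DHCP snooping would have learned them on VLAN 10.
BINDINGS = [
    Binding(10, "192.168.1.10", "aa:bb:cc:00:00:10", "Gi1/0/10"),
    Binding(10, "192.168.1.20", "aa:bb:cc:00:00:20", "Gi1/0/20"),
]
# A printer with a static address, entered by hand because it never uses DHCP.
STATIC = [Binding(10, "192.168.1.50", "aa:bb:cc:00:00:50", "Gi1/0/5")]
TRUSTED = {"Gi1/0/48"}   # uplink to the distribution switch


def demo() -> dict:
    """Run the inspector over constructed cases and return each verdict."""
    insp = ArpInspector(BINDINGS, TRUSTED, static_entries=STATIC)
    cases = {
        "genuine": ArpEvent("Gi1/0/10", 10, OP_REPLY, "aa:bb:cc:00:00:10", "192.168.1.10", 0.0),
        "printer": ArpEvent("Gi1/0/5", 10, OP_REQUEST, "aa:bb:cc:00:00:50", "192.168.1.50", 0.0),
        "forged_mac": ArpEvent("Gi1/0/20", 10, OP_REPLY, "aa:bb:cc:00:00:20", "192.168.1.10", 0.0),
        "wrong_port": ArpEvent("Gi1/0/20", 10, OP_REPLY, "aa:bb:cc:00:00:10", "192.168.1.10", 0.0),
        "unknown_ip": ArpEvent("Gi1/0/20", 10, OP_REPLY, "aa:bb:cc:00:00:99", "192.168.1.99", 0.0),
        "uplink": ArpEvent("Gi1/0/48", 10, OP_REPLY, "aa:bb:cc:00:00:99", "192.168.1.99", 0.0),
    }
    verdicts = {name: insp.check(ev) for name, ev in cases.items()}
    # 16 genuine packets from one port within the same second: the 16th trips the limit.
    burst = ArpEvent("Gi1/0/20", 10, OP_REPLY, "aa:bb:cc:00:00:20", "192.168.1.20", 5.0)
    verdicts["burst"] = [insp.check(burst)[0] for _ in range(16)]
    later = ArpEvent("Gi1/0/20", 10, OP_REPLY, "aa:bb:cc:00:00:20", "192.168.1.20", 9.0)
    verdicts["after_burst"] = insp.check(later)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two caveats follow directly from the model: the binding table only contains hosts that obtained their address via DHCP, so anything with a static address needs an explicit entry or it will be dropped (the "difficult to manage at scale" problem above), and marking a port as trusted switches inspection off entirely, so trust should be reserved for links to other inspecting switches.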
Use a VPN to protect against ARP spoofing
If you’re worried about ARP spoofing on public wifi networks, a VPN provides an effective layer of protection. A VPN encrypts your internet traffic, which means that even if an attacker intercepts your data, they will not be able to read sensitive information.
While a VPN does not prevent ARP spoofing itself, it significantly reduces the risk by protecting your data from being exposed. This makes it one of the simplest and most effective ways to stay secure on public wifi, where attacks such as ARP poisoning, MITM attacks, and rogue hotspots are more common. Learn more in our guide to using a VPN on public wifi.
ARP vs DHCP vs DNS. What’s the difference?
These protocols all play a role in how devices join a network, locate each other, and communicate with services, either locally or across the internet. However, ARP, DHCP, and DNS each serve a different purpose in that process.
- ARP (Address Resolution Protocol) links an IP address to a MAC address, allowing devices to communicate effectively over local networks.
- DHCP (Dynamic Host Configuration Protocol) assigns IP addresses and other network settings to devices when they connect.
- DNS (Domain Name System) translates human-readable domain names, such as websites, into IP addresses that devices use to connect to services.
What is Neighbor Discovery Protocol (NDP)?
ARP is used to map IP addresses to MAC addresses on IPv4 networks, but IPv6 does not use ARP for this task. This is where Neighbor Discovery Protocol (NDP) comes in. NDP allows devices on an IPv6 network to locate each other and communicate effectively. Like ARP, NDP works within the local network and does not transmit data across the Internet.
That said, NDP is more advanced than ARP. In addition to resolving link-layer addresses, it can also be used to discover nearby devices, identify routers, and support overall network connectivity.
ARP protocol explained: FAQs
Is ARP still used today?
Yes. ARP is still widely used on IPv4 networks to map IP addresses to MAC addresses. However, in IPv6 environments, it has been replaced by the Neighbor Discovery Protocol (NDP), which performs a similar role with additional features.
What happens if the ARP cache is wrong?
If a device stores an incorrect IP-to-MAC mapping, data can be sent to the wrong destination. This can cause connection issues, failed communication, or, in some cases, allow attackers to intercept traffic.
How long do ARP entries last?
ARP entries are stored temporarily in a device’s ARP cache and expire after a short period of time. This helps ensure that outdated mappings are removed and replaced with accurate information when devices communicate again.
Can ARP be used to detect duplicate IP addresses?
Yes. Techniques such as Gratuitous ARP allow devices to broadcast their IP-to-MAC mapping without being asked. This can help identify IP conflicts if another device responds or if duplicate mappings are detected on the network.