Networking

ARP: Bridging IP Addresses and MAC Addresses

Introduction

IP addresses let routers direct traffic across the internet. But once a packet reaches the local network segment, IP alone is not enough. Ethernet frames need a MAC address (the hardware address of the interface) to reach the right device on that segment. ARP, the Address Resolution Protocol, is the glue between these two worlds. It answers a simple question: given an IPv4 address, what is the MAC address of the device that owns it? (IPv6 does the same job with Neighbor Discovery, which inherits the same trust problem described below.)

How ARP Works

ARP is straightforward. When a host needs to send a packet to an IP address on the same local subnet, it first checks its ARP cache, a small table mapping IP addresses to MAC addresses. If the mapping is there and still valid, it uses it. If not, it sends an ARP request.

An ARP request is broadcast to every device on the local network. It essentially asks: "Who has IP address X? Tell me your MAC address." The request also carries the sender's own IP and MAC, so the target knows where to answer. Every device receives this broadcast, but only the one that owns that IP address responds. It sends an ARP reply directly (unicast) back to the requester with its MAC address. The requester stores that mapping in its ARP cache and uses it to address future frames; the responder usually caches the requester's mapping too, since it will likely need it for the return traffic.

Host A  ->  ARP Request (broadcast): "Who has 192.168.1.10?"
Host B  ->  ARP Reply   (unicast):   "192.168.1.10 is at aa:bb:cc:dd:ee:ff"
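The exchange above, written out at the byte level as an added example (this is not code from the original post). It builds and parses raw Ethernet II + ARP frames with only the standard library, and includes a tiny host-side responder that answers a request only when the target IP is its own. The addresses are constructed, and the "gratuitous" flag anticipates the announcement form covered in a later section (sender IP equal to target IP).

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return an Ethernet II frame carrying an ARP packet in the RFC 826 layout.

    Requests go to the broadcast MAC; replies are unicast to the target MAC
    unless an explicit Ethernet destination is given.
    """
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Parse an Ethernet frame; return a dict for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 14 + 28:
        return None
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    pkt = {
        "eth_dst": bytes_to_mac(dst),
        "eth_src": bytes_to_mac(src),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }
    # A gratuitous ARP announces the sender's own mapping: sender IP == target IP.
    pkt["gratuitous"] = pkt["sender_ip"] == pkt["target_ip"]
    return pkt


def answer_request(frame, my_mac, my_ip):
    """Host-side responder: unicast a reply only if the request asks for our IP."""
    req = parse_arp(frame)
    if req is None or req["op"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


if __name__ == "__main__":
    # Constructed scenario: Host A (192.168.1.5) resolves Host B (192.168.1.10).
    request = build_arp(ARP_REQUEST, "11:22:33:44:55:66", "192.168.1.5",
                        ZERO_MAC, "192.168.1.10")
    reply = answer_request(request, "aa:bb:cc:dd:ee:ff", "192.168.1.10")
    print("request:", parse_arp(request))
    print("reply:  ", parse_arp(reply))
```

Note that nothing in `answer_request` checks who sent the request, and nothing in `parse_arp` can tell a genuine reply from a forged one: the frame carries no authenticator at all, which is the whole of the security problem discussed below.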

The ARP Cache

ARP entries do not live forever. They expire after a timeout, anywhere from tens of seconds to a few minutes depending on the operating system, and are refreshed the next time the mapping is needed. This dynamic nature is what makes ARP vulnerable to certain attacks: an existing entry can be overwritten by whatever reply arrives next, and most stacks do not require that reply to have been solicited.

On Windows, you can view the current ARP cache with arp -a. On Linux, the same command works if the net-tools package is installed, or you can use ip neigh (ip neigh show). The table shows IP addresses alongside their resolved MAC addresses and the state of each entry (for example REACHABLE, STALE or FAILED on Linux).
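A small model of the cache behaviour just described, added here as an example (not code from the original post). It keeps a timeout per entry, tracks which IPs have an outstanding request, and in strict mode ignores replies for IPs it never asked about, which is roughly what Linux does by default. The clock is injectable so expiry can be exercised without sleeping; all addresses are constructed.

```python
import time


class ArpCache:
    """Host ARP cache: ip -> (mac, time_learned), with a per-entry timeout.

    strict=True models stacks that ignore an unsolicited reply for an IP they
    have never resolved, but still accept one for an IP that is already cached.
    """

    def __init__(self, timeout=60.0, strict=True, clock=time.monotonic):
        self.timeout = timeout
        self.strict = strict
        self.clock = clock
        self.entries = {}
        self.pending = set()

    def lookup(self, ip):
        """Return the cached MAC, or None if absent or expired."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, learned = entry
        if self.clock() - learned > self.timeout:
            del self.entries[ip]
            return None
        return mac

    def request(self, ip):
        """Record that we broadcast a request for ip (the reply is now expected)."""
        self.pending.add(ip)

    def learn(self, sender_ip, sender_mac):
        """Process an ARP reply; returns True if the cache was updated."""
        if self.strict and sender_ip not in self.pending and sender_ip not in self.entries:
            return False  # unsolicited reply for an unknown IP: ignored
        self.entries[sender_ip] = (sender_mac, self.clock())
        self.pending.discard(sender_ip)
        return True

    def dump(self):
        """arp -a style view: list of (ip, mac, age_seconds)."""
        now = self.clock()
        return [(ip, mac, round(now - t, 1)) for ip, (mac, t) in sorted(self.entries.items())]


def poisoning_demo(clock_values):
    """Walk the cache through resolve -> poison -> expire; returns what the gateway resolved to."""
    it = iter(clock_values)
    cache = ArpCache(timeout=60.0, strict=True, clock=lambda: next(it))
    gateway, real_mac, attacker_mac = "192.168.1.1", "00:00:5e:00:01:01", "de:ad:be:ef:00:01"
    seen = []
    cache.request(gateway)
    cache.learn(gateway, real_mac)          # legitimate reply
    seen.append(cache.lookup(gateway))
    cache.learn(gateway, attacker_mac)      # unsolicited reply: entry already exists, so accepted
    seen.append(cache.lookup(gateway))
    seen.append(cache.lookup(gateway))      # later: entry has timed out
    return seen


if __name__ == "__main__":
    # Constructed clock: t=0 learn, t=1 lookup, t=2 poison, t=3 lookup, t=100 expired lookup
    print(poisoning_demo([0.0, 1.0, 2.0, 3.0, 100.0]))
```

The point of the strict mode is that it does not help against the most common attack: the gateway mapping is present in every host's cache almost all the time, so a forged reply for the gateway IP is accepted as an update to an existing entry.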

ARP and the Default Gateway

ARP only works within a local subnet. When a host needs to send traffic to a destination outside its subnet, it sends it to the default gateway instead. The host ARPs for the gateway's MAC address, wraps the packet in a frame addressed to the gateway, and lets the router handle the rest. From the IP packet's perspective, the source and destination IP addresses do not change as the packet crosses the network (NAT aside); only the layer 2 MAC addresses change at each hop, because each router re-encapsulates the packet in a new frame for the next segment.

ARP Spoofing

ARP has no authentication. Any device can send an ARP reply claiming any IP address. ARP spoofing takes advantage of this by sending unsolicited ARP replies (or requests, which are cached the same way) that poison the caches of other hosts on the network. An attacker can announce "I am the default gateway" to every host on a subnet, and "I am host X" to the gateway, so that traffic in both directions flows through their machine. With IP forwarding enabled on the attacker's box, the traffic is passed on and the victims notice nothing. This is a man-in-the-middle position.

From there, the attacker can passively intercept and read plaintext traffic, actively modify it before forwarding, or attempt further attacks like SSL stripping. Since ARP operates at layer 2, the interception itself works regardless of what the application does: encryption protects the content of a TLS session, not whether the frames carrying it pass through the attacker. What the attacker gets from encrypted traffic is metadata (who talks to whom, when, how much) and a position from which to attempt downgrades; reading or altering the content still requires defeating the encryption, which is why HSTS and certificate validation matter even on a "trusted" LAN.

Defense comes from dynamic ARP inspection (DAI) on managed switches, which validates ARP packets arriving on untrusted ports against a trusted database of IP-to-MAC-to-port bindings (usually built from DHCP snooping records, with static entries for hosts that do not use DHCP) and drops packets that do not match. Where DAI is not available, static ARP entries for the gateway on critical hosts and a monitor such as arpwatch that alerts when an IP's MAC changes are the usual fallbacks.
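The DAI check described above, reduced to its logic and run over a handful of constructed ARP packets, added here as an example (not code from the original post and not any vendor's implementation). It assumes a binding table in the shape DHCP snooping produces, (ip, mac, port), and a set of trusted uplink ports; the sender-MAC consistency and invalid-IP checks are modelled on the optional validations some switches offer. The port names and addresses are made up.

```python
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    port: str        # switch port the frame arrived on
    eth_src: str     # Ethernet source MAC
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class DynamicArpInspector:
    """Permit/drop decision for ARP frames, in the style of switch DAI."""

    def __init__(self, bindings, trusted_ports):
        # bindings: iterable of (ip, mac, port) as learned by DHCP snooping or configured statically
        self.bindings = {(ip, mac.lower(), port) for ip, mac, port in bindings}
        self.trusted = set(trusted_ports)
        self.log = []  # (port, sender_ip, sender_mac, reason) for every drop

    def _drop(self, pkt, reason):
        self.log.append((pkt.port, pkt.sender_ip, pkt.sender_mac, reason))
        return "drop"

    def inspect(self, pkt):
        if pkt.port in self.trusted:
            return "permit"  # uplinks and router ports are not inspected
        # Sender-MAC check: the ARP body must agree with the Ethernet header.
        if pkt.eth_src.lower() != pkt.sender_mac.lower():
            return self._drop(pkt, "ethernet source != ARP sender MAC")
        # IP sanity check: nobody legitimately claims these as a sender address.
        first = int(pkt.sender_ip.split(".")[0])
        if pkt.sender_ip in ("0.0.0.0", "255.255.255.255") or 224 <= first <= 255:
            return self._drop(pkt, "invalid sender IP")
        # Core check: (sender IP, sender MAC, ingress port) must be a known binding.
        if (pkt.sender_ip, pkt.sender_mac.lower(), pkt.port) not in self.bindings:
            return self._drop(pkt, "no matching snooping binding")
        return "permit"


def run_sample():
    """Run the inspector over constructed traffic; returns (port, sender_ip, verdict) per packet."""
    bindings = [
        ("192.168.1.10", "aa:bb:cc:dd:ee:ff", "Gi1/0/3"),   # legitimate host
        ("192.168.1.20", "de:ad:be:ef:00:01", "Gi1/0/7"),   # attacker's own DHCP lease
    ]
    dai = DynamicArpInspector(bindings, trusted_ports={"Gi1/0/48"})
    gw = "00:00:5e:00:01:01"
    packets = [
        # genuine reply from the legitimate host on its own port
        ArpPacket("Gi1/0/3", "aa:bb:cc:dd:ee:ff", ARP_REPLY, "aa:bb:cc:dd:ee:ff", "192.168.1.10", gw, "192.168.1.1"),
        # the real gateway answering on the trusted uplink
        ArpPacket("Gi1/0/48", gw, ARP_REPLY, gw, "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.10"),
        # attacker claiming the gateway IP with its own MAC
        ArpPacket("Gi1/0/7", "de:ad:be:ef:00:01", ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.10"),
        # attacker forging the gateway MAC inside ARP but not in the Ethernet header
        ArpPacket("Gi1/0/7", "de:ad:be:ef:00:01", ARP_REPLY, gw, "192.168.1.1", "aa:bb:cc:dd:ee:ff", "192.168.1.10"),
        # attacker's honest request for its own lease: allowed
        ArpPacket("Gi1/0/7", "de:ad:be:ef:00:01", ARP_REQUEST, "de:ad:be:ef:00:01", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    ]
    return [(p.port, p.sender_ip, dai.inspect(p)) for p in packets], dai.log


if __name__ == "__main__":
    verdicts, drops = run_sample()
    for v in verdicts:
        print(v)
    for d in drops:
        print("DROP", d)
```

Two things the sample makes visible: the attacker's honest traffic for its own lease is untouched, so DAI does not break normal hosts, and the fourth packet shows why the sender-MAC consistency check is worth enabling even though the binding check alone would also have caught it here.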

Gratuitous ARP

A gratuitous ARP is an ARP packet that a host sends without being asked, announcing its own mapping: the sender IP and the target IP are both the host's own address. It is usually sent as a broadcast request, though some implementations send it as a broadcast reply, and either form is cached by hosts that see it. A device might send one when it first comes online (also to detect an address conflict, since any answer means someone else holds the IP), when its IP address changes, or simply to update the caches of other hosts. In effect it says "here is my IP and here is my MAC, update your caches."

Gratuitous ARPs are legitimate and useful; for example, clustered servers use them to move a virtual IP address to a different physical host during failover, so that clients switch to the new MAC immediately instead of waiting for their cache entries to expire. But the same mechanism is what attackers use for ARP spoofing, since nothing stops a malicious host from sending one with false information.

ARP Scanning

Because ARP responses only come from devices that are actually up and reachable on the local subnet, ARP scanning is the most reliable way to find active hosts on a local network. Tools like arp-scan, or nmap with the -PR flag (which nmap already uses by default for targets on a directly attached Ethernet segment when run with privileges), send an ARP request for every address in the subnet and collect the replies. Unlike ICMP ping sweeps, ARP scanning is not affected by ordinary host firewalls, which filter at layer 3 and above: a device must answer ARP requests to participate in the network at all. The flip side is that ARP never crosses a router, so an ARP scan only sees the segment you are on; discovering anything beyond the gateway needs a different technique.

Conclusion

ARP is small, simple, and essential. Without it, IP packets would have no way to become Ethernet frames on the local segment. Its simplicity is also its weakness: no authentication, no verification, and full trust in whatever replies it receives. For anyone doing network analysis or security work, understanding ARP is fundamental to understanding what happens at the layer just below IP.