ARP
What is ARP?
ARPA link-layer protocol (RFC 826) that maps an IPv4 address to the MAC address of a host on the same broadcast domain so that frames can be delivered.
The Address Resolution Protocol is defined in RFC 826 (1982) and operates at the boundary between the link and network layers. When a host needs to send an IPv4 packet to a destination on the same subnet, it broadcasts an ARP request ("Who has 192.168.1.1?") and the owner replies with its MAC address. The mapping is cached in the ARP table for later frames.
flowchart TD H[Host A wants 192.168.1.1] -->|"broadcast: Who has .1?"| LAN[(Broadcast domain)] LAN --> GW[Gateway .1] LAN --> ATK[Attacker] GW -->|"reply: .1 is aa:bb:cc"| H ATK -->|"gratuitous reply: .1 is my MAC"| H H -.->|cache poisoned| ATK ATK -->|relay / sniff| GW
ARP has no authentication, so any host on the segment can answer or send unsolicited gratuitous replies. This enables ARP spoofing / ARP poisoning, redirecting traffic through an attacker for sniffing or manipulation — the classic on-path (man-in-the-middle) primitive automated by tools such as arpspoof (from dsniff), Ettercap, and Bettercap. Because replies overwrite cache entries with no challenge, a few packets per second are enough to maintain the hijack. Defences on managed switches include Dynamic ARP Inspection (DAI), which validates replies against the DHCP-snooping binding table, plus static ARP entries for critical hosts, port security, and segmenting trust boundaries with VLANs. IPv6 abandons ARP for Neighbor Discovery (ICMPv6, RFC 4861), whose SEND extension (RFC 3971) adds cryptographically generated addresses to resist the same spoofing class.
● Examples
- 01
Wireshark shows ARP requests and replies as a host boots and learns its default gateway's MAC.
- 02
An attacker sends gratuitous ARP replies claiming to own the gateway IP, redirecting LAN traffic.
● Frequently asked questions
What is ARP?
A link-layer protocol (RFC 826) that maps an IPv4 address to the MAC address of a host on the same broadcast domain so that frames can be delivered. It belongs to the Network Security category of cybersecurity.
What does ARP mean?
A link-layer protocol (RFC 826) that maps an IPv4 address to the MAC address of a host on the same broadcast domain so that frames can be delivered.
How do you defend against ARP?
Defences for ARP typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for ARP?
Common alternative names include: Address Resolution Protocol.