ARP
What is ARP?
ARPA link-layer protocol (RFC 826) that maps an IPv4 address to the MAC address of a host on the same broadcast domain so that frames can be delivered.
The Address Resolution Protocol is defined in RFC 826 and operates at the boundary between the link and network layers. When a host needs to send an IPv4 packet to a destination on the same subnet, it broadcasts an ARP request (Who has 192.168.1.1?) and the owner replies with its MAC address. The mapping is cached in the ARP table for later frames. ARP has no authentication, so any host on the segment can answer or send unsolicited (gratuitous) replies. This enables ARP spoofing / ARP poisoning, redirecting traffic through an attacker for sniffing or manipulation. IPv6 replaces ARP with Neighbor Discovery (ICMPv6, RFC 4861), which supports SEND for cryptographic protection.
● Examples
- 01
Wireshark shows ARP requests and replies as a host boots and learns its default gateway's MAC.
- 02
An attacker sends gratuitous ARP replies claiming to own the gateway IP, redirecting LAN traffic.
● Frequently asked questions
What is ARP?
A link-layer protocol (RFC 826) that maps an IPv4 address to the MAC address of a host on the same broadcast domain so that frames can be delivered. It belongs to the Network Security category of cybersecurity.
What does ARP mean?
A link-layer protocol (RFC 826) that maps an IPv4 address to the MAC address of a host on the same broadcast domain so that frames can be delivered.
How does ARP work?
The Address Resolution Protocol is defined in RFC 826 and operates at the boundary between the link and network layers. When a host needs to send an IPv4 packet to a destination on the same subnet, it broadcasts an ARP request (Who has 192.168.1.1?) and the owner replies with its MAC address. The mapping is cached in the ARP table for later frames. ARP has no authentication, so any host on the segment can answer or send unsolicited (gratuitous) replies. This enables ARP spoofing / ARP poisoning, redirecting traffic through an attacker for sniffing or manipulation. IPv6 replaces ARP with Neighbor Discovery (ICMPv6, RFC 4861), which supports SEND for cryptographic protection.
How do you defend against ARP?
Defences for ARP typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for ARP?
Common alternative names include: Address Resolution Protocol.
● Related terms
- attacks№ 062
ARP Spoofing
A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- network-security№ 637
MAC Address
A 48-bit hardware identifier (IEEE 802) burned into a network interface and used for delivery within a single link-layer segment.
- network-security№ 553
IP Address
A numeric identifier assigned to a network interface for routing across IP networks: 32 bits in IPv4 (RFC 791) or 128 bits in IPv6 (RFC 8200).
- network-security№ 1113
Subnet
A contiguous range of IP addresses that share a common prefix, defining a single broadcast domain and routing boundary on a network.
- network-security№ 1206
VLAN
A virtual LAN (IEEE 802.1Q) groups switch ports into separate broadcast domains by tagging Ethernet frames with a 12-bit VLAN ID.
- network-security№ 508
ICMP
A network-layer control and diagnostics protocol (RFC 792 for IPv4, RFC 4443 for IPv6) used by hosts and routers to report errors and signal path conditions.
● See also
- № 311DHCP