Link Layer Protocol · RFC 826
🔍

Address Resolution Protocol

ARP maps known IPv4 addresses to unknown MAC addresses on a local network segment. It is the essential bridge between the Network Layer (Layer 3) and the Data Link Layer (Layer 2), operating only within a single broadcast domain and never crossing IP routers.

1982
RFC 826 Published
Eth 0x0806
EtherType
28 bytes
Header Size
Op 1/2
Request / Reply
📦
ARP Header Fields Click any field to expand its description and see values
ARP Packet Structure (28 bytes)
↙ Click a field to inspect it
Row 1 — Bits 0–31 (32 bits)
🔌 Hardware Type
Ethernet = 1 16 bits
🌐 Protocol Type
IPv4 = 0x0800 16 bits
Row 2 — Bits 32–63 (32 bits)
📏 HLen
Ethernet = 6 8 bits
📐 PLen
IPv4 = 4 8 bits
Operation
1 = Request · 2 = Reply 16 bits
Row 3–4 — Bits 64–111 (48 bits)
🖥️ Sender Hardware Address (SHA)
MAC address of the sender — e.g. AA:BB:CC:DD:EE:01 48 bits (6 bytes)
Row 5 — Bits 112–143 (32 bits)
📍 Sender Protocol Address (SPA)
IP address of sender — always known 32 bits (4 bytes)
Row 6–7 — Bits 144–191 (48 bits)
🎯 Target Hardware Address (THA)
00:00:00:00:00:00 in request (unknown) · filled in reply 48 bits (6 bytes)
Row 8 — Bits 192–223 (32 bits)
✉️ Target Protocol Address (TPA)
IP address being resolved — what we're looking up 32 bits (4 bytes)

Values / Example
🔄
ARP Request / Reply Exchange How a host resolves an IP address to a MAC address before sending a frame
💻
Host A
(Requester)
IP: 192.168.1.10
MAC: AA:BB:CC:DD:EE:01
1
ARP Request (broadcast FF:FF:FF:FF:FF:FF) — "Who has 192.168.1.20? Tell 192.168.1.10"
2
All devices receive request — only 192.168.1.20 responds
ARP Reply (unicast) — "192.168.1.20 is at AA:BB:CC:DD:EE:02"
3
4
Host A caches IP→MAC mapping · begins sending frames to AA:BB:CC:DD:EE:02
🖥️
Host B
(Responder)
IP: 192.168.1.20
MAC: AA:BB:CC:DD:EE:02
Broadcast (all devices receive)
Requester action
Unicast reply
ARP Cache Simulator Send ARP requests, observe cache lookups, and simulate ARP cache poisoning attacks
ARP Cache — Host: 192.168.1.10 (AA:BB:CC:DD:EE:01)
Local subnet: 192.168.1.0/24
🗂️ ARP Cache Table
IP AddressMAC AddressTypeTTLInterface
📋 ARP Transaction Log
No transactions yet — send an ARP request to begin
🔒
ARP Security Considerations ARP has no authentication — making it a common target for network attacks
☠️
Threat
ARP Cache Poisoning / Spoofing
An attacker sends gratuitous ARP replies associating their MAC address with a legitimate IP (e.g., the gateway). Victims update their ARP cache and send traffic to the attacker instead. Enables man-in-the-middle attacks, traffic interception, and denial of service.
Legitimate: 192.168.1.1 → AA:BB:CC:DD:EE:FF (real gateway)
Poisoned: 192.168.1.1 → DE:AD:BE:EF:00:01 (attacker MAC)
🌊
Threat
ARP Flood (DoS)
Flooding a network with ARP requests can overwhelm switches and hosts, causing them to process excessive broadcast traffic. Can also be used to fill a switch's MAC address table (CAM table overflow), forcing it to flood all traffic like a hub — enabling passive sniffing.
Attack rate: thousands of ARP requests/sec
Result: switch behaves as hub — all traffic visible
Tool: arpspoof, ettercap, Scapy
🛡️
Defense
Dynamic ARP Inspection (DAI)
A Cisco switch feature that intercepts ARP packets and validates them against a DHCP snooping binding table (IP-to-MAC-to-port mappings). Packets that don't match the binding table are dropped. Trusted ports (uplinks) bypass inspection; untrusted ports (access) are inspected.
Trusted port: ARP passes through unchecked
Untrusted port: ARP validated vs DHCP table
Config: ip arp inspection vlan [vlan-id]
🔐
Defense
Static ARP Entries
Manually configuring permanent ARP entries for critical hosts (routers, servers, DNS) prevents those entries from being overwritten by malicious ARP replies. Less scalable but very effective for protecting high-value fixed-IP assets on the network.
Windows: arp -s 192.168.1.1 AA-BB-CC-DD-EE-FF
Linux: arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF
Static entries cannot be overwritten by ARP replies
🔎
Detection
ARP Anomaly Detection
Monitoring tools like ARPwatch, Wireshark, and IDS systems watch for suspicious ARP behavior: duplicate IP-to-MAC mappings, unsolicited ARP replies (gratuitous ARP floods), rapid cache changes, and MAC addresses claiming multiple IPs.
Indicator: One MAC → multiple IPs (spoofing)
Indicator: Unsolicited ARP Reply (gratuitous)
Tool: arpwatch, XArp, Wireshark arp filter
📋
Detection
Gratuitous ARP
A Gratuitous ARP is an ARP Reply sent without a preceding Request. Legitimate uses: announcing a new MAC after a NIC replacement, IP conflict detection at boot, and VRRP/HSRP failover. Malicious use: silently poisoning caches across the network segment.
Legit: Host announcing new MAC after failover
Malicious: Attacker broadcasting fake IP→MAC
THA = FF:FF:FF:FF:FF:FF (broadcast target)
⚖️
ARP vs RARP vs Gratuitous ARP The three main ARP-family operations compared
Feature 🔍 ARP ↩️ RARP 📣 Gratuitous ARP
DirectionIP → MACMAC → IPSelf-announcement
Operation Code1 (Request) / 2 (Reply)3 (Request) / 4 (Reply)2 (Reply, unsolicited)
Who SendsAny host needing MACDiskless workstationHost announcing itself
Broadcast?Request = broadcastRequest = broadcastReply = broadcast
SPA ValueSender's known IP0.0.0.0 (unknown)Sender's IP (self)
THA Value00:00:00:00:00:00Same as SHAFF:FF:FF:FF:FF:FF
TPA ValueIP being resolved0.0.0.0 in req / filled in replySender's own IP
ARP Cache UpdateYes — fills cacheNo cache involvementForces cache update
Security RiskCan be poisonedObsolete — DHCP used insteadPrimary poisoning vector
Legitimate UseNormal Layer-2 operationLegacy diskless bootFailover, IP conflict detection
🧠
Knowledge Check Quiz Test your understanding of ARP, cache poisoning, and address resolution
ARP Protocol Quiz
Score: 0 / 0