Address resolution protocol (ARP) is a network protocol used to map IP addresses to physical MAC (media access control) addresses within a local network segment.
What Is ARP?
Address resolution protocol (ARP) operates within the link layer of the OSI model and plays a critical role in IPv4 networking by translating logical IP addresses into physical MAC addresses. When a device wants to send data to another device on the same local area network (LAN), it first checks its ARP cache to see if it already has a record of the target deviceโs MAC address corresponding to its IP address.
If the mapping is not found, the device broadcasts an ARP request packet to all devices on the network, asking which one holds the specified IP address. The device with the matching IP address responds with an ARP reply containing its MAC address. This information is then stored in the ARP cache for future communications, reducing the need for repeated broadcasts.
ARP is essential for the functioning of Ethernet networks because while higher-level protocols like IP operate with logical addresses, actual data transmission over Ethernet relies on MAC addresses. ARP functions only within the boundaries of a single broadcast domain and does not operate across routers or different subnets, where other mechanisms, such as proxy ARP or routing, are needed to resolve addresses.
Types of ARP
There are several variations of ARP, each designed to handle different situations in IP networking. These types build on the basic ARP mechanism but serve specific roles depending on network architecture and requirements:
- Standard ARP (or simply ARP) is the original form used to resolve an IPv4 address into a MAC address within the same local network segment. A host broadcasts an ARP request, and the device with the matching IP responds with its MAC address.
- Proxy ARP allows a router to respond to ARP requests on behalf of a device that resides on a different subnet. The router pretends to be the destination host by replying with its own MAC address, enabling devices on different subnets to communicate without explicit routing configuration, though this can introduce scalability and security issues.
- Reverse ARP (RARP) was designed to allow a device that knows its MAC address to request its IP address from a central server. This was mainly used by diskless workstations during boot but is now obsolete, replaced by DHCP.
- Gratuitous ARP occurs when a device sends an ARP request for its own IP address or sends an unsolicited ARP reply. This is used to update ARP tables in other devices, detect IP conflicts, or announce IP address changes.
- Inverse ARP (InARP) is used primarily in frame relay and ATM networks. Instead of resolving an IP to a hardware address, it resolves a known virtual circuit identifier (such as a DLCI) into a network layer address.
- Dynamic ARP refers to ARP entries that are learned automatically and maintained temporarily in the ARP cache. These entries expire after a set period unless refreshed.
- Static ARP refers to manually configured ARP entries that remain in the cache permanently and do not expire. This can be used for security or performance reasons but requires manual maintenance.
How Does ARP Work?
When a device on a local network needs to send data to another device, it first checks whether it already knows the MAC address corresponding to the destination IP address by looking in its ARP cache.
If the mapping exists, it uses the stored MAC address to send the data directly. If the mapping is not found, the device broadcasts an ARP request to all devices on the local network, essentially asking, โWho has this IP address?โ All devices on the network receive the request, but only the device with the matching IP address responds with an ARP reply that includes its MAC address.
Upon receiving the reply, the sender stores the new IP-to-MAC mapping in its ARP cache for future use and proceeds to transmit the data to the destination using the resolved MAC address. This entire process ensures that devices on the same local subnet can communicate using their physical network interfaces, while higher-level IP protocols handle addressing and routing across broader networks.
What Is an Example of ARP?
For example, suppose a computer with IP address 192.168.1.10 wants to send data to another computer on the same local network with IP address 192.168.1.20. The sending computer first checks its ARP cache to see if it already knows the MAC address for 192.168.1.20. If it does not, it sends an ARP request broadcast to all devices on the network, asking, โWho has IP address 192.168.1.20?โ The computer with IP address 192.168.1.20 receives the request and replies with its MAC address, for instance, 00-14-22-01-23-45. The sending computer receives this reply, updates its ARP cache with the new IP-to-MAC mapping, and uses that MAC address to send the data directly over the local network.
ARP Tools
Hereโs a list of common ARP tools.
arp (command-line tool)
Available on most operating systems (Windows, Linux, macOS), this command-line tool allows users to view, add, and delete entries in the ARP cache. It helps troubleshoot local network communication issues by displaying current IP-to-MAC address mappings or forcing specific mappings.
Arping
Primarily used on UNIX-like systems, arping sends ARP requests to a specific IP address and reports whether a reply was received. It works similarly to a ping but operates at the link layer, making it useful for verifying if a host is reachable on the local network segment and for detecting duplicate IP addresses.
netstat -arp (or netstat -an on some systems)
In some systems, netstat can display the ARP cache along with other network statistics, helping diagnose network problems by showing active ARP entries and their status.
ip neighbor (Linux)
This is part of the ip command suite in modern Linux systems. It shows and manipulates the neighbor table, which functions similarly to the ARP cache for IPv4 (and ND for IPv6), allowing administrators to check and update MAC address mappings.
Wireshark
A network protocol analyzer that captures and displays network traffic, including ARP requests and replies. Wireshark allows detailed inspection of ARP packets, making it valuable for diagnosing ARP-related problems, such as spoofing or incorrect address resolution.
Nmap (with ARP Scan)
Nmap can perform ARP scans to identify live hosts on a local subnet quickly. Since ARP requests do not rely on IP-layer responses, ARP scanning is often more reliable for discovering devices within the same broadcast domain.
Arpwatch
A network monitoring tool that keeps track of ARP traffic on a network and logs IP-to-MAC address mappings. It can alert administrators to changes in mappings, which may indicate potential network issues or ARP spoofing attacks.
How Does ARP Cache Work?
The ARP cache is a table stored in a deviceโs memory that keeps track of recently resolved IP-to-MAC address mappings to reduce the need for repeated ARP requests.
When a device needs to send data, it first checks the ARP cache to see if the destination IP address already has a corresponding MAC address entry. If the mapping exists, the device uses it to send the frame directly, avoiding unnecessary ARP broadcasts. If the entry is missing, an ARP request is broadcast to resolve the address, and the response is stored in the cache.
Each entry in the ARP cache has a time-to-live (TTL) value, after which it expires to ensure outdated mappings are removed, especially if devices change IP addresses or leave the network. Some ARP entries can also be manually configured as static, in which case they remain in the cache indefinitely until manually deleted or modified.
The ARP cache helps improve network efficiency and performance by minimizing network traffic and latency in address resolution.
What Is ARP Used For?
ARP is used to enable communication between devices on the same local network by translating IP addresses into physical MAC addresses. Since devices use IP addresses for logical addressing at the network layer but require MAC addresses to physically deliver frames at the data link layer, ARP provides the mechanism to perform this address resolution.
Without ARP, devices would not be able to determine where to send packets within the local subnet. It is essential for basic network functions such as initiating connections, transferring data, and maintaining proper network communication. Additionally, ARP plays a role in network diagnostics, device discovery, and certain types of network attacks or defenses, such as ARP spoofing detection.
The Advantages and the Disadvantages of ARP
Hereโs a table summarizing the advantages and disadvantages of ARP:
| Advantages | Disadvantages |
| Simple and efficient mechanism for resolving IP addresses to MAC addresses within a local network. | Limited to local subnet; does not work across routers or different broadcast domains. |
| Operates automatically without requiring manual configuration for most environments. | Vulnerable to ARP spoofing and man-in-the-middle attacks, since ARP lacks authentication. |
| Fast resolution using cache to reduce network overhead and latency after initial resolution. | ARP cache entries can become stale, leading to potential connectivity issues if devices change IP or MAC addresses. |
| Supports dynamic network environments where devices frequently join or leave the network. | Can generate unnecessary broadcast traffic, especially in large or busy networks. |
| Widely supported across all IPv4-based networking systems. | Does not support IPv6; replaced by Neighbor Discovery Protocol (NDP) in IPv6 environments. |
ARP vs. MAC vs. IP vs. DNS
Hereโs a comparison table that distinguishes ARP, MAC, IP, and DNS:
| Aspect | ARP (address resolution protocol) | MAC (media access control address) | IP (internet protocol address) | DNS (domain name system) |
| Function | Resolves IP addresses to MAC addresses on local networks. | Identifies a physical network interface on a local network. | Provides logical addressing for devices across networks. | Resolves domain names to IP addresses. |
| Layer | Link Layer (Layer 2/3 interaction) | Data Link Layer (Layer 2) | Network Layer (Layer 3) | Application Layer |
| Scope | Works within local subnets. | Unique per network interface; local network scope. | Global scope; routable across networks. | Global internet-wide scope. |
| Address type | Protocol for mapping addresses. | Fixed hardware or software-assigned 48-bit address. | 32-bit (IPv4) or 128-bit (IPv6) logical address. | Human-readable domain names. |
| Persistence | ARP cache stores temporary mappings. | Usually static (hardware); can be reassigned. | Dynamic or static assignment via DHCP or configuration. | Static or dynamic; managed via DNS servers. |
| Key use Case | Enables local delivery of packets based on IP. | Identifies the network adapter receiving frames. | Identifies device location in global or private networks. | Translates user-friendly names to IP for network access. |
| Security risks | Vulnerable to spoofing attacks. | Generally secure but can be cloned. | Susceptible to IP spoofing and hijacking. | Vulnerable to DNS spoofing, cache poisoning. |
What Is the Future of ARP?
With the widespread adoption of IPv6, ARP is being replaced with the more secure and efficient neighbor discovery protocol (NDP). While ARP remains essential in IPv4-based networks, its lack of security features makes it vulnerable to spoofing and man-in-the-middle attacks, prompting the development of more secure alternatives and protective measures such as dynamic ARP inspection (DAI) in modern networks.
As IPv6 adoption grows and network security demands increase, ARPโs role will gradually diminish, remaining primarily in legacy systems and IPv4 environments that continue to persist alongside newer technologies.
