What Is ARP? The Address Resolution Protocol Explained

At its core, ARP serves a simple yet crucial role: it matches an IP address to a device’s physical (MAC) address. But what exactly is ARP, and how does it work in practice?

In this guide, we’ll break it down step by step. You’ll learn ARP’s meaning and find examples on how it works in real life. We’ll also cover common ARP risks, how to check for vulnerabilities, and practical steps to protect your network.

What Is ARP?

The Address Resolution Protocol (ARP) is a networking protocol that helps your device figure out which hardware (MAC) address corresponds to a given IP address so it can send data to the right device. 

The protocol only works inside a single LAN (Local Area Network), for example, your home Wi-Fi or office network setup. Within that LAN, ARP operates at the data-link level (Layer 2 of the OSI model) where devices identify each other by their physical (MAC) addresses.

ARP is also specific to IPv4 networks, which are still the most common type of network in use today. The newer IPv6 standard replaces it with the Neighbor Discovery Protocol (NDP), which serves a similar purpose, linking IP addresses to MAC addresses, but uses different underlying mechanisms suited to how IPv6 handles addressing and communication.

How ARP Works

When a device wants to send data to another device on the same network, it needs two pieces of information: the destination device’s IP address and its MAC address. It usually knows the IP because that’s what applications and operating systems use, but not the MAC. That’s where ARP steps in.

ARP sends out a request to every device on the LAN (called a “broadcast”) that’s listening, asking, “Who has this IP address?” The device with that IP replies with its MAC address, so the sender can deliver data accurately. 

Here’s how ARP works in its most basic form, between two devices communicating over the same local network:

1. Device A wants to send data to Device B at IP address xxx.xxx.x.xx.
2. Device A doesn’t know Device B’s MAC address, so it broadcasts: “Who has xxx.xxx.x.xx?”
3. Device B replies “I do! My MAC address is XX:XX:XX:XX:XX.”
4. Device A can now send data directly to Device B.

When this happens, the sender records the IP-to-MAC pairing in its ARP cache, a small table stored in memory. That cache prevents the device from broadcasting again every time it needs to talk to the same destination. 

ARP always operates locally, even when you’re trying to connect to something outside your network. Here’s how that works:

1. You open a website on your computer. Because the destination is outside your local network, your computer must send the request to the default gateway, which is usually your router.
2. Your computer doesn’t yet know the router’s MAC address, so it broadcasts an ARP request on the LAN: “Who has the IP address of the default gateway?”
3. The router replies with its MAC address. Your computer saves this information in its ARP cache and sends the website request to the router.
4. The router forwards the request across the internet to the website’s server.
5. The website responds to the router’s public IP address (not directly to your computer).
6. When the router receives the reply, it uses its own ARP cache to find your computer’s MAC address and deliver the response locally.

If the router doesn’t already have your MAC address in its cache, it will also send an ARP request to the local network. Your computer replies, and the router updates its ARP cache so future traffic can be delivered directly without broadcasting again.

Why ARP Is Important

In addition to basic communication, ARP also plays a role in network security, efficiency, and troubleshooting. Here are some of the reasons ARP is useful in networking:

• Helps detect IP conflicts early: By checking the ARP cache, you can spot when two devices are assigned the same IP, so you can prevent devices from losing connectivity or sending data to the wrong destination.
• Supports network security: You can also periodically check the ARP activity to reveal suspicious behavior and detect potential attacks.
• Improves network efficiency: Storing IP-MAC mappings in the ARP cache saves bandwidth, especially on networks with many devices, because it reduces repeated broadcast requests.
• Aids troubleshooting and diagnostics: Network administrators use ARP tables to track device connectivity, verify correct routing, and pinpoint devices that are offline or misconfigured.

Types of Address Resolution Protocol

ARP is a single protocol, but it actually includes several related variants, each designed for a specific purpose or network condition.

Proxy ARP

Proxy ARP is when a router (or another device) answers an ARP request on behalf of another machine. The device doing the asking thinks the destination is on its own local subnet, but in reality, it isn’t. The router “pretends” to be the destination by replying with its own MAC address, then forwards the traffic where it really needs to go.

When it’s used:

• To connect two subnets that aren’t properly routed but share the same physical network.
• In legacy or misconfigured networks where hosts assume all devices are on the same LAN.
• Occasionally in VPNs or mobile carrier networks to simplify address handling.

In practice:
Admins rarely rely on proxy ARP today because it can cause confusion and unnecessary traffic, as well as create security issues. It still appears in specialized setups or backward-compatible systems.

Gratuitous ARP

Gratuitous ARP is when a device sends out an ARP reply without being asked. Instead of waiting for someone to ask, it broadcasts its identity to make sure everyone’s ARP cache is up to date.

When it’s used:

• When a device first connects or reboots, to make sure others know its address.
• When an IP changes (such as after a failover), to refresh old ARP entries.
• To detect duplicate IPs: if another device responds, there’s a conflict.

In practice:
Modern systems automatically send gratuitous ARPs when their network interface starts up, when their IP address changes, or after a failover, for example, when one server or router takes over from another. In high-availability setups (like redundant routers or clustered servers), admins sometimes configure gratuitous ARPs deliberately.

Reverse ARP (RARP)

Reverse ARP works the opposite way of normal ARP. Instead of asking “who has this IP address?”, a device asks “what is my IP address?” when it only knows its own MAC address.

When it’s used:

• In older setups where devices booted without storage and had to request their IPs from a RARP server.

In practice:
RARP is obsolete. Modern networks replaced it with Bootstrap Protocol (BOOTP) and later Dynamic Host Configuration Protocol (DHCP), which do the same job with more flexibility.

Inverse ARP (InARP)

Inverse ARP is similar to RARP in that it reverses the normal ARP process, but the key difference is in whose IP is being requested. With InARP, a device asks for the IP address of another device, not its own.

When it’s used:

• In older WAN technologies like Frame Relay and ATM where connections are pre-established at Layer 2.

In practice:
InARP isn’t used on Ethernet or Wi-Fi. It’s a legacy feature that helped early WAN protocols map virtual circuit identifiers to IPs before modern networking made those mappings unnecessary.

How to Check Your ARP Cache Table

Every device keeps an ARP cache table to speed up local communication. The table stores known pairs of IP addresses and MAC addresses, so the device doesn’t have to broadcast an ARP request every time it wants to reach another system on the network.

Entries in the cache don’t last forever. Most operating systems keep them for only a few minutes (typically 1–20), while routers hold them longer, often for several hours. When an entry expires, the device simply sends a new ARP request to refresh it.

There are two main types of entries:

• Dynamic ARP entries are created automatically when the device learns a new address mapping. They expire after a set timeout.
• Static ARP entries are added manually by an administrator and never expire. These are often used in secure or sensitive environments to prevent ARP spoofing and other address-based attacks.

Here’s how to check your ARP cache on different devices:

Windows

1. Open the Command Prompt by searching for “cmd” in the Start menu.



2. Type “arp -a” and press Enter.



3. You’ll see a list of IP addresses with their corresponding MAC addresses.



Linux / macOS

1. Open the Terminal and type “arp -a” or “ip neigh.” You’ll see your saved IP-to-MAC associations.



Mobile Devices (Android/iOS)

Phones and tablets also maintain ARP caches, but you can’t view them through standard settings. On Android, you can find the ARP cache with terminal apps or developer tools (using ip neigh), but that requires root access. On iOS, you can only check the ARP cache if the device is jailbroken.

⚠️ Rooting or jailbreaking gives you deeper control over the system, but it also voids warranties and can make your device more vulnerable to malware or instability. For most users, it’s not worth the risk just to see the ARP table.

Routers

Routers also keep ARP tables, but they maintain one for each interface or network connection (LAN, WAN, etc.). Like other devices, they use dynamic ARP by default, but many allow you to add static entries as well. You can view the ARP table from your router’s admin panel, usually under menus like Status, Diagnostics, and LAN Settings.

If your ARP table looks empty, try pinging a device first by typing “ping” followed by a device’s IP address. This will force an ARP request, so the new mapping will appear in the table.

ARP Security Risks

The ARP protocol wasn’t designed for security but network efficiency. It doesn’t require authentication or verification because this would take up bandwidth and slow down the mapping process. This opens the door for cybercriminals and other malicious actors to intercept communications and launch various attacks. 

Man-in-the-Middle (MITM) Attacks

A MITM attack happens when a hacker uses ARP spoofing to intercept and alter data sent between two devices. Unlike simple eavesdropping, MITM attacks let attackers actively manipulate the conversation by inserting malware or fake instructions. This type of attack comes in several forms, including ARP Spoofing.

ARP Spoofing/Poisoning

ARP spoofing occurs when an attacker sends fake ARP messages to a network. This tricks devices into associating the attacker’s MAC address with the IP address of another device, such as a router or server. Once the attacker is in the middle, they can steal data, monitor communications, and access sensitive accounts.

Denial-of-Service (DoS) via ARP Flooding

Attackers can deliberately flood a network with excessive ARP requests. When devices receive too many ARP messages, they may slow down dramatically or crash. This form of DoS attack can cripple an entire network.

Session Hijacking

Session hijacking takes advantage of active connections between a user and a service. By intercepting the network traffic, an attacker can steal session tokens or authentication cookies so they can access sensitive accounts and perform unauthorized actions. 

Expert tip: Adding a VPN to your devices gives you extra protection against these and other types of cyber attacks. PIA VPN secures your connection with strong encryption that stops third parties on your network from intercepting your personal data or active sessions. You can even set it up on a compatible router to protect your entire network.

How to Check for ARP Vulnerabilities



Look for Duplicate IP/MAC Entries

Check your network’s ARP table using the arp -a command. It works on most systems, but you can also use ip neigh for some Linux/Mac devices. This will show you a list of IP addresses and the MAC addresses they’re associated with. 

If multiple IP addresses are pointing to the same MAC address, that’s a red flag and a sign of potential ARP spoofing.

Monitor Active ARP Traffic

There are tools that let you watch ARP activity in real time, like Wireshark and tcpdump. These programs show every ARP message your devices are sending, so you can spot suspicious activity early and take action before it causes problems.

If you see lots of ARP messages suddenly appearing on the network, or repeated ARP replies without requests, it can be a warning sign of an ongoing attack.

Check Router and Switch Logs

Many modern routers and switches log unusual ARP activity automatically. Check the logs for messages about duplicate IP addresses, frequent MAC changes, or unusual ARP broadcasts. This can help catch problems before they spread.

Run ARP Security Tools

If you’re managing a large network where it would be impossible or impractical to monitor ARP tables manually, consider using tools that are specifically designed to detect ARP anomalies. Tools like arpwatch and XArp can automatically flag suspicious ARP behavior and alert you in real-time.

How to Protect Against ARP Attacks

To protect your network from ARP attacks, you need to make it harder for attackers to tamper with your devices. Here are some tips:

Use Static ARP Entries

One of the simplest protections is to create static ARP entries for the most important devices on your network, like your router, servers, or printer. These are devices you always connect to, and they rarely change their IP or MAC address. If an attacker tries to poison your ARP cache with a fake entry, your device will ignore it.

• On Windows, type “arp -s” in the CMD, followed by the IP address of the device you’re configuring and then its MAC address.
• On Linux or Mac, open Terminal and type “sudo arp -s” followed by the IP address and the MAC address of the device.

Encrypt Your Network Traffic

Even if someone manages to spoof ARP messages, encryption keeps your data safe. It doesn’t prevent ARP spoofing outright, since the attack happens at the data link layer before your encrypted tunnel is established. However, it does make ARP attacks far less useful to an attacker, because they wouldn’t be able to read the data even if they intercept your traffic.

The easiest and most effective way to encrypt your connection is to use a reputable VPN like PIA. Just make sure to set it up on all the devices in your network, otherwise your packets will become vulnerable again when they reach the unencrypted device. PIA gives you unlimited simultaneous device connections with every subscription.

Enable Dynamic ARP Inspection (DAI)

If you have a managed switch, you should enable DAI or similar ARP spoofing detection features. DAI monitors ARP requests and replies and checks them against a trusted list of IP-to-MAC mappings, dropping any messages that don’t match. 

You can do this through your switch’s web interface or console by marking trusted ports (like those connected to routers or servers) and untrusted ports (regular devices). If your device doesn’t specifically call it DAI, look for ARP security or spoofing detection features, they work in the same way.

Adjust ARP Cache Timeouts

ARP cache entries normally expire after a short period, but you can shorten this window even further to reduce the time an attacker has to exploit a fake entry. 

• On Windows, you can do this with netsh interface ipv4 set global arpcachetimeout=60 to set the cache to 60 seconds.
• On Linux, adjust the value in /proc/sys/net/ipv4/neigh/default/gc_stale_time.
• On Mac, you can periodically clear ARP entries with sudo arp -d <IP> or set up a script to automate it.

Monitor Network Traffic

Use monitoring tools like Wireshark, ARPwatch, or IDS/IPS solutions to spot unusual ARP activity, so you can react immediately before attackers disrupt the network. For example, multiple IPs linked to the same MAC address or sudden changes in ARP tables can indicate an attack. 

Partition Your Network

Dividing your network into smaller segments limits the damage an attacker can do. If someone manages to launch an ARP spoofing attack on one part of the network, they won’t be able to easily reach other segments. For example, you can place your servers in a separate VLAN or use a firewall to isolate sensitive devices.

Increase Port Security

Attackers often try to plug in rogue devices or flood a port with fake MAC addresses. You can limit the number of devices allowed on each port, and configure it so only known MAC addresses are accepted. If someone tries to connect an unauthorized device, the port will block it.

Secure Network Access

Use Network Access Control (NAC) to verify every device before it joins your network. Use strong Wi-Fi encryption like WPA3, disable unused physical ports, and lock your equipment in a secure location so no one can access it physically.

Common ARP-Related Problems and How to Solve Them

While ARP may sound abstract, it shows up in everyday networking problems. Here are some common scenarios where ARP plays a critical role:

• Device online but printer/NAS unreachable. This usually happens because your computer remembers the wrong MAC address for the printer. Clear the ARP cache by typing “arp -d” in the Command Prompt on Windows, or “ip -s -s neigh flush all” on Linux/Mac.
• Gaming or streaming lag on LAN. If your ping suddenly jumps even though your internet speed looks fine, it could be caused by an old router or another misconfigured device spamming the network with too many ARP requests. Try restarting or rebooting the devices in your network.
• Virtual machines or containers won’t connect. If you’re running programs like VMware, VirtualBox, or Docker, and your virtual computer can’t reach the internet or your main PC, it’s often because the ARP tables are misconfigured. Resetting the ARP cache usually solves the issue.
• The internet works, but some sites don’t load. Sometimes ARP entries expire too quickly or get poisoned. Flushing the ARP cache or restarting your device usually restores full access.

FAQ