ARP: Address Resolution Protocol

The protocol that maps IP addresses to MAC addresses on local networks. Every device on an Ethernet LAN uses ARP to deliver packets to the right physical destination.

Type: Network Protocol
Layer: Layer 2/3 (Link/Network)
Standard: RFC 826 (1982)
Scope: Local Network (LAN)

What is ARP?

ARP (Address Resolution Protocol) resolves IPv4 addresses to MAC (hardware) addresses on local networks. Defined in RFC 826 in 1982, ARP is one of the oldest and most fundamental protocols still in daily use on virtually every Ethernet network in the world.

When a device wants to send a packet to another device on the same LAN, it knows the destination IP address but needs the corresponding MAC address to build the Ethernet frame. ARP provides this mapping. The sending device broadcasts a short request asking "Who has this IP address?" and the owner of that IP responds with its MAC address.

Without ARP, Ethernet communication would not work because switches forward frames based on MAC addresses, not IP addresses. ARP operates between Layer 2 (Data Link) and Layer 3 (Network) of the OSI model, serving as the bridge that connects IP-level addressing to the physical hardware addresses that Ethernet requires.

How ARP Resolution Works

ARP resolution follows a simple four-step process. First, the sending host checks its ARP cache (a local table of recently resolved IP-to-MAC mappings) to see if it already knows the MAC address for the destination IP. If an entry exists and has not expired, the host uses the cached MAC address and skips the remaining steps entirely.

If no matching entry is found, the host constructs an ARP Request packet and broadcasts it to all devices on the local network segment. The broadcast uses the destination MAC address FF:FF:FF:FF:FF:FF, which every device on the LAN will receive and process. The request contains the sender's own MAC and IP addresses along with the target IP address it needs to resolve.

Every device on the LAN receives the broadcast, but only the device that owns the requested IP address responds. That device sends a unicast ARP Reply directly back to the requester, containing its MAC address. The original host then stores this mapping in its ARP cache and uses the newly learned MAC address to send the original data packet.

Host A (192.168.1.1) | Switch / LAN (all devices on segment) | Host B (192.168.1.2)
1. ARP cache miss for 192.168.1.2
2. Broadcast: Who has 192.168.1.2? Dest MAC: FF:FF:FF:FF:FF:FF (other hosts ignore)
3. That is my IP. Sending reply.
4. Unicast Reply: 192.168.1.2 is at AA:BB:CC:DD:EE:FF
5. Cache updated. Packet sent.
ARP resolution flow: Host A broadcasts a request, Host B sends a unicast reply, and Host A caches the mapping.

ARP Packet Structure

An ARP packet is 28 bytes long (when used with Ethernet and IPv4) and is encapsulated directly inside an Ethernet frame with EtherType 0x0806. Unlike most network protocols, ARP does not use IP headers or UDP/TCP. It sits directly on top of the data link layer.

The packet begins with the Hardware Type field (2 bytes), which is 0x0001 for Ethernet. The Protocol Type field (2 bytes) indicates the network protocol being mapped, with 0x0800 for IPv4. Next come two length fields: Hardware Address Length (1 byte, value 6 for MAC addresses) and Protocol Address Length (1 byte, value 4 for IPv4 addresses). The Operation field (2 bytes) specifies whether this is a request (1) or a reply (2).

The remaining fields carry the actual addresses. The Sender Hardware Address (6 bytes) and Sender Protocol Address (4 bytes) identify the device that sent the ARP packet. The Target Hardware Address (6 bytes) is set to all zeros in ARP requests because the sender does not yet know it. The Target Protocol Address (4 bytes) contains the IP address being resolved.

ARP Packet Structure (28 bytes)
Hardware Type: 2 bytes (0x0001 = Ethernet)
Protocol Type: 2 bytes (0x0800 = IPv4)
HW Addr Len: 1 byte (6)
Proto Addr Len: 1 byte (4)
Operation: 2 bytes (1=Request, 2=Reply)
Sender Hardware Address (MAC): 6 bytes
Sender Protocol Address (IP): 4 bytes
Target Hardware Address (MAC): 6 bytes (all zeros in requests)
Target Protocol Address (IP): 4 bytes
ARP packet fields. The sender fields are filled by the requesting host, and the target hardware address is set to zeros in ARP requests.

ARP Request and Response Examples

Below are real ARP request and reply packets shown in hexadecimal. Each example includes the Ethernet header (destination MAC, source MAC, and EtherType) followed by the ARP payload. These are the raw bytes you would see in a packet capture tool like Wireshark.

ARP Request: Who has 192.168.1.2?

Host A (192.168.1.1, MAC 00:11:22:33:44:55) wants to find the MAC address of 192.168.1.2. It broadcasts an ARP request to the entire LAN.

ARP Request (Broadcast)

FF FF FF FF FF FF 00 11 22 33 44 55 08 06 00 01 08 00 06 04 00 01 00 11 22 33 44 55 C0 A8 01 01 00 00 00 00 00 00 C0 A8 01 02

Ethernet Header:

FF FF FF FF FF FF = Dest MAC (broadcast)
00 11 22 33 44 55 = Src MAC (Host A)
08 06 = EtherType (ARP)

ARP Payload:

00 01 = HW Type (Ethernet)
08 00 = Proto Type (IPv4)
06 = HW Addr Len (6)
04 = Proto Addr Len (4)
00 01 = Operation (Request)
00 11 22 33 44 55 = Sender MAC
C0 A8 01 01 = Sender IP (192.168.1.1)
00 00 00 00 00 00 = Target MAC (unknown)
C0 A8 01 02 = Target IP (192.168.1.2)

ARP Reply: 192.168.1.2 is at AA:BB:CC:DD:EE:FF

Host B (192.168.1.2, MAC AA:BB:CC:DD:EE:FF) recognizes its own IP in the request and sends a unicast reply directly to Host A.

ARP Reply (Unicast)

00 11 22 33 44 55 AA BB CC DD EE FF 08 06 00 01 08 00 06 04 00 02 AA BB CC DD EE FF C0 A8 01 02 00 11 22 33 44 55 C0 A8 01 01

Ethernet Header:

00 11 22 33 44 55 = Dest MAC (Host A)
AA BB CC DD EE FF = Src MAC (Host B)
08 06 = EtherType (ARP)

ARP Payload:

00 01 = HW Type (Ethernet)
08 00 = Proto Type (IPv4)
06 = HW Addr Len (6)
04 = Proto Addr Len (4)
00 02 = Operation (Reply)
AA BB CC DD EE FF = Sender MAC (Host B)
C0 A8 01 02 = Sender IP (192.168.1.2)
00 11 22 33 44 55 = Target MAC (Host A)
C0 A8 01 01 = Target IP (192.168.1.1)
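The two frames above can be decoded programmatically with the field layout from the packet structure section. The following Python parser is an added example, not code from the original page; the names parse_arp_frame and fmt_mac are hypothetical, and the comparison of the Ethernet source MAC with the ARP sender MAC is an added sanity check.

```python
import ipaddress
import struct

# Frames copied from the request and reply examples on this page.
REQUEST = ("FF FF FF FF FF FF 00 11 22 33 44 55 08 06 00 01 08 00 06 04 00 01 "
           "00 11 22 33 44 55 C0 A8 01 01 00 00 00 00 00 00 C0 A8 01 02")
REPLY = ("00 11 22 33 44 55 AA BB CC DD EE FF 08 06 00 01 08 00 06 04 00 02 "
         "AA BB CC DD EE FF C0 A8 01 02 00 11 22 33 44 55 C0 A8 01 01")
OPERATIONS = {1: "request", 2: "reply"}


def fmt_mac(raw):
    """Render six raw bytes as AA:BB:CC:DD:EE:FF."""
    return ":".join(f"{b:02X}" for b in raw)


def parse_arp_frame(hex_dump):
    """Decode an Ethernet frame carrying Ethernet/IPv4 ARP; raise ValueError otherwise."""
    frame = bytes.fromhex(hex_dump)  # fromhex() skips the spaces between bytes
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        raise ValueError("frame shorter than 42 bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError(f"EtherType 0x{ethertype:04X} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not ARP for Ethernet/IPv4")
    if op not in OPERATIONS:
        raise ValueError(f"unexpected operation {op}")
    return {
        "operation": OPERATIONS[op],
        "broadcast": dst == b"\xff" * 6,
        "sender_mac": fmt_mac(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": fmt_mac(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
        # Added sanity check: the Ethernet source should match the ARP sender MAC.
        "eth_src_matches_sender": src == sha,
    }


if __name__ == "__main__":
    for name, dump in (("request", REQUEST), ("reply", REPLY)):
        print(name, parse_arp_frame(dump))
```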

ARP Cache

Every operating system maintains an ARP cache (also called an ARP table) that stores recently resolved IP-to-MAC mappings. When a host needs to send a packet, it checks this cache first. If a valid entry exists, the host can send the frame immediately without generating any ARP traffic on the network.

ARP cache entries have a timeout, typically 15 to 20 minutes on most systems. When an entry expires, the device must send a new ARP request the next time it needs to communicate with that IP address. You can view the ARP cache on any system by running arp -a on Windows, macOS, or Linux. This command shows all current mappings along with their interface and whether the entry is static or dynamic.

Most entries in the ARP cache are dynamic, meaning they were learned through ARP request/reply exchanges and will eventually expire. Static entries are manually configured by an administrator and do not expire. Static entries are sometimes used for critical infrastructure like default gateways to prevent ARP spoofing attacks from redirecting traffic.

ARP Variants

Gratuitous ARP is an ARP packet where a device announces its own IP-to-MAC mapping without being asked. The sender and target IP addresses in the packet are the same. Devices send gratuitous ARP after an IP address change, during network failover events, and to detect IP address conflicts on the local network. If another device replies to a gratuitous ARP, it means a duplicate IP exists.

Proxy ARP is a technique where a router answers ARP requests on behalf of devices located on a different network. When a host sends an ARP request for an IP address that is not on the local subnet, the router responds with its own MAC address. This makes separate physical networks appear as a single LAN to the hosts. Proxy ARP is sometimes used to connect networks without reconfiguring IP settings on end devices.

Reverse ARP (RARP) is the opposite of ARP. It allows a device that knows its MAC address but not its IP address to request an IP from a RARP server. This was originally used by diskless workstations during boot. RARP has been replaced by BOOTP and later by DHCP, which provide much more functionality. Inverse ARP (InARP) is used in Frame Relay networks to map Data Link Connection Identifiers (DLCIs) to IP addresses, essentially resolving a Layer 2 address to a Layer 3 address.

ARP Security: ARP Spoofing and Mitigation

ARP has no built-in authentication mechanism. Any device on the local network can send ARP replies at any time, even without receiving a request. This means a malicious device can send false ARP replies claiming that its MAC address is associated with another device's IP address. This attack is called ARP spoofing (or ARP poisoning).

Attackers use ARP spoofing to perform man-in-the-middle attacks. By poisoning the ARP caches of two hosts, the attacker can intercept and inspect all traffic flowing between them. For example, an attacker could poison the ARP cache of a workstation and its default gateway, causing all internet-bound traffic from that workstation to pass through the attacker's machine first.

Several mitigations exist. Dynamic ARP Inspection (DAI) on managed switches validates ARP packets against a trusted database (typically the DHCP snooping binding table) and drops any ARP packets with invalid IP-to-MAC mappings. Static ARP entries for critical infrastructure like default gateways prevent cache poisoning for those specific addresses. ARP monitoring tools such as arpwatch can detect changes in IP-to-MAC mappings and alert administrators. Network segmentation with VLANs limits the broadcast domain and reduces the scope of potential ARP attacks.
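The monitoring and validation ideas above can be sketched as detection logic over observed ARP sender mappings. This Python code is an added example, not the implementation of arpwatch or of any switch's DAI feature; inspect_arp and the alert names are hypothetical, trusted_bindings stands in for a DHCP snooping binding table or static entries, and the observations are constructed.

```python
from collections import defaultdict

# Constructed observations: (seconds, ARP sender IP, ARP sender MAC). The first two
# mappings are the page's Host B and Host A; 02:00:00:00:00:99 is a made-up MAC.
OBSERVATIONS = [
    (0, "192.168.1.2", "AA:BB:CC:DD:EE:FF"),
    (5, "192.168.1.1", "00:11:22:33:44:55"),
    (60, "192.168.1.1", "02:00:00:00:00:99"),
    (61, "192.168.1.2", "02:00:00:00:00:99"),
]


def inspect_arp(observations, trusted_bindings=None):
    """Return (time, kind, ip, mac) alerts for suspicious ARP sender mappings."""
    trusted = {ip: m.upper() for ip, m in (trusted_bindings or {}).items()}
    learned = {}                   # last MAC seen per sender IP (monitoring state)
    ips_by_mac = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, sender_ip, sender_mac in observations:
        sender_mac = sender_mac.upper()
        ips_by_mac[sender_mac].add(sender_ip)
        # Alert once, when a MAC claims its second IP. A proxy ARP router does
        # this legitimately, so such devices need an allow-list in practice.
        if len(ips_by_mac[sender_mac]) == 2:
            alerts.append((ts, "mac-claims-multiple-ips", sender_ip, sender_mac))
        if sender_ip in trusted:
            # DAI-style check: a pinned IP must always map to its trusted MAC,
            # and nothing is learned from packets that claim it.
            if trusted[sender_ip] != sender_mac:
                alerts.append((ts, "binding-violation", sender_ip, sender_mac))
            continue
        previous = learned.setdefault(sender_ip, sender_mac)
        if previous != sender_mac:
            # Monitoring-style check: the IP moved to a different MAC.
            alerts.append((ts, "mapping-changed", sender_ip, sender_mac))
            learned[sender_ip] = sender_mac
    return alerts


if __name__ == "__main__":
    for alert in inspect_arp(OBSERVATIONS, {"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

A legitimate IP address change or failover also produces a mapping-changed alert, so alerts for unpinned addresses need correlation with DHCP or change records before they are treated as spoofing.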

ARP vs NDP (IPv6)

IPv4 uses ARP for address resolution, but IPv6 replaces ARP entirely with the Neighbor Discovery Protocol (NDP). NDP uses ICMPv6 messages (specifically Neighbor Solicitation and Neighbor Advertisement) instead of a separate protocol at the data link layer. This design is more secure because NDP can leverage IPsec for authentication, and it supports additional features like Stateless Address Autoconfiguration (SLAAC), router discovery, and duplicate address detection. As networks transition to IPv6, ARP will gradually be replaced by NDP.

Frequently Asked Questions About ARP

What happens if ARP fails?

If a device sends an ARP request and receives no reply, it cannot resolve the destination MAC address. The original packet will be dropped because the device cannot build a valid Ethernet frame without a destination MAC address. Most operating systems will retry the ARP request a few times before giving up. Applications will typically see this as a "host unreachable" or network timeout error.

Why does ARP use broadcast?

ARP uses broadcast because the sender does not know which device on the LAN owns the target IP address. Broadcasting ensures that every device on the network segment receives the request. Only the device with the matching IP address will respond. The reply is sent as unicast because the sender's MAC address is already included in the original request.

What is the difference between ARP and DNS?

ARP and DNS both resolve addresses, but they work at different layers and scales. ARP maps IP addresses to MAC addresses on the local network and operates at Layer 2/3. DNS maps domain names (like example.com) to IP addresses and operates at the application layer across the entire internet. ARP is limited to a single LAN segment, while DNS queries can traverse the global internet.

Can ARP work across different subnets?

No. ARP only works within a single broadcast domain (one LAN segment or VLAN). When a device needs to reach a host on a different subnet, it sends the packet to its default gateway (router) instead. The device uses ARP to resolve the gateway's MAC address, and the router then handles forwarding the packet to the destination subnet, where ARP resolution happens again for the final hop.

How do I clear the ARP cache?

On Windows, run arp -d * in an elevated command prompt. On macOS, use sudo arp -a -d. On Linux, run sudo ip neigh flush all or sudo arp -d <ip-address> to remove a specific entry. Clearing the ARP cache forces the system to re-resolve all MAC addresses on the next communication attempt, which can be useful for troubleshooting stale or incorrect mappings.

Related Protocols

  • ICMP: the Internet Control Message Protocol, used for diagnostics like ping and traceroute.
  • DHCP: the Dynamic Host Configuration Protocol, which automatically assigns IP addresses to devices on a network.
  • DNS: the Domain Name System, which resolves domain names to IP addresses.
  • NAT: Network Address Translation, which maps private IP addresses to public addresses for internet access.
  • TCP: the Transmission Control Protocol, which provides reliable, ordered data delivery over IP networks.