ARP (Address Resolution Protocol)
What it is (Definition)
ARP, the Address Resolution Protocol, is the mechanism that maps an IPv4 address to a link-layer (MAC) address on a local network. When a host wants to send an IPv4 packet to a next hop on the same LAN, it needs a destination MAC address to build the Ethernet frame. ARP answers the question: “Which MAC owns this IPv4 address right now?”
In most everyday captures, ARP appears as short request/reply exchanges that happen before “real” traffic begins. It is easy to ignore—until it breaks. If ARP resolution fails, higher-layer protocols (TCP, UDP, DNS, HTTP) may look “down” even though the link is physically connected, because the host cannot build frames to reach its gateway or neighbor.
Where it sits in the stack (Layer & usage)
ARP is best understood as a bridging function between L3 addressing (IPv4) and L2 delivery (Ethernet). It operates only within the local broadcast domain and is not routed across subnets.
- Below: Ethernet II framing (ARP is carried in Ethernet with EtherType 0x0806).
- Above: IPv4 forwarding decisions (who is the next hop?) and normal application traffic that depends on reachability.
- Where used: LANs with IPv4, home/enterprise networks, data centers, virtualization bridges, and any place hosts share a subnet.
A key practical point: when a host needs to reach a destination outside its subnet, it does not ARP for the remote host. It ARPs for the default gateway’s MAC address and then sends packets to the gateway at L2 while keeping the remote IP as the L3 destination.
Header overview (Fields at a glance)
ARP messages are small and structured. They identify the link-layer type and protocol type, then include sender and target addresses. In normal use you see two main operations: ARP request (“who has X?”) and ARP reply (“X is at Y”).
| Field | Size | Purpose | Common values / notes |
|---|---|---|---|
| Hardware type | 2 bytes | Link-layer type | Typically Ethernet |
| Protocol type | 2 bytes | Network-layer protocol | Typically IPv4 (0x0800) |
| Operation | 2 bytes | Request vs reply | Request (“who-has”), Reply (“is-at”) — exact values in Fields (Soon) |
| Sender MAC / Sender IP | 6 bytes / 4 bytes | Who is asking / answering | Used to populate ARP caches on listeners |
| Target MAC / Target IP | 6 bytes / 4 bytes | Who the message is about | Target MAC may be empty in requests |
How it works (Typical flow)
- A host decides the next hop for an IPv4 destination (neighbor on the subnet, or the default gateway).
- If the next hop MAC is not in the ARP cache, the host sends an ARP request as a broadcast on the LAN.
- All hosts receive the request; the owner of the target IPv4 address replies with its MAC address.
- The sender stores the mapping in its ARP cache for a limited time and immediately sends the intended traffic.
- Devices may refresh or update mappings over time; changes can occur during failover, VM migration, or readdressing.
- Broadcast request: One-to-many discovery inside the LAN.
- Unicast reply: Direct response containing the mapping.
- Cache behavior: Short-lived mappings reduce ARP chatter but require refresh on change.
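The header layout in the table above and the request/reply flow just described, as an added worked example (not code from the original page): a small builder and parser for ARP-over-Ethernet that serializes the 28-byte Ethernet/IPv4 ARP body, wraps it in an Ethernet frame with EtherType 0x0806 (padding short frames to the 60-byte minimum, as a switch or NIC would), parses it back with length and type checks, and renders the Wireshark-style one-line summary. All MAC and IP addresses are constructed sample values; the operation codes 1 (request) and 2 (reply) are the standard ARP values.

```python
"""Build and parse ARP-over-Ethernet frames (added example, not page code)."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806    # EtherType that carries ARP
HTYPE_ETHERNET = 1        # hardware type: Ethernet
PTYPE_IPV4 = 0x0800       # protocol type: IPv4
OP_REQUEST = 1            # "who-has"
OP_REPLY = 2              # "is-at"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MIN_FRAME_LEN = 60        # minimum Ethernet frame length excluding the FCS


@dataclass
class ArpPacket:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialize the 28-byte ARP body for Ethernet/IPv4 (hlen=6, plen=4)."""
    header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper)
    return (header + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def build_frame(dst_mac: str, src_mac: str, arp_body: bytes) -> bytes:
    """Wrap an ARP body in an Ethernet II header and pad to the minimum length."""
    frame = (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
             + struct.pack("!H", ETHERTYPE_ARP) + arp_body)
    return frame.ljust(MIN_FRAME_LEN, b"\x00")


def parse_arp(body: bytes) -> ArpPacket:
    """Parse an ARP body; trailing Ethernet padding after the 28 bytes is ignored."""
    if len(body) < 8:
        raise ValueError("ARP body shorter than the fixed header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if oper not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unsupported ARP operation {oper}")
    if len(body) < 8 + 2 * (hlen + plen):
        raise ValueError("truncated ARP body")
    sha = bytes_to_mac(body[8:14])
    spa = bytes_to_ip(body[14:18])
    tha = bytes_to_mac(body[18:24])
    tpa = bytes_to_ip(body[24:28])
    return ArpPacket(oper, sha, spa, tha, tpa)


def parse_frame(frame: bytes) -> ArpPacket:
    """Check the EtherType, then hand the payload to parse_arp."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    return parse_arp(frame[14:])


def describe(pkt: ArpPacket) -> str:
    """Wireshark-style one-line summary of a request or reply."""
    if pkt.oper == OP_REQUEST:
        return f"Who has {pkt.target_ip}? Tell {pkt.sender_ip}"
    return f"{pkt.sender_ip} is at {pkt.sender_mac}"


def example_exchange() -> tuple:
    """Constructed sample: host .20 asks for the gateway .1, which answers by unicast."""
    host_mac, gw_mac = "aa:bb:cc:00:00:20", "aa:bb:cc:dd:ee:ff"
    request = build_frame(BROADCAST_MAC, host_mac, build_arp(
        OP_REQUEST, host_mac, "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"))
    reply = build_frame(host_mac, gw_mac, build_arp(
        OP_REPLY, gw_mac, "192.168.1.1", host_mac, "192.168.1.20"))
    return request, reply


if __name__ == "__main__":
    for frame in example_exchange():
        print(len(frame), "bytes:", describe(parse_frame(frame)))
```

Note that the request is sent to the broadcast MAC with an all-zero target MAC, while the reply goes back by unicast to the requester; a parser that ignores the padding check will misread frames shorter than 60 bytes that a capture tool has already padded.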
How it looks in Wireshark
Display filter example: `arp`
- Requests often read like: “Who has 192.168.1.1? Tell 192.168.1.20” (wording varies by Wireshark version).
- Replies often read like: “192.168.1.1 is at aa:bb:cc:dd:ee:ff”.
- You commonly see ARP bursts at the start of a connection, after sleep/wake, or during topology changes.
Quick read tip: If traffic to “the internet” fails, check whether the host can ARP the default gateway. No gateway MAC mapping usually means everything above L2 will look broken.
Common issues & troubleshooting hints
ARP resolution fails (incomplete entries)
- Symptom
- Connections to local peers or the default gateway time out, and you see repeated ARP requests without receiving a reply. Higher-layer errors may look like “host unreachable,” “no route,” or application timeouts despite the interface being up.
- Likely cause
- The target host is down, on a different VLAN/subnet, behind a misconfigured switch port, or blocked by filtering. In virtualized environments, incorrect port-group/VLAN tagging can make the ARP broadcast never reach the actual owner.
- How to confirm
- Capture on the sender and look for repeated ARP requests for the same target IP with no corresponding reply. If possible, capture near the expected responder to verify whether the request arrives there.
Duplicate IP address (ARP conflict)
- Symptom
- Connectivity to a host is intermittent, with sessions switching between two devices or failing unpredictably. You may see ARP replies for the same IP coming from different MAC addresses over short periods.
- Likely cause
- Two devices are configured with the same IPv4 address, or an address was reused without clearing old state. Failover systems can also temporarily present different MACs for the same IP during transitions.
- How to confirm
- In the capture, compare ARP “is-at” replies for the conflicting IP and see whether multiple source MAC addresses appear. Switch logs or ARP tables can also reveal the IP-to-MAC mapping changing repeatedly.
ARP spoofing / poisoning
- Symptom
- Traffic is redirected through an unexpected device, or users report certificate warnings, strange latency, or intermittent drops. Captures may show frequent unsolicited ARP replies that “update” mappings even when no request was observed.
- Likely cause
- A malicious or misbehaving host is sending forged ARP replies to claim ownership of another IP address (often the gateway), enabling man-in-the-middle interception or disruption.
- How to confirm
- Look for ARP replies that associate the gateway IP with an unusual MAC address, or rapid changes in the gateway mapping. Correlate with sudden path changes, duplicated traffic, or unexpected MAC vendor OUIs.
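The three "How to confirm" steps above (repeated requests with no reply, the same IP answered from several MACs, and unsolicited replies that change the gateway mapping) can be automated over a list of ARP events pulled from a capture. The following is an added example, not code from the original page: it replays a constructed event list and emits findings of kind `unanswered`, `conflict` (a reply that changes a mapping shortly after a request, consistent with a duplicate IP) and `unsolicited-change` (a mapping change with no recent request, the pattern the spoofing section describes). The timestamps, addresses, the 2-second reply window and the threshold of three unanswered requests are all constructed assumptions; a production tool would also learn mappings from request sender fields and check the sender's MAC against the Ethernet source address.

```python
"""Heuristic ARP anomaly checks over parsed events (added example, not page code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    t: float          # capture timestamp in seconds
    op: str           # "request" or "reply"
    sender_mac: str   # MAC in the ARP sender field
    sender_ip: str    # IP in the ARP sender field
    target_ip: str    # IP in the ARP target field


@dataclass(frozen=True)
class Finding:
    kind: str         # "unanswered", "conflict" or "unsolicited-change"
    ip: str
    detail: str


def analyze(events, gateway_ip=None, reply_window=2.0, unanswered_threshold=3):
    """Walk the events in time order and return a list of Finding objects."""
    findings = []
    last_request = {}                 # target IP -> time of the most recent request
    unanswered = defaultdict(int)     # target IP -> consecutive requests with no reply
    mapping = {}                      # IP -> MAC learned from "is-at" replies
    for ev in sorted(events, key=lambda e: e.t):
        if ev.op == "request":
            last_request[ev.target_ip] = ev.t
            unanswered[ev.target_ip] += 1
        elif ev.op == "reply":
            ip, mac = ev.sender_ip, ev.sender_mac
            unanswered[ip] = 0        # any reply clears the outstanding requests
            asked = last_request.get(ip)
            solicited = asked is not None and 0 <= ev.t - asked <= reply_window
            old = mapping.get(ip)
            if old is not None and old != mac:
                # A changed mapping is the key signal; whether a request preceded it
                # separates a likely duplicate IP from an unsolicited "update".
                kind = "conflict" if solicited else "unsolicited-change"
                tag = " (default gateway)" if ip == gateway_ip else ""
                findings.append(Finding(kind, ip, f"{ip} moved from {old} to {mac}{tag}"))
            mapping[ip] = mac         # a real cache would accept the new value too
    for ip, n in unanswered.items():
        if n >= unanswered_threshold:
            findings.append(Finding("unanswered", ip, f"{n} requests for {ip} with no reply"))
    return findings


# Constructed sample capture: a normal gateway lookup, a host that never answers,
# an IP answered by two different MACs, and a gratuitous "update" for the gateway.
SAMPLE_EVENTS = [
    ArpEvent(0.00, "request", "aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.1"),
    ArpEvent(0.01, "reply", "aa:bb:cc:dd:ee:ff", "192.168.1.1", "192.168.1.20"),
    ArpEvent(5.00, "request", "aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.50"),
    ArpEvent(6.00, "request", "aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.50"),
    ArpEvent(7.00, "request", "aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.50"),
    ArpEvent(10.00, "request", "aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.30"),
    ArpEvent(10.01, "reply", "11:11:11:11:11:11", "192.168.1.30", "192.168.1.20"),
    ArpEvent(20.00, "request", "aa:bb:cc:00:00:20", "192.168.1.20", "192.168.1.30"),
    ArpEvent(20.02, "reply", "22:22:22:22:22:22", "192.168.1.30", "192.168.1.20"),
    ArpEvent(30.00, "reply", "de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.20"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, gateway_ip="192.168.1.1"):
        print(f"[{f.kind}] {f.detail}")
```

Gratuitous ARP from a host that has just come up is also unsolicited, so the check only raises a finding when an existing mapping changes; a flip on the gateway IP is the case worth paging on, the others are usually duplicate addresses or failover transitions to confirm against switch ARP tables.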
Security notes (if relevant)
ARP has no authentication; any host on the LAN can claim “I am X” by sending ARP replies. Most networks rely on design and switch controls to reduce risk: segmentation (VLANs), port security, dynamic ARP inspection, and 802.1X. Higher-layer protections like TLS help even if ARP is attacked, but ARP spoofing can still cause outage or forced proxies.
Related pages (internal links)
- Key fields (ARP operation, Sender/Target fields — Soon)
- Related topics (ARP troubleshooting flow, ARP spoofing detection — Soon)