ARP (Address Resolution Protocol) is used to translate IP addresses into MAC addresses so devices on the same local network can actually send data to each other. Every time your computer communicates with another device on your network, it needs to know not just the device’s IP address but also its physical hardware address (called a MAC address). ARP is the behind-the-scenes protocol that makes that connection.
How ARP Works Step by Step
Your computer maintains a small cache of recent IP-to-MAC address mappings called an ARP table. When it needs to send data to another device, it checks this table first. If the mapping is already there, the data goes out immediately.
If the entry isn’t cached, your computer broadcasts an ARP request to every device on the local network. Think of it as shouting, “Whoever has IP address 192.168.1.10, tell me your MAC address.” Every device on the network segment hears this broadcast, but only the one with the matching IP address responds. That device sends a reply directly back (no broadcasting this time) with its MAC address. Your computer stores this mapping in its ARP table and wraps the data in a network frame addressed to that MAC address. From there, the data flows normally.
This entire exchange happens in milliseconds and is completely invisible to you. It occurs every time you load a webpage, print a document over your network, or stream a video from a local media server.
Why IP Addresses Aren’t Enough
Networks operate on two levels that need to work together. At the higher level, devices use IP addresses to identify each other across the internet and across networks. But at the physical level, the actual hardware that moves data along a cable or Wi-Fi signal uses MAC addresses, which are unique identifiers burned into each network card.
ARP sits right at the boundary between these two levels, running directly on the hardware layer rather than over IP itself. When you send a packet to a device on your local network, ARP translates the destination IP into the correct MAC address. When the destination is outside your network (like a website), ARP instead resolves your router’s MAC address so it can forward the packet onward. As a packet hops across routers on its way to a destination, the MAC address changes at every hop while the IP address stays the same throughout the journey.
The ARP Cache and Timeouts
Your device doesn’t send an ARP broadcast every single time it communicates. It stores results in a local ARP cache so repeated communications are fast. On Windows systems, a cached entry stays in a “reachable” state for somewhere between 15 and 45 seconds (the exact duration is randomized). After that window, the entry goes stale and will be refreshed the next time it’s needed. Other operating systems handle timing differently, but the principle is the same: entries are temporary and regularly cleared to account for devices joining, leaving, or changing addresses on the network.
You can view your own ARP cache by opening a command prompt or terminal and typing arp -a. You’ll see a list of IP addresses paired with MAC addresses for every device your computer has recently communicated with.
Variations of ARP
Standard ARP handles the most common scenario, but several specialized versions exist for different situations.
- Gratuitous ARP: A device broadcasts its own IP-to-MAC mapping without anyone asking. This is useful when a device’s IP address changes, because it tells every other device on the network to update their cached entries immediately rather than waiting for the old ones to expire.
- Proxy ARP: A router answers ARP requests on behalf of devices that are on a different network segment. This lets two separate physical networks share the same IP address range, with the router stepping in to relay traffic between them.
- Inverse ARP: Works in reverse, starting with a hardware address and discovering the IP address on the other end. This was designed for wide-area network technologies like Frame Relay, where a device knows the virtual circuit identifier for a connection but not the IP address of the remote station.
ARP Security Risks
ARP has a well-known vulnerability: it trusts every response it receives, even ones it never asked for. This “stateless” design means any device on the network can send a fake ARP reply claiming that a particular IP address belongs to its MAC address, and every other device will update its cache with that false information.
Attackers exploit this through a technique called ARP poisoning (or ARP spoofing). The attack works like this: the attacker sends forged ARP packets to the network, mapping a legitimate IP address (like the router’s) to the attacker’s own MAC address. Other devices cache this false mapping and start sending their traffic to the attacker instead of the real destination. The attacker can then read, modify, or forward that traffic without anyone noticing. This is one of the most common methods for executing man-in-the-middle attacks on local networks.
Defending Against ARP Attacks
Network switches from companies like Cisco offer a feature called Dynamic ARP Inspection (DAI) that specifically counters ARP poisoning. The switch intercepts all ARP packets on untrusted ports and checks them against a database of known valid IP-to-MAC bindings, typically built from DHCP assignment records. Any ARP packet with a mismatched binding gets logged and dropped before it can reach other devices. In networks that don’t use DHCP, administrators can set up manual access control lists that define which IP-to-MAC pairings are legitimate.
On the endpoint side, some security tools and operating systems can lock ARP entries for critical addresses (like the default gateway) to prevent them from being overwritten by spoofed responses.
ARP in IPv6 Networks
ARP only works with IPv4. In IPv6 networks, its role is handled by Neighbor Discovery Protocol (NDP), which combines the functions of ARP with several other IPv4-era protocols, including router discovery and redirect messaging. NDP improves on ARP in one notable way: it can detect when a link to a neighbor has gone down on one side (a “half-link failure”), something ARP has no mechanism for. As IPv6 adoption grows, NDP gradually takes over the address resolution job that ARP has handled since the 1980s, though ARP remains essential on the vast number of networks still running IPv4.