The Address Resolution Protocol (ARP) is a fundamental mechanism used on IPv4 networks to discover the link-layer (hardware) address that corresponds to a given IP address. ARP operates at the boundary between the Internet layer and the link layer: when a device needs to send an IPv4 packet to an address on the same local network, it must first obtain the recipient's hardware (MAC) address. ARP performs that translation by broadcasting a request and receiving a direct reply from the owner of the queried IP.

How ARP works

When a system needs the MAC address for an IPv4 address and does not already have it cached, it emits an ARP request as a link-layer broadcast. The request names the target IP and indicates the sender's IP and MAC. Every device on the local segment sees the request, but only the host whose IP matches replies with an ARP reply containing its MAC address. The requester then records the mapping in its ARP cache so subsequent frames can be addressed directly.

Packet structure and key elements

  • Hardware and protocol identifiers: specify the link-layer type and the upper-layer protocol (typically Ethernet and IPv4).
  • Address sizes: indicate the length in bytes of hardware and protocol addresses.
  • Operation code: identifies whether the packet is a request or a reply.
  • Sender and target addresses: include both the MAC and IP of the sender and the IP of the intended recipient (target MAC is filled in the reply).

ARP was designed as part of the early TCP/IP suite to support address translation on local networks. Historically there was also Reverse ARP (RARP), which allowed a diskless host to learn its IPv4 address by broadcasting its hardware address and receiving an IP in reply. RARP has been rendered largely obsolete by more capable boot and configuration protocols such as BOOTP and DHCP. For IPv6, ARP was replaced by the Neighbor Discovery Protocol, which integrates address resolution with other neighbor management functions.

Uses, variations, and examples

Beyond basic requests and replies, several behaviors and variations are common in operational networks: caching of address mappings to avoid excessive broadcasts; gratuitous ARP, where a host announces its own IP-to-MAC mapping (often used for duplicate-address detection or to update peer caches); and proxy ARP, where a router answers on behalf of another machine to make networks appear contiguous. Common tools and commands on hosts let administrators view and manipulate the ARP cache for troubleshooting.

Limitations and security considerations

ARP is a simple, unauthenticated protocol and is therefore vulnerable to spoofing or poisoning attacks in which a malicious host sends forged ARP replies to associate its MAC with another IP. Such attacks can enable traffic interception or denial of service on local networks. Network designs and defenses — for example, static ARP entries for critical devices, dynamic ARP inspection, segmentation, and secure switch features — are used to mitigate these risks. Also, ARP only works within a single broadcast domain; routers do not forward ARP broadcasts between networks.
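The packet fields listed under "Packet structure and key elements" and the forged-reply risk described above can be tied together in a small passive check. This is an added example, not part of the original article: it parses Ethernet/IPv4 ARP payloads and reports any IP whose advertised MAC changes. The function names, the sample addresses (documentation IPs, locally administered MACs) and the change-detection heuristic are assumptions made for illustration.

```python
import struct
from collections import namedtuple

# sha/spa = sender hardware/protocol address, tha/tpa = target equivalents.
Arp = namedtuple("Arp", "oper sha spa tha tpa")
REQUEST, REPLY = 1, 2

def parse_arp(payload):
    """Parse the 28-byte ARP payload used for IPv4 over Ethernet."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    # Identifiers and address sizes must describe Ethernet (1) and IPv4 (0x0800).
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def find_conflicts(payloads):
    """Return (ip, previous_mac, new_mac) each time a sender IP changes MAC."""
    seen, alerts = {}, []
    for raw in payloads:
        try:
            pkt = parse_arp(raw)
        except ValueError:
            continue  # skip malformed or non-IPv4 ARP
        if pkt.spa == "0.0.0.0":
            continue  # address probe: carries no sender mapping
        previous = seen.get(pkt.spa)
        if previous is not None and previous != pkt.sha:
            alerts.append((pkt.spa, previous, pkt.sha))
        seen[pkt.spa] = pkt.sha
    return alerts

def sample_payload(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload in memory for the demonstration."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed sample traffic: a request, the genuine reply, then a conflicting reply.
GW, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE = [
    sample_payload(REQUEST, HOST, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    sample_payload(REPLY, GW, "192.0.2.1", HOST, "192.0.2.10"),
    sample_payload(REPLY, OTHER, "192.0.2.1", HOST, "192.0.2.10"),
]
```

A mapping change is a signal to investigate rather than proof of poisoning: address reassignment or a failover that announces itself with gratuitous ARP produces the same pattern.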