Networking › Module 6 › Lesson 2
ARP — Finding Neighbors on a LAN
How devices map IP addresses to MAC addresses on a local network
Opening
Who is 192.168.1.10 on this cable?
Your laptop knows it needs IP 192.168.1.10, but Ethernet frames need a MAC. ARP (Address Resolution Protocol) answers that question on IPv4 LANs. When ARP is wrong—or poisoned—traffic can go to the wrong device. Defenders watch ARP closely.
1. When ARP Is Used
ARP runs only on the local link (same broadcast domain). You use it when: • Sending to another host on your subnet (neighbor). • Sending to the default gateway (first hop toward the internet). You do not ARP a public IP across the internet—your host ARPs the gateway, and routers use their own next-hop mappings farther along.
2. ARP Request and Reply
1. Host A needs Host B's MAC. It broadcasts an ARP request: "Who has 192.168.1.10? Tell 192.168.1.5." 2. Host B (if present) unicasts an ARP reply with its MAC. 3. Host A caches the mapping and builds the Ethernet frame. The request is a Layer 2 broadcast—every station on the LAN hears it; only the owner should reply.
3. The ARP Cache
Purpose
Avoid flooding the LAN with ARP for every packet—store IP→MAC for a short time.
View it
Linux: ip neigh show or arp -a. Windows: arp -a. Incomplete entries may mean no reply yet.
Stale entries
If a device changes MAC or goes offline, old cache entries can cause brief failures until refreshed.
4. ARP Spoofing Awareness (Defensive)
ARP has no built-in authentication. An attacker on the LAN can send forged ARP replies and convince victims that the attacker's MAC is the gateway (or another host)—classic man-in-the-middle on the local link. Defenses (awareness only here): static ARP for critical hosts, Dynamic ARP Inspection on managed switches, monitoring for duplicate or flapping MAC/IP pairs, and segmenting untrusted devices. Never practice spoofing on networks you do not own.
Knowledge Check
ARP's main job on a LAN is to:
Multiple choice
Knowledge Check
An ARP request is typically sent as a:
Multiple choice
Knowledge Check
True or False: ARP spoofing can redirect LAN traffic because ARP replies are not strongly authenticated.
True or False