惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

MyScale Blog
MyScale Blog
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
N
News and Events Feed by Topic
Recent Announcements
Recent Announcements
D
Docker
M
MIT News - Artificial intelligence
L
LangChain Blog
I
InfoQ
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Proofpoint News Feed
博客园_首页
MongoDB | Blog
MongoDB | Blog
美团技术团队
S
Schneier on Security
G
GRAHAM CLULEY
月光博客
月光博客
有赞技术团队
有赞技术团队
Vercel News
Vercel News
Scott Helme
Scott Helme
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Recorded Future
Recorded Future
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Cloudflare Blog
Attack and Defense Labs
Attack and Defense Labs
Google Online Security Blog
Google Online Security Blog
Simon Willison's Weblog
Simon Willison's Weblog
量子位
S
Security @ Cisco Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
Visual Studio Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
NISL@THU
NISL@THU
N
Netflix TechBlog - Medium
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Spread Privacy
Spread Privacy
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
小众软件
小众软件
罗磊的独立博客
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threatpost
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security Affairs
Cloudbric
Cloudbric
爱范儿
爱范儿
H
Heimdal Security Blog
PCI Perspectives
PCI Perspectives

Comparitech

How to watch McGregor vs Holloway 2 (UFC 329) from anywhere Medical billing firm MCBS warns 300,000+ patients of data breach - Comparitech Ransomware Roundup: H1 2026 stats on attacks, ransoms, and active gangs - Comparitech Colorado Health Network warns 68,000+ people of data breach that leaked SSNs, credit cards, and medical records - Comparitech Middletown, OH warns 123,000+ people of data breach that leaked SSNs, financial and medical info - Comparitech DeGoogling your life: What is it and how do you do it? How to opt out of Meta AI data collection - Comparitech Is CurseForge safe? Common risks and how to mod safely - Comparitech Cybercriminals say they hacked New South Wales Rural Fire Service - Comparitech Grandview School District warns 9,000+ people of data breach 21 months later - Comparitech Which industry & country has the worst email security? An analysis of 5,800+ domains for SPF, DMARC, DKIM & MTA-STS protocols - Comparitech Kootenai County, ID warns residents of government data breach that leaked personal info - Comparitech What is Kik? Is it safe for kids? - Comparitech Cybercriminals say they hacked Reynella East College - Comparitech Are UK council websites adhering to government security guidelines? - Comparitech Bellflower Unified Schools warns students of data breach that leaked SSNs - Comparitech What are location services and how do they work? - Comparitech How to bypass Xbox age verification - Comparitech What is a Minecraft dedicated IP? Do you need one? The best Discord alternatives in 2026 - Comparitech How to watch UFC Freedom 250: Stream UFC White House online Taos Mountain Casino warns of data breach that leaked SSNs Cybercriminals give Delano Public Schools two weeks to pay ransom How to fix ‘Your connection is not private’ in Chrome Plaza Home Mortgage warns 138,000 people of data breach that leaked SSNs How to watch the NBA Finals live online from anywhere Cybercriminals take credit for Singing River Health System data breach How Spammers Are Hiding Behind Google and the New York Times Ransomware roundup: May 2026 Iowa hospital warns 24,000+ people of data breach that leaked SSNs, medical and financial info 80K+ people notified of data breach at Louisiana university that leaked SSNs & bank info Finance firm IMA warns 525,000+ people of data breach Auto lender IAC warns 79,000+ people of data breach that leaked SSNs Sandstone, MN says SSNs and financial info compromised in ransomware data breach Las mejores herramientas de gestión de Active Directory Die besten Active-Directory-Management-Tools I Migliori Strumenti di Gestione di Active Directory Las mejores herramientas de gestión de logs Die besten Log-Management-Tools I migliori strumenti di log management Watching You, Funded by You: Number of CCTV Cameras by UK Council & Police Force Las mejores herramientas SIEM para alertas de seguridad automatizadas Die besten SIEM-Tools für automatisierte Sicherheitswarnungen I migliori strumenti SIEM per gli avvisi di sicurezza automatizzati Software maker warns 200,000 Frost Bank customers in Texas of data breach Oregon employment firm notifies 142,000+ people of two data breaches claimed by ransomware gangs Cybercriminals say they hacked Harrison County, WV commission, demand ransom Cybercriminals say they breached AdvancedHealth, Tennessee clinic confirms Fluke Corp notifies 18,000+ people of data breach that leaked SSNs What is Token-Based Authentication? Tokens Explained Western Orthopaedics warns 113,000+ people of data breach that leaked SSNs, credit cards, and medical info What is symmetric encryption? Crunchyroll VPN not working? Fix buffering, errors & region blocks American Lending Center notifies 123,000+ people of data breach that leaked SSNs How to watch Oleksandr Usyk vs Rico Verhoeven online Cybercriminals say they hacked CarePoint Health, stole data Ransomware gang claims attack and data theft from UK city school Horizon Media reports data breach of SSNs, cybercriminals take credit Claude VPNs (and how to use Claude safely) What is GhostPairing on WhatsApp? What is a prompt injection attack? Where do leaked passwords end up? A statistical analysis of the dark web’s credential pipeline Ransomware roundup: April 2026 Suffolk, VA warns 157,000+ people of data breach that leaked SSNs, finances How to watch UFC 328 (Chimaev vs Strickland) from anywhere Cybercriminals say they hacked Winona County, MN (again) Keeper vs 1Password: Which password manager is best in 2026? What is F-Droid? Is it safe? Proton VPN Secure Core: What is it, and should you use it? What is an agentic browser? Features and how to use them safely Sandhills Medical Foundation warns patients of data breach Cybercriminals say they hacked Massachusetts Development Finance Agency, its second breach in 2 years STELIA Aerospace confirms cyber attack on North American systems. $2.07 million ransom issued Debt collector Rodenburg Law Firm warns 81,307 people of data breach Healthcare ransomware roundup: Q1 2026 stats on attacks, ransoms, and data breaches How to block ads on Paramount Plus A complete guide to smart speaker privacy What is the Great Firewall of China Cybercriminals say they hacked Rusk County, WI What is a decentralized VPN? Do you need a dVPN? Southern Illinois Dermatology warns patients of data breach that leaked SSNs 92,000 people notified of data breach following cyber attack at Puerto Rican hospital Cybercriminals say they hacked Minidoka Memorial Hospital, demand ransom What is sensitive data? Types and how to protect yourself Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace What is a passphrase? Are they safer than passwords? Phoenix Art Museum warns of data breach that leaked SSNs Mozilla VPN vs NordVPN – VPN Comparison Guide Cookeville Regional Medical Center warns 338,000 people of data breach Antimalware vs Antivirus: What’s the difference? What is URL phishing? Examples and how to stay safe How to use a VPN in Bhutan (and the best options) Cybercriminals give Brockton, MA hospital one week to pay ransom after hack Is Truth Social safe? Everything you need to know What is cyberwarfare? Medical implant maker TriMed warns 80,000+ people of data breach Ransomware roundup: Q1 2026 Heart South Cardiovascular Group warns 46,000+ people of data breach Cybercriminals say they hacked Community College of Beaver County Critical Infrastructure at Risk: 179 ICS Devices Exposed Online
What is ARP? ARP protocol explained
Ray Walsh · 2026-05-14 · via Comparitech

What is ARP? ARP protocol explained

When data moves across a Local Area Network (LAN), the network needs a way to deliver it to the correct device. ARP is what makes this possible.

Address Resolution Protocol (ARP) maps an IP address to a device’s MAC address, allowing data to be delivered to the right hardware on the local network. At the data link layer, devices only recognize MAC addresses, which is why ARP is needed to link them together. It translates between the Network Layer (Layer 3) and the Data Link Layer (Layer 2) in the OSI Model, ensuring that devices on the same network can communicate with each other.

In simple terms, ARP acts as the bridge that allows devices on an IPv4 network to find and communicate with one another. ARP does this by broadcasting an ARP request. This message is sent across the network to ask: “Who has this IP address?”

When a device responds with an ARP reply, the result is stored in an ARP cache (or ARP table), allowing the network to deliver data between those devices more quickly from then on.

Keep reading to learn what ARP is in more detail, how ARP works, and why it is an essential part of the network stack.

What is ARP (Address Resolution Protocol)?

ARP is a translation protocol that allows a network to connect two different types of addresses. This ensures that data sent across a network, or internally between devices on the same network, reaches the correct device.

The important thing to remember is that while the internet and routers use public and private IP addresses to route traffic, Local Area Networks still need to convert IP address data into a Media Access Control address (MAC).

This can feel confusing when you first start learning about networking, because the private IP address feels like it should be enough for the router to send traffic back to individual devices on the network.

The reality is that Ethernet and wifi don’t deliver data using IP addresses. Instead, they rely on ARP to map an IP address to a MAC address so the data can be delivered correctly on the local network.

A MAC address is unique to the Network Interface Card (NIC) on a connected device. Every device on a network has a NIC, including laptops, desktop computers, tablets, smartphones, and smart home or IoT devices. This individuality is why the MAC is used to identify devices within a LAN.

Key takeaway: At the physical level (the Data Link Layer), devices only recognize each other by their MAC addresses. This is why the private IP address alone is not enough to deliver data between devices.

How does ARP work? Address Resolution Protocol explained

When a device (such as a router, computer, or smartphone) wants to send data to another device on the same network, this is what happens:

  1. Device checks the ARP cache (aka ARP table). This table stores known relationships between IP addresses and MAC addresses. The cache helps speed up communication on a LAN and is maintained by each device on the network.
  2. ARP request. If the IP address is not in the ARP table, the device broadcasts a message to all devices on the network: “Who has the IP address 192.168.1.X?”
  3. MAC address response. Every device on the LAN receives the broadcast. The device that owns that IP address responds with its MAC address. All other devices ignore the request.
  4. Mapping is stored. When the ARP reply arrives, the originating device stores the IP-to-MAC mapping in its ARP cache.

From this point on, the device knows where to send data on the LAN without repeating the process. ARP is used again only when the entry expires, is cleared, or a new device appears on the network.

What information does an ARP message contain?

For ARP to successfully map an IP address to a MAC address, it includes a specific set of fields. I have included each of the fields in an ARP message below:

ARP FieldWhat it means
Hardware typeIdentifies the type of network technology being used (such as Ethernet). This ensures devices interpret the MAC address format correctly.
Protocol typeSpecifies the network protocol tied to the address, most commonly IPv4 in standard ARP operations.
Hardware lengthIndicates the size (in bytes) of the MAC address used in the message.
Protocol lengthDefines the length of the IP address included in the ARP packet.
Operation (opcode)Shows whether the message is an ARP request (asking for a MAC address) or an ARP reply (providing one).
Sender hardware addressThe MAC address of the device sending the ARP message.
Sender protocol addressThe IP address of the device that initiated the ARP request or reply.
Target hardware addressThe MAC address of the destination device. In an ARP request, this field is empty because the sender is trying to discover it.
Target protocol addressThe IP address of the device being queried. This tells the network which device should respond.

What is an ARP Cache Timeout?

Once an ARP message has linked an IP address to a MAC address, each device stores that information in its ARP cache. This speeds up communication between devices on the network.

However, the ARP table doesn’t store this information indefinitely. Each IP-to-MAC mapping will eventually expire. This is known as an ARP cache timeout.

When this happens, ARP must be used again to broadcast a new ARP request to the network, allowing the process to start over.

Why does the ARP cache timeout so quickly?

An ARP table is constantly being updated, which means that ARP messages are being sent more often than you might realize. The primary reason for this is that networks are dynamic. Devices can join or leave, and IP-to-MAC mappings can change over time.

To ensure that data is always delivered to the correct hardware within a LAN, entries in the ARP cache expire and are removed after a few minutes if they are not used. In other words, the cache only keeps mappings between devices that have recently communicated with each other.

If devices stop communicating for a period of time (usually just a few minutes), the mapping is cleared. This ensures that a new ARP request is sent when communication resumes, allowing the network to maintain an up-to-date, accurate mapping between devices.

Can ARP broadcast across the Internet?

No. ARP is a protocol that works locally within a LAN. Routers use IP addresses to route data across the Internet. These addresses allow data to be sent between networks.

ARP is only needed for the final step, where an IP address must be mapped to a MAC address on the local network (the link between Layer 3 and Layer 2 in the OSI Model). As a result, ARP is never involved in sending data between different networks.

What are the different types of ARP? Why do they differ?

Standard ARP only works when a device knows the IP address it is looking for, and the target is on the same subnet. In the real world, networks are not all identical, and different network architectures may require variations of ARP or closely related protocols.

For example, larger organizations often split their networks into multiple subnets, which means a device may not be able to discover the MAC address of the destination directly. In these cases, ARP is used to resolve the router’s MAC address instead, and the router forwards the data to the destination IP.

In some cases, devices may also need to check for address conflicts, announce their presence, or discover missing information. These situations require different approaches to address resolution, which is where variations of ARP come in.

Proxy ARP

Proxy ARP is a version of ARP that allows a router to act on behalf of another device.

When a device sends an ARP request for an IP address that is not actually on the local network, Proxy ARP enables the router to respond with its own MAC address instead. This makes it appear as though the devices are on the same subnet, even though the traffic is actually being handled by the router.

This approach lets devices communicate across a larger network, even if they are technically located on different subnets of the same network.

Gratuitous ARP

Gratuitous ARP is a version of the protocol that sends ARP messages without being asked. In this case, a device broadcasts its IP-to-MAC mapping to the entire network.

This helps detect IP conflicts and ensures that other devices update their ARP cache with the correct information, allowing communication across the network to remain efficient.

Reverse ARP (RARP)

Reverse ARP (RARP) is an older ARP variant that was used in situations where a device knew its MAC address but did not know its own IP address. It sends a RARP request to a dedicated server, which responds with the correct IP address.

This protocol is now largely obsolete and only used in a few legacy systems. It was originally designed for devices that could not store their own network settings and needed a server to assign an IP address. In modern networks, DHCP performs this role automatically when devices connect.

Inverse ARP (InARP)

Inverse ARP (InARP) is similar to RARP, but is used to request another device’s IP address. It is used in specialized network environments where a device already has a connection to another device but does not know the other device’s IP address.

What are the security risks of ARP?

The primary risk of ARP is that it lacks built-in authentication. This means that malicious devices can send false ARP messages to manipulate how traffic is routed on a network. ARP spoofing can allow attackers to redirect traffic, intercept data, or disrupt communication between devices.

What is ARP spoofing?

ARP spoofing (also known as ARP poisoning) is a type of attack where adversaries send forged ARP replies over the local network. This causes network-connected devices to associate the attacker’s MAC address with a legitimate IP address.

As ARP only operates within a local network, an attacker must have access to that network to carry out this attack. Hackers often gain this access by compromising a device within the network. However, it can also happen if an attacker connects directly to the target network, for example, by being given the wifi password as a guest.

A key risk of ARP spoofing is that it can act as a precursor to more serious attacks, including:

  • Impersonation attacks (session hijacking). Attackers may hijack active sessions by stealing session identifiers, allowing them to impersonate users on websites or services.
  • DoS attacks. Attackers can use their position within the network to overwhelm devices with excessive traffic. This causes disruption or denial-of-service (DoS) conditions.
  • Man-in-the-middle (MITM) attacks. Attackers position themselves between two devices to monitor, intercept, or modify traffic.

What is a Man-in-the-Middle (MITM) attack?

A Man-in-the-Middle (MITM) attack occurs when an attacker intercepts data passing between two devices, either on a local network or over the internet. In the context of ARP spoofing, it involves monitoring or modifying data as it passes between devices on the same LAN.

MITM attacks can be used to steal sensitive information such as login credentials, session data, or private communications.

How to detect ARP spoofing

The most basic way to detect ARP spoofing is to check a device’s ARP cache. On most computers, you can open the command line and run the arp -a command to view current IP-to-MAC mappings.

If you notice multiple IP addresses linked to the same MAC address, or mappings that change unexpectedly, this can be a sign of suspicious activity. On larger networks, administrators often use tools such as Wireshark, Arpwatch, or XArp to spot unusual ARP traffic patterns.

It’s worth noting that this kind of behavior isn’t always malicious. For example, routers, proxy devices, and load balancers can legitimately map multiple IP addresses to a single MAC address. Because of this, unusual mappings should be investigated rather than treated as an attack immediately.

How to prevent ARP spoofing

Network administrators use a combination of network controls and security practices to reduce the risk of ARP spoofing. These controls are usually implemented at the switch or network infrastructure level.

Dynamic ARP Inspection (DAI) validates ARP messages against trusted data, such as DHCP records. This allows administrators to block forged responses before they affect other devices on the network.

Static ARP entries can also be used to lock IP-to-MAC mappings in place. Because these mappings are fixed, they cannot be overwritten by malicious ARP replies. However, static entries are difficult to manage at scale, so they are typically only used in controlled environments.

Other measures include segmenting networks into smaller subnets, restricting access to network ports, and monitoring traffic for unusual behavior. These steps do not eliminate the risk, but they limit how far an attack can spread laterally.

Use a VPN to protect against ARP spoofing

If you’re worried about ARP spoofing on public wifi networks, a VPN provides an effective layer of protection. A VPN encrypts your internet traffic, which means that even if an attacker intercepts your data, they will not be able to read sensitive information.

While a VPN does not prevent ARP spoofing itself, it significantly reduces the risk by protecting your data from being exposed. This makes it one of the simplest and most effective ways to stay secure on public wifi, where attacks such as ARP poisoning, MITM attacks, and rogue hotspots are more common. Learn more in our guide to using a VPN on public wifi.

ARP vs DHCP vs DNS. What’s the difference?

These protocols all play a role in how devices join a network, locate each other, and communicate with services, either locally or across the internet. However, ARP, DHCP, and DNS each serve a different purpose in that process.

  • ARP (Address Resolution Protocol) links an IP address to a MAC address, allowing devices to communicate effectively over local networks.
  • DHCP (Dynamic Host Configuration Protocol) assigns IP addresses and other network settings to devices when they connect.
  • DNS (Domain Name System) translates human-readable domain names, such as websites, into IP addresses that devices use to connect to services.

What is Neighbor Discovery Protocol (NDP)?

ARP is used to map IP addresses to MAC addresses on IPv4 networks, but it is not suitable for the same task on IPv6. This is where Neighbor Discovery Protocol (NDP) comes in. NDP allows devices on an IPv6 network to locate each other and communicate effectively. Like ARP, NDP works within the local network and does not transmit data across the Internet.

That said, NDP is more advanced than ARP. In addition to resolving link-layer addresses, it can also be used to discover nearby devices, identify routers, and support overall network connectivity.

ARP protocol explained: FAQs

Is ARP still used today?

Yes. ARP is still widely used on IPv4 networks to map IP addresses to MAC addresses. However, in IPv6 environments, it has been replaced by the Neighbor Discovery Protocol (NDP), which performs a similar role with additional features.

What happens if the ARP cache is wrong?

If a device stores an incorrect IP-to-MAC mapping, data can be sent to the wrong destination. This can cause connection issues, failed communication, or, in some cases, allow attackers to intercept traffic.

How long do ARP entries last?

ARP entries are stored temporarily in a device’s ARP cache and expire after a short period of time. This helps ensure that outdated mappings are removed and replaced with accurate information when devices communicate again.

Can ARP be used to detect duplicate IP addresses?

Yes. Techniques such as Gratuitous ARP allow devices to broadcast their IP-to-MAC mapping without being asked. This can help identify IP conflicts if another device responds or if duplicate mappings are detected on the network.