What Is ARP (Address Resolution Protocol)?


August 20, 2022 by Mel Hawthorne

You might be familiar with the concept of IP addresses. Every computer on a network has at least one. When communicating between networks, these IP addresses uniquely identify the source and destination of the network traffic so it can be delivered and responded to reliably. When communicating to a device on the same network, a computer doesn’t directly use the IP address. Instead, it translates that IP address to a MAC address. ARP is the protocol to manage IP to MAC translations and communicate this around the network.

ARP stands for Address Resolution Protocol. It is a stateless protocol that has broadcast and request-response components. ARP is primarily used in IPv4 networks, though other networking systems also use it. IPv6 networks implement ARP functionality, and some additional functionality, with NDP, or Neighbour Discovery Protocol.

MAC addresses that have been identified are stored in an ARP table on each device. Each entry in the ARP table regularly expires but can be updated passively as ARP traffic is broadcast to the network, minimizing the total amount of ARP traffic needed.

ARP Probe and Response

If a computer needs to transmit a network packet, it looks at the destination IP address. For devices in a different network, it knows it needs to send the packet to the router, which can then direct the packet onto the right network. If the packet is intended for a device on the local network, the computer needs to know the correct MAC address to send it to.

As the first port of call, the computer will check its ARP table. This should have a list of all known devices on the local network. If the target IP and MAC address are there, it will use the ARP table to complete and send the packet. If the IP address does not have an entry in the ARP table, the computer must find out via an ARP probe.

The computer broadcasts an ARP probe to the network asking “who has <IP address>” with <IP address> replaced with the relevant IP address. Every device on the network will see this message as it is a broadcast. Most will ignore it as it’s not aimed at them. But the device that has that IP address will respond with another broadcast message saying “<IP address> belongs to <MAC address>”, again with <IP address> and <MAC address> replaced with their respective values. The original computer will then update its ARP table and send the packet to the intended recipient.

Note: The ARP probe response is also a broadcast. This allows all other network devices to update their ARP tables without requiring them to make identical ARP probes. This helps to minimize ARP traffic.

ARP Probe on Connection

When a computer connects to a network, it must get an IP address. This can be manually specified but is typically dynamically allocated by a DHCP (Dynamic Host Configuration Protocol) server. The DHCP server is generally a function of the network router but can be run by a separate device. Once a new device has an IP address, either through manual configuration or DHCP, the device must quickly verify that no other device is already using that IP address.

To do so, the device broadcasts an ARP probe packet, asking for any device using its newly assigned IP address to respond to it. The expected response is silence. No other device should react, especially in a DHCP network. After short delays, the device will broadcast the same message again a few times. This repetition helps in cases where one packet might have been dropped on the way to or from a device with a conflicting IP address. Once there have been no responses to a few ARP probes, the device can start using its new IP address. To do so, it needs to send a gratuitous ARP.

Gratuitous ARP

Once a device has determined that the IP address it wants to use isn’t being used, it sends a gratuitous ARP. This simply involves broadcasting to the network “<MAC address> has <IP address>.” This is typically formatted as if it were a response to a standard ARP probe, just without an ARP probe ever requesting it, hence the name “gratuitous ARP.”

Gratuitous ARP requests are also regularly sent to the network just as reminders to all other devices that the computer is still connected, online, and has its IP address.

ARP Spoofing

ARP is a stateless protocol: there is no connection, and all messages are broadcast to the network at large. All devices listen to and cache ARP responses in their ARP tables. This, however, leads to a vulnerability in the system. Assuming an attacker can physically connect to the network, they can run software that maliciously broadcasts incorrect gratuitous ARP response packets. Every device on the network will see the malicious ARP packets, implicitly trust them, and update their ARP tables. These now incorrect ARP tables are referred to as “poisoned.”

This could just be used to cause network issues by pointing traffic in the wrong direction. There is a worse scenario, however. If the attacker spoofs ARP packets for the router’s IP address and points them to their own device, they’d receive and be able to see all the network traffic. Assuming the device has another network connection to forward the traffic, it can take a Man in the Middle (MitM) position. This allows the attacker to perform nasty attacks such as HTTPS stripping, potentially allowing them to see and modify all network traffic.

Note: There are some protections against MitM attacks. The attacker would not be able to duplicate the HTTPS certificate of a website. Any user having the traffic intercepted should get browser certificate errors.

There are, however, many essential and unencrypted communications, especially on an internal network. This isn’t so much the case on a home network. Still, corporate networks built on Windows are particularly vulnerable to ARP spoofing attacks.

ARP poisoning enables MitM attacks – Source: Wikipedia
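
As an added example (not part of the original article), here is a passive check for the poisoning described above: it decodes ARP payloads, names the probe and gratuitous forms from the earlier sections, and reports when an IP address is claimed by a different MAC address than the one first seen. The field layout follows RFC 826 and the all-zero sender IP of a probe follows RFC 5227; the function names and every address are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa (RFC 826)

def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    fields = struct.unpack(ARP_FMT, payload[:28])
    if fields[:4] != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    oper, sha, spa, tha, tpa = fields[4:]
    return {"oper": oper, "sha": sha.hex(":"), "spa": str(IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(IPv4Address(tpa))}

def classify(p: dict) -> str:
    """Name the message kinds the article describes."""
    if p["oper"] == 1 and p["spa"] == "0.0.0.0":
        return "probe"        # RFC 5227: a conflict probe has no sender IP yet
    if p["spa"] == p["tpa"]:
        return "gratuitous"   # sender announces its own IP address
    return "request" if p["oper"] == 1 else "reply"

def observe(table: dict, payload: bytes):
    """Keep first-seen IP-to-MAC bindings; report a later mismatch, never cache it."""
    p = parse_arp(payload)
    kind = classify(p)
    if kind == "probe":
        return kind, None     # a probe asserts no binding
    known = table.setdefault(p["spa"], p["sha"])
    alert = None if known == p["sha"] else f'{p["spa"]} was {known}, now claimed by {p["sha"]}'
    return kind, alert

def build(oper, sha, spa, tha, tpa) -> bytes:
    """Pack a constructed sample payload (test fixture; all addresses are made up)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

def demo():
    gw, rogue, zero = "02:00:00:00:00:01", "02:00:00:00:00:66", "00:00:00:00:00:00"
    table = {}                # could be pre-filled with the router's known binding
    return [observe(table, pkt) for pkt in (
        build(1, "02:00:00:00:00:10", "0.0.0.0", zero, "192.168.1.50"),  # new host probes
        build(2, gw, "192.168.1.1", zero, "192.168.1.1"),     # router announces itself
        build(2, rogue, "192.168.1.1", zero, "192.168.1.1"),  # second MAC claims router IP
    )]
```

Feed `observe` the 28 bytes that follow the Ethernet header of frames with EtherType 0x0806. A legitimate address change, such as a DHCP reassignment, also triggers the report, so pre-filling `table` with the router's known binding is the most useful setup.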

Conclusion

ARP stands for Address Resolution Protocol. It is used in IPv4 networks to translate IP addresses to MAC addresses as is needed in local networks. It consists of stateless request and response broadcasts. Responses, or lack thereof, allow a device to determine what MAC address is associated with an IP address or if an IP address is unused. Devices cache ARP responses to update their ARP tables.

Devices may also regularly broadcast gratuitous announcements that their MAC address is associated with their IP address. The lack of an authentication mechanism allows a malicious user to broadcast bogus ARP packets to poison ARP tables and direct traffic to themselves to perform traffic analysis or MitM attacks.
