ARP
Address Resolution Protocol (ARP) is a Layer 2 networking protocol used to map a dynamic, logical IP address (Layer 3) to a fixed, physical MAC address (Layer 2) on a Local Area Network (LAN).
Each device on a network keeps a ledger of information, called a cache. In the context of ARP, this cache stores the identifiers of other devices on the network.
How it Works
In order to map these two identifiers together (IP address and MAC address), ARP sends two types of messages:
- ARP Request
  - When an ARP request is sent, a message is broadcast on the network to other devices asking, “What is the MAC address that owns this IP address?”
  - The ARP Request is sent from the MAC address of the requester to the broadcast MAC address, ff:ff:ff:ff:ff:ff.
- ARP Reply
  - When the other devices receive that message, only the device that owns that IP address responds, sending an ARP reply with its MAC address. The requesting device can now remember this mapping and store it in its ARP cache for future use.
An ARP Request or ARP Reply is not encapsulated within a UDP or even IP packet; it is encapsulated directly within an Ethernet frame.
ARP is considered Layer 2 because it deals with MAC addresses. Others would argue that it is part of Layer 3 because it supports IP operations.
E.g.: Viewing an ARP request with tshark

```shell
user@Linux$ tshark -r arp.pcapng -Nn
1 0.000000000 cc:5e:f8:02:21:a7 → ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.66.1? Tell 192.168.66.89
2 0.003566632 44:df:65:d8:fe:6c → cc:5e:f8:02:21:a7 ARP 42 192.168.66.1 is at 44:df:65:d8:fe:6c
```

tcpdump displays packets differently. It uses the terms ARP Request and ARP Reply.
```shell
user@Linux$ tcpdump -r arp.pcapng -n -v
17:23:44.506615 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.66.1 tell 192.168.66.89, length 28
17:23:44.510182 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.66.1 is-at 44:df:65:d8:fe:6c, length 28
```

Common Variations
- Gratuitous ARP: A device announces its own IP-to-MAC mapping to the network to update other devices’ caches, often used after an IP or MAC address change.
- Proxy ARP: A router answers ARP requests on behalf of another device, usually to assist devices that cannot resolve MAC addresses directly.
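
To make the frame layout concrete, the following added example (not part of the original notes) builds and parses ARP frames byte by byte, showing the 14-byte Ethernet header followed directly by the 28-byte ARP payload, which is where tshark's 42 and tcpdump's 28 come from. It goes slightly beyond the capture by also classifying a gratuitous ARP (sender IP equal to target IP). The function names and sample frames are constructed for illustration, reusing the addresses from the capture above; the all-zero target MAC in requests is an assumption reflecting common practice.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_to_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_to_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, op, sha, spa, tha, tpa):
    """Ethernet header (14 bytes) followed directly by the ARP payload (28 bytes)."""
    eth = mac_to_bytes(dst) + mac_to_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, len 6, len 4
    arp += mac_to_bytes(sha) + socket.inet_aton(spa)
    arp += mac_to_bytes(tha) + socket.inet_aton(tpa)
    return eth + arp

def parse_frame(frame):
    """Decode one Ethernet frame carrying ARP; raise ValueError on anything else."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        raise ValueError("not an Ethernet/IPv4 ARP request or reply")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    spa, tpa = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    if spa == tpa:  # a device announcing its own mapping
        kind = "gratuitous"
    else:
        kind = "request" if op == 1 else "reply"
    return {"kind": kind, "eth_src": mac_to_text(src), "eth_dst": mac_to_text(dst),
            "sender_mac": mac_to_text(sha), "sender_ip": spa,
            "target_mac": mac_to_text(tha), "target_ip": tpa}

# Constructed sample frames using the addresses from the capture above.
ZERO = "00:00:00:00:00:00"
REQUEST = build_frame(BROADCAST, 1, "cc:5e:f8:02:21:a7", "192.168.66.89", ZERO, "192.168.66.1")
REPLY = build_frame("cc:5e:f8:02:21:a7", 2, "44:df:65:d8:fe:6c", "192.168.66.1",
                    "cc:5e:f8:02:21:a7", "192.168.66.89")
GRATUITOUS = build_frame(BROADCAST, 1, "cc:5e:f8:02:21:a7", "192.168.66.89", ZERO, "192.168.66.89")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY, GRATUITOUS):
        print(len(frame), parse_frame(frame))
```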