TL;DRARP (Address Resolution Protocol) finds the MAC address that matches a known IP address on a local network. Every device keeps an ARP table (cache) of these matches. Windows, macOS, and Linux all use arp -a to view it. Attackers can also fake ARP replies, a trick called ARP spoofing.
What Is ARP (Address Resolution Protocol)?
ARP (Address Resolution Protocol) maps a device’s IP address to its MAC address on a local network. Defined in RFC 826, ARP lets one device broadcast a request for a hardware address. The matching device replies directly. Every wired and Wi-Fi network depends on it.
ARP was defined in 1982 and is now Internet Standard STD 37. It solves one specific problem: your computer thinks in IP addresses, but the network hardware only understands MAC addresses.
Every frame sent over Ethernet or Wi-Fi needs a destination MAC address. ARP is the lookup step that supplies it. Without ARP, an IP-based application would have no way to actually place its data on the wire.
Why Networks Need ARP: Bridging IP and MAC Addresses
Devices are addressed two ways at once. Software uses a logical IP address. Hardware carries a physical MAC address burned in at the factory. ARP is the translator that connects the two, every time two devices on the same network need to talk.
Picture a laptop that wants to print a document. It knows the printer’s IP address, maybe 192.168.1.20. But the Ethernet or Wi-Fi frame carrying that print job needs the printer’s MAC address, not its IP.
This is why ARP sits at an awkward spot in the OSI model. It resolves a Layer 3 address into a Layer 2 address, so different references classify it differently. Some place it at Layer 2, others at Layer 3, and a few call it its own in-between layer entirely.
How ARP Works: Request and Reply, Step by Step
A device first checks its own ARP table for a cached match. If nothing is cached, it broadcasts an ARP request to every device on the segment. Only the device holding that IP address replies, sending its MAC address back directly.
The full cycle runs in four steps:
- Check the cache. The device looks in its own ARP table first. A cached entry skips the rest of these steps entirely.
- Broadcast the request. If there is no entry, the device broadcasts an ARP request to the whole segment. It uses the broadcast MAC address (
ff:ff:ff:ff:ff:ff) and asks which device owns a specific IP. - Receive the reply. Only the device with that IP address answers. It replies directly to the requester with its own MAC address.
- Cache the answer. The requesting device stores the new IP-to-MAC pairing in its ARP table for future use.
You can watch this table build in real time. On Windows, macOS, or Linux, open a terminal and run arp -a:
C:\> arp -a
Interface: 192.168.1.42 --- 0x9
Internet Address Physical Address Type
192.168.1.1 aa-bb-cc-11-22-33 dynamic
192.168.1.20 00-1a-2b-3c-4d-5e dynamic
Each row is one resolved mapping. The “Type” column shows whether the entry is dynamic (learned via ARP) or static (manually configured).
What Is an ARP Table (ARP Cache)?
An ARP table (or ARP cache) is the running list a device keeps of recently resolved IP-to-MAC pairs. It saves the device from broadcasting a new ARP request for every single packet it sends to the same neighbor.
Entries are dynamic by default, and the timeout is not the same on every system. Here is how long a typical entry stays fresh before the OS revalidates it:
| Operating System | Typical Default Timeout |
|---|---|
| Windows | 15–45 seconds, then revalidated |
| Linux | 15–45 seconds, rechecked roughly every 60 seconds |
| macOS | Around 20 minutes |
These are typical defaults, not fixed rules. Exact values shift across OS versions and any custom network configuration.
Static entries are also possible. A network administrator can pin an IP-to-MAC pairing permanently. That is one common defense against ARP spoofing on a small, tightly controlled network.
If you spot an unfamiliar MAC address in your ARP table, look it up. The MAC address vendor lookup tool tells you the manufacturer.
What Is Gratuitous ARP (ARP Announcement)?
Gratuitous ARP is an unsolicited ARP message a device sends about its own address, not in reply to any request. Devices send it on boot, after a DHCP renewal, or during a failover, so neighbors can update their tables early.
Common triggers include a network interface coming online and a new DHCP lease. High-availability failover protocols like VRRP or HSRP trigger it too, when they switch an active role between routers.
RFC 5227 renamed this behavior “ARP Announcement” for a specific reason. Traditional gratuitous ARP alone sends only one announcement and does not reliably detect a duplicate IP address already in use.
RFC 5227 instead defines a proper probe-and-defend sequence, called Address Conflict Detection. That extra step is what actually catches a conflict before it disrupts either device’s connection.
What Is ARP Spoofing (ARP Cache Poisoning)?
ARP spoofing is an attack where a device sends forged ARP replies, claiming another device’s IP address as its own. Neighbors update their tables with the attacker’s MAC address, so traffic meant for the real device is quietly rerouted instead.
The usual target is the local router. An attacker can poison every device’s ARP table with their own MAC address, in place of the router’s. That intercepts all traffic leaving the network.
This is a classic man-in-the-middle setup. ARP has no built-in authentication. Any device on the segment can claim to be any IP address, and older systems will often believe it.
A few defenses hold up well in practice:
- Static ARP entries for critical devices like routers and servers, so a forged reply cannot overwrite them.
- Dynamic ARP Inspection on managed switches, which checks ARP traffic against known-good IP-to-MAC pairings.
- Network segmentation, since ARP spoofing cannot cross into a different VLAN or subnet.
- HTTPS and a VPN, so intercepted traffic stays encrypted even if the attack succeeds.
Does IPv6 Use ARP?
No. IPv6 does not use ARP at all. It replaces address resolution with Neighbor Discovery Protocol (NDP), defined in RFC 4861. NDP runs over ICMPv6, not ARP’s own broadcast frame type.
NDP does more than ARP ever did. Beyond resolving addresses, it also handles router discovery, duplicate address detection, and automatic reconfiguration when a neighbor becomes unreachable.
This trips people up constantly when comparing IPv4 vs. IPv6. People often search for the phrase IPv6 ARP. The answer is that ARP was retired for IPv6 traffic, and NDP took over the job.
How to Fix an “ARP Resolution Failure”
An ARP resolution failure means a device broadcast a request for a local IP address and got no reply. The usual causes are a powered-off target, a subnet mismatch, an IP conflict, or a VLAN boundary blocking the broadcast.
Our network troubleshooting guide flags this failure as a cause of Destination Host Unreachable errors. Here is how to isolate it:
- Confirm the target is online. A powered-off or disconnected device can never answer an ARP request.
- Check both subnet masks. Devices on different subnets never exchange direct ARP traffic; a router has to bridge them instead.
- Rule out a VLAN mismatch. Ports assigned to different VLANs will not see each other’s ARP broadcasts at all.
- Flush a stale entry. On Windows, run
arp -d *as an administrator, then try the connection again.
Related Tools
These free NetworkCheckr tools pair directly with what you just learned about ARP. Use them to identify a MAC vendor, confirm your own IP configuration, or troubleshoot a stalled connection right now.
Identify the vendor behind any MAC address sitting in your ARP table.
Confirm your own public and private IP address before you troubleshoot.
Check whether two devices actually share the same subnet.
The full step-by-step diagnostic workflow, from cable to DNS.
MAC Address Lookup · My IP Address · Subnet Calculator · Network Troubleshooting Guide · All Network Tools
Frequently Asked Questions About ARP
These are quick answers to the ARP questions people ask most often. Use them to settle one specific point fast. Check the full sections above when you need complete technical detail.
Is ARP a Layer 2 or Layer 3 protocol?
ARP does not fit cleanly into either layer. It resolves a Layer 3 IP address into a Layer 2 MAC address, so different references classify it differently. Most treat it as a Layer 2 protocol carried directly over Ethernet.
What is the difference between ARP and RARP?
ARP finds a MAC address from a known IP address. RARP (Reverse ARP) does the opposite and finds an IP address from a known MAC address. RARP is obsolete and was replaced by BOOTP and DHCP.
Can you ping a MAC address directly?
No. Ping uses ICMP over IP, and an IP address is the required input, not a MAC address. ARP works behind the scenes to resolve the destination MAC before your ping packet ever leaves the device.
Why does my ARP table show an “incomplete” entry?
An incomplete entry means a request went out but no reply came back. The target device may be offline, sitting on a different subnet, or blocked by a firewall rule.
Do I need to clear my ARP cache?
Rarely. Entries expire and refresh automatically within a few minutes. Clear it manually only when troubleshooting a stale entry after swapping hardware or fixing an IP conflict.
What port does ARP use?
None. ARP works below the transport layer and never uses a port number. It runs as its own EtherType directly on top of Ethernet, separate from TCP and UDP.