How ARP Works

This refers to some concepts about network communications protocols covered on the Packet Analysis page.

ARP is a way of using Layer 2 addressing, MAC addresses, with Layer 3 addressing, or IP addresses.

To communicate with other devices on a network, you use their IP addresses. But routers operate on Level 2, MAC addresses. That means that communicating with other devices on a network also requires knowing their MAC address. Getting a MAC address from an IP address is done through ARP.

When computer A is crafting a packet to computer B, it begins by seeing if computer B is in the ARP cache, meaning computer A would already have computer B's MAC address. If not found, computer sends a broadcast packet to FF:FF:FF:FF:FF:FF and asks for which computer at which IP address owns a particular MAC address.

Computers C, D, and E discard the packet. But the recipient, computer B, crafts a reply with its MAC address with an ARP reply. When computer A receives the reply, it stores that information in the computer's ARP cache.

How ARP Poisoning/Spoofing Works

This is the process of fooling a switch or router into thinking your computer has a MAC address that it actually doesn't.

One way to use ARP poisoning is to tap the wire of a network, and intercept traffic from a router to a target computer. In this case, you're fooling the router into sending you the traffic instead, and you forward the traffic on to the target computer like nothing ever happened.

Another way to use ARP poisoning is to cause denial of service attacks. In this case, client requests are sent to a router, which then forwards traffic to a particular MAC address at a particular IP address. Except, the destination computer isn't who it's supposed to be, and so isn't ready for the traffic.