ARP Table Explainer

Understand how the Address Resolution Protocol (ARP) works with an interactive simulation. Watch ARP requests and replies in action, see how MAC addresses are resolved, and learn to read ARP tables — essential knowledge for network troubleshooting and security.

ARP Simulation

Your Computer
IP: 192.168.1.10
MAC: AA:BB:CC:11:22:33

Target Device
IP: 192.168.1.1
MAC: ??:??:??:??:??:??

ARP Table

IP Address	MAC Address	Type	Age (sec)

What Is ARP?

The Address Resolution Protocol (ARP) maps IP addresses to MAC (hardware) addresses on a local network. When your computer wants to communicate with another device on the same subnet, it needs the destination's MAC address to create an Ethernet frame. ARP provides this mapping by broadcasting a request and caching the response.

ARP operates at Layer 2/3 boundary and is fundamental to how Ethernet networks function. Every time you access your router at 192.168.1.1, your computer uses ARP to find the router's MAC address. Use our Subnet Calculator to understand which devices are on the same subnet (and thus use ARP directly).

How ARP Works Step by Step

Step	Action	Frame Details
1. Check cache	Computer checks local ARP table for target IP	No network traffic
2. ARP Request	If not cached, broadcast "Who has [IP]?"	Dst: FF:FF:FF:FF:FF:FF (broadcast)
3. All devices receive	Every device on the subnet processes the request	Only target IP responds
4. ARP Reply	Target responds with its MAC address	Unicast reply to requester
5. Cache entry	Requester adds IP→MAC mapping to ARP table	Cached for 1-20 minutes (OS dependent)
6. Communication	Ethernet frames now use resolved MAC address	Direct unicast communication

ARP Table Types

Type	Description	Lifetime	Created By
Dynamic	Learned via ARP request/reply	1-20 minutes (varies by OS)	Normal ARP resolution
Static	Manually configured, persistent	Until removed or reboot	Admin configuration
Incomplete	ARP request sent, no reply yet	~3 seconds	Pending resolution
Proxy ARP	Router answers on behalf of remote host	Like dynamic entries	Router feature

Pro Tip: If you see duplicate MAC addresses for different IPs in your ARP table, this could indicate an ARP spoofing attack or a misconfigured network. Static ARP entries for critical infrastructure (routers, servers) prevent ARP poisoning attacks. On your router at 192.168.1.1, look for ARP binding features in the security settings.

Viewing Your ARP Table

# Windows
arp -a

# Linux
arp -n
# or (modern)
ip neigh show

# macOS
arp -a

# Cisco IOS
show ip arp

# Clear ARP cache
# Windows: arp -d *
# Linux: sudo ip neigh flush all

After checking your ARP table, use our DNS Lookup to verify DNS resolution is also working correctly, and our Ping Test to confirm connectivity to resolved hosts.

ARP Security Threats

ARP has no built-in authentication, making it vulnerable to several attacks:

Attack	Description	Impact	Prevention
ARP Spoofing	Attacker sends fake ARP replies	Traffic interception (MITM)	Static ARP, Dynamic ARP Inspection
ARP Poisoning	Corrupts ARP cache of victims	Redirect traffic to attacker	802.1X, port security
ARP Flooding	Floods switch with ARP packets	Switch reverts to hub (broadcasts all)	Rate limiting, port security
Gratuitous ARP	Unsolicited ARP announcements	IP conflict detection, but exploitable	DAI on managed switches

For network security beyond ARP, check your firewall and NAT configuration. Use network traffic monitoring to detect suspicious ARP activity. Verify open ports with our Port Checker.

Note: ARP only works within a single broadcast domain (subnet/VLAN). When communicating with devices on other subnets, your computer ARPs for the default gateway MAC address, and the gateway handles routing to the remote network. This is why the gateway's ARP entry is the most important one in your ARP table. Segment networks with VLANs using our VLAN ID Calculator.

Common ARP Troubleshooting

"Destination host unreachable" — ARP request got no reply. Target device may be offline, on a different subnet, or firewalling ARP. Use our Subnet Calculator to verify both devices are on the same subnet.
Duplicate IP address detected — Two devices have the same IP. Check DHCP configuration and use our DHCP Lease Calculator to avoid pool overlap.
Intermittent connectivity — ARP cache expiry during active connections. Increase ARP timeout or add static entries for critical devices.
Slow initial connections — ARP resolution delay (broadcast + reply). Normal for first connection; subsequent connections use cache.
One-way communication — ARP works one direction but not the other. Check for asymmetric routes or firewall rules. Verify with our Ping Test.

ARP vs NDP (IPv6)

IPv6 replaces ARP with the Neighbor Discovery Protocol (NDP), which uses ICMPv6 instead of a separate protocol:

Feature	ARP (IPv4)	NDP (IPv6)
Layer	Layer 2/3	Layer 3 (ICMPv6)
Resolution	IP → MAC	IPv6 → MAC
Discovery	Broadcast	Multicast (solicited-node)
Security	None (exploitable)	SEND (optional crypto)
Extra Features	None	Router discovery, SLAAC, DAD

Key Takeaways

ARP maps IP addresses to MAC addresses on the local network — essential for Ethernet communication.
ARP broadcasts can be seen by all devices on the subnet, creating a security risk (spoofing).
Dynamic ARP entries expire after 1-20 minutes; static entries persist until manually removed.
The gateway's ARP entry is the most important — all off-subnet traffic goes through it.
Use Dynamic ARP Inspection (DAI) on managed switches to prevent ARP attacks.
IPv6 replaces ARP with NDP, which uses multicast instead of broadcast and offers optional crypto security.

Video: ARP Explained

Related Tools & Guides

Frequently Asked Questions

What is the ARP table?

The ARP table (or ARP cache) is a local database that maps IP addresses to MAC addresses. Your computer checks this table before sending any data on the local network. If the destination isn't in the table, an ARP request is broadcast to find the MAC address.

How long do ARP entries last?

Dynamic ARP entries expire after a timeout period: Windows defaults to 15-45 seconds of inactivity, Linux defaults to 30-60 seconds, and macOS defaults to 20 minutes. Static entries persist until manually removed or system reboot.

What is ARP spoofing?

ARP spoofing (or ARP poisoning) is an attack where a malicious device sends fake ARP replies to associate its MAC address with another device's IP. This redirects traffic through the attacker, enabling man-in-the-middle attacks. Prevent with static ARP entries or Dynamic ARP Inspection on switches.

Why does ARP only work on the local subnet?

ARP uses Ethernet broadcast frames (FF:FF:FF:FF:FF:FF), which don't cross router boundaries. For devices on remote subnets, your computer ARPs for the gateway MAC address, and the router forwards packets to the remote subnet using its own ARP table.

What is Gratuitous ARP?

A Gratuitous ARP is an unsolicited ARP reply sent by a device announcing its own IP-to-MAC mapping. It's used for duplicate IP detection, updating ARP caches after MAC address changes, and failover in high-availability setups.

How do I prevent ARP attacks on my network?

Enable Dynamic ARP Inspection (DAI) on managed switches, use VLANs to limit broadcast domains, configure DHCP snooping, and add static ARP entries for critical infrastructure. Monitor network traffic for unusual ARP patterns.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.