What Is ARP? How Your Network Resolves MAC to IP Addresses

Every time your computer sends data across a local network, it needs to know exactly which physical device to deliver that data to — and that's where the ARP protocol steps in. ARP, or Address Resolution Protocol, is the invisible bridge between the logical IP addresses you configure and the hardware MAC addresses that actually move frames across your network. Understanding how ARP works gives you a clearer picture of why devices can or cannot communicate on your local network.

In this guide you will learn exactly what ARP does, how the request-reply cycle works step by step, and how to spot and fix common ARP-related problems on your home network. Whether you are curious about why a device suddenly stops responding or you want to understand the foundation of local networking, this explanation will make it click. If you are also brushing up on networking basics, our guide on what an IP address is and our explainer on how DHCP works pair well with this topic.

What Is ARP and Why Does Your Network Need It?

The internet and your home network operate on two different addressing systems simultaneously. IP addresses (like 192.168.1.10) are logical addresses assigned by your router or manually configured. MAC addresses (like A4:C3:F0:85:22:11) are hardware identifiers burned into each network adapter at the factory. When your computer wants to send a packet to another device on the same local subnet, it knows the destination IP address — perhaps because DNS resolved a hostname, or you typed it directly — but it does not inherently know which MAC address corresponds to that IP. ARP is the protocol that answers that question.

Without ARP, your computer would have no way to address an Ethernet frame correctly. Ethernet operates at Layer 2 of the OSI model and uses MAC addresses to route frames between devices on the same physical network segment. IP operates at Layer 3 and uses IP addresses to route packets across different networks. ARP acts as the glue between these two layers, translating Layer 3 IP addresses into the Layer 2 MAC addresses that Ethernet actually uses to deliver data. This translation is required every time a device communicates with another device on the same local network for the first time.

ARP is defined in RFC 826, published in 1982, and remains foundational to IPv4 networking to this day. For IPv6 networks, a functionally equivalent mechanism called Neighbor Discovery Protocol (NDP) takes over, but the concept is nearly identical. On a typical home network with a router, several smartphones, laptops, and smart TVs, ARP requests and replies are flying back and forth constantly — most of them resolved within milliseconds and cached locally so they do not have to be repeated on every single packet.

The ARP cache (sometimes called the ARP table) is a short-term memory your operating system keeps. It stores recently resolved IP-to-MAC mappings so that your device does not have to broadcast an ARP request every time it wants to send a frame. Each entry has a time-to-live, typically between 1 and 20 minutes depending on the operating system, after which it expires and must be refreshed. You can view your ARP cache on Windows with arp -a in Command Prompt, and on macOS or Linux with arp -n in the terminal.

How the ARP Request and Reply Cycle Works

Follow these five steps to trace exactly what happens when your laptop tries to reach another device on your local network for the first time.

1. Check the ARP cache first — Before sending any broadcast, your operating system checks its local ARP table. If it already has a valid, unexpired entry mapping the destination IP to a MAC address, it uses that entry directly and skips steps 2 through 4 entirely. This caching mechanism keeps network traffic lean and response times fast on busy networks.
2. Broadcast an ARP Request — If no cache entry exists, your device constructs an ARP Request packet and sends it as a broadcast to the MAC address FF:FF:FF:FF:FF:FF. This special address means "deliver this frame to every device on the local network segment." The packet essentially asks: "Who has IP address 192.168.1.20? Tell 192.168.1.5." Every device on the subnet receives this broadcast and checks whether the requested IP matches its own.
3. Target device sends an ARP Reply — The device that owns the requested IP address responds with a unicast ARP Reply sent directly back to the requester. The reply contains: "I have 192.168.1.20 and my MAC address is B8:27:EB:44:12:9F." No other device on the network needs to respond, and the exchange is now complete at the protocol level.
4. Update the local ARP cache — Your operating system stores the newly learned IP-to-MAC mapping in its ARP cache with a timestamp. Subsequent packets to that same IP address will be delivered immediately using the cached MAC address, without triggering another broadcast. Other devices on the subnet may also update their own caches if they observed the exchange, depending on their OS behavior.
5. Frame is delivered using the MAC address — With the MAC address now known, your network stack builds the Ethernet frame with the correct destination MAC, wraps the IP packet inside it, and hands it to your network adapter for transmission. The adapter places the frame on the wire (or transmits it wirelessly), and the destination device's adapter recognizes its own MAC address and accepts the frame.

ARP Message Types, Packet Fields, and Variants

ARP is not limited to a single operation type. The table below summarizes the key ARP variants and related concepts you are likely to encounter in home and small-business networking contexts.

ARP Type	Direction	Purpose	Common Use Case
ARP Request	Broadcast (Layer 2)	Ask who owns a given IP address	Initial resolution before first packet to a new destination
ARP Reply	Unicast (direct)	Return the MAC address for a queried IP	Response from the device that owns the requested IP
Gratuitous ARP	Broadcast (unsolicited)	Announce own IP-to-MAC mapping proactively	Device boot-up, IP conflict detection, failover notification
Proxy ARP	Unicast reply from router	Router answers ARP requests on behalf of remote devices	Bridging subnets without static routes on end devices
ARP Spoofing	Broadcast (malicious)	Poison caches with false MAC mappings	Man-in-the-middle attacks; detected by security tools

Troubleshooting ARP Problems on Your Home Network

ARP issues are among the most common causes of mysterious "device not reachable" problems on local networks, yet they are frequently overlooked because most troubleshooting starts at the IP layer or above. A stale or incorrect ARP cache entry can make a device appear unreachable even though it is powered on and connected. Similarly, duplicate IP addresses — two devices configured with the same IP — cause ARP conflicts that result in intermittent connectivity for both devices. Recognising these symptoms early saves a lot of frustrating diagnostic time.

ARP spoofing is a security concern worth understanding even on home networks. A malicious device (or malware on an infected machine) can send forged Gratuitous ARP broadcasts that overwrite legitimate cache entries with the attacker's MAC address, redirecting traffic intended for your router through the attacker's machine first. This is a classic man-in-the-middle technique. On a home network, enabling strong Wi-Fi security settings reduces the risk of rogue devices joining your network in the first place. Some routers also offer Dynamic ARP Inspection (DAI) in their firmware to block spoofed ARP packets.

If you suspect an ARP problem, the steps below cover the most effective fixes. For persistent issues where devices keep dropping off the network, also check your router's DHCP lease table to ensure no two devices have been assigned the same IP — see our guide on checking who is on your Wi-Fi for a practical walkthrough.

• Flush the ARP cache on Windows with arp -d * in an elevated Command Prompt to clear all stale entries instantly.
• On macOS, run sudo arp -ad in Terminal; on Linux use sudo ip neigh flush all to purge the neighbor table.
• Assign static IP addresses to critical devices (printers, NAS drives, smart TVs) through your router's DHCP reservation feature to prevent IP conflicts.
• Reboot the affected device and your router if ARP entries are stale — a full reboot clears both devices' ARP caches and forces a clean resolution.

Pro Tip: If a device on your network shows the correct IP but is still unreachable, use our Ping Test Tool to verify basic connectivity, then cross-reference the device's MAC address with the MAC Lookup Tool to confirm you are looking at the right device in your ARP table.

Frequently Asked Questions

What is ARP and what does it stand for?

ARP stands for Address Resolution Protocol. It is a network communication protocol used to map a known IPv4 address to an unknown MAC (hardware) address on a local network segment. Without ARP, devices on the same subnet would have no mechanism to translate logical IP addresses into the physical Layer 2 addresses required to actually deliver Ethernet frames. You can learn more about the addressing system ARP works alongside in our What Is an IP Address guide.

How is ARP different from DNS?

DNS (Domain Name System) translates human-readable hostnames like "example.com" into IP addresses, operating across the internet at Layer 3 and above. ARP operates only on a local network segment at Layer 2, translating IP addresses into MAC addresses so that Ethernet frames can be addressed correctly. They solve different problems at different layers: DNS gets you the IP, ARP gets you the MAC address needed to deliver frames to that IP on your local network.

Can I see my ARP table on Windows?

Yes. Open Command Prompt and type arp -a to display the full ARP cache, showing every IP address your PC has recently resolved to a MAC address. The output lists the interface, the IP address, the corresponding MAC address, and whether the entry is dynamic (learned via ARP) or static (manually configured). Dynamic entries expire automatically; static entries persist until manually removed.

What is ARP spoofing and is it dangerous?

ARP spoofing (also called ARP poisoning) is an attack where a malicious device sends forged ARP Reply packets to overwrite legitimate IP-to-MAC mappings in other devices' caches, redirecting their traffic through the attacker's machine. It is the foundation of many man-in-the-middle attacks on local networks. The best defenses are keeping unauthorized devices off your network with strong Wi-Fi encryption and enabling Dynamic ARP Inspection on routers that support it.

What is a Gratuitous ARP and when does it happen?

A Gratuitous ARP is an unsolicited ARP announcement where a device broadcasts its own IP-to-MAC mapping without being asked. This happens at boot time so that other devices on the network can update their caches proactively, during IP address changes, and in high-availability setups where a virtual IP address fails over to a new physical interface. It is a normal and useful part of network operations, though it can also be exploited in ARP spoofing attacks.

Does IPv6 use ARP?

No. IPv6 replaces ARP with Neighbor Discovery Protocol (NDP), defined in RFC 4861. NDP performs the same IP-to-MAC resolution function but uses ICMPv6 messages called Neighbor Solicitation and Neighbor Advertisement instead of the dedicated ARP packet format. NDP also adds additional features such as router discovery and stateless address autoconfiguration (SLAAC) that go well beyond what ARP provides in IPv4 networks.

Related Guides

• What Is DHCP? How Your Router Assigns IP Addresses
• MAC Address Lookup Tool
• How to Check Who Is on Your Wi-Fi
• Ping Test Tool

For authoritative networking standards and specifications, refer to the Internet Assigned Numbers Authority (IANA) or IETF RFC documents.