The Address Resolution Protocol (ARP) is a key TCP/IP protocol used to determine the physical address of the network card that corresponds to an IP address.
ARP is used in the TCP/IP protocol suite at the internet layer.
ARP finds the MAC address of the destination computer by using the IP address of the destination computer.
ARP spoofing forces the destination computer to send packets to the attacker instead of the source. The attacker
can tap into the communication by forcing the source and destination computers to send packets to it at the
same time. This situation is classified as a "man in the middle" (MITM) attack.
The arp command:
Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr] [-v]

  -a            Displays current ARP entries by interrogating the current
                protocol data. If inet_addr is specified, the IP and Physical
                addresses for only the specified computer are displayed. If
                more than one network interface uses ARP, entries for each ARP
                table are displayed.
  -g            Same as -a.
  -v            Displays current ARP entries in verbose mode. All invalid
                entries and entries on the loop-back interface will be shown.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified
  -d            Deletes the host specified by inet_addr. inet_addr may be
                wildcarded with * to delete all hosts.
  -s            Adds the host and associates the Internet address inet_addr
                with the Physical address eth_addr. The Physical address is
                given as 6 hexadecimal bytes separated by hyphens. The entry
  eth_addr      Specifies a physical address.
  if_addr       If present, this specifies the Internet address of the
                interface whose address translation table should be modified.
                If not present, the first applicable interface will be used.
> arp -s 220.127.116.11 00-aa-00-62-c6-09 .... Adds a static entry.
> arp -a .... Displays the arp table.
The ARP cache is a collection of ARP entries stored by your PC. Each entry stays there until the ARP cache entry timeout expires.
To flush the entire ARP cache, use the following command:
C:\WINDOWS\system32>netsh interface ip delete arpcache
All possible situations that result in an ARP cache update:
- Solicited entries: A host sends an ARP request and gets the reply.
- Unsolicited entries: A host can receive an ARP request that is not destined for it, because ARP packets are
- Static entries: These entries are entered manually and have no lifetime. They live until the next reboot.
- Gratuitous ARP: A gratuitous ARP is a message sent by a host requesting the MAC address for its own IP
NOTE: ARP spoofing relies on forged ARP replies: with them, an attacker may easily change the IP and MAC association contained in a host's ARP cache.
Read about ARP guard to learn more about ARP.