ARP (Address Resolution Protocol)

Why this topic matters in cybersecurity:

ARP connects software addresses (IP) to hardware addresses (MAC). If you don't understand these pillars, you can't understand how traffic flows. And if you don't know how traffic flows, you can't intercept it (attack) or secure it (defend).

Is it worth your time right now? 100% Yes. You cannot progress to hacking Wi-Fi, performing Man-in-the-Middle (MitM) attacks, or analyzing malware traffic without mastering these. This is non-negotiable knowledge for a hacker.

🌍 Real-World Applications:

  • CTFs: You'll constantly need to scan networks (ARP/ICMP) or decode hidden messages in traffic (DNS tunneling).
  • Pentesting: The most common local network attack, ARP Poisoning, lets you intercept the traffic of other hosts on the same LAN segment.
  • Defense: Recognizing "Rogue DHCP servers" or "DNS exfiltration" is a daily task for SOC analysts.
  • Troubleshooting: "Why can't I reach the server?" uses ICMP and DNS logic.

πŸ› οΈ Immediate skills you'll gain:

  • Understanding how your computer finds the router.
  • The ability to read Wireshark packet captures for these protocols.
  • The theory behind "Man-in-the-Middle" attacks.
  • How to map a network using Pings.

📌 Roadmap for the Lesson: 1. ARP (Address Resolution Protocol) | 2. ICMP | 3. DNS | 4. DHCP

1. ARP (Address Resolution Protocol)

One-line definition: ARP connects a logical IP address (software) to a physical MAC address (hardware).

Why it exists: Devices know who they want to talk to (IP), but not which network interface on the local link should receive the frame (MAC). Without the MAC the packet can never be put on the wire.

Break into components:

  • IP Address: The logical "location" (like a house address). Assigned by software, usually a DHCP server or the router. Changes when you move to another network. Used for routing across networks and the internet.
  • MAC Address: The hardware "identity" (like a serial number). Assigned by the NIC vendor and stored in the network chip. Not meant to change, but the operating system can override it in software, and modern phones and laptops randomize it on Wi-Fi; that matters for both spoofing and for any "defense" that keys on the MAC. Used only for moving frames between devices on the same local segment (one hop).
  • The Gap: Your computer has the packet ready for the IP, but the network card needs the MAC to build the frame.

🏢 Analogy: The Office Mailroom

IP is the employee's name (e.g., "Manager Dave"). You want to send a letter to Dave.

MAC is Dave's physical cubicle number (e.g., "Desk 4B").

The Problem: You have a letter for "Dave" (IP), but the mail cart only understands "Desk numbers" (MAC). You need a directory to find out which desk Dave sits at. ARP is that directory.

How they connect:

Before your computer can send a single bit of data on the local network, it must translate the IP it knows into the MAC it needs. If the destination is on another network, it resolves the MAC of its default gateway (the router) instead, because the router is the first hop for everything that leaves the segment. That is why the gateway's entry is the one attackers care about most.

💡 Real Examples:
  • Example 1 (Basic): You want to print a document. Your laptop knows the Printer's IP is 192.168.1.50. But to send the data over the Wi-Fi, it needs the Printer's specific hardware ID (MAC). It uses ARP to ask, "Who has 192.168.1.50?"
  • Example 2 (Cybersecurity): An attacker wants to intercept your traffic. They need your computer to send data to their MAC address instead of the router's. To do this, they must mess with this translation process.

Now that we know why we need ARP, let's look at how it happens. It’s a simple conversation.

1b-i. The Broadcast (ARP Request)

Definition: A message sent to everyone on the network asking for the owner of a specific IP.

How it works:
  • Your computer yells: "Who has IP 192.168.1.1? Tell 192.168.1.5!" (the request carries the asker's own IP and MAC).
  • This frame is sent to the Broadcast MAC Address (FF:FF:FF:FF:FF:FF).
  • Every device in the same broadcast domain (the same LAN segment or VLAN) receives and reads it. Routers do not forward it, so ARP never leaves the local network.

1b-ii. The Unicast (ARP Reply)

Definition: A direct (unicast) reply from the target device back to the requester. "Direct" does not mean secret: on Wi-Fi or a hub anyone sniffing can still read it; on a switched network it is delivered only to the requester's port.

How it works:
  • The router (who owns 192.168.1.1) hears the shout.
  • It replies directly (unicast) to your MAC: "I am 192.168.1.1, and my MAC address is AA:BB:CC:11:22:33." It needs no ARP request of its own, because your request already told it your MAC.
  • Other devices discard the request because they don't own that IP.

1b-iii. The ARP Table (Caching)

Definition: A temporary "cheat sheet" stored on your computer.

Why it exists: So you don't have to shout (broadcast) every single time you send a packet. It saves bandwidth and time.

How it works:
  • Once you get the reply, your computer writes it down: 192.168.1.1 = AA:BB:CC:11:22:33.
  • The entry is kept for a limited time; the exact timeout depends on the OS (typically tens of seconds to a few minutes before it is marked stale and re-verified).
  • If you don't talk to that device for a while, the entry is deleted (flushed). You can inspect the table with arp -a (Windows, macOS) or ip neigh (Linux).

🎉 Analogy: The Crowded Party

The Request: You stand on a chair at a party and shout, "HEY! Who here is named ALICE?" (Broadcast).

The Reaction: Bob, Charlie, and Dave hear you but ignore you because they aren't Alice.

The Reply: Alice walks over to you and whispers, "I'm Alice, and I'm standing by the window." (Unicast).

The Cache: Now, whenever you want to talk to Alice, you just walk to the window. You don't need to shout again.

💡 Real Examples:
  • Example 1 (Basic - Wireshark): If you open Wireshark and filter for arp, you will literally see lines that say: "Who has 10.0.0.1? Tell 10.0.0.5" followed by "10.0.0.1 is at 00:11:22:33:44:55".
  • Example 2 (Cybersecurity - Recon): A hacker joins a network and wants to know what other devices are there. They send ARP Requests for every IP address (192.168.1.1 through 192.168.1.254). Everyone who exists replies. This is called ARP Scanning (using tools like netdiscover or arp-scan). It only finds hosts on the attacker's own segment, since ARP doesn't cross routers, but it is more reliable than a ping sweep because hosts that drop ICMP still have to answer ARP to use the network.
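The request, reply, and cache update described in 1b, as an added Python example (not code from the original lesson). It builds and decodes real ARP frames in the RFC 826 layout with the standard library only, so it runs offline without root; the hosts, IPs and MACs are constructed for the demonstration, and the Host class is a deliberately minimal stand-in for a real network stack.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806                  # EtherType that marks the payload as ARP
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"      # target MAC field of a request (unknown yet)
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP packet in the RFC 826 layout.

    A request is addressed to the broadcast MAC so every host on the segment
    sees it; a reply is unicast straight back to the requester.
    """
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp            # 42 bytes; a real NIC pads the frame to 60


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame into the fields Wireshark shows."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": bytes_to_mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def describe(p: dict) -> str:
    """The one-line summary Wireshark prints for an ARP packet."""
    if p["opcode"] == ARP_REQUEST:
        return f"Who has {p['target_ip']}? Tell {p['sender_ip']}"
    return f"{p['sender_ip']} is at {p['sender_mac']}"


class Host:
    """A minimal IPv4 host: one IP, one MAC, and an ARP table (cache)."""

    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.cache = {}                 # ip -> mac, what `arp -a` prints

    def request(self, ip: str) -> bytes:
        return build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip)

    def receive(self, frame: bytes):
        """Handle one ARP frame; return a reply frame if this host owes one."""
        p = parse_arp(frame)
        if p["opcode"] == ARP_REQUEST and p["target_ip"] == self.ip:
            # The request already carries the asker's IP/MAC pair, so the
            # owner learns it for free and can unicast the reply.
            self.cache[p["sender_ip"]] = p["sender_mac"]
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["opcode"] == ARP_REPLY and p["target_mac"] == self.mac:
            # Real stacks behave the same way: no check that a request was ever
            # sent, no check on who answered. The reply is simply written down.
            self.cache[p["sender_ip"]] = p["sender_mac"]
        return None                     # a request for someone else's IP is ignored


def simulate_resolution() -> dict:
    """Laptop resolves the gateway on a segment that also holds a printer."""
    laptop = Host("10.0.0.5", "aa:aa:aa:aa:aa:05")
    router = Host("10.0.0.1", "00:11:22:33:44:55")
    printer = Host("10.0.0.50", "aa:aa:aa:aa:aa:50")
    request = laptop.request("10.0.0.1")
    log = [describe(parse_arp(request))]
    for host in (router, printer):      # broadcast: every host on the segment gets it ...
        reply = host.receive(request)
        if reply is not None:           # ... but only the owner answers
            log.append(describe(parse_arp(reply)))
            laptop.receive(reply)
    return {"log": log, "laptop": laptop.cache, "router": router.cache, "printer": printer.cache}


if __name__ == "__main__":
    for line in simulate_resolution()["log"]:
        print(line)
```

Run it and the two printed lines are exactly the Wireshark summaries from Example 1 above. Compare the three caches afterwards: the printer's stays empty (non-owners ignore the request), the router's already holds the laptop's address (the request taught it), and the laptop accepted the reply without checking who sent it, which is the behaviour the next section turns into an attack.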

Massive Design Flaw: ARP is too trusting. It has zero authentication.

1c-i. Lack of Authentication (Trust Issues)

Devices automatically trust any ARP reply they receive. The protocol was designed in 1982 (RFC 826), when networks were small and everyone on the wire was assumed to be friendly.

The Flaw:
  • If I tell your computer, "Hey, I am the Router," your computer does not check ID.
  • It just updates its ARP table: Router IP = My Hacker MAC.
  • It doesn't even care that it never asked. Unsolicited replies are accepted, and most stacks also learn the sender's pair from requests. The protocol's own "gratuitous ARP" announcements (a host advertising its own address, for example after a failover) rely on exactly this behaviour, so the attacker is abusing a feature of the design, not a bug in one implementation.

1c-ii. Intro to ARP Spoofing (Conceptual)

Definition: An attack where a hacker sends fake ARP messages to associate their MAC address with a legitimate IP (like the gateway/router).

πŸ•΅οΈ How it works: Man-in-the-Middle (MitM)

  1. Target: Victim PC (192.168.1.5) wants to talk to Router (192.168.1.1).
  2. Attack: Hacker sends an ARP reply to Victim: "192.168.1.1 is at <Hacker MAC>."
  3. Attack: Hacker sends an ARP reply to Router: "192.168.1.5 is at <Hacker MAC>." (Poisoning both sides is what makes this a full Man-in-the-Middle; poisoning only the victim catches only the outbound direction.)
  4. Result: Victim sends traffic (say, a login) to Hacker -> Hacker records it -> Hacker forwards it to Router. This requires IP forwarding to be enabled on the attacker's host; with forwarding off the victim simply loses connectivity (a Denial of Service).
  5. Stealth: Because the packets are forwarded, the victim keeps working and notices nothing. The poison has to be re-sent every few seconds, otherwise the real router's replies and the cache timeout restore the correct entry.
  Caveat: with TLS in the path the attacker sees hostnames (SNI), IP addresses and timing, not the contents, unless they can also strip or break the encryption.

🤡 Analogy: The Imposter

Scenario: You ask the room, "Who is the Bank Manager? I have money to deposit."

The Attack: I (the criminal) step forward immediately and say, "I am the Bank Manager. Give me the cash."

The Failure: You hand me the cash without asking for a badge or ID.

The Result: I take the money, record the amount, and then hand it to the real manager so nobody gets suspicious.

💡 Real Examples:
  • Example 1 (Basic): You are at a coffee shop. A hacker runs a script. Suddenly, your Netflix stream goes through their laptop before hitting the Wi-Fi router. They can see exactly which server you are connecting to, or kill the connection to kick you offline (Denial of Service).
  • Example 2 (Cybersecurity - Tools): A pentester uses a tool such as Bettercap or Ettercap.
    Bettercap commands: set arp.spoof.targets 192.168.1.15 followed by arp.spoof on
    Bettercap then sends the victim (1.15) a steady stream of replies claiming the router's IP (set arp.spoof.fullduplex true to poison the router as well). The pentester opens Wireshark on their own machine and watches the victim's traffic flow in real time. Wireshark is just as useful to the defender here: its ARP dissector raises a "Duplicate IP address detected" warning when it sees the same IP claimed by two MACs, which is this attack being noticed.
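One way to spot the attack from the defender's side, as an added example that is not part of the original lesson and not any tool's code: a hypothetical arpwatch-style detector in Python that consumes already-decoded ARP events (a constructed trace of the exchange in steps 1-5 above) and raises alerts for the three symptoms of poisoning: a reply nobody asked for, a known IP (especially the gateway) changing its MAC, and one MAC claiming several IPs. The gateway baseline, the 2-second request window and every address in the trace are assumptions made for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpEvent:
    """One decoded ARP packet, as a capture tool would hand it to us."""
    ts: float           # seconds since capture start
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpPoisonDetector:
    """Hypothetical arpwatch-style monitor: learns IP->MAC pairs from traffic
    and raises an alert on the symptoms of ARP cache poisoning."""

    def __init__(self, gateway_ip, gateway_mac, unsolicited_window=2.0):
        self.gateway_ip = gateway_ip
        self.window = unsolicited_window                  # how long a request stays "open"
        self.ip_to_mac = {gateway_ip: gateway_mac}        # baseline, seeded with the gateway
        self.mac_to_ips = defaultdict(set, {gateway_mac: {gateway_ip}})
        self.pending = {}           # (asked_ip, asker_ip) -> timestamp of the request
        self.alerts = []

    def _learn(self, ip, mac):
        """Record a claimed pair; alert on a flip or on one MAC hoarding IPs."""
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            tag = "GATEWAY " if ip == self.gateway_ip else ""
            self.alerts.append(f"{tag}mac flip: {ip} moved {known} -> {mac}")
        self.ip_to_mac[ip] = mac            # follow the change so a flip back is seen too
        owned = self.mac_to_ips[mac]
        if ip not in owned:
            owned.add(ip)
            if len(owned) > 1:
                self.alerts.append(f"one MAC claims several IPs: {mac} -> {sorted(owned)}")

    def feed(self, ev: ArpEvent):
        if ev.opcode == ARP_REQUEST:
            self.pending[(ev.target_ip, ev.sender_ip)] = ev.ts
            self._learn(ev.sender_ip, ev.sender_mac)      # requests carry the asker's pair
            return
        # A reply is legitimate only if the target recently asked for this IP.
        asked = self.pending.pop((ev.sender_ip, ev.target_ip), None)
        if asked is None or ev.ts - asked > self.window:
            self.alerts.append(
                f"unsolicited reply: {ev.sender_ip} is at {ev.sender_mac} (to {ev.target_ip})")
        self._learn(ev.sender_ip, ev.sender_mac)


# Constructed trace: one normal resolution, then the poisoning from steps 2-5.
GW_IP, GW_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.5", "aa:bb:cc:dd:ee:05"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_TRACE = [
    ArpEvent(0.0, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, GW_IP),       # "Who has 192.168.1.1?"
    ArpEvent(0.1, ARP_REPLY, GW_MAC, GW_IP, VICTIM_IP),             # real router answers
    ArpEvent(5.0, ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_IP),       # step 2: "I am the router"
    ArpEvent(5.1, ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GW_IP),       # step 3: "I am the victim"
    ArpEvent(7.0, ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_IP),       # step 5: re-poison
]


def run_detector(trace=SAMPLE_TRACE):
    """Feed a trace through a fresh detector and return the alerts it raised."""
    det = ArpPoisonDetector(GW_IP, GW_MAC)
    for ev in trace:
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
```

The first two events (a normal request/reply pair) produce no alerts; the three poison replies produce six, the first of them tagged GATEWAY. In production each rule needs tuning: VRRP/HSRP failover and a replaced NIC cause legitimate gateway MAC flips, routers legitimately answer for several IPs, and some stacks send gratuitous replies, so an alert is a lead for the SOC to check against switch port data (or Dynamic ARP Inspection logs), not proof on its own.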

🛑 ARP Wrap-Up

  • Roles: IP is your logical location (where you are); MAC is your link-layer identity (who you are on this segment).
  • Persistence: IPs change when you move networks; MACs come from the hardware vendor but can be overridden in software, so they are an identifier, not proof of identity.
  • Interaction: They work together via ARP. IP gets the packet to the right network; MAC gets the frame to the right device on that network.
  • Scope: IPs are end-to-end; MACs are hop-local (rewritten at every router hop).
  • Practical uses: Troubleshooting (arp -a, ip neigh), identifying devices, and "MAC Filtering" on routers (trivially bypassed by MAC spoofing, so not a security control on its own).
  • Defenses against poisoning: static ARP entries for the gateway on critical hosts, Dynamic ARP Inspection on managed switches, and monitoring for IP-to-MAC changes (arpwatch or equivalent).

📚 Sources & References

  • RFC 826: An Ethernet Address Resolution Protocol (1982).
  • ISO/IEC 7498-1: The OSI Reference Model (Layers 2 and 3).
  • IEEE 802.3: Standard for Ethernet (MAC addressing).
  • MITRE ATT&CK: T1557.002 (Adversary-in-the-Middle: ARP Cache Poisoning).