Introduction to ARP Poisoning

ARP (Address Resolution Protocol) is a communications protocol used for converting between IP Addresses and Physical Addresses (MAC address). The conversion from IP to Physical Address is needed on LANs (Local Area Networks) in order to transfer packets from the Network Layer to the Data Link Layer of the OSI Model. The Data Link Layer relies on Physical Addresses for routing while the higher layers rely on IP addresses to identify computers.


ARP converts between IP Addresses (Network Layer) and MAC Addresses (Data Link Layer).

It is important to realize that ARP is only used on LANs (Local Area Networks). Originally, all computers were directly connected to The Internet, so all routing was based on IP addresses. Eventually, routers allowed multiple computers on a LAN to connect to The Internet with a single IP address.

In order to allow computers to share an external IP Address while maintaining network discoverability and backwards¬†compatibility, there needs to be a different way to identify hosts behind the router and a way to convert between a host’s two addresses. To meet this need, the MAC Address of a device is used to identify that host on a LAN. MACs are unique to each computer and thus provide a way to uniquely identify all devices on a LAN.

ARP is used to communicate MAC addresses so that all hosts know each other’s MAC/IP pair. After exchanging MAC Addresses, hosts can conform to the standard OSI model for TCP/IP communication on a LAN.

ARP Poisoning takes advantage of the overly trusting ARP system. By sending forged ARP packets, an attacker can cause a victim to send traffic to any nodes on the local network.

Here we will explain in detail how the ARP protocol works, show the protocols inherent weakness, and then examine the different methods for attacking with and defending against ARP based exploits.

Leave a comment

Your email address will not be published. Required fields are marked *