What is ARP and ARP Spoofing(ARP cache poisoning)?

Here is a short video i made to help you understand better!


ARP-Address Resolution Protocol


  • As we can see in the above image, the second layer i.e. the Data Link Layer is the layer in which ARP protocol is used.
  • ARP is used to find the MAC address of a machine in LAN whose IP address is known.
  • As in Data Link Layer IP addresses are not much useful MAC addresses are used for communication within a LAN.

Steps involved:

  • ARP Request
  • ARP Response(ARP Reply)

ARP Table: Every machine in a LAN maintains an ARP Table which consists of two columns viz. IP address and MAC address. For faster communication MAC addresses are maintained for corresponding IP addresses so that every time ARP Request is not sent.

Explanation with example:


ARP Request

  • In the above image, suppose machine A wants to communicate with machine B. Machine A will check its ARP table if it doesn’t have machine B’s MAC address then A will send an ARP Request.
  • As B’s MAC address is not known this will be a broadcast message and as it is a broadcast message Target MAC address will contain all 0’s as highlighted above.

ARP Response

  • As all the machines receive the ARP Request sent by A, they will compare their IP address with the Target IP.
  • Whose IP address matches with Target IP will send an ARP Response to A.
  • As in this case B’s IP matches with the Target IP , B will send an ARP Response to A which will contain its MAC address , A will update its ARP Table and thus communication will be established.

ARP Spoofing (ARP cache poisoning)

  • Advantage of ARP is that it is simple to implement.
  • Disadvantage of ARP is that it doesn’t involve authentication i.e. it doesn’t check that ARP Response is received from a valid source or not.
  • This flaw is exploited by a technique we call as ARP spoofing or ARP cache poisoning.
  • In ARP spoofing we poison the ARP cache or ARP Table by making a machine add wrong details in their ¬†ARP Table

Explanation with example:


This is a Man-in-the-middle attack using ARP spoofing.

  • Let’s consider that Bob wants to communicate with Alice but he doesn’t have Alice’s MAC address. So Bob will send an ARP Request which will be a broadcast message.
  • So along with Alice, attacker will also receive this message as attacker is also present in the LAN. Attacker will send a fake crafted ARP reply to Bob with Alice’s IP address and its MAC address.
  • Bob will update its ARP Table where it will map Alice’s IP address with Attacker’s MAC address (as there is no authentication) and Bob will send all the packets to Attacker instead of Alice.
  • The same process is repeated with Alice where Alice is made to map Bob’s IP address with Attacker’s MAC address and thus a Man-in-the-middle attack is carried out using ARP spoofing.