# ARP and RARP ## What is ARP ARP, the Address Resolution Protocol, is a protocol used to discover the hardware address, or MAC address, of a device given its IP address. When a device wants to send data to another device on the same local network, it needs the MAC address of the destination to construct the Ethernet frame. If it only knows the IP address, it uses ARP to find the corresponding MAC address. ARP operates between the Network layer and the Data Link layer and is considered a companion to the IP protocol. ## How ARP Works When Device A wants to communicate with Device B on the same network and does not have Device B's MAC address in its ARP cache, it broadcasts an ARP request. The ARP request contains Device A's IP and MAC address and asks who has Device B's IP address. Every device on the local network receives this broadcast. Device B recognizes its own IP address in the request and responds with an ARP reply containing its MAC address. Device A receives the reply, stores the IP-to-MAC mapping in its ARP cache for future use, and can now construct Ethernet frames addressed to Device B. ## ARP Cache The ARP cache is a table in every networked device that stores IP-to-MAC address mappings. Entries are added dynamically when ARP requests are answered. Entries in the ARP cache have a timeout value, typically a few minutes. When an entry expires, it is removed and the device must use ARP again the next time it needs to communicate with that IP address. The ARP cache can be viewed with the command arp -a on most operating systems. ## Gratuitous ARP A gratuitous ARP is an ARP request where the source and target IP addresses are both set to the IP address of the sending device. It is sent by a device when it first joins a network or when its IP address changes. Gratuitous ARP serves two purposes. It allows the device to update the ARP caches of other devices on the network with its new or current MAC address. It also allows the device to check whether any other device on the network is already using the same IP address, which would indicate an address conflict. ## ARP Spoofing ARP spoofing is an attack in which a malicious device sends fake ARP replies associating its own MAC address with the IP address of another device, such as the default gateway. When other devices update their ARP caches with the fake information, their traffic intended for the gateway is sent to the attacker instead. This enables man-in-the-middle attacks where the attacker can intercept and potentially modify the traffic. ## RARP RARP, the Reverse Address Resolution Protocol, is the opposite of ARP. It allows a device that knows its own MAC address to discover its IP address from a RARP server. RARP was used by diskless workstations that booted from the network and needed to obtain their IP address before they could communicate. RARP has been entirely replaced by BOOTP and DHCP, which provide more complete network configuration information than just an IP address.