Address Resolution Protocol (ARP)

ARP stands for Address Resolution Protocol. ARP is how network devices associate MAC addresses with IP addresses so that devices on the local network can find each other. ARP differs from the TCP/IP protocols in that its messages are carried directly in Ethernet frames rather than inside IP packets. ARP is similar to DNS, except that instead of converting host names to IP addresses, ARP converts IP addresses to MAC addresses.

An ARP request works by Computer A asking the network, “Who has IP address 10.10.1.123?” Computer B then sends an ARP reply telling Computer A, “My IP is 10.10.1.123 and my MAC address is 01-23-45-67-89-ab”.

To improve efficiency, most systems update their MAC tables (the cached IP-to-MAC mappings) every time they receive a reply, even if they did not specifically request it. This is the weakness in ARP that an attacker can use by sending a message to Computer B saying “Computer C is at my MAC”. Packets that B sends to C’s IP address will instead be delivered to the attacker’s computer. The attacker can capture these packets or sniff them for the data he wants. The attacker can then either forward the packets so that the victim does not notice anyone is sniffing the traffic, or block all traffic, rendering the victim’s network connection useless.
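
The two signs of this behaviour that a defender can watch for are a reply nobody asked for and an IP address suddenly claimed by a different MAC. The following is an added example, not part of the original page: a passive monitor that parses ARP payloads and flags both. The sample traffic is constructed; 10.10.1.5 and the 02-00-00-00-00-xx MAC addresses are assumptions made for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used only for the constructed samples)."""
    raw = lambda m: bytes.fromhex(m.replace("-", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       raw(sha), socket.inet_aton(spa), raw(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip, target_ip) from an ARP payload."""
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return oper, sha.hex("-"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    """Passive monitor: flags unsolicited replies and changed IP-to-MAC bindings."""
    def __init__(self):
        self.bindings = {}    # ip -> first MAC seen claiming it
        self.pending = set()  # IPs that someone has asked about
    def observe(self, payload):
        oper, smac, sip, tip = parse_arp(payload)
        alerts = []
        if oper == REQUEST:
            self.pending.add(tip)
        elif oper == REPLY:
            if sip not in self.pending:
                alerts.append(f"unsolicited reply: {sip} is-at {smac}")
            self.pending.discard(sip)
        known = self.bindings.setdefault(sip, smac)  # keep the first binding as baseline
        if known != smac:
            alerts.append(f"binding change: {sip} was {known}, now claimed by {smac}")
        return alerts

def demo():
    """Constructed traffic: A asks, B answers, then a reply arrives that nobody requested."""
    a, b, x = "02-00-00-00-00-0a", "01-23-45-67-89-ab", "02-00-00-00-00-ee"
    frames = [
        build_arp(REQUEST, a, "10.10.1.5", "00-00-00-00-00-00", "10.10.1.123"),
        build_arp(REPLY, b, "10.10.1.123", a, "10.10.1.5"),
        build_arp(REPLY, x, "10.10.1.123", a, "10.10.1.5"),  # no matching request
    ]
    monitor = ArpMonitor()
    return [monitor.observe(f) for f in frames]

if __name__ == "__main__": print(demo())
```

The monitor keeps the first MAC seen for each IP as its baseline, so a repeated forged reply keeps raising the binding-change alert instead of silently overwriting the legitimate entry.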