ARP (Address Resolution Protocol) is a fundamental networking protocol used to map a Layer 3 IP address to a Layer 2 MAC address, enabling direct communication between devices on the same local network.
How ARP Works
- When PC1 wants to communicate with PC3, it checks its ARP cache for PC3's MAC address.
- If the MAC address isn't cached, PC1 sends an ARP broadcast request (Destination MAC: FF:FF:FF:FF:FF:FF).
- PC3 recognizes its IP in the request and responds with a unicast ARP reply containing its MAC address.
- PC1 updates its ARP cache and proceeds with communication (e.g., ICMP ping).
You Should Know:
1. Viewing ARP Cache (Linux/Windows)
- Linux:
arp -n      # Shows ARP table (numeric format)
ip neigh    # Modern alternative
- Windows:
arp -a # Displays ARP entries
2. Manually Adding/Deleting ARP Entries
- Linux:
sudo arp -s <IP> <MAC>    # Static ARP entry
sudo arp -d <IP>          # Delete entry
- Windows:
arp -s <IP> <MAC>    # Static entry
arp -d <IP>          # Remove entry
3. Detecting ARP Spoofing (Security)
- Monitor ARP traffic:
sudo tcpdump -i eth0 arp # Capture ARP packets
- Use ARPWatch to detect anomalies:
sudo apt install arpwatch
sudo systemctl start arpwatch
4. Clearing ARP Cache
- Linux:
sudo ip -s -s neigh flush all # Flush ARP cache
- Windows:
netsh interface ip delete arpcache
5. Static ARP for Security
Prevent ARP poisoning by locking critical MAC addresses:
sudo arp -i eth0 -s 192.168.1.1 00:1a:2b:3c:4d:5e
What Undercode Say:
ARP is a critical yet vulnerable protocol. Attackers exploit ARP spoofing to intercept traffic (MITM attacks). Always:
- Monitor ARP tables for unexpected changes.
- Use static ARP entries for critical devices (routers, servers).
- Implement DHCP snooping and dynamic ARP inspection (DAI) on switches.
Expected Output:
$ arp -n
Address       HWtype  HWaddress          Flags Mask  Iface
192.168.1.1   ether   00:1a:2b:3c:4d:5e  C           eth0
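One way to act on the advice to monitor ARP tables for unexpected changes, as an added example that is not part of the original post: the script parses two `arp -n` snapshots in the format shown above and reports IP-to-MAC changes and MACs that answer for more than one IP. The function names, the `pinned` parameter and every sample row except the 192.168.1.1 entry are assumptions constructed for illustration.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_arp_n(text):
    """Parse `arp -n` output into {ip: mac}; header and (incomplete) rows are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and MAC_RE.match(fields[2].lower()):
            table[fields[0]] = fields[2].lower()
    return table

def find_anomalies(baseline, current, pinned=()):
    """Return (kind, subject, detail) findings between two ARP snapshots."""
    findings = []
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old and old != mac:
            # A changed mapping for a pinned IP (e.g. the gateway) is the
            # highest-priority signal; other changes may be DHCP churn.
            kind = "PINNED_CHANGED" if ip in pinned else "MAC_CHANGED"
            findings.append((kind, ip, f"{old} -> {mac}"))
    owners = {}
    for ip, mac in current.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            # One MAC answering for several IPs: typical of poisoning, but
            # also of multi-address hosts, so treat it as a lead to verify.
            findings.append(("MAC_SHARED", mac, ",".join(sorted(ips))))
    return findings

HEADER = "Address       HWtype  HWaddress          Flags Mask  Iface\n"
# Constructed snapshots; only the 192.168.1.1 entry comes from the page.
BASELINE = HEADER + (
    "192.168.1.1   ether   00:1a:2b:3c:4d:5e  C           eth0\n"
    "192.168.1.20  ether   aa:bb:cc:00:00:20  C           eth0\n")
CURRENT = HEADER + (
    "192.168.1.1   ether   aa:bb:cc:00:00:20  C           eth0\n"
    "192.168.1.20  ether   aa:bb:cc:00:00:20  C           eth0\n"
    "192.168.1.30          (incomplete)                   eth0\n")

if __name__ == "__main__":
    result = find_anomalies(parse_arp_n(BASELINE), parse_arp_n(CURRENT),
                            pinned={"192.168.1.1"})
    for kind, subject, detail in result:
        print(f"{kind:15} {subject:18} {detail}")
```

On a live host, feed it a saved known-good `arp -n` capture as the baseline and a fresh capture as the current snapshot.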
References:
Reported By: Ibrahim Solalu – Hackers Feeds



