05. ARP (Address Resolution Protocol)

Links layer 3 IPs to layer 2 MACs on a local network.

ARP Packets

  • Hardware Type: e.g., Ethernet (1).
  • Protocol Type: e.g., IPv4 (0x0800).
  • Hardware Address Length: e.g., 6 bytes for MAC.
  • Protocol Address Length: e.g., 4 bytes for IPv4.
  • Opcode: Request (1) or Reply (2).
  • Sender & Target Hardware Addresses (MACs).
  • Sender & Target Protocol Addresses (IPs).

ARP Cache Poisoning and Man-in-the-middle (MITM)

Exploits the fact that hosts accept unsolicited ARP replies. By sending forged ARP replies, the attacker can trick a victim and a gateway into mapping each other's IP addresses to the attacker's MAC address, thus redirecting all traffic through the attacker's machine. _Attachments/Pasted image 20250707022433 _Attachments/Pasted image 20250707022545

  • Defenses:
    • Static ARP Entries
      • Manually setting a permanent entry in the ARP table (arp -s <IP> <MAC>).
      • Only manageable in very small, static networks.
    • Dynamic ARP Inspection (DAI)
      • Switch feature that works with DHCP Snooping.
      • Maintains a trusted database of IP-to-MAC bindings. If an ARP packet arrives on a port with a binding that doesn't match the database, the switch drops the packet.

© 2025 All rights reservedBuilt with Flowershow Cloud

Built with LogoFlowershow Cloud