Networking Fundamentals · beginner · ~10 min
Explain how a host finds the MAC behind an IP, and why ARP is trust-based.
MAC is the 48-bit link-layer hardware address. ARP resolves an IP to a MAC on the local network by broadcast, caching the answer. ARP is unauthenticated — the basis of ARP spoofing.
LAN-level attacks (MITM via ARP poisoning) and a lot of capture analysis happen at the link layer. Understanding ARP's trust-by-default design explains both the attack and why switched-network defences exist.
MAC address. 48-bit hardware address, LAN-local.
ARP request/reply. Broadcast "who has IP?" → unicast "I do, here's my MAC."
ARP cache. Recently resolved IP↔MAC pairs.
No authentication. Any host may answer → ARP spoofing.
On a single LAN, hosts talk to each other by MAC address (a 48-bit hardware address like 00:1a:2b:3c:4d:5e), not IP. The link layer doesn't understand IP — it needs the MAC of the next hop.
ARP (Address Resolution Protocol) bridges layer 3 and layer 2. To send to 192.168.1.20, a host broadcasts: "Who has 192.168.1.20? Tell me your MAC." The owner replies with its MAC, which the sender caches in its ARP table.
$ arp -a
? (192.168.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
ARP has no authentication. Any host can reply "I have that IP". This is ARP spoofing/poisoning, used (in authorized tests) to position an attacker as a man-in-the-middle on a LAN. The defences are dynamic ARP inspection, static entries, and segmentation. Recognising ARP frames is also a first step in reading captures.
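The capture-reading and detection side of this, as an added example that is not part of the original lesson: it decodes Ethernet/IPv4 ARP frames and flags any IP whose claimed MAC differs from the first one observed. The frames are constructed sample data; 192.168.1.10 and every MAC other than 00:1a:2b:3c:4d:5e are assumed values, and the function names are hypothetical.

```python
import struct

ARP_ETHERTYPE = 0x0806

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(map(str, frame[28:32]))
    target_ip = ".".join(map(str, frame[38:42]))
    return op, sender_mac, sender_ip, target_ip  # op 1 = request, 2 = reply

def find_conflicts(frames):
    """Flag every frame that claims an IP with a MAC other than the first one seen."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip, _ = parsed
        if ip == "0.0.0.0":  # ARP probe: sender has no address yet
            continue
        first = seen.setdefault(ip, mac)
        if first != mac:
            alerts.append((ip, first, mac))
    return alerts

def sample_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build the bytes of one constructed ARP frame (sample data for this example)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    eth_dst = b"\xff" * 6 if op == 1 else mac(dst_mac)  # requests are broadcast
    return (eth_dst + mac(src_mac) + struct.pack("!H", ARP_ETHERTYPE)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip))

# Constructed capture: request, genuine reply, then a second host claiming the same IP.
SAMPLE = [
    sample_frame(1, "00:aa:bb:cc:dd:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    sample_frame(2, "00:1a:2b:3c:4d:5e", "192.168.1.1", "00:aa:bb:cc:dd:01", "192.168.1.10"),
    sample_frame(2, "00:de:ad:be:ef:99", "192.168.1.1", "00:aa:bb:cc:dd:01", "192.168.1.10"),
]
```

A changed binding is a signal to investigate rather than proof of spoofing, since NIC replacement, failover pairs and DHCP reassignment also change the MAC behind an IP.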
Within a LAN, delivery is by MAC; ARP maps IP→MAC by unauthenticated broadcast. That missing authentication is exactly what makes ARP spoofing possible — and why you'll see ARP traffic at the bottom of every capture.