This wiki has been migrated to and is now deprecated. Please use that site instead.

Address Resolution Protocol (ARP)

The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3 (protocol) and a layer 2 (hardware) address. A typical use is the mapping of an ["IP"] address (e.g. to the underlying ["Ethernet"] address (e.g. 01:02:03:04:05:06). You will often see ARP packets at the beginning of a conversation, as ARP is the way these addresses are discovered.

ARP can be used for Ethernet and other LANs, ATM, and a lot of other underlying physical addresses (the list of hardware types in the [ ADDRESS RESOLUTION PROTOCOL PARAMETERS] document at the ["IANA"] Web site includes at least 33 hardware types).

ARP is used to dynamically build and maintain a mapping database between link local leyer 2 addresses and layer 3 addresses. In the common case this table is for mapping Ethernet to IP addresses. This database is called the ["ARP Table"]. Dynamic entries in this table are often cached with a timeout of up to 15 minutes, which means that once a host has ARPed for an IP address it will remember this for the next 15 minutes before it gets time to ARP for that address again.

A peculiarity of ARP is that since it tries to reduce/limit the amount of network traffic used for ARP a host MUST use all available information in any ARP packet that is received to update its ["ARP Table"] with. Sometimes a host thus sends out ARP packets, NOT in order to discover a mapping but to use this side effect of ARP and preload the ARP table of a different host with an entry. These special ARP packets are refered to as ["Gratuitous ARP"]s and Ethereal will detect and flag the most common versions of such ARPs in the packet summary pane.

["Gratuitous ARP"]s are more important than one would normally suspect when analyzing captures. So dont just ingore them or filter out ARP from your capture immediately. Consider that a normal host will always send out a ["Gratuitous ARP"] the first thing it does after the link goes up or the interface gets enabled, which means that almost everytime we see a ["Gratuitous ARP"] on the network, that host that sent it has just had a link bounce or had its interface disabled/enabled. This is very useful information when troubleshooting networks. Remember though that you can only see these ["Gratuitous ARP"]s or any other ARPs for that matter if your capture device is in the same ["Broadcast Domain"] as the host that originates the ARP packet.

Several viruses send a lot of ARP traffic in an attempt to discover hosts to infect; see the ArpFlooding page.


[ RFC 826] "An Ethernet Address Resolution Protocol" was released in November 1982.

Protocol dependencies

Layer 2 protocols:

Layer 3 protocols:

Example traffic

XXX - Add example traffic here (as plain text or Ethereal screenshot).


The ARP dissector is fully functional.

Preference Settings

ARP has no preference settings.

Example capture file

Display Filter

A complete list of ARP display filter fields can be found in the [ display filter reference]

Filtering only on ARP packets is rarely used, as you won't see any IP or other packets. However, it can be useful as part of a larger filter string.

Capture Filter

You can filter ARP protocols while capturing.

Capturing only ARP packets is rarely used, as you won't capture any IP or other packets. However, it can be useful as part of a larger filter string.


At which event is an entry in the ARP table removed/replaced, if the host detects problems sending packets to the entries host? I would think it doesn't take 15 minutes in that case. - Ulf Lamping

Could someone explain ARP flooding and other attack's to the ARP layer to capture packets not dedicated to the capturing host? - Ulf Lamping