Everything You Need to Know About ARP Tables
- ARP stands for Address Resolution Protocol.
- An ARP table maps the connection between IP addresses (software) and MAC addresses (hardware), thereby tying a mysterious IP address to an real-world physical connection.
- ARP tables have the advantage of being cached, so if repeated requests are sent by the same computer to another computer on a network, the signal gets sent more reliably. After a set amount of time, info in the ARP table expires to ensure freshness and correctness.
And that's it, that's all you need to know.
Something You Do Not Need To Know About ARP Tables, But Script Kiddies Do
Within an internal LAN, entire ARP tables can be passed from any single workstation to any other workstation. So if workstation A sends out an ARP request hunting workstation B, but the request bumps into workstation C first, and it has an entry for workstation B in its ARP table, it'll send its ARP info back to workstation A, saving it the trip of going all the way to workstation B.
This level of openness combined with the ability for most switches to allow multiple MAC addresses to bind to single ports makes ARP tables ripe for poisoning and running interference. If you can get on a network, you can simply write up a bogus ARP table and reroute IP requests to different MAC addresses altogether. From there packet sniffing and data theft is fairly simple. Most switches have ARP tables set to clear out every minute or so, though, so you'll have to work fast to get any business done.