MAC Addresses & ARP


A MAC (Media Access Control) address is a unique hardware identifier baked into every network interface card. ARP is the protocol that translates IP addresses into MAC addresses so devices on the same LAN can actually talk.

In simple language: IP gets us across the internet, but on the final hop within a LAN, devices speak in MAC. ARP is the phone book that maps “this IP” to “this MAC.”

MAC Address Format

A MAC address is 48 bits, written as 6 hex octets:

00:1A:2B:3C:4D:5E
|_______||_______|
   OUI    Device ID
 (3 bytes) (3 bytes)
  • OUI (Organizationally Unique Identifier) — first 3 bytes, identifies the vendor (Apple, Cisco, Intel, etc.).
  • Device ID — last 3 bytes, unique within that vendor.

So 00:1A:2B:xx:xx:xx would mean “made by some specific vendor that owns the OUI 00:1A:2B.”

Special MAC Addresses

FF:FF:FF:FF:FF:FF    -> broadcast (everyone on the LAN)
01:00:5E:xx:xx:xx    -> IPv4 multicast
33:33:xx:xx:xx:xx    -> IPv6 multicast
00:00:00:00:00:00    -> unspecified

Why MAC and IP Both?

Two layers, two purposes:

  • IP (Layer 3) — global, hierarchical, routable. Tells routers where to send packets.
  • MAC (Layer 2) — local, flat, hardware-tied. Tells switches which physical port to forward a frame to.

A router’s job is to receive a frame, peel off the Ethernet header, look at the IP, find the next hop, and rewrite the MAC for the next leg. IP stays the same end-to-end (mostly). MAC changes every hop.

How ARP Works

We have IP 192.168.1.5 and want to send a packet to 192.168.1.10. The OS needs the MAC of .10 to build the Ethernet frame. ARP to the rescue.

ARP Request / Reply
1. Host A broadcasts: "Who has 192.168.1.10? Tell 192.168.1.5"
(sent to MAC FF:FF:FF:FF:FF:FF — everyone on the LAN)
2. Host B replies (unicast): "192.168.1.10 is at 00:1A:2B:3C:4D:5E"
3. Host A caches the mapping and sends the actual frame.

The ARP Cache

Every OS keeps an ARP cache so we don’t broadcast for every packet.

# Linux / macOS
arp -a
# ? (192.168.1.1) at 8c:4d:ea:11:22:33 on en0 ifscope [ethernet]
# ? (192.168.1.10) at 00:1a:2b:3c:4d:5e on en0 ifscope [ethernet]

# Windows
arp -a

# Manually delete an entry (Linux / macOS)
sudo arp -d 192.168.1.10

Entries typically expire after a few minutes (varies by OS) so stale info doesn’t linger.

Gratuitous ARP

A device can send an ARP for its own IP without anyone asking. Why?

  • Announce itself — “Hey, 192.168.1.20 is now me, MAC AA:BB:CC…”
  • Update everyone’s caches after a NIC change or failover.
  • Detect IP conflicts — if someone else replies, we have a duplicate IP.

This is what high-availability setups (VRRP, keepalived) use to migrate a virtual IP between nodes.

ARP Spoofing (Security Note)

ARP has no authentication. An attacker on the same LAN can send forged ARP replies saying “I’m the gateway” and intercept everyone’s traffic. That’s an ARP spoofing / MITM attack. Mitigations: dynamic ARP inspection on managed switches, static ARP entries for critical hosts, or just use TLS so that even if someone reads the bytes, they can’t decrypt them.
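
A defender-side check for the forged “I’m the gateway” reply described above, added here as an example and not part of the original page: it parses `arp -a` output in the format shown earlier, compares entries with pinned IP-to-MAC pairs, and flags one MAC answering for several IPs. The sample cache, the pin list and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line shape taken from the `arp -a` output shown earlier: "(ip) at mac ...".
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b")
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: the gateway IP now resolves to the MAC of 192.168.1.10.
SAMPLE = """\
? (192.168.1.1) at 0:1a:2b:3c:4d:5e on en0 ifscope [ethernet]
? (192.168.1.10) at 00:1a:2b:3c:4d:5e on en0 ifscope [ethernet]
? (192.168.1.20) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""
# Assumed pin list: IP -> MAC recorded while the LAN was known to be good.
PINNED = {"192.168.1.1": "8C:4D:EA:11:22:33"}

def normalize_mac(mac):
    """Lower-case and zero-pad octets (some arp builds print 00:1a as 0:1a)."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp_cache(text):
    """Return {ip: mac} for resolved entries; '(incomplete)' lines are skipped."""
    cache = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            cache[m.group("ip")] = normalize_mac(m.group("mac"))
    return cache

def audit(cache, pinned):
    """Flag pinned IPs whose MAC differs and MACs that answer for several IPs."""
    findings = []
    for ip, expected in pinned.items():
        seen = cache.get(ip)
        if seen is not None and seen != normalize_mac(expected):
            findings.append(("PIN_MISMATCH", ip, seen))
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        if mac != BROADCAST:  # the broadcast entry is expected, not a host
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("SHARED_MAC", ",".join(sorted(ips)), mac))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(parse_arp_cache(SAMPLE), PINNED))
```

A `SHARED_MAC` finding also appears legitimately with proxy ARP or a host holding several addresses, so treat it as a lead to verify rather than proof of spoofing.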

Changing a MAC Address

MAC is “burned in” but the OS can override what’s sent on the wire:

# macOS
sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff

# Linux
sudo ip link set dev eth0 address aa:bb:cc:dd:ee:ff

Useful for privacy on public Wi-Fi (modern phones randomize MACs by default).

ARP Doesn’t Exist in IPv6

IPv6 replaces ARP with NDP (Neighbor Discovery Protocol) running over ICMPv6. The idea is the same: find the link-layer address for a given IPv6 address. NDP is just smarter and more authentication-friendly.

Interview Tip

A common gotcha: “what’s the destination MAC when host A talks to a host on a different subnet?” Answer: it’s the gateway’s MAC, not the final destination’s. The MAC changes at every router hop; the IP stays the same.