The Address Resolution Protocol (ARP) is the mechanism that ties a computer MAC address to an IP address. When a computer needs to send as packet to another computer on the network, that packet needs to be addressed with the MAC address of the receiving computer. The sender knows the IP address and will send out an ARP packet to get the MAC address that belongs to the computer that has the IP address requested. The ARP packet looks like this:

The packet is addressed to the Ethernet broadcast address of ff:ff:ff:ff:ff:ff, basically asking anyone with the IP address of 192.168.179.131 to respond with its MAC address. The response to this request looks like this:

The computer with IP address 192.168.179.131 responds by saying it has the MAC address 00:0c:29:8f:79:2c. The requesting computer will temporarily store the ARP request results in an ARP table so the same query doesn't have to be sent out for every packet. ARP's greatest vulnerability lies in that temporary storage functionality. If an attacker sends out the response to the query before the real target does, the attacker can override the MAC address that the requester stores in its ARP table, hence influencing where the requesting computer sends its packets to. This is called ARP spoofing, and we will see an example use later on in this book.