Exploring ARP: A Hands-On Lab with Wireshark and Command Line

April 14, 2025

As an L2 Support Engineer at NetOne Zambia, understanding network protocols like ARP (Address Resolution Protocol) is crucial for troubleshooting and securing our IT infrastructure. Recently, I conducted a hands-on lab to capture and analyze ARP traffic using Wireshark and simulate ARP behavior via command line. This exercise not only deepened my understanding of how devices communicate on a LAN but also reinforced my passion for cybersecurity. Below, I will walk you through the steps, share my findings, and reflect on the experience.

Capturing ARP Traffic in Wireshark

Wireshark is a powerful tool for network analysis, and capturing ARP traffic is a great way to see how devices resolve IP addresses to MAC addresses. Here’s how I did it:

Open Wireshark and start capturing traffic on your local network interface (e.g., Ethernet or Wi-Fi).
In the display filter bar, type arp to filter out everything except ARP traffic.
Open a command prompt or terminal and ping a device on your LAN, such as your router: ping 192.168.1.1.
Watch for ARP packets in Wireshark. You will see an ARP Request like: “Who has 192.168.1.1? Tell 192.168.1.100,” followed by an ARP Reply like: “192.168.1.1 is at aa:bb:cc:dd:ee:ff.”

Clicking on an ARP packet in Wireshark and expanding the “Address Resolution Protocol” section reveals key details: Sender MAC address, Sender IP address, Target MAC address (often 00:00:00:00:00:00 in a request), and Target IP address. This gives a clear view of how devices discover each other on the network.

Simulating ARP Behavior via Command Line

To further explore ARP, I used built-in command-line tools to view and manipulate the ARP cache on my machine. Here’s how it works on Windows and Linux/macOS:

On Windows:

View the ARP cache: arp -a
Clear the ARP cache: arp -d *
Ping a new IP to trigger ARP: ping 192.168.1.1
Run arp -a again to see the MAC address of 192.168.1.1 listed.

On Linux/macOS:

View the ARP table: ip neigh or arp -n
Clear ARP entries: ip neigh flush all
Ping and re-check: ping 192.168.1.1, then ip neigh

This simulation helped me understand how ARP dynamically updates as devices communicate, a critical process for network connectivity.

Bonus: ARP Spoofing for Cybersecurity Learning

For those interested in cybersecurity, ARP spoofing is a technique used by attackers to intercept network traffic. As an ethical experiment, I explored this using tools like arpspoof (available in Kali Linux or via the dsniff package). Simulating ARP spoofing in a controlled environment helped me understand the vulnerabilities in ARP and the importance of implementing security measures like static ARP entries or network monitoring at NetOne Zambia. This knowledge is crucial for protecting our infrastructure from potential attacks.

Reflection: Balancing Work and Play

The photo below captures me, standing outside our cafeteria in Lusaka after a day of technical exploration. I had just completed a similar ARP lab and decided to take a break, enjoying the fresh air and reflecting on what I had learned. The dartboard on the wall and the outdoor setup remind me of the balance I have always sought between work and play. Diving deep into protocols like ARP fuels my passion for tech, while moments like these, relaxing with colleagues, recharge me for the journey ahead. As I continue to grow at NetOne, I am committed to using these skills to enhance our network security and share knowledge with the tech community in Zambia.

Darwin Chapuswike outside cafeteria in Lusaka, 2025

← Back to Publications