So I have a lot of free time at work right tnow, and a MCSE study guide on TCP/IP networking I got for Christmas, and I'm trying to finally sit down and study this and learn the deeper aspects about TCP/IP. I can brush the surface of it with my knowledge, and it's due time for me to dive into it.

So right now I'm studying how ARP works in regard to resolving MAC addresses, and I'm a little confused. The book explains that a router checks a packet's ARP cache to see if it already knows the MAC address of the machine it's looking for. If it's not listed in the cache, it broadcasts to the entire local network asking if any of the machines on that LAN have the IP address that the packet is intended for.

So here's my question: How could a packet sent from a WAN know the IP address of the destination machine behind the LAN? There's usually only one WAN IP address for the entire network at the router, so that would only leave the LAN IP addresses for each specific machine. So how in the world would a remote client outside the LAN know that IP in order for it be requested from the packet?

Or am I just misunderstanding what I'm reading here?

Ok, that's the first question. Second: I believe I've heard the term "ARP poisoning" thrown around before, but I wasn't familiar with ARP yet so I didn't understand what was going on. What exactly is that concept?