The arp tool is a troubleshooting tool included with most operating systems and is used to examine the MAC address cache on the local system (router, switch or computer) and to set or purge physical hardware MAC address associations with logical addresses (IP addresses usually). The arp tool was designed to allow an administrator to interact, or display the Address Resolution Protocol's cache on the local host. See our ARP Tutorial for an explaination of Address Resolution Protocol and the ARP cache. See our RARP tutorial for an explaination of the Reverse Address Resolution Protocol.
Why You Need an ARP tool
Using the arp tool, you can delete, or manually set, a specific ARP cache entry. The most common reason for needing to check the ARP table is conflicts between logical or physical addresses. The ARP tool shows you the current arp table entries for your device. That table shows the mappings between the logical and physical addresses (MAC addresses) in use on the network that the computer has heard from or talked to in the last few minutes. Duplicate MAC addresses or duplicate IP addresses are the most common conflicts you will see and ARP will instantly identify such conflicts if checked at the default gateway or the local LAN switch.
The 'arp' Tool in Cisco, Microsoft and Linux
Every operating system and computer with network capability has an ARP tool for troubleshooting local network problems. This page illustrates the many versions of the command on the most common systems and platforms.
- Cisco 'show arp' help
- Cisco 'show arp' output
- Windows (MS-DOS) arp help page
- MS-DOS 'arp -a' output
- Linux arp man page (and MacOS)
- Linux 'arp -an' output
Cisco routers and Cisco Catalyst switches have the 'show arp' command which displays all ARP entries for all protocols (IP, IPX/SPX, Appletalk etc.) Below is an example of the ARP output from a Cisco Catalyst switch (borrowed from Cisco's website).
Console> show arp ARP Aging time = 300 sec + - Permanent Arp Entries * - Static Arp Entries * 22.214.171.124 at 00-08-cc-44-aa-18 on vlan 5 + 126.96.36.199 at 00-08-94-cc-02-aa on vlan 5 188.8.131.52 at 00-10-07-3c-05-13 port 7/1-4 on vlan 5 184.108.40.206 at 00-00-1c-03-00-40 port 7/1-4 on vlan 5 Console>
C:\Users>arp Displays and modifies the IP-to-Physical address translation tables used by address resolution protocol (ARP). ARP -s inet_addr eth_addr [if_addr] ARP -d inet_addr [if_addr] ARP -a [inet_addr] [-N if_addr] [-v] -a Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and Physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed. -g Same as -a. -v Displays current ARP entries in verbose mode. All invalid entries and entries on the loop-back interface will be shown. inet_addr Specifies an internet address. -N if_addr Displays the ARP entries for the network interface specified by if_addr. -d Deletes the host specified by inet_addr. inet_addr may be wildcarded with * to delete all hosts. -s Adds the host and associates the Internet address inet_addr with the Physical address eth_addr. The Physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent. eth_addr Specifies a physical address. if_addr If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used. Example: > arp -s 220.127.116.11 00-aa-00-62-c6-09 .... Adds a static entry. > arp -a .... Displays the arp table.
MS-DOS ARP output
C:\Users>arp -a Interface: 192.168.1.101 --- 0xb Internet Address Physical Address Type 192.168.1.1 00-1c-10-f5-3b-06 dynamic 192.168.1.103 00-18-e7-16-7c-1b dynamic 192.168.1.252 00-30-6e-c6-3b-69 dynamic 192.168.1.253 00-1a-92-7c-24-c7 dynamic 192.168.1.254 00-18-e7-16-22-06 dynamic 192.168.1.255 ff-ff-ff-ff-ff-ff static 18.104.22.168 01-00-5e-00-00-16 static 22.214.171.124 01-00-5e-00-00-fb static 126.96.36.199 01-00-5e-00-00-fc static 255.255.255.255 ff-ff-ff-ff-ff-ff static Interface: 172.16.0.1 --- 0x10 Internet Address Physical Address Type 172.16.0.255 ff-ff-ff-ff-ff-ff static 188.8.131.52 01-00-5e-00-00-16 static 184.108.40.206 01-00-5e-00-00-fb static 220.127.116.11 01-00-5e-00-00-fc static Interface: 172.16.237.1 --- 0x12 Internet Address Physical Address Type 172.16.237.255 ff-ff-ff-ff-ff-ff static 18.104.22.168 01-00-5e-00-00-16 static 22.214.171.124 01-00-5e-00-00-fb static 126.96.36.199 01-00-5e-00-00-fc static
Below is a copy of the Linux manual page for the arp command in Linux.
arp - manipulate the system ARP cache
arp [-evn] [-H type] [-i if] -a [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]
Arp manipulates the kernel's ARP cache in various ways. The primary options are clearing an address mapping entry and manually setting up one. For debugging purposes, the arp program also allows a complete dump of the ARP cache.
- Tell the user what is going on by being verbose.
- -n, --numeric
- shows numerical addresses instead of trying to determine symbolic host, port or user names.
- -H type, --hw-type type, -t type
- When setting or reading the ARP cache, this optional parameter tells arp which class of entries it should check for. The default value of this parameter is ether (i.e. hardware code 0x01 for IEEE 802.3 10Mbps Ethernet). Other values might include network technologies such as ARCnet (arcnet) , PROnet (pronet) , AX.25 (ax25) and NET/ROM (netrom).
- -a [hostname], --display [hostname]
- Shows the entries of the specified hosts. If the hostname parameter is not used, all entries will be displayed. The entries will be displayed in alternate (BSD) style.
- -d hostname, --delete hostname
- Remove any entry for the specified host. This can be used if the indicated host is brought down, for example.
- -D, --use-device
- Use the interface ifa's hardware address.
Shows the entries in default (Linux) style.
- -i If, --device If
- Select an interface. When dumping the ARP cache only entries matching
the specified interface will be printed. When setting a permanent
or temp ARP entry this interface will be associated with the
entry; if this option is not used, the kernel will guess based on
the routing table. For pub entries the specified interface
is the interface on which ARP requests will be answered.
NOTE: This has to be different from the interface to which the IP datagrams will be routed.
- -s hostname hw_addr, --set hostname
- Manually create an ARP address mapping entry for host hostname with
hardware address set to hw_addr class, but for most classes
one can assume that the usual presentation can be used. For the Ethernet
class, this is 6 bytes in hexadecimal, separated by colons. When
adding proxy arp entries (that is those with the publish flag
set a netmask may be specified to proxy arp for entire subnets.
This is not good practice, but is supported by older kernels because
it can be useful. If the temp flag is not supplied entries
will be permanent stored into the ARP cache.
NOTE: As of kernel 2.2.0 it is no longer possible to set an ARP entry for an entire subnet. Linux instead does automagic proxy arp when a route exists and it is forwarding. See arp(7) for details.
- -f filename, --file filename
- Similar to the -s option, only this time the address info
is taken from file filename set up. The name of the data file
is very often /etc/ethers, but this is not official. If no
filename is specified /etc/ethers is used as default.
The format of the file is simple; it only contains ASCII text lines with a hardware address and a hostname separated by whitespace. Additionally the pub, temp and netmask flags can be used.
- In all places where a hostname is expected, one can also
enter an IP address in dotted-decimal notation.
As a special case for compatibility the order of the hostname and the hardware address can be exchanged.
Each complete entry in the ARP cache will be marked with the C flag. Permanent entries are marked with M and published entries have the P flag.
Referenced Byarphound(8), arpsnmp(8), arpwatch(8), bmc-config.conf(5), ether-wake(8), garp(8), packit(8), proc(5), rip98d(8), rip98d.conf(5)
[root@baristhan]# arp -na ? (192.168.1.1) at 00:1c:10:f5:3b:06 [ether] on eth0 ? (192.168.1.254) at 00:18:e7:16:22:06 [ether] on eth0