The arp tool is a troubleshooting tool included with most operating systems and is used to examine the MAC address cache on the local system (router, switch or computer) and to set or purge physical hardware MAC address associations with logical addresses (IP addresses usually). The arp tool was designed to allow an administrator to interact, or display the Address Resolution Protocol's cache on the local host. See our ARP Tutorial for an explaination of Address Resolution Protocol and the ARP cache. See our RARP tutorial for an explaination of the Reverse Address Resolution Protocol.

Why You Need an ARP tool

Using the arp tool, you can delete, or manually set, a specific ARP cache entry. The most common reason for needing to check the ARP table is conflicts between logical or physical addresses. The ARP tool shows you the current arp table entries for your device. That table shows the mappings between the logical and physical addresses (MAC addresses) in use on the network that the computer has heard from or talked to in the last few minutes. Duplicate MAC addresses or duplicate IP addresses are the most common conflicts you will see and ARP will instantly identify such conflicts if checked at the default gateway or the local LAN switch.


The 'arp' Tool in Cisco, Microsoft and Linux

Every operating system and computer with network capability has an ARP tool for troubleshooting local network problems. This page illustrates the many versions of the command on the most common systems and platforms.


Cisco 'show arp' Output

Cisco routers and Cisco Catalyst switches have the 'show arp' command which displays all ARP entries for all protocols (IP, IPX/SPX, Appletalk etc.) Below is an example of the ARP output from a Cisco Catalyst switch (borrowed from Cisco's website).


Console> show arp
   ARP Aging time = 300 sec
   + - Permanent Arp Entries
   * - Static Arp Entries
   * at 00-08-cc-44-aa-18 on vlan 5
   + at 00-08-94-cc-02-aa on vlan 5 at 00-10-07-3c-05-13 port 7/1-4 on vlan 5 at 00-00-1c-03-00-40 port 7/1-4 on vlan 5


MS-DOS arp help page


Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr] [-v]

  -a            Displays current ARP entries by interrogating the current
                protocol data.  If inet_addr is specified, the IP and Physical
                addresses for only the specified computer are displayed.  If
                more than one network interface uses ARP, entries for each ARP
                table are displayed.
  -g            Same as -a.
  -v            Displays current ARP entries in verbose mode.  All invalid
                entries and entries on the loop-back interface will be shown.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified
                by if_addr.
  -d            Deletes the host specified by inet_addr. inet_addr may be
                wildcarded with * to delete all hosts.
  -s            Adds the host and associates the Internet address inet_addr
                with the Physical address eth_addr.  The Physical address is
                given as 6 hexadecimal bytes separated by hyphens. The entry
                is permanent.
  eth_addr      Specifies a physical address.
  if_addr       If present, this specifies the Internet address of the
                interface whose address translation table should be modified.
                If not present, the first applicable interface will be used.
  > arp -s   00-aa-00-62-c6-09  .... Adds a static entry.
  > arp -a                                    .... Displays the arp table.

MS-DOS ARP output
C:\Users>arp -a

Interface: --- 0xb
  Internet Address      Physical Address      Type           00-1c-10-f5-3b-06     dynamic         00-18-e7-16-7c-1b     dynamic         00-30-6e-c6-3b-69     dynamic         00-1a-92-7c-24-c7     dynamic         00-18-e7-16-22-06     dynamic         ff-ff-ff-ff-ff-ff     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fb     static           01-00-5e-00-00-fc     static       ff-ff-ff-ff-ff-ff     static

Interface: --- 0x10
  Internet Address      Physical Address      Type          ff-ff-ff-ff-ff-ff     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fb     static           01-00-5e-00-00-fc     static

Interface: --- 0x12
  Internet Address      Physical Address      Type        ff-ff-ff-ff-ff-ff     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fb     static           01-00-5e-00-00-fc     static


Linux arp man page

Below is a copy of the Linux manual page for the arp command in Linux.



arp - manipulate the system ARP cache


arp [-evn] [-H type] [-i if] -a [hostname]

arp [-v] [-i if] -d hostname [pub]

arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]

arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub

arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub

arp [-vnD] [-H type] [-i if] -f [filename]


Arp manipulates the kernel's ARP cache in various ways. The primary options are clearing an address mapping entry and manually setting up one. For debugging purposes, the arp program also allows a complete dump of the ARP cache.


-v, --verbose

Tell the user what is going on by being verbose.
-n, --numeric
shows numerical addresses instead of trying to determine symbolic host, port or user names.
-H type, --hw-type type, -t type
When setting or reading the ARP cache, this optional parameter tells arp which class of entries it should check for. The default value of this parameter is ether (i.e. hardware code 0x01 for IEEE 802.3 10Mbps Ethernet). Other values might include network technologies such as ARCnet (arcnet) , PROnet (pronet) , AX.25 (ax25) and NET/ROM (netrom).
-a [hostname], --display [hostname]
Shows the entries of the specified hosts. If the hostname parameter is not used, all entries will be displayed. The entries will be displayed in alternate (BSD) style.
-d hostname, --delete hostname
Remove any entry for the specified host. This can be used if the indicated host is brought down, for example.
-D, --use-device
Use the interface ifa's hardware address.

Shows the entries in default (Linux) style.

-i If, --device If
Select an interface. When dumping the ARP cache only entries matching the specified interface will be printed. When setting a permanent or temp ARP entry this interface will be associated with the entry; if this option is not used, the kernel will guess based on the routing table. For pub entries the specified interface is the interface on which ARP requests will be answered.
This has to be different from the interface to which the IP datagrams will be routed.
-s hostname hw_addr, --set hostname
Manually create an ARP address mapping entry for host hostname with hardware address set to hw_addr class, but for most classes one can assume that the usual presentation can be used. For the Ethernet class, this is 6 bytes in hexadecimal, separated by colons. When adding proxy arp entries (that is those with the publish flag set a netmask may be specified to proxy arp for entire subnets. This is not good practice, but is supported by older kernels because it can be useful. If the temp flag is not supplied entries will be permanent stored into the ARP cache.
As of kernel 2.2.0 it is no longer possible to set an ARP entry for an entire subnet. Linux instead does automagic proxy arp when a route exists and it is forwarding. See arp(7) for details.
-f filename, --file filename
Similar to the -s option, only this time the address info is taken from file filename set up. The name of the data file is very often /etc/ethers, but this is not official. If no filename is specified /etc/ethers is used as default.

The format of the file is simple; it only contains ASCII text lines with a hardware address and a hostname separated by whitespace. Additionally the pub, temp and netmask flags can be used.

In all places where a hostname is expected, one can also enter an IP address in dotted-decimal notation.

As a special case for compatibility the order of the hostname and the hardware address can be exchanged.

Each complete entry in the ARP cache will be marked with the C flag. Permanent entries are marked with M and published entries have the P flag.



See Also

rarp(8), route(8), ifconfig(8), netstat(8)


Fred N. van Kempen, <> with a lot of improvements from net-tools Maintainer Bernd Eckenfels <>.

Referenced By

arphound(8), arpsnmp(8), arpwatch(8), bmc-config.conf(5), ether-wake(8), garp(8), packit(8), proc(5), rip98d(8), rip98d.conf(5)


Linux 'arp -na' output

[root@baristhan]# arp -na
? ( at 00:1c:10:f5:3b:06 [ether] on eth0
? ( at 00:18:e7:16:22:06 [ether] on eth0

Bookmark this page and SHARE:  



Free Training