Mastering the `arp` Command: A Deep Dive into the ARP Tool from net-tools

In the world of computer networking, communication between devices on the same local network (LAN) relies on a fundamental protocol that bridges the gap between software and hardware addressing: the Address Resolution Protocol (ARP). While we typically think in terms of IP addresses, the actual network hardware uses MAC addresses to deliver frames. ARP is the magic that translates an IP address to its corresponding MAC address.

The arp command is a classic, user-space utility, part of the venerable net-tools package, that allows a system administrator to view, add, and delete entries in the system's ARP cache. Although net-tools is considered deprecated in favor of the iproute2 suite (which uses the ip neigh command), arp remains widely used, understood, and available on many systems. Understanding arp is crucial for network troubleshooting, security analysis, and deepening your comprehension of LAN operations.

This blog post will provide a comprehensive guide to the arp command, from basic usage to advanced troubleshooting scenarios.

Table of Contents

  1. Understanding the ARP Protocol
  2. The arp Command: Syntax and Basic Usage
  3. Viewing the ARP Cache
  4. Manipulating the ARP Cache
  5. Common Practices and Best Practices
  6. Example Usage Scenarios
  7. arp vs. ip neigh
  8. Conclusion
  9. References

Understanding the ARP Protocol

Before diving into the command, let's quickly recap how ARP works.

  1. The Problem: Your computer (e.g., 192.168.1.10) wants to send a packet to a server on the same local network (e.g., 192.168.1.1). It knows the destination IP address but not the destination MAC address. The network card needs the MAC address to frame the data correctly.
  2. The ARP Request: Your computer broadcasts an ARP request packet to the entire LAN, asking: "Who has IP address 192.168.1.1? Tell 192.168.1.10."
  3. The ARP Reply: The device with the IP 192.168.1.1 recognizes its own IP and sends a unicast reply back to your computer: "Hey 192.168.1.10, the MAC address for 192.168.1.1 is aa:bb:cc:dd:ee:ff."
  4. Caching: Your computer stores this IP-to-MAC mapping in its ARP cache for a short period (usually a few minutes). This avoids having to broadcast a new request for every single packet sent to that IP.

The arp command is the tool to inspect and manage this local cache.

The arp Command: Syntax and Basic Usage

The basic syntax of the arp command is:

arp [options] [hostname_or_ip]

Common options include:

  • -a or -n: Display all entries in the cache. (-n shows numerical addresses, which is faster as it avoids DNS lookups).
  • -d <host>: Delete an entry for the specified host.
  • -s <host> <hw_address>: Add a static entry mapping a host to a MAC address.
  • -i <interface>: Specify the network interface (e.g., eth0, wlan0).
  • -v: Verbose mode.

Note: On some systems (like Linux), you may need to use arp -a or just arp by itself. On others (like older BSD/macOS), the flags might differ slightly. The examples in this guide are based on a standard Linux implementation. Always check the man page (man arp) for your specific system.

Viewing the ARP Cache

The most common use of the arp command is to simply view the current cache.

Command:

arp -n

or

arp -a

Example Output:

Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1             ether   aa:bb:cc:dd:ee:ff   C                     eth0
192.168.1.105           ether   00:11:22:33:44:55   C                     wlan0
192.168.1.255           ether   ff:ff:ff:ff:ff:ff   CM                    eth0

Output Explanation:

  • Address: The IP address of the neighboring machine.
  • HWtype: The type of address, almost always ether for Ethernet.
  • HWaddress: The corresponding MAC address.
  • Flags:
    • C: A complete, learned entry (via an ARP request/reply).
    • M: A permanent (static) entry that you have manually added.
    • P: A published entry (this system will answer ARP requests for this IP).
  • Iface: The network interface through which the host is reachable.

Using the -n option is a best practice for troubleshooting, as it prevents the command from performing potentially slow DNS reverse lookups.

Manipulating the ARP Cache

Adding a Static ARP Entry

Why would you add a static entry? Primarily for two reasons:

  1. Security: To prevent ARP spoofing attacks against a critical host (like your default gateway) by permanently binding its IP to the correct MAC address.
  2. Reliability: For devices that do not respond to ARP requests correctly.

Command:

arp -s <IP_Address> <MAC_Address>

Example: To statically assign the correct MAC address to your gateway:

sudo arp -s 192.168.1.1 aa:bb:cc:dd:ee:ff

Important: You need sudo because modifying the ARP cache requires root privileges. Also, note that static ARP entries are not persistent across reboots. To make them permanent, you need to add the command to a startup script (e.g., /etc/rc.local on some systems).

Deleting an ARP Entry

You might want to delete an entry to force a new ARP lookup. This is very useful if you suspect the cached information is wrong (e.g., a device's network card was replaced, changing its MAC address).

Command:

arp -d <IP_Address>

Example: To delete the entry for 192.168.1.105:

sudo arp -d 192.168.1.105

To clear the entire ARP cache, you can delete all entries. A common trick is to use the -a option to list all hosts and then delete them. However, a more robust method is to use the ip command or simply bring the interface down and up again (sudo ip link set dev eth0 down && sudo ip link set dev eth0 up).

Common Practices and Best Practices

  1. Always use -n for troubleshooting. Speed is critical when diagnosing network issues. Avoiding DNS lookups is a simple way to get faster, more reliable output.
  2. Use static ARP entries sparingly and wisely. They create administrative overhead. If a device's MAC address changes (hardware replacement), your static entry will block communication until it is updated.
  3. Prefer ip neigh for scripting and modern systems. The iproute2 tools are the present and future of Linux networking. The equivalent of arp -n is ip neigh show.
  4. Understand the flags. Knowing what C (complete) and M (permanent) mean is essential for interpreting the cache correctly.
  5. Flushing the cache is a valid step. If you're experiencing strange connectivity issues on a LAN, flushing the ARP cache is a standard step, similar to flushing DNS.

Example Usage Scenarios

Troubleshooting Connectivity

Problem: You can't ping 192.168.1.50, but you are sure the device is powered on.

Diagnosis Steps:

  1. Check if the IP is in your ARP cache and what MAC address is associated with it.

    arp -n | grep 192.168.1.50
    • If it's not there: The ARP request may have failed. Check physical connectivity, VLAN configuration, and firewall rules (some firewalls block ARP).
    • If it's there but marked (incomplete), or with a strange MAC (e.g., 00:00:00:00:00:00): This indicates an ARP failure. The request was made, but no reply was received.
  2. Use tcpdump to watch ARP traffic and see what's happening.

    sudo tcpdump -i eth0 arp

    Then try to ping 192.168.1.50. You should see your ARP request go out. If you see no reply, the problem is with the target device or the network path to it.

Detecting ARP Spoofing

Problem: You suspect a malicious device on your network is performing an ARP spoofing (or poisoning) attack, pretending to be the router.

Diagnosis Steps:

  1. Check the ARP entry for your router (e.g., 192.168.1.1).

    arp -n | grep 192.168.1.1

    Example output: 192.168.1.1 ether aa:bb:cc:dd:ee:ff C eth0

  2. Now, verify that the MAC address aa:bb:cc:dd:ee:ff is indeed the correct hardware address of your router. You can usually find this on a label on the router itself or in its administration interface.

  3. If the MAC address in your ARP cache is different from the legitimate one, your traffic may be intercepted. A common sign is seeing the MAC address of a different manufacturer (e.g., the router is a Cisco device but the MAC in the cache is from a Realtek NIC).

arp vs. ip neigh

As mentioned, the arp tool is from the deprecated net-tools package. The modern replacement is the ip command from iproute2.

Feature        arp command                               ip neigh command
Show Cache     arp -n                                    ip neigh show
Add Static     arp -s 192.168.1.1 aa:bb:cc:dd:ee:ff      ip neigh add 192.168.1.1 lladdr aa:bb:cc:dd:ee:ff dev eth0 nud permanent
Delete Entry   arp -d 192.168.1.1                        ip neigh del 192.168.1.1 dev eth0
Status         Deprecated, but simple and widely known.  Current standard, more powerful and precise.

While it's important to be familiar with arp for historical and practical reasons, investing time in learning ip neigh is highly recommended for anyone working extensively with Linux networking.

Conclusion

The arp command is a small but powerful tool that provides a window into the critical layer of networking that connects IP addresses to physical hardware addresses. From basic cache inspection to advanced security measures like adding static entries, mastering arp is a fundamental skill for any system or network administrator. While the industry is moving towards the iproute2 toolkit, the concepts and logic behind arp remain perfectly relevant. The next time you face a puzzling local network issue, let arp -n be one of your first diagnostic steps.

References

  1. Man Pages: The ultimate source of truth. Always consult them first.
    • man arp
    • man ip (then look for the neigh section)
  2. Wikipedia - Address Resolution Protocol: https://en.wikipedia.org/wiki/Address_Resolution_Protocol
  3. ARP RFC 826: https://datatracker.ietf.org/doc/html/rfc826 - The original protocol specification.
  4. Linux iproute2 Documentation: https://wiki.linuxfoundation.org/networking/iproute2