What is the 'arp' command, and how can I use it?
ARP stands for Address Resolution Protocol. This protocol is used by network nodes to match IP addresses to MAC addresses.
The protocol is functionally divided into two parts:
ARP thus provides a method for hosts to send messages to a destination address on the physical network. Ethernet hosts must convert a 32-bit IP address into a 48-bit Ethernet address. The host checks its ARP cache to see whether the mapping from IP address to physical address is known:
ARP is transparent to bridging: bridges will forward ARP broadcasts. Routers do not propagate Ethernet broadcasts, since a router is a Network Level device.
The ARP protocol format looks like this:
The operation of the ARP protocol looks like this:
The "arp" Command
arp displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help.
You can use the arp command to view and modify the ARP table entries on the local computer. This may display all the known connections on your local area network segment (if they have been active and are in the cache). The arp command is useful for viewing the ARP cache and resolving address resolution problems.
Syntax (Inet means Internet address)
arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]] [-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]
Here are the switch definitions:
-a [InetAddr] [-N IfaceAddr] : Displays current ARP cache tables for all interfaces. To display the ARP cache entry for a specific IP address, use arp -a with the InetAddr parameter, where InetAddr is an IP address. To display the ARP cache table for a specific interface, use the -N IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. The -N parameter is case-sensitive.
-g [InetAddr] [-N IfaceAddr] : Identical to -a.
-d InetAddr [IfaceAddr] : Deletes an entry with a specific IP address, where InetAddr is the IP address. To delete an entry in a table for a specific interface, use the IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. To delete all entries, use the asterisk (*) wildcard character in place of InetAddr. So "arp -d *" will flush your ARP cache.
-s InetAddr EtherAddr [IfaceAddr] : Adds a static entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. To add a static ARP cache entry to the table for a specific interface, use the IfaceAddr parameter where IfaceAddr is an IP address assigned to the interface.
/? : Displays help at the command prompt.
To run the arp command in Windows, click START > RUN > CMD.
There are two types of ARP entries: static and dynamic. Most of the time, the computer will use dynamic ARP entries. This means that the ARP entry (the Ethernet MAC to IP address link) has been learned (usually from the default gateway) and is kept on a device for some period of time, as long as it is being used. A static ARP entry is the opposite of a dynamic ARP entry. With a static ARP entry, the link between the Ethernet MAC address and the IP address is entered manually. Software in your computer will also predefine static entries, such as those for multicast addresses and broadcast addresses. Because of the management headaches of static entries and the lack of significant negatives to using dynamic ARP entries, dynamic ARP entries are used most of the time.
Detecting Duplicate IP Addresses Using ARP
When starting up, some operating systems like Windows perform a gratuitous ARP to detect any duplication with its own IP address. While this function detects most cases of duplicate IP addresses, in a few situations two TCP/IP hosts on the same network can be configured for the same IP address. Since the MAC and IP address mapping is done by the ARP module, which uses the first ARP response it receives, the impostor computer's reply sometimes comes back before the intended computer's reply.
Detecting Invalid Entries in the ARP Cache
Troubleshooting the ARP cache can be difficult because the problems associated with it are so often intermittent. The exception to this is when you find that the wrong host responds to a command, perhaps when you use a Netuse or Telnet command. The symptoms of invalid entries in the ARP cache are harder to reproduce and involve intermittent problems that only affect a few hosts. The underlying problem is that two computers are using the same IP address on the network. You only see the problems intermittently because the most recent ARP table entry is always the one from the host that responded more quickly to any particular ARP request.
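Because the cache holds only the most recent answer for each IP address, a duplicate address shows up as an entry whose MAC changes from one look to the next. The following added example (not part of the original article) compares several captures of "arp -a" output and reports IP addresses that resolved to more than one MAC. The sample output, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (Windows layout), captured a few minutes apart.
SNAPSHOT_1 = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("00-aa-bb-cc-dd-01", "00-aa-bb-cc-dd-02")

IFACE = re.compile(r"^Interface:\s+(\S+)")
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)\s*$", re.I)


def parse_arp_table(text):
    """Return {(interface_ip, ip): mac} for the dynamic entries in `arp -a` output."""
    table, iface = {}, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY.match(line)
        # Static rows (broadcast, multicast, manual entries) are not learned
        # from the network, so only dynamic rows are compared.
        if m and m.group(3).lower() == "dynamic":
            table[(iface, m.group(1))] = m.group(2).lower()
    return table


def find_flapping(snapshots):
    """Return {(interface_ip, ip): [macs]} for IPs that resolved to more than one MAC."""
    seen = defaultdict(set)
    for text in snapshots:
        for key, mac in parse_arp_table(text).items():
            seen[key].add(mac)
    return {key: sorted(macs) for key, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for (iface, ip), macs in find_flapping([SNAPSHOT_1, SNAPSHOT_2]).items():
        print(f"{ip} (via {iface}) resolved to several MACs: {', '.join(macs)}")
```

A MAC change is not proof of a duplicate address (a replaced network adapter produces the same result), so treat a hit as a prompt to find out which hosts own the reported MACs.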
Inverse Address Resolution Protocol (Inverse ARP or InARP)
Used to obtain Network Layer addresses (for example, IP addresses) of other nodes from Data Link Layer (Layer 2) addresses. Since ARP translates Layer 3 addresses to Layer 2 addresses, InARP may be described as its inverse. InARP is implemented as a protocol extension to ARP: it uses the same packet format as ARP, but different operation codes. It is primarily used in Frame Relay and ATM networks, in which Layer 2 addresses of virtual circuits are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before those virtual circuits can be used.
Reverse Address Resolution Protocol (Reverse ARP or RARP)
Like InARP, translates Layer 2 addresses to Layer 3 addresses. RARP is used to obtain the Layer 3 address of the requesting station itself for address configuration purposes. RARP is essentially obsolete; it was replaced by BOOTP, which has been superseded by the Dynamic Host Configuration Protocol (DHCP).
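InARP and RARP reuse ARP's packet layout and differ in the operation code. The following added example (not part of the original article) decodes that layout as defined in RFC 826, labels the operation, and flags the gratuitous ARP mentioned earlier. The function names and sample addresses are constructed for illustration.

```python
import struct

# Operation codes: 1-2 ARP (RFC 826), 3-4 RARP (RFC 903), 8-9 InARP (RFC 2390).
OPERATIONS = {1: "ARP request", 2: "ARP reply", 3: "RARP request",
              4: "RARP reply", 8: "InARP request", 9: "InARP reply"}


def parse_arp(payload):
    """Decode an ARP-family payload (the bytes after the Ethernet header)."""
    if len(payload) < 8:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if len(payload) < 8 + 2 * (hlen + plen):
        raise ValueError("truncated ARP addresses")
    # Four variable-length fields follow: sender hw, sender proto, target hw, target proto.
    fields, offset = [], 8
    for size in (hlen, plen, hlen, plen):
        fields.append(payload[offset:offset + size])
        offset += size
    sha, spa, tha, tpa = fields

    def hw(b):
        return "-".join(f"{x:02x}" for x in b)

    def proto(b):
        # Dotted decimal for IPv4 (ptype 0x0800), hex otherwise.
        return ".".join(map(str, b)) if (ptype, plen) == (0x0800, 4) else b.hex()

    return {
        "operation": OPERATIONS.get(oper, f"unknown ({oper})"),
        "sender_mac": hw(sha), "sender_ip": proto(spa),
        "target_mac": hw(tha), "target_ip": proto(tpa),
        # A gratuitous ARP announces the sender's own address: sender IP == target IP.
        "gratuitous": oper in (1, 2) and spa == tpa,
    }


def build(oper, sha, spa, tha, tpa):
    """Pack a constructed Ethernet/IPv4 sample (htype 1, ptype 0x0800)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha), bytes(spa), bytes.fromhex(tha), bytes(tpa))


# Constructed samples: a gratuitous ARP request and a RARP request.
GRATUITOUS = build(1, "00aabbccdd01", (192, 168, 1, 20), "000000000000", (192, 168, 1, 20))
RARP_REQ = build(3, "00aabbccdd01", (0, 0, 0, 0), "00aabbccdd01", (0, 0, 0, 0))

if __name__ == "__main__":
    for sample in (GRATUITOUS, RARP_REQ):
        print(parse_arp(sample))
```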
Hope this helps!