What is the 'arp' command, and how can I use it?

Details

Created on Friday, 10 September 2010 09:19

Last Updated on Saturday, 22 September 2012 15:43

Written by Andrew Walding

ARP stands for Address Resolution Protocol.  This protocol is used by network nodes to match IP addresses to MAC addresses.

The protocol functionally divided into two parts:

• One part determines a physical address when sending a packet
• Other part answers requests from other machines

So ARP provides method for hosts send message to destination address on physical network.  Ethernet hosts must convert a 32-bit IP address into a 48-bit Ethernet address.  The host checks its ARP cache to see if address mapping from IP to physical address is known:

• If mapping is known, physical address is placed in frame and sent
• If mapping is not known, broadcast message is sent and awaits a reply
• Target machine, recognizing IP address matches its own, returns answer

ARP is transparent to bridging - bridging will send ARP broadcasts.  Routers do not propagate Ethernet broadcasts – a router is Network Level device

The ARP protocol format looks like this:

The operation of the ARP protocol looks like this:

1. Caches are empty
2. Host 2 knows that it wants to send a packet to Host 1 (eg Default GW)
3. Host 2 has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for 192.168.1.1.
4. Host 1 responds with its MAC address
5. Host 1 and 2 both insert this received information into their ARP caches for future use

The "arp" Command

arp displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help.

You can use the arp command to view and modify the ARP table entries on the local computer. This may display all the known connections on your local aream network segment (if they have been active and in the cache). The arp command is useful for viewing the ARP cache and resolving address resolution problems.

Syntax (Inet means Internet address)

arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]] [-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]

Here are the switch definitions:

-a [InetAddr] [-N IfaceAddr] : Displays current ARP cache tables for all interfaces. To display the ARP cache entry for a specific IP address, use arp -a with the InetAddr parameter, where InetAddr is an IP address. To display the ARP cache table for a specific interface, use the -N IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. The -N parameter is case-sensitive.

-g [InetAddr] [-N IfaceAddr] : Identical to -a.

-d InetAddr [IfaceAddr] : Deletes an entry with a specific IP address, where InetAddr is the IP address. To delete an entry in a table for a specific interface, use the IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. To delete all entries, use the asterisk (*) wildcard character in place of InetAddr.  So "arp -d *" will flush your ARP cache.

-s InetAddr EtherAddr [IfaceAddr] : Adds a static entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. To add a static ARP cache entry to the table for a specific interface, use the IfaceAddr parameter where IfaceAddr is an IP address assigned to the interface.

/? : Displays help at the command prompt.

To run the arp command in Windows click START> RUN> CMD.

There are two types of ARP entries- static and dynamic. Most of the time, the computer will use dynamic ARP entries. This means that the ARP entry (the Ethernet MAC to IP address link) has been learned (usually from the default gateway) and is kept on a device for some period of time, as long as it is being used. A static ARP entry is the opposite of a dynamic ARP entry. With a static ARP entry, the computer is manually entering the link between the Ethernet MAC address and the IP address. Software in your computer will predefine these static entries such as multicast addresses and broadcast addresses. Because of management headaches and the lack of significant negatives to using dynamic ARP entries, dynamic ARP entries are used most of the time.

Detecting Duplicate IP Addresses Using ARP

When starting up, some operating systems like Windows perform a gratuitous ARP to detect any duplication with its own IP address. While this function detects most cases of duplicate IP addresses, in a few situations two TCP/IP hosts on the same network can be configured for the same IP address.  Since the MAC and IP address mapping is done by the ARP module, which uses the first ARP response it receives, the impostor computer's reply sometimes comes back before the intended computer's reply.

These problems are difficult to isolate and track down. Use the arp -a command to display the mappings in the ARP cache. If you know the Ethernet address for the remote computer you wish to use, you can easily determine whether the two match. If not, use the arp -d command to delete the entry, then use Ping with the same address (forcing an ARP), and check the Ethernet address in the cache again by using arp -a .  If both computers are on the same network, you will eventually get a response from the imposter computer. If not, you might have to capture the traffic from the impostor host with Network Monitor to determine the owner or location of the system.

Detecting Invalid Entries in the ARP Cache

Troubleshooting the ARP cache can be difficult because the problems associated with it are so often intermittent.  The exception to this is when you find that the wrong host responds to a command, perhaps when you use a Netuse or Telnet command. The symptoms of invalid entries in the ARP cache are harder to reproduce and involve intermittent problems that only affect a few hosts. The underlying problem is that two computers are using the same IP address on the network. You only see the problems intermittently because the most recent ARP table entry is always the one from the host that responded more quickly to any particular ARP request.

To address the problem, display the ARP table using the arp -a command. Since addresses assigned by DHCP do not cause address conflicts like those described here, the main source of these conflicts is likely to be static IP addresses. Maintaining a list of static addresses (and corresponding MAC addresses) as they are assigned can help you track down any address conflict just by examining the IP and MAC address pairs from the ARP table and comparing them to the recorded values.

Inverse Address Resolution Protocol (Inverse ARP or InARP)

Used to obtain Network Layer addresses (for example, IP addresses) of other nodes from Data Link Layer (Layer 2) addresses.  Since ARP translates Layer 3 addresses to Layer 2 addresses, InARP may be described as its inverse.  InARP is implemented as a protocol extension to ARP: it uses the same packet format as ARP, but different operation codes.  It is primarily used in Frame Relay and ATM networks, in which Layer 2 addresses of virtual circuits are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before those virtual circuits can be used.

Reverse Address Resolution Protocol (Reverse ARP or RARP)

Like InARP, translates Layer 2 addresses to Layer 3 addresses.  RARP is used to obtain the Layer 3 address of the requesting station itself for address configuration purposes.  RARP is essentially obsolete; it was replaced by BOOTP, which has been superseded by the Dynamic Host Configuration Protocol (DHCP)

If you do not have a record of all IP and MAC address pairs on your network, you might want to examine the manufacturer bytes of the MAC addresses for inconsistencies. These three-byte numbers are called Organizationally Unique Identifiers (OUIs) and are assigned by the Institute of Electrical and Electronics Engineers (IEEE); the first three bytes of each MAC address identify the card's manufacturer. Knowing what equipment you installed and comparing that with the values returned by arp -a might allow you to determine which static address was entered in error.  Another possible issue is that DHCP might have detected a duplicate MAC/card already on the network, and thus denied a computer's request to join. Other DHCP and related messages here can often quickly isolate and solve a problem.

Hope this helps!