ARP stands for Address Resolution Protocol.  This protocol is used by network nodes to match IP addresses to MAC addresses.

Displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help.

You can use the arp command to view and modify the ARP table entries on the local computer. This may display all the known connections on your local aream network segment (if they have been active and in the cache). The arp command is useful for viewing the ARP cache and resolving address resolution problems.

Syntax (Inet means Internet address)

arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]] [-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]

Here are the switch definitions:

-a [InetAddr] [-N IfaceAddr] : Displays current ARP cache tables for all interfaces. To display the ARP cache entry for a specific IP address, use arp -a with the InetAddr parameter, where InetAddr is an IP address. To display the ARP cache table for a specific interface, use the -N IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. The -N parameter is case-sensitive.

-g [InetAddr] [-N IfaceAddr] : Identical to -a.

-d InetAddr [IfaceAddr] : Deletes an entry with a specific IP address, where InetAddr is the IP address. To delete an entry in a table for a specific interface, use the IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. To delete all entries, use the asterisk (*) wildcard character in place of InetAddr.  So "arp -d *" will flush your ARP cache.

-s InetAddr EtherAddr [IfaceAddr] : Adds a static entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. To add a static ARP cache entry to the table for a specific interface, use the IfaceAddr parameter where IfaceAddr is an IP address assigned to the interface.

/? : Displays help at the command prompt.

To run the arp command in Windows click START> RUN> CMD.

There are two types of ARP entries- static and dynamic. Most of the time, the computer will use dynamic ARP entries. What this means is that the ARP entry (the Ethernet MAC to IP address link) has been learned (usually from the default gateway) and is kept on a device for some period of time, as long as it is being used. The opposite of a dynamic ARP entry is static ARP entry. With a static ARP entry, the computer is manually entering the link between the Ethernet MAC address and the IP address. Software in your computer will predefine these static entries such as multicast addresses and broadcast addresses.  Because of management headaches and the lack of significant negatives to using dynamic ARP entries, dynamic ARP entries are used most of the time.

Detecting Duplicate IP Addresses Using ARP

When starting up, some operating systems like Windows perform a gratuitous ARP to detect any duplication with its own IP address. While this function detects most cases of duplicate IP addresses, in a few situations two TCP/IP hosts on the same network can sometimes be configured for the same IP address.  Since the MAC and IP address mapping is done by the ARP module, which uses the first ARP response it receives, the impostor computer's reply sometimes comes back before the intended computer's reply.

These problems are difficult to isolate and track down. Use the arp -a command to display the mappings in the ARP cache. If you know the Ethernet address for the remote computer you wish to use, you can easily determine whether the two match. If not, use the arp -d command to delete the entry, then use Ping with the same address (forcing an ARP), and check the Ethernet address in the cache again by using arp -a .  If both computers are on the same network, you will eventually get a response from the imposter computer. If not, you might have to capture the traffic from the impostor host with Network Monitor to determine the owner or location of the system.

Detecting Invalid Entries in the ARP Cache

Troubleshooting the ARP cache can be difficult because the problems associated with it are so often intermittent.  The exception to this is when you find that the wrong host responds to a command, perhaps when you use a Netuse or Telnet command. The symptoms of invalid entries in the ARP cache are harder to reproduce and involve intermittent problems that only affect a few hosts. The underlying problem is that two computers are using the same IP address on the network. You only see the problems intermittently because the most recent ARP table entry is always the one from the host that responded more quickly to any particular ARP request.

To address the problem, display the ARP table using the arp -a command. Since addresses assigned by DHCP do not cause address conflicts like those described here, the main source of these conflicts is likely to be static IP addresses. Maintaining a list of static addresses (and corresponding MAC addresses) as they are assigned can help you track down any address conflict just by examining the IP and MAC address pairs from the ARP table and comparing them to the recorded values.

If you do not have a record of all IP and MAC address pairs on your network, you might want to examine the manufacturer bytes of the MAC addresses for inconsistencies. These three-byte numbers are called Organizationally Unique Identifiers (OUIs) and are assigned by the Institute of Electrical and Electronics Engineers (IEEE); the first three bytes of each MAC address identify the card's manufacturer. Knowing what equipment you installed and comparing that with the values returned by arp -a might allow you to determine which static address was entered in error.  Another possible issue is that DHCP might have detected a duplicate MAC/card already on the network, and thus denied a computer's request to join. Other DHCP and related messages here can often quickly isolate and solve a problem.

Hope this helps!