Networking/Computing Tips/Tricks

Rate this content:
5 of 5 - 8 votes
Thank you for rating this article.

Let's answer the question, but before I do, you can watch my ARP lesson on Youtube here: and look at the lessons in the playlist:

Check out some further ARP Resources:
Our free ARP course at Udemy Our ARP custom profile for Wireshark Our chapter on ARP at the Online School Reference Library

OK - let's get to the answer.

ARP stands for Address Resolution Protocol.  This protocol is used by network nodes to match IP addresses to MAC addresses.  The original specification was RFC 826.  That has since been updated by RFC 5227, and RFC 5494. 

The basic protocol functionally divided into two parts:

  • One part determines a physical address when sending a packet
  • Other part answers requests from other machines

So ARP provides method for hosts send message to destination address on physical network.  Ethernet hosts must convert a 32-bit IP address into a 48-bit Ethernet address.  The host checks its ARP cache to see if address mapping from IP to physical address is known:

  • If mapping is known, physical address is placed in frame and sent
  • If mapping is not known, broadcast message is sent and awaits a reply
  • Target machine, recognizing IP address matches its own, returns answer

ARP sits in Layer 2 of the OSI layered model, working with Ethernet and IPv4 as shown in the diagram:

2020 07 11 06 03 52

ARP does not serve IPv6.  In IPv6 networks, ARP functionality is replaced with Neighbor Discovery (ND) and that was added to the ICMPv6 protocol.  More information on ND here.

ARP is transparent to bridging/switching - bridges/switches at Layer 2 will send ARP broadcasts.  Routers are Layer 3, and they do not propagate Ethernet broadcasts – a router is Network Level device.

The ARP protocol format looks like this:

2020 05 15 19 25 03


The operation of the ARP protocol looks like this:

2020 05 15 19 26 21

  1. Process begins with caches being empty
  2. Host 2 knows that it wants to send a packet to Host 1 (eg Default GW)
  3. Host 2 has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for
  4. Host 1 responds with its MAC address directly (unicast) to Host 2
  5. Host 1 and 2 both insert this received information into their ARP caches for future use

ARP Announcements

ARP Announcements are a way to officially “claim” the IP address on the network.  The ARP Announcement is very similar to a Gratuitous ARP, with one notable exception: the Opcode in an ARP Announcement is set to 1, indicating a request. Typical Gratuitous ARP messages will have an Opcode set to 2.  Both the Sender MAC address and the Sender IP address create a complete ARP mapping, and hosts on the network can use this pair of addresses in their ARP table
Like the Gratuitous ARP, the Target MAC address is ignored, in this example it is set to 0000.0000.0000, some implementations of the ARP Announcement use ffff.ffff.ffff instead.  Finally, the Target IP confirms the subject of the communication: the IP address who’s uniqueness has now been confirmed.

Example ARP Announcement as seen in Wireshark:

2020 05 15 19 30 54

Wireshark users may want to try the following display filter to show ARP Announcements:

string(arp.src.proto_ipv4) == string(arp.dst.proto_ipv4)

ARP Probes

The ARP Probe serves the purpose of polling the network to validate that an IP address is not already in use.  The idea is if the IP address in question is already in use, the initiator of the ARP Probe will expect a Response from original owner. Therefore, this ARP Probe is a request which might prompt a response:

  • The Opcode field set to 1, indicating an ARP Request
  • The Sender MAC address is set to the initiator’s MAC address
  • The Sender IP address is set to
  • The Target MAC address is set to 0000.0000.0000
  • The Target IP Address is set to the IP address being probed

The key difference between a Probe and a Request is that the Sender IP address is set to 0’s.  This is intentional, because the reason for sending the ARP Probe is to prevent an IP conflict.  If the target IP address is already in use, it would be very undesirable for other hosts on the network to inadvertently update their ARP cache based upon the contents of the ARP Probe.  This is also the primary difference between an ARP Probe and a Gratuitous ARP.  A Gratuitous ARP is meant to update all the ARP caches on the network, where as an ARP Probe deliberately prevents updating of ARP caches to continue protecting against IP address conflicts.

Wireshark users will find that if you use the following display filter you can find ARP probes in your packet capture:

arp.src.proto_ipv4 ==


The "arp" Command

arp displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help.

You can use the arp command to view and modify the ARP table entries on the local computer. This may display all the known connections on your local aream network segment (if they have been active and in the cache). The arp command is useful for viewing the ARP cache and resolving address resolution problems.

Syntax (Inet means Internet address)

arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]] [-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]

Here are the switch definitions:

-a [InetAddr] [-NIfaceAddr] : Displays current ARP cache tables for all interfaces. To display the ARP cache entry for a specific IP address, use arp -a with the InetAddr parameter, where InetAddr is an IP address. To display the ARP cache table for a specific interface, use the -N IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. The -N parameter is case-sensitive.

-g [InetAddr] [-NIfaceAddr] : Identical to -a.

-dInetAddr [IfaceAddr] : Deletes an entry with a specific IP address, where InetAddr is the IP address. To delete an entry in a table for a specific interface, use the IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. To delete all entries, use the asterisk (*) wildcard character in place of InetAddr.  So "arp -d *" will flush your ARP cache.

-sInetAddr EtherAddr [IfaceAddr] : Adds a static entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. To add a static ARP cache entry to the table for a specific interface, use the IfaceAddr parameter where IfaceAddr is an IP address assigned to the interface.

/?: Displays help at the command prompt.

Using arp on Windows

To run the arp command in Windows click START> RUN> CMD.  Now enter 'arp -a' at the > prompt:


Using arp on a MAC or Linux System

To run the arp command in MAC-OSX or Linux, first open a Terminal window.  Now enter 'arp -a' at the $ or # prompt:

Screen Shot 2018 02 28 at 2.39.47 PM 

There are two types of ARP entries- static and dynamic. Most of the time, the computer will use dynamic ARP entries. This means that the ARP entry (the Ethernet MAC to IP address link) has been learned (usually from the default gateway) and is kept on a device for some period of time, as long as it is being used. A static ARP entry is the opposite of a dynamic ARP entry. With a static ARP entry, the computer is manually entering the link between the Ethernet MAC address and the IP address. Software in your computer will predefine these static entries such as multicast addresses and broadcast addresses. Because of management headaches and the lack of significant negatives to using dynamic ARP entries, dynamic ARP entries are used most of the time.

Detecting Duplicate IP Addresses Using ARP

When starting up, some operating systems like Windows perform a gratuitous ARP to detect any duplication with its own IP address. While this function detects most cases of duplicate IP addresses, in a few situations two TCP/IP hosts on the same network can be configured for the same IP address.  Since the MAC and IP address mapping is done by the ARP module, which uses the first ARP response it receives, the impostor computer's reply sometimes comes back before the intended computer's reply.

These problems are difficult to isolate and track down. Use the arp -a command to display the mappings in the ARP cache. If you know the Ethernet address for the remote computer you wish to use, you can easily determine whether the two match. If not, use the arp -d command to delete the entry, then use Ping with the same address (forcing an ARP), and check the Ethernet address in the cache again by using arp -a .  If both computers are on the same network, you will eventually get a response from the imposter computer. If not, you might have to capture the traffic from the impostor host with Network Monitor to determine the owner or location of the system.

Detecting Invalid Entries in the ARP Cache

Troubleshooting the ARP cache can be difficult because the problems associated with it are so often intermittent.  The exception to this is when you find that the wrong host responds to a command, perhaps when you use a Netuse or Telnet command. The symptoms of invalid entries in the ARP cache are harder to reproduce and involve intermittent problems that only affect a few hosts. The underlying problem is that two computers are using the same IP address on the network. You only see the problems intermittently because the most recent ARP table entry is always the one from the host that responded more quickly to any particular ARP request.

To address the problem, display the ARP table using the arp -a command. Since addresses assigned by DHCP do not cause address conflicts like those described here, the main source of these conflicts is likely to be static IP addresses. Maintaining a list of static addresses (and corresponding MAC addresses) as they are assigned can help you track down any address conflict just by examining the IP and MAC address pairs from the ARP table and comparing them to the recorded values.

Inverse Address Resolution Protocol (Inverse ARP or InARP)

Used to obtain Network Layer addresses (for example, IP addresses) of other nodes from Data Link Layer (Layer 2) addresses.  Since ARP translates Layer 3 addresses to Layer 2 addresses, InARP may be described as its inverse.  InARP is implemented as a protocol extension to ARP: it uses the same packet format as ARP, but different operation codes.  It is primarily used in Frame Relay and ATM networks, in which Layer 2 addresses of virtual circuits are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before those virtual circuits can be used.

Reverse Address Resolution Protocol (Reverse ARP or RARP)

Like InARP, translates Layer 2 addresses to Layer 3 addresses.  RARP is used to obtain the Layer 3 address of the requesting station itself for address configuration purposes.  RARP is essentially obsolete; it was replaced by BOOTP, which has been superseded by the Dynamic Host Configuration Protocol (DHCP)

Troubleshooting Networks using ARP

If you do not have a record of all IP and MAC address pairs on your network, you might want to examine the manufacturer bytes of the MAC addresses for inconsistencies. These three-byte numbers are called Organizationally Unique Identifiers (OUIs) and are assigned by the Institute of Electrical and Electronics Engineers (IEEE); the first three bytes of each MAC address identify the card's manufacturer. Knowing what equipment you installed and comparing that with the values returned by arp -a might allow you to determine which static address was entered in error.  

Another possible issue is that DHCP might have detected a duplicate MAC/card already on the network, and thus denied a computer's request to join. Other DHCP and related messages here can often quickly isolate and solve a problem.

I hope you find this article and its content helpful.  Comments are welcomed below.  If you would like to see more articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!, and all comments are welcome!

Add comment


Did you learn something?
Did I save you time? 

Buy me a coffeeBuy me a coffee!

Find by Tag

5G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az ACL Addressing Analysis Ansible Architecture ARP Assessment AToM Backup Bandwidth BGP Biography Bloom's Taxonomy Briefings CBRS CellStream Cellular Central Office Cheat Sheet Chrome Cisco Clock Cloud Computer Consulting CPI Data Center Data Networking Decryption DHCPv4 DHCPv6 Display Filter DNS Documentation ECMP EIGRP Ethernet Ethics Flipping the Certification Model Follow Me Fragmentation Git GNS3 Google GQUIC Hands-On History Home Network HTTPS ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 In A Day Internet IOS Classic IoT IPv4 IPv6 L2 Switch L2VPN L3VPN LDP Learning Services Linux LLN Logging LoL M-BGP MAC MAC OSx Macro Microsoft mininet Monitoring Monitor Mode MPLS Multicast Name Resolution Netflow NetMon netsh Networking Network Science nmap Npcap nslookup Online Learning Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX Parrot PIM Ping Policy POTS POTS to Pipes PPP Profile Profiles Programming Project Management Python QoS QUIC Requirements RIP Routing RPL RSVP Rural SAS SDN Security Self Certification Service Provider Services Sharepoint Small Business Smartport SONET Speed SSH SSL Subnetting T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone Telnet Terminal TLS Tools Traceroute Traffic Analysis Traffic Engineering Training Travel Tunnel Utility Video Virtualbox Virtualization Voice VoIP VRF VXLAN Webex Wi-Fi Wi-Fi 4 Wi-Fi 5 Wi-Fi 6 Wi-Fi 6/6E Windows Wireless Wireless 5G Wireshark Wireshark Tip WLAN ZigBee Zoom

Twitter Feed