A decent knowledge of networking is important for any system administrator managing servers in an enterprise environment. Linux and UNIX distributions provide a number of different commands which we could use to query and to an extent modify the network properties of our system. In this article, we will explain the use of a useful network diagnostics and troubleshooting tool named arp. We will be exploring what the arp tool does and the type of information it provides with the help of examples. It is worth noting that the arp utility is not confined to UNIX/Linux operating systems and can be found on Windows operating systems as well as networking and security devices.


What is ARP?

ARP is the abbreviation for Address Resolution Protocol, which is used to find the address of a network neighbor for a given IPv4 address. This protocol is used by network nodes to resolve IP addresses to their corresponding MAC addresses. The mapping of the IP addresses to MAC addresses is stored in a cache on the system so that this information does not need to be retrieved repeatedly while the system communicates with it’s neighboring devices over the network. The purpose of the arp protocol is two fold i.e. it determines the physical/MAC address of the destination device while sending a data packet and it responds with the MAC address of the machine on which it is running as answers queries received from other machines.


The arp command could be used for the following purposes:

  • Display IP address to MAC address resolution information for neighboring devices.
  • Clear address mapping entries and set them up manually.
  • Add an address for which to proxy arp.
  • Forcefully add permanent entries to the ARP table.


With a basic understanding of what arp is and the information it provides, lets now take a look at some examples:


Example 1: Display entries

Invoking the arp command without any options will display the contents of the arp cache table.

[root@linuxnix ~]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface            ether   00:50:55:c0:00:07   C                     eth0            ether   00:50:55:fd:b2:1a   C                     eth0          ether   00:50:55:e5:7d:12   C                     eth0
[root@linuxnix ~]#


Example 2: Display entries for particular addresses.

If we have a large arp cache and need to get entries for a particular IP address then we could do so by using the arp command with the -a option followed by the IP address. Given below is an example:

[ssuri@linuxnix-phy:~] $ arp -a
? ( at f7:bd:75:ac:dd:7a [ether] on bond0
? ( at f7:bd:75:ac:dd:7a [ether] on bond1


Example 3: Display arp entries for an interface

If we wish to display arp entries for only a single interface then we could do so by invoking the arp command with the -i option followed by the interface name. Given below is an example:


[ssuri@linuxnix-phy:~] $ arp -i bond0
Address                  HWtype  HWaddress           Flags Mask            Iface
usartdb02.exmpl.c 		 ether   17:a9:9b:f5:1a:7e   C                     bond0
usartdb02.exmpl.c  		 ether   f8:db:77:f2:5a:a2   C                     bond0
usartdb01-vip.exmpl  	 ether   54:9f:25:e7:74:42   C                     bond0
usartdb04-vip.exmpl  	 ether   f8:db:77:f2:71:e2   C                     bond0
usartdb01.exmpl.c  	 	 ether   b7:ca:2a:2a:5c:c2   C                     bond0
usartdb02.exmpl.c  		 ether   f8:db:77:f2:27:52   C                     bond0


Example 4: Delete an entry

To delete an entry for a host from the arp cache we use the arp command with the -d option followed by the IP address. Given below is an example:

[root@linuxnix ~]# arp -d
[root@linuxnix ~]# arp -e
Address                  HWtype  HWaddress           Flags Mask            Iface            ether   00:50:56:c0:00:08   C                     eth0                    (incomplete)                              eth0          ether   00:50:56:e6:8d:12   C                     eth0

But as soon as we execute the arp command, the cache is refreshed and you’ll see the entry back in the arp table since the entry I removed was for a live neighboring device.

[root@linuxnix ~]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface            ether   00:50:56:c0:00:08   C                     eth0            ether   00:50:56:fd:b2:1a   C                     eth0          ether   00:50:56:e6:8d:12   C                     eth0


Example 5: Add an entry to the arp cache

To add an entry permanently to the arp cache we use the -s option with the arp command and need to specify the IP address and MAC address for the device while invoking the arp command. We also need to specify the interface on the system on which the entry should be added. Given below is an example:

[root@linuxnix ~]# arp -s -i eth0 00:0c:29:f6:1d:81
[root@linuxnix ~]#
[root@linuxnix ~]# arp -a
? ( at 00:0c:29:f6:1d:81 [ether] PERM on eth0
? ( at 00:50:56:e6:8d:12 [ether] on eth0
? ( at 00:50:56:fd:b2:1a [ether] on eth0
? ( at 00:50:56:c0:00:08 [ether] on eth0



This completes our exploration of the arp command with examples.  Before we conclude this article we would like to point out that like many other commands in Linux the arp command relies on a file in the /proc file system to obtain its information from. This file is /proc/net/arp.

The following two tabs change content below.

Sahil Suri

He started his career in IT in 2011 as a system administrator. He has since worked with HP-UX, Solaris and Linux operating systems along with exposure to high availability and virtualization solutions. He has a keen interest in shell, Python and Perl scripting and is learning the ropes on AWS cloud, DevOps tools, and methodologies. He enjoys sharing the knowledge he's gained over the years with the rest of the community.