arp

The arp command is one of the most frequently used commands in Linux/Unix-like operating systems. The arp command manipulates or displays the kernel's IPv4 network neighbor cache. It can add entries to the table, delete entries, or display the current content of the ARP cache.

Quick Reference

Command Name: arp

Category: networking

Platform: linux

Basic Usage: arp [options] [arguments]

Common Use Cases

  • Network troubleshooting: View and manage the ARP cache to diagnose network connectivity issues
  • Security monitoring: Detect potential ARP spoofing attacks by monitoring for unexpected changes
  • IP conflict detection: Verify MAC address mappings to detect duplicate IP addresses on the network
  • Static mapping: Configure permanent IP-to-MAC address mappings to avoid ARP traffic

Syntax

arp [-vn] [-H type] [-i if] [-a] [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifname [netmask nm] pub

Options

Option              Description
-a, --all           Display (or delete) all entries in the ARP cache
-d, --delete        Remove an entry from the ARP cache
-s, --set           Add a new entry to the ARP cache
-n, --numeric       Show numeric addresses instead of resolving hostnames
-i, --device        Specify the network interface
-D, --use-device    Use the given interface's hardware address
-H, --hw-type       Specify hardware type for the ARP cache entry (default: ether)
-v, --verbose       Verbose mode, provides more detailed output
-t, --temp          Create a temporary entry (not stored on exit)
pub                 Create a proxy ARP entry
-f, --file          Read new entries from a file

Examples


Basic Examples:

# Display the current ARP cache
arp

# Display ARP cache with numeric IP addresses (no hostname resolution)
arp -n

# Display all entries for a specific host
arp -a 192.168.1.1

# Delete an entry from the ARP cache
sudo arp -d 192.168.1.100

# Add a static ARP entry
sudo arp -s 192.168.1.100 00:11:22:33:44:55

Advanced Examples:

# Add a static ARP entry for a specific interface
sudo arp -i eth0 -s 192.168.1.100 00:11:22:33:44:55

# Add a proxy ARP entry (respond to ARP requests for this IP)
sudo arp -s 192.168.1.200 00:11:22:33:44:55 pub

# Add a temporary static ARP entry (removed on next reboot)
sudo arp -s 192.168.1.100 00:11:22:33:44:55 temp

# Set ARP entry using a device name instead of MAC address
sudo arp -i eth0 -Ds 192.168.1.100 eth0 pub

# Display ARP cache with a specific hardware type
arp -H ether

# View the ARP cache in verbose mode
arp -v

# Delete all ARP entries for a specific interface
sudo ip neigh flush dev eth0

# Search for a specific MAC address in the ARP cache
arp -n | grep "00:11:22:33:44:55"

# Monitor ARP traffic with tcpdump
sudo tcpdump -i eth0 arp


Notes

Understanding ARP:

Address Resolution Protocol (ARP) is used to map IP addresses to MAC (hardware) addresses on a local network. The ARP cache (or table) stores these mappings to avoid repeated ARP requests for known hosts. The arp command allows you to view and manipulate this cache.

Entry Types:

  • Dynamic entries: Automatically added by the ARP protocol and periodically refreshed
  • Static entries: Manually added and persist until deleted or system reboot
  • Permanent entries: Manually added and persist across reboots
  • Proxy ARP entries: Allow the system to respond to ARP requests for an IP address on behalf of another host

Cache Entry States:

ARP entries typically have one of the following states:

  • Complete: The entry has a valid IP-to-MAC mapping
  • Incomplete: The system is currently trying to resolve the MAC address
  • Stale: The entry was valid but hasn't been confirmed recently
  • Failed: The ARP resolution process failed for this entry

Modern Alternatives:

While the arp command is still widely used, modern Linux systems also provide these alternatives:

  • ip neigh: From the iproute2 package, provides more functionality and consistent syntax with other network commands
  • ip -s neigh: Shows statistical information about neighbor entries
  • ip neigh flush: Clears entries from the neighbor table

Common Use Cases:

  • Network troubleshooting: Identifying if a host is reachable at the link layer
  • Security: Detecting potential ARP spoofing by monitoring unexpected changes
  • Static mappings: Setting permanent IP-to-MAC mappings to avoid ARP traffic
  • Proxy ARP: Allowing a host to act as a router for hosts that don't have a default gateway configured

ARP Security Considerations:

  • ARP has no authentication mechanism, making it vulnerable to spoofing attacks
  • Adding static ARP entries can help protect against ARP spoofing
  • Monitoring for changes in ARP entries can help detect network attacks
  • Tools like arpwatch or arpalert can be used to monitor for suspicious ARP activity

Interpreting ARP Output:

A typical ARP table entry contains:

  • IP Address: The IPv4 address of the remote host
  • HW type: Usually "ether" for Ethernet
  • HW address: The MAC address (e.g., 00:11:22:33:44:55)
  • Flags: Entry attributes like "C" (complete), "M" (permanent), "P" (publish)
  • Mask: Netmask for proxy ARP entries
  • Iface: The network interface this entry applies to

Proxy ARP Explained:

Proxy ARP allows a system to answer ARP requests on behalf of another host. This is used in scenarios like:

  • Network Address Translation (NAT) setups
  • VPN configurations where remote hosts appear to be on the local network
  • Router redundancy protocols
  • Network bridging scenarios

Limitations:

  • Only works with IPv4 (not IPv6, which uses Neighbor Discovery Protocol instead)
  • ARP entries are typically cached for a limited time (usually 5-20 minutes)
  • The arp command cannot directly manipulate kernel ARP timeout settings
  • May require root privileges for operations that modify the ARP cache
  • The syntax varies slightly between different Unix/Linux distributions

Related Files:

  • /proc/net/arp: Contains the current ARP table on Linux systems
  • /etc/ethers: On some systems, stores static ARP entries
  • /etc/networks: Contains network name to address mappings

Important Notes:

  • Changes made with the arp command are not persistent across reboots unless configured in network startup scripts
  • To make permanent changes, add the arp commands to network initialization scripts or use distribution-specific configuration files
  • The arp command is being deprecated in favor of the ip neigh command from the iproute2 package
  • ARP is a layer 2 protocol and only works on the local network segment; it does not cross routers

Related Commands:

  • ip neigh: Modern replacement for arp that manages the neighbor (ARP) table
  • arping: Send ARP requests to probe a specific host
  • tcpdump: Capture and analyze network traffic including ARP packets
  • arpwatch: Monitor ARP activity for suspicious changes
  • rarp: Reverse ARP lookup (get IP from MAC address)
  • ifconfig: Configure network interfaces
  • route: View and manipulate the routing table

Tips & Tricks

1. Use the -a option to display all ARP cache entries
2. Use the -n option to display numerical addresses instead of resolving hostnames
3. Use the -i interface option to specify the network interface
4. Use the -s address option to set a static ARP entry
5. Use the -d address option to delete an ARP cache entry

Common Use Cases

  • Network troubleshooting: View and manage the ARP cache to diagnose network connectivity issues
  • Security monitoring: Detect potential ARP spoofing attacks by monitoring for unexpected changes
  • IP conflict detection: Verify MAC address mappings to detect duplicate IP addresses on the network
  • Static mapping: Configure permanent IP-to-MAC address mappings to avoid ARP traffic
  • Network device discovery: Identify active devices on the local network segment
