Skip to content

arp Command Cheat Sheet

arp (Address Resolution Protocol) displays and modifies the kernel's ARP cache. The ARP cache stores mappings between IP addresses and MAC (hardware) addresses on your local network. While arp is being phased out in favor of ip neigh from the iproute2 package, it's still widely used and available on many systems.


Synopsis

arp [options]
arp -a [hostname]
arp -d hostname
arp -s hostname hw_addr

Description

The ARP protocol resolves IP addresses to MAC addresses on a local network. The arp command allows you to view and manipulate the ARP cache maintained by the kernel, which is useful for network troubleshooting and diagnostics.


Basic Usage

Display ARP Cache

arp

Shows all ARP entries with hostnames.

Display with Numeric Addresses

arp -n

Shows IP addresses instead of resolving to hostnames (faster).

Display All Entries

arp -a

BSD-style output showing all entries.

Display Specific Host

arp 192.168.1.1
arp router.local

Common Options

-a [hostname]

Display ARP cache entries (BSD style):

arp -a
arp -a 192.168.1.1

-n

Show numeric addresses (don't resolve hostnames):

arp -n

Much faster for large ARP caches.

-v

Verbose mode, show detailed information:

arp -v

-e

Linux-style display (default on Linux):

arp -e

-D

Use hardware address from specified interface:

arp -D -i eth0

-i interface

Select specific interface:

arp -i eth0
arp -i wlan0

Modifying ARP Cache

Add Static Entry

sudo arp -s 192.168.1.100 00:11:22:33:44:55

Creates permanent ARP entry.

Add Entry for Specific Interface

sudo arp -s 192.168.1.100 00:11:22:33:44:55 -i eth0

Delete Entry

sudo arp -d 192.168.1.100

Removes ARP entry from cache.

Delete All Entries (Flush)

sudo ip -s -s neigh flush all

Note: Use ip neigh command for flushing.


ARP Cache Entries

Entry States

  • (none): Incomplete, resolution in progress
  • REACHABLE: Valid, recently confirmed
  • STALE: Valid but needs reconfirmation
  • DELAY: Sending probe to reconfirm
  • PROBE: Probing for reconfirmation
  • FAILED: Resolution failed
  • PERMANENT: Manually added static entry

Entry Types

  • C: Cached entry (dynamic)
  • M: Permanent entry (static)
  • P: Published entry (proxy ARP)

Practical Examples

View Current Network Devices

arp -a

Output:

router (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
laptop (192.168.1.10) at 11:22:33:44:55:66 [ether] on eth0
printer (192.168.1.20) at 77:88:99:aa:bb:cc [ether] on eth0

Quick Network Scan

# Ping all hosts to populate ARP cache
for i in {1..254}; do
    ping -c 1 -W 1 192.168.1.$i > /dev/null 2>&1 &
done
wait

# View discovered hosts
arp -n

Find MAC Address of Gateway

# Get gateway IP
gateway=$(ip route | grep default | awk '{print $3}')

# Find MAC
arp -n $gateway

Check Specific Device

arp -n 192.168.1.100 | awk '{print $3}'

Outputs just the MAC address.

Monitor ARP Cache Changes

watch -n 1 'arp -n'

Updates every second.


Troubleshooting

Incomplete Entry

arp -n
# Output shows:
# 192.168.1.50    (incomplete)         eth0

Possible causes: - Host is down - Network cable unplugged
- Firewall blocking - Wrong subnet

Solution:

# Try ping
ping 192.168.1.50

# Check routing
ip route get 192.168.1.50

# Verify interface
ip link show eth0

Duplicate IP Address

arp -n | sort -k1 | uniq -d -w15

Shows duplicate IP addresses (possible IP conflict).

Wrong MAC Address

# Delete incorrect entry
sudo arp -d 192.168.1.100

# Add correct entry
sudo arp -s 192.168.1.100 aa:bb:cc:dd:ee:ff

Clear Stale Entries

# Modern way
sudo ip neigh flush all

# Or delete individually
sudo arp -d 192.168.1.50

ARP vs IP Neigh

The ip neigh command is the modern replacement:

# Old way
arp -a

# New way
ip neigh show
ip neighbor show

Common Equivalents

arp Command ip neigh Equivalent
arp -a ip neigh show
arp -n ip neigh show
arp -d IP ip neigh del IP dev DEVICE
arp -s IP MAC ip neigh add IP lladdr MAC dev DEVICE nud permanent
arp -i eth0 ip neigh show dev eth0

Network Discovery

Find All Active Hosts

#!/bin/bash
# Scan network and show active hosts
network="192.168.1"
for i in {1..254}; do
    ping -c 1 -W 1 $network.$i &> /dev/null && echo "$network.$i is up" &
done
wait
echo "Active hosts in ARP cache:"
arp -n | grep -v incomplete

List Only Active MACs

arp -n | awk '$1 != "Address" && $3 != "<incomplete>" {print $1, $3}'

Group by Interface

arp -a | awk '{print $NF}' | sort | uniq -c

Security Considerations

ARP Spoofing Detection

# Monitor for MAC address changes
watch -d 'arp -n'

Changes in MAC for same IP could indicate ARP spoofing.

Static ARP Entries for Critical Hosts

# Prevent ARP spoofing for gateway
sudo arp -s 192.168.1.1 aa:bb:cc:dd:ee:ff

Makes entry permanent and prevents ARP poisoning.

ARP Scan Tools

# Using arp-scan (if installed)
sudo arp-scan --localnet
sudo arp-scan --interface=eth0 192.168.1.0/24

# Using nmap
sudo nmap -sn 192.168.1.0/24

Scripting Examples

Save ARP Table

arp -n > arp_cache_$(date +%Y%m%d_%H%M%S).txt

Compare ARP Tables

#!/bin/bash
arp -n | sort > /tmp/arp_now
diff /tmp/arp_previous /tmp/arp_now
mv /tmp/arp_now /tmp/arp_previous

Alert on New Hosts

#!/bin/bash
KNOWN_HOSTS="/etc/known_macs.txt"
CURRENT=$(arp -n | awk '$3 !~ /incomplete/ {print $3}' | sort)

comm -13 <(sort $KNOWN_HOSTS) <(echo "$CURRENT") | while read mac; do
    echo "Alert: Unknown MAC address detected: $mac"
done

Extract Vendor from MAC

# First 3 octets identify vendor
arp -n | awk '{print substr($3,1,8)}' | sort -u

Use online OUI lookup to identify manufacturers.


Advanced Usage

Proxy ARP

# Enable proxy ARP on interface
sudo sysctl -w net.ipv4.conf.eth0.proxy_arp=1

# Make permanent
echo "net.ipv4.conf.eth0.proxy_arp = 1" | sudo tee -a /etc/sysctl.conf

ARP Timeout

# View current timeout (in seconds)
cat /proc/sys/net/ipv4/neigh/default/gc_stale_time

# Modify timeout
sudo sysctl -w net.ipv4.neigh.default.gc_stale_time=120

ARP Table Size

# View limits
cat /proc/sys/net/ipv4/neigh/default/gc_thresh1
cat /proc/sys/net/ipv4/neigh/default/gc_thresh2
cat /proc/sys/net/ipv4/neigh/default/gc_thresh3

Common Use Cases

Identify Unknown Device on Network

# Find all devices
arp -a

# Get MAC address
arp -n 192.168.1.50 | awk '{print $3}'

# Lookup vendor
curl "https://api.macvendors.com/AA:BB:CC:DD:EE:FF"

Network Inventory

#!/bin/bash
echo "IP Address,MAC Address,Hostname"
arp -a | grep ether | while read line; do
    hostname=$(echo $line | awk '{print $1}')
    ip=$(echo $line | awk '{print $2}' | tr -d '()')
    mac=$(echo $line | awk '{print $4}')
    echo "$ip,$mac,$hostname"
done

Check If IP Is In Use

check_ip() {
    ping -c 1 -W 1 $1 > /dev/null 2>&1
    arp -n $1 | grep -q ether && echo "In use" || echo "Available"
}

check_ip 192.168.1.100

Debugging Network Issues

Gateway Not Responding

# Check if gateway in ARP cache
gateway=$(ip route | grep default | awk '{print $3}')
arp -n $gateway

# If incomplete, check:
# 1. Cable connection
# 2. Switch/router status
# 3. VLAN configuration
# 4. Firewall rules

Intermittent Connectivity

# Monitor ARP entries
watch -n 1 'arp -n | grep 192.168.1.1'

# Look for:
# - MAC address changes (ARP spoofing)
# - Incomplete entries (connectivity issues)
# - Entry disappearing/reappearing (unstable connection)

Slow Network Performance

# Check ARP cache size
arp -n | wc -l

# If too large, may cause performance issues
# Consider increasing thresholds or cleaning old entries

Exit Status

Code Meaning
0 Success
1 Minor errors (host not found, etc.)
2 Major errors (invalid argument, permission denied)

Files

/proc/net/arp

cat /proc/net/arp

Raw ARP cache data used by arp command.

/etc/ethers

# Static ARP entries can be defined here
192.168.1.100  00:11:22:33:44:55

Tips and Best Practices

  1. Use ip neigh for New Scripts - It's the modern standard
  2. Don't Trust ARP Cache - Entries can be spoofed
  3. Use Static Entries for Critical Hosts - Prevents ARP poisoning
  4. Monitor for Changes - Detect potential attacks
  5. Clear Cache When Troubleshooting - Eliminates stale data
  6. Use -n for Speed - Avoids slow DNS lookups
  7. Combine with Other Tools - ping, nmap, arp-scan
  8. Check Interface - Use -i for multi-interface systems
  9. Document Static Entries - Keep record of manual additions
  10. Regular Audits - Periodically review ARP cache for anomalies

Alternative Commands

Modern Approach (ip neigh)

# Show neighbors
ip neigh show

# Show for specific interface
ip neigh show dev eth0

# Add entry
sudo ip neigh add 192.168.1.100 lladdr aa:bb:cc:dd:ee:ff dev eth0

# Delete entry
sudo ip neigh del 192.168.1.100 dev eth0

# Flush cache
sudo ip neigh flush all

ARP-scan

sudo apt install arp-scan

# Scan local network
sudo arp-scan --localnet

# Scan specific subnet
sudo arp-scan 192.168.1.0/24

Common Errors

"SIOCSARP: No such device"

Interface doesn't exist. Check:

ip link show

"SIOCSARP: Permission denied"

Need root privileges:

sudo arp -s 192.168.1.100 aa:bb:cc:dd:ee:ff

"SIOCSARP: Invalid argument"

Wrong MAC address format:

# Wrong
sudo arp -s 192.168.1.100 aa-bb-cc-dd-ee-ff

# Correct
sudo arp -s 192.168.1.100 aa:bb:cc:dd:ee:ff