LinuxCommandLibrary

arp

Display and modify ARP cache entries

TLDR

Show the current ARP table

$ arp -a

[d]elete a specific entry

$ arp -d [address]

[s]et up a new entry in the ARP table

$ arp -s [address] [mac_address]

SYNOPSIS

arp [-vn] [-H type] [-i if] [-a] [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] [pub] [temp]

PARAMETERS

-v
    Enables verbose output, showing more details about the command's actions.

-n
    Displays IP addresses numerically instead of resolving them to hostnames, which can speed up output.

-a or --display
    Displays all current entries in the ARP cache. This is the default behavior if neither a hostname nor any other option is specified.

-d or --delete
    Deletes an entry from the ARP cache. Requires root privileges.

-s or --set
    Creates a static entry in the ARP cache. Requires root privileges. This entry will not expire naturally.

-f or --file
    Reads entries from a specified file and adds or deletes them. The file should contain entries in the format 'hostname hw_addr'.

-H type or --hw-type type
    Specifies the hardware address type. Common types include ether (Ethernet), arcnet, fddi, etc.

-i if or --device if
    Specifies the network interface to which the ARP entry is bound (e.g., eth0, wlan0).

hostname
    The target hostname or IP address for which to display, delete, or set an ARP entry.

hw_addr
    The hardware address (MAC address) to associate with the hostname (e.g., 00:11:22:AA:BB:CC).

netmask nm
    Used with -s and pub to specify a netmask for proxy ARP entries, allowing the system to respond to ARP requests for a range of addresses.

pub
    When used with -s, it makes the system publish this ARP entry, acting as a proxy ARP for the specified host or network. This is useful for routing traffic through a specific machine.

temp
    When used with -s, it makes the added entry temporary, meaning it can be aged out by the kernel over time, unlike truly static entries.

DESCRIPTION

The arp command is a utility for managing the kernel's Address Resolution Protocol (ARP) cache. ARP is a crucial protocol that translates IP addresses to physical MAC addresses on a local network segment. When a system needs to communicate with another device on the same local network, it uses ARP to discover the destination's MAC address given its IP address.

The arp command allows administrators to view the current contents of the ARP cache, add static entries (e.g., for troubleshooting or security), and delete existing entries. This is particularly useful for diagnosing network connectivity issues, such as when a device is unreachable despite having a valid IP address. While arp is a traditional command, its functionality has largely been superseded by the more comprehensive ip neighbor command from the iproute2 suite on modern Linux distributions, but it remains widely available and used due to its simplicity.

CAVEATS

Root Privileges: Modifying (adding or deleting) ARP cache entries using -s or -d options requires superuser (root) privileges.
Dynamic Cache: The ARP cache is dynamic; most entries are learned and aged out automatically. Static entries added with -s (without temp) do not expire.
Proxy ARP: Misuse of the pub option (Proxy ARP) can lead to network misconfigurations or security issues.

PROXY ARP

Proxy ARP is a technique where a device (usually a router) responds to ARP requests for IP addresses that are not its own, but for which it knows how to route traffic. This allows the device to act as an intermediary, enabling devices on one subnet to reach devices on another subnet without needing a default gateway configured on the end devices. The arp -s ... pub command can be used to manually configure a system to perform proxy ARP for a specific host or network.

ARP CACHE TIMEOUT

Entries in the dynamic ARP cache are not permanent. They have a timeout period after which they are removed if not refreshed. This prevents stale or incorrect mappings from persisting indefinitely. The specific timeout values are kernel tunable parameters and can vary, but typically range from tens of seconds to a few minutes. Stale entries can lead to communication failures.

HISTORY

The arp command is part of the traditional net-tools package, which has been a staple of Unix-like operating systems for many years. Its development is intertwined with the early days of TCP/IP networking on Linux. While still widely available and used, it is now largely considered a legacy tool. Modern Linux distributions primarily use the iproute2 suite, with the ip neighbor command serving as the successor to arp, offering more advanced and integrated network management capabilities. Despite this, arp persists due to its simplicity for basic ARP cache management tasks.

SEE ALSO

ip(8), netstat(8), ifconfig(8)
