arpd
Manage the ARP (Address Resolution Protocol) table
SYNOPSIS
arpd [options]
PARAMETERS
-b
Run arpd as a daemon in the background.
-L
Log messages to syslog instead of standard output.
-f <file>
Specify an alternative configuration file for arpd.
-i <interface>
Listen for ARP traffic on the specified network interface. Can be specified multiple times.
-P
Operate in promiscuous mode, capturing all ARP traffic on the specified interface(s), not just for this host.
-u
Update the kernel's neighbor table with learned entries from arpd's cache, synchronizing states.
-p <path>
Specify a path for the PID (Process ID) file, which stores the daemon's process ID.
DESCRIPTION
arpd is a user-space daemon designed to manage the Address Resolution Protocol (ARP) cache on a Linux system. It provides a more flexible and potentially faster mechanism for handling ARP entries compared to the kernel's built-in cache, especially in scenarios involving a large number of entries or frequent updates.
arpd can collect ARP information via gratuitous ARP messages, ARP requests/replies, or by sniffing network traffic. It can also be configured to answer ARP requests on behalf of other hosts (proxy ARP) or announce host presence via gratuitous ARP. Its primary use case is to offload ARP management from the kernel or to provide advanced ARP functionalities required by routing daemons (like FRR) that manage many IP addresses and need to keep their ARP caches up-to-date. arpd interacts with the kernel's neighbor table (which includes ARP entries) primarily through netlink sockets, allowing for efficient synchronization and manipulation of ARP states.
CAVEATS
Complexity: arpd introduces an additional layer of complexity to network configuration. For simple network setups, the kernel's native ARP handling is generally sufficient, which can make arpd unnecessary overhead.
Performance: While designed for high-performance ARP management in specific scenarios (e.g., large-scale routing), misconfiguration or inappropriate deployment can inadvertently introduce overhead or stability issues.
Security: Operating arpd in promiscuous mode (via -P) allows it to capture all ARP-related traffic on the specified interfaces, which has security implications. Careful consideration of network segmentation and access control policies is crucial.
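Because arpd learns entries from gratuitous ARP and sniffed traffic and, per the -u description above, can synchronize them into the kernel's neighbor table, that table is worth auditing for one hardware address claiming several IPs on the same interface. The following is an added example, not part of arpd or iproute2: it parses text in the `ip neigh show` output format, the sample lines are constructed, and the names parse_neigh, shared_macs and allowed are hypothetical.

```python
import sys
from collections import defaultdict

# Constructed sample in the text format printed by `ip neigh show`.
SAMPLE = """\
192.0.2.1 dev eth0 lladdr 02:00:00:00:00:01 router REACHABLE
192.0.2.10 dev eth0 lladdr 02:00:00:00:00:10 STALE
192.0.2.11 dev eth0 lladdr 02:00:00:00:00:aa REACHABLE
192.0.2.12 dev eth0 lladdr 02:00:00:00:00:AA STALE
192.0.2.13 dev eth0 FAILED
192.0.2.14 dev eth1 lladdr 02:00:00:00:00:aa DELAY
"""

def parse_neigh(text):
    """Parse `ip neigh show` text into dicts with ip, dev, mac and state."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "dev":
            continue  # not a neighbor entry
        mac = None
        if "lladdr" in tok[:-1]:
            mac = tok[tok.index("lladdr") + 1].lower()
        # The last token is the NUD state; proxy entries carry none.
        last = tok[-1]
        state = last if last.isalpha() and last.isupper() else None
        entries.append({"ip": tok[0], "dev": tok[2], "mac": mac, "state": state})
    return entries

def shared_macs(entries, allowed=()):
    """Return {(dev, mac): sorted IPs} for MACs holding more than one IP.

    `allowed` lists MACs expected to answer for many IPs, such as a
    host that legitimately performs proxy ARP.
    """
    allowed = {m.lower() for m in allowed}
    by_mac = defaultdict(set)
    for e in entries:
        # Unresolved entries carry no usable mapping, so skip them.
        if e["mac"] and e["mac"] not in allowed and e["state"] not in ("FAILED", "INCOMPLETE"):
            by_mac[(e["dev"], e["mac"])].add(e["ip"])
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}

if __name__ == "__main__":
    # Read real output from a pipe, or fall back to the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (dev, mac), ips in sorted(shared_macs(parse_neigh(text)).items()):
        print(f"{dev}: {mac} claims {', '.join(ips)}")
```

Piping the output of `ip neigh show` into the script audits the live table; a flagged address that is not a known proxy ARP host deserves a closer look.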
INTERACTION WITH KERNEL
arpd primarily communicates with the Linux kernel's neighbor table (which manages ARP entries) through Netlink sockets. This modern kernel interface allows arpd to dynamically inject, update, and receive notifications about ARP entries, providing a significantly more efficient and responsive ARP management system compared to older methods that relied on less flexible interfaces.
PRIMARY USE CASES
The main applications for arpd are in complex network environments where a single host or router needs to handle a very large number of IP addresses (e.g., serving as a BGP router advertising numerous prefixes), or when advanced ARP functions such as large-scale proxy ARP, dynamic gratuitous ARP announcements for high availability, or load balancing are required beyond the kernel's default capabilities.
HISTORY
arpd is a component of the iproute2 suite of networking utilities, which emerged as a modern replacement for older network management tools (like those from the net-tools package, e.g., ifconfig and route). Its development reflects the evolution of Linux networking towards more dynamic and programmable infrastructure management. It was specifically designed to address the needs of complex network environments and routing daemons (such as Quagga or FRR) that manage a vast number of IP addresses and require robust, scalable, and efficient ARP cache synchronization.
SEE ALSO
arp(8), ip-neighbour(8), netlink(7)