An often overlooked tool, arp is used to view and manipulate the entries in the arp table. See Section 1.2, “The ARP cache” for a fuller discussion of the arp table.
The most common uses for arp are to add an address for which to proxy arp, delete an address from the arp table or view the arp table itself.
In the simplest invocation, you simply want to see the current state of the arp table. Invoking arp with no options will provide you exactly the information you need. Typically, you may not trust DNS (or may not wish to wait for the DNS lookups), and you may wish to specify the arp table on a particular interface.
Example B.1. Displaying the arp table with arp
[root@masq-gw]#arp -n -i eth3Address HWtype HWaddress Flags Mask Iface 192.168.100.1 ether 00:C0:7B:7D:00:C8 C eth3[root@masq-gw]#arp -n -i eth0Address HWtype HWaddress Flags Mask Iface 192.168.100.17 ether 00:80:C8:E8:4B:8E C eth0[root@masq-gw]#arp -a -n -i eth0? (192.168.100.17) at 00:80:C8:E8:4B:8E [ether] on eth0
The MAC address in the third column is always a six part hexadecimal number. In practice, the MAC address (also known as the hardware address or the Ethernet address) is not normally needed for the majority of troubleshooting problems, however knowing how to retrieve the MAC address can help when tracking down problems in a network [41].
The arp command can also force a permament entry into the arp table. Let's look at an unusual networking need. Infrequently, a need arises to split a network into two parts, each part with the same network address and netmask. The router which joins the two networks is connected to both sets of media. See Section 3, “Breaking a network in two with proxy ARP” for more detail on when and how to do this.
The command to add arp table entries makes a static entry in the arp table. This is not recommended practice, and is probably only necessary in strange, experimental, hybrid, or pseudo-bridging situations.
Example B.2. Adding arp table entries with arp
[root@masq-gw]#arp -s 192.168.100.17 -i eth3 -D eth3 pub[root@masq-gw]#arp -n -i eth3Address HWtype HWaddress Flags Mask Iface 192.168.100.1 ether 00:C0:7B:7D:00:C8 C eth3 192.168.100.17 * * MP eth3
After inserting an entry into the arp table on eth3, we will now
respond for ARP requests on eth3 for the IP 192.168.100.17. If the
service-router has a
packet bound for 192.168.100.17, it will generate an ARP request to
which we will respond with the Ethernet address of our eth3 interface.
Moments after you have added this arp table entry, you realize that
you really do not wish
service-router and
isolde to exchange any IP
packets. There is no reason for the
isolde to initiate a
telnet session with
service-router and
correspondingly, there are no services on
isolde which should be
accessible from the router.
Fortunately, it's quite easy to remove the entry.
Example B.3. Deleting arp table entries with arp
[root@masq-gw]#arp -i eth3 -d 192.168.100.17[root@masq-gw]#arp -n -i eth3Address HWtype HWaddress Flags Mask Iface 192.168.100.1 ether 00:C0:7B:7D:00:C8 C eth3
arp is a small utility, but one which can prove extremely handy. One minor annoyance with the arp utility is option handling. Options seem to be handled differently based on order. If in doubt, try specifying the action as the first option.
[41] I know of one instance where some devices which used DHCP to join the network were suddenly and apparently inexplicably receiving addresses in an unexpected netblock. After some head-scratching and judicious use of tcpdump to record the Ethernet address of the DHCP server giving out the bogus IP information, the administrator was able to track down a device through the switch to a port on the LAN. It turned out to be a tiny (4-port) hub with an embedded DHCP server which was intended for home use! The knowledge of the Ethernet address of the rogue DHCP server was the key to physically locating the device.