The Address Resolution Protocol (ARP) maps Layer 3 IP addresses to Layer 2 MAC addresses. Understanding when and how ARP is used is important to fully utilize the arp command. Whenever a node wishes to send traffic to a particular IP address, it will use its own IP address and netmask to determine if the destination is on a directly connected network. If the destination address is not directly connected, the routing table is consulted. Assuming a route for the destination network exists (a default route can include the destination network), the host then determines the gateway for the routing entry. After the gateway is determined, an arp who-has request with the gateway’s (router) address can be broadcast on the appropriate network interface, and the gateway will respond with its MAC address. The host will then direct traffic for the destination to the MAC address of the gateway.
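The decision described above (on-link destination versus gateway) can be written out as a short script. This is an added example, not code from the original text; the host address, netmask, and routing table in it are constructed values chosen for illustration.

```bash
#!/bin/bash
# ip_to_int A.B.C.D: print the dotted-quad address as a 32-bit integer.
# The ( ) body runs in a subshell, so changing IFS does not leak out.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# same_net ADDR NET MASK: succeed if ADDR and NET fall in the same network.
same_net() (
    a=$(ip_to_int "$1"); n=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
)

# Constructed host configuration (assumed values, not from the page).
HOST_IP=192.168.1.50
HOST_MASK=255.255.255.0
# Constructed routing table: "network netmask gateway", default route last.
ROUTES="10.1.1.0 255.255.255.0 192.168.1.254
0.0.0.0 0.0.0.0 192.168.1.1"

# arp_target DEST: print the IP address the host must resolve with ARP
# before it can send a frame toward DEST.
arp_target() {
    if same_net "$1" "$HOST_IP" "$HOST_MASK"; then
        echo "$1"                  # directly connected: ARP for DEST itself
        return 0
    fi
    while read -r r_net r_mask r_gw; do
        if same_net "$1" "$r_net" "$r_mask"; then
            echo "$r_gw"           # routed: ARP for the gateway instead
            return 0
        fi
    done <<EOF
$ROUTES
EOF
    echo "no route to $1" >&2
    return 1
}

for dest in 192.168.1.101 10.1.1.4 172.16.9.9; do
    echo "$dest -> arp who-has $(arp_target "$dest")"
done
```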
Linux’s tool to access the ARP table is the command arp. arp, like the ifconfig command, is provided in the net-tools distribution available at http://www.tazenda.demon.co.uk/phil/net-tools/.
arp, like ifconfig, is very useful without any parameters:
```
[root@lefty /root]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:20:78:CF:3D:66   C                     eth0
speedy                   ether   00:40:D0:08:6A:72   C                     eth0
```
The output includes the Layer 3 (IP) address, the type of network interface (HWtype), the MAC address (HWaddress), and the interface where the MAC address was learned. The Mask was used with early versions of Linux but is no longer used. The Flags entry C reports that the entry is completed, that is, that the IP address was learned. arp's output is not completely consistent: an incomplete entry is shown with an (incomplete) entry in the table rather than with a value in the Flags column:
```
[root@lefty /root]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.5                      (incomplete)                              eth0
192.168.1.1              ether   00:20:78:CF:3D:66   C                     eth0
speedy                   ether   00:40:D0:08:6A:72   C                     eth0
```
arp supports many parameters to assist in network troubleshooting.
The -a host parameter filters the arp command output to the specific host involved. The host can be either the host name of the particular node or the node’s IP address. The following shows the MAC address assigned to 192.168.1.100:
```
[root@lefty /root]# arp -a 192.168.1.100
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.100            ether   00:20:58:CC:66:3D   C                     eth0
```
Running arp with -a host, combined with the -d option discussed in a following section, on several Linux nodes on the same network can help to quickly identify two hosts configured with the same IP address: the IP address will be the same, but the MAC addresses will be different.
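The comparison across nodes can be scripted. The following is an added example, not code from the original text: it parses `arp -n` output collected from two hosts, skips the inconsistent (incomplete) rows described earlier, and reports any IP address seen with more than one MAC address. The two captures are constructed sample data, and the second MAC address for 192.168.1.100 is made up.

```bash
#!/bin/bash
# Constructed sample data: `arp -n` output as captured on two hosts.
sample_lefty() {
cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.5                      (incomplete)                              eth0
192.168.1.1              ether   00:20:78:CF:3D:66   C                     eth0
192.168.1.100            ether   00:20:58:CC:66:3D   C                     eth0
EOF
}
sample_righty() {
cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:20:78:CF:3D:66   C                     eth0
192.168.1.100            ether   00:40:D0:AA:BB:CC   C                     eth0
EOF
}

# parse_arp HOST: read `arp -n` text on stdin and print "ip mac host" for each
# completed entry. The header and (incomplete) rows are skipped; the latter
# have no HWtype or Flags column, so their fields do not line up.
parse_arp() {
    awk -v host="$1" '
        NR == 1 && $1 == "Address"   { next }
        $2 == "(incomplete)"         { next }
        split($3, octet, ":") == 6   { print $1, toupper($3), host }
    '
}

# find_conflicts: read "ip mac host" lines and print one line for every IP
# address that was observed with more than one distinct MAC address.
find_conflicts() {
    awk '
        !(($1, $2) in seen) { seen[$1, $2] = 1; n[$1]++; macs[$1] = macs[$1] " " $2 }
        END { for (ip in n) if (n[ip] > 1) print "CONFLICT " ip ":" macs[ip] }
    ' | sort
}

# check_samples: merge both constructed captures and look for conflicts.
# On live nodes, feed parse_arp from: arp -n | parse_arp "$(hostname)"
check_samples() {
    { sample_lefty | parse_arp lefty; sample_righty | parse_arp righty; } | find_conflicts
}

check_samples
```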
The -H parameter specifies that only arp entries for the particular interface type should be printed. For example, to print all Ethernet entries, use
```
[root@lefty /root]# arp -H ether
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:20:78:CF:3D:66   C                     eth0
speedy                   ether   00:40:D0:08:6A:72   C                     eth0
```
Or to see any Token Ring entries:
```
[root@lefty net]# arp -H tr
arp: in 2 entries no match found.
```
The media (hardware) types supported by the arp command are shown in Table 9.6.
Media | Hardware Types Abbreviations |
---|---|
Adaptive Serial Line IP | adaptive |
Amateur NET/ROM | netrom |
Amateur ROSE | rose |
Amateur X.25 | ax25 |
ARCnet | arcnet |
Ash | ash |
Cisco HDLC | hdlc |
Compressed Serial Line IP | cslip |
Compressed Serial Line IP 6 bit | cslip6 |
Econet | ec |
Ethernet | ether |
Fiber Distributed Data Interface | fddi |
Frame Relay Access Device | frad |
Frame Relay DLCI | dlci |
High-Performance Parallel Interface | hippi |
IP in IP Tunneling | tunnel |
IPv6 in IPv4 Tunneling | sit |
IrLAP | irda |
LAPB | lapb |
Local Loopback | loop |
Point-to-Point Protocol | ppp |
Serial Line IP | slip |
Serial Line IP 6 bit | slip6 |
Token Ring | tr |
arp also can display all the entries for a particular interface with the -i parameter. To view all the ARP entries learned on righty’s second interface card, the following arp command would be used:
```
[root@righty /root]# arp -i eth1
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.1.4                 ether   00:40:68:CF:33:22   C                     eth1
blue                     ether   00:40:D7:08:6A:52   C                     eth1
```
-n turns off name resolution for the arp command so that IP addresses are not resolved to host names. Notice the arp command without the -n:
```
[root@lefty /root]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:20:78:CF:3D:66   C                     eth0
speedy                   ether   00:40:D0:08:6A:72   C                     eth0
```
The IP address for speedy is being resolved, and arp prints speedy as opposed to the IP address. Here is the same ARP table without name resolution:
```
[root@lefty /root]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:20:78:CF:3D:66   C                     eth0
192.168.1.101            ether   00:40:D0:08:6A:72   C                     eth0
```
Sometimes it is necessary to delete the arp entry of a host to troubleshoot networking problems where address resolution is not working correctly, such as when two nodes are misconfigured with the same IP address or where a network interface card might seem to be misbehaving. The -d parameter can be used to remove specific entries. The -d is followed by the host, which can be the IP address or the hostname of the node. To remove speedy’s MAC address from the arp cache, the following is typed:
```
[root@lefty /root]# arp -d speedy
```
And to see that it has been removed:
```
[root@lefty /root]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:20:78:CF:3D:66   C                     eth0
```
Oftentimes when troubleshooting ARP-related problems, there is a need to clear the complete ARP cache. The following script, darpcache, uses the -d parameter to parse through the cache and remove all entries:
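```bash
#!/bin/bash
# darpcache
# This script deletes all arp entries from the arp cache
# -n keeps addresses numeric; grep -v drops the "Address" header line
for host in $(arp -n | awk '{print $1}' | grep -v Address)
do
    echo "Deleted entry for host: $host"
    # Remove this host's entry from the ARP cache (requires root)
    arp -d "$host"
done
```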
Its output looks similar to this:

```
[root@lefty /root]# ./darpcache
Deleted entry for host: 192.168.1.1
Deleted entry for host: 192.168.1.101
```
A related protocol, RARP, works similarly to ARP; however, its purpose is to allow a host to determine its IP address by broadcasting its MAC address as an RARP request. A node then responds with the mapped IP address. RARP has all but been replaced with the Dynamic Host Configuration Protocol (DHCP) for several reasons, including RARP’s tendency to be statically mapped on a particular node and DHCP’s ability to provide additional information beyond the IP address (including DNS configuration like name servers and domain suffixes). DHCP is also widely supported on non-UNIX systems.
RARP support must be configured in the Linux kernel, and the RARP table is managed using the rarp command.