Address Resolution Protocol
This is the protocol that matches IP addressses to MAC (hardware) addresses. Every IP network device has a unique 6 byte hardware address, the first three of which are assigned to specific companies. See Troubleshooting network connections with arp, 'arpwatch' for security and administration.
The arp cache can be displayed with "arp -a":
linux (10.1.36.3) at 0:1:2:26:0:cc ? (10.1.36.238) at 0:c0:f0:6b:b4:18 ? (10.1.36.249) at 0:8:0:c0:8:d ? (10.1.36.255) at ff:ff:ff:ff:ff:ff
If you replace a network device, the MAC address will be different and you need to either wait for the arp cache to clear, or delete the cache so that the new MAC information can be put in. The waiting time could be as little as two minutes (Windows 95) or as much as several hours (servers and routers have longer cache retention settings).
An often overlooked debugging point is this: if the ip address you want to talk to is NOT in the cache (after your attempt to ping, telnet etc.), you are not going to be able to talk to it period. If it IS in the cache, it's worth checking that the MAC address makes sense: if the first three bytes indicate that it is a 3Com device, but you know for a fact that is not true, then some other device is using that ip address, and that may be why yoyr attempts to communicate are failing.
It is possible to have "proxy arp": some machine is helping your arp cache by telling you what it thinks you need to know. In such a case, your cache information might be completely useless: the device in question could be turned off, dead, or unplugged. What you get is the MAC of the proxy. If you see the same MAC assigned to two different IP's, that's probably why.
Gratuitous arp is arp broadcasts made without a request: a server telling its clients "I'm 192.168.2.3 at 00-02-9C-08-03-C3". If the server is regularly changing its address, that can be useful, because any client that has that in its cache already will update it.
Inverse and reverse arp are similar: inverse is exactly the opposite of arp; it's who has the ip matching this MAC. Reverse arp is what lets a device find out what its ip address is supposed to be, and is conceptually similar to DHCP.
Finally, there's "UnArp", which is a way to say "I'm all done and am leaving the network", which helps clear out caches sooner.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2011-07-05 Tony Lawrence