Networking
18 June 2011 0 Comments

Viewing and Manipulating the ARP Cache on Windows and Linux

Other posts in the ARP series: The ARP protocol explained and An introduction to ARP cache poisoning.

Both Windows and Linux have a tool called arp. I tested this with Windows 7 and Linux kernel 2.6.31, but this information should be true for just about every OS version since the dawn of TCP/IP.

Command Overview

Be aware that there is one ARP cache (table) per interface, as opposed to the routing table, which is global for the system.

Windows: arp.exe

Open an elevated command prompt (you need administrator rights). Now you can type arp to execute the Windows ARP cache manager.

Display the current ARP entries for each interface with arp -a:

[sourcecode language="text" classname="nonum"]
C:\>arp -a

Interface: 232.19.232.231 --- 0xb
Internet Address      Physical Address      Type
232.19.232.2          22-22-2c-27-ac-22     dynamic
232.19.232.22         22-21-f3-23-3e-23     dynamic
232.19.232.32         22-29-33-c1-c2-24     dynamic
232.19.232.91         22-2d-29-a9-33-17     dynamic
232.19.232.231        22-22-29-c2-22-b7     dynamic
232.19.232.242       …
[/sourcecode]

Tags: arp.exe, clear cache, internet address, physical address
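
As an added example (not code from the original post), the `arp -a` layout shown above can be parsed into one table per interface, and each table checked for a dynamic MAC address that is cached for more than one IP. That can be legitimate (proxy ARP, for example), but it is also what a poisoned entry can look like. The sample output, its addresses and the function names `parse_arp_a` and `shared_macs` are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Windows `arp -a` layout (documentation-range addresses).
SAMPLE = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-00-5e-00-53-01     dynamic
  192.0.2.20            00-00-5e-00-53-14     dynamic
  192.0.2.30            00-00-5e-00-53-01     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static

Interface: 198.51.100.5 --- 0x10
  Internet Address      Physical Address      Type
  198.51.100.1          00-00-5e-00-53-aa     dynamic
"""

IFACE_RE = re.compile(r"^Interface:\s+(\S+)\s+\S+\s+(0x[0-9a-fA-F]+)")
ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)")

def parse_arp_a(text):
    """Return {interface_ip: [(ip, mac, type), ...]}, one table per interface."""
    tables, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = tables.setdefault(m.group(1), [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return tables

def shared_macs(tables):
    """Per interface, dynamic unicast MACs that are mapped to more than one IP."""
    findings = {}
    for iface, entries in tables.items():
        by_mac = defaultdict(list)
        for ip, mac, kind in entries:
            # Skip static entries and group (broadcast/multicast) MACs: they repeat legitimately.
            if kind == "dynamic" and not int(mac[:2], 16) & 1:
                by_mac[mac].append(ip)
        dup = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
        if dup:
            findings[iface] = dup
    return findings

if __name__ == "__main__":
    print(shared_macs(parse_arp_a(SAMPLE)))
```

Because the cache is per interface, the check is run per interface as well; the same MAC appearing under two different interfaces is not reported.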
Networking
17 June 2011 3 Comments

The ARP Protocol Explained

Introduction

The Address Resolution Protocol, or ARP, is used to resolve network-layer addresses (IP) to link-layer addresses (MAC). This post describes the basics of the ARP protocol; viewing and manipulating your ARP cache is discussed in the next post.

Other posts on the ARP protocol are available here:

  • Viewing and manipulating the ARP cache on Windows and Linux.
  • An introduction to ARP cache poisoning.

ARP Basics

When a system wants to send data to another computer, it prepares an IP packet with the appropriate destination IP. This packet is passed down to the link-layer (usually Ethernet). This layer needs to encapsulate the IP packet in an Ethernet frame before it can be sent.

An Ethernet frame must be addressed to a destination hardware address (MAC address). But which MAC address corresponds with the destination IP address? This is looked up in the ARP cache. The ARP cache contains mappings of the form (IP - MAC).

Source and Destination Hosts on the Same Local Network

The sending host will first look up the destination IP address in its routing table. If the destination IP is on the same physical network (subnet) then there are no routers between the host…