How can you find out where your network problems originate? One way is to use the ARP command, discussed in this tip from TCP/IP Network Administration by Craig Hunt, published by O'Reilly and Associates.
The arp command is used to analyze problems with IP to Ethernet address translation. The arp command has three useful options for troubleshooting:
- -a: Display all ARP entries in the table.
- -d hostname: Delete an entry from the ARP table.
- -s hostname ether-address: Add a new entry to the table.
With these three options you can view the contents of the ARP table, delete a problem entry, and install a corrected entry. The ability to install a corrected entry is useful in "buying time" while you look for a permanent fix.
Use arp if you suspect that incorrect entries are getting into the address resolution table. One clear indication of problems with the ARP table is a report that the "wrong" host responded to some command, like ftp or Telnet. Intermittent problems that affect only certain hosts can also indicate that the ARP table has been corrupted. ARP table problems are usually caused by two systems using the same IP address. The problems appear intermittent because the entry that appears in the table is the address of the host that responded quickest to the last ARP request. Sometimes the "correct" host responds first, and sometimes the "wrong" host responds first.
If you suspect that two systems are using the same IP address, display the address resolution table with the arp -a command. Here's an example from a Solaris system:

    % arp -a
    Net to Media Table
    Device IP Address             Mask            Flags Phys Addr
    ------ ---------------------- --------------- ----- -----------------
    le0    peanut.nuts.com        255.255.255.255       08:00:20:05:21:33
    le0    pecan.nuts.com         255.255.255.255       00:00:0c:e0:80:b1
    le0    almond.nuts.com        255.255.255.255 SP    08:00:20:22:fd:51
    le0    BASE-ADDRESS.MCAST.NET 240.0.0.0       SM    01:00:5e:00:00:00

It is easiest to verify that the IP and Ethernet address pairs are correct if you have a record of each host's correct Ethernet address. For this reason, you should record each host's Ethernet and IP address when it is added to your network. If you have such a record, you'll quickly see if anything is wrong with the table.
If you don't have this type of record, the first three bytes of the Ethernet address can help you detect a problem. The first three bytes of the address identify the equipment manufacturer. A list of these identifying prefixes is found in the Assigned Numbers RFC, in the section entitled "Ethernet Vendor Address Components." This information is also available at ftp://ftp.isi.edu/in-notes/ianan/assignments/ethernet-numbers.
From the vendor prefixes we see that two of the ARP entries displayed in our example are Sun systems (8:0:20). If pecan is also supposed to be a Sun, the 0:0:0c Cisco prefix indicates that a Cisco router has been mistakenly configured with pecan's IP address.
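The two checks above (comparing the table against a record of assignments, then reading the vendor prefix of any entry that disagrees) can be automated. The following Python sketch is an added example, not code from the book; the inventory contents, pecan's recorded address, and the function names are assumptions made for illustration, and the vendor table holds only the two prefixes named in this tip.

```python
import re

# Constructed sample input: the Solaris `arp -a` listing from this tip.
ARP_OUTPUT = """\
Net to Media Table
Device IP Address             Mask            Flags Phys Addr
------ ---------------------- --------------- ----- -----------------
le0    peanut.nuts.com        255.255.255.255       08:00:20:05:21:33
le0    pecan.nuts.com         255.255.255.255       00:00:0c:e0:80:b1
le0    almond.nuts.com        255.255.255.255 SP    08:00:20:22:fd:51
le0    BASE-ADDRESS.MCAST.NET 240.0.0.0       SM    01:00:5e:00:00:00
"""

# Hypothetical site record of each host's Ethernet address.
# pecan's address is constructed for the example; the tip does not give it.
INVENTORY = {
    "peanut.nuts.com": "8:0:20:5:21:33",
    "pecan.nuts.com": "8:0:20:1:aa:bb",
    "almond.nuts.com": "8:0:20:22:fd:51",
}
# Only the two vendor prefixes the tip names.
VENDORS = {"08:00:20": "Sun", "00:00:0c": "Cisco"}

MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$")

def norm_mac(mac):
    """Zero-pad every octet so 8:0:20 and 08:00:20 compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp(text):
    """Yield (host, mac) per data row; title, header and rule lines carry no MAC."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and MAC_RE.match(fields[-1]):
            yield fields[1], norm_mac(fields[-1])

def audit(text, inventory=INVENTORY, vendors=VENDORS):
    """Return (host, expected_mac, seen_mac, seen_vendor) for every suspect entry."""
    findings = []
    for host, mac in parse_arp(text):
        vendor = vendors.get(mac[:8], "unknown")
        expected = inventory.get(host)
        if expected is None:
            if not int(mac[:2], 16) & 1:  # ignore group (multicast) addresses
                findings.append((host, None, mac, vendor))
        elif norm_mac(expected) != mac:
            findings.append((host, norm_mac(expected), mac, vendor))
    return findings

if __name__ == "__main__":
    for finding in audit(ARP_OUTPUT):
        print("SUSPECT host=%s expected=%s seen=%s vendor=%s" % finding)
```

An entry with no expected address is a host missing from the record, which is worth adding to the inventory once verified.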
If neither checking a record of assignments nor checking the manufacturer prefix helps you identify the source of the errant ARP, try using Telnet to connect to the IP address shown in the ARP entry. If the device supports Telnet, the login banner might help you identify the incorrectly configured host.
This was first published in March 2001