Tip

Troubleshooting with the arp command

How can you find out where your network problems originate? One way is to use the ARP command, discussed in this tip from TCP/IP Network Administration by Craig Hunt, published by O'Reilly and Associates.



The arp command is used to analyze problems with IP to Ethernet address translation. The arp command has three useful options for troubleshooting:

-a
Display all ARP entries in the table.
-d hostname
Delete an entry from the ARP table.
-s hostname ether-address
Add a new entry to the table.

With these three options you can view the contents of the ARP table, delete a problem entry, and install a corrected entry. The ability to install a corrected entry is useful in "buying time" while you look for a permanent fix.

Use arp if you suspect that incorrect entries are getting into the address resolution table. One clear indication of problems with the ARP table is a report that the "wrong" host responded to some command, like ftp or Telnet. Intermittent problems that affect only certain hosts can also indicate that the ARP table has been corrupted. ARP table problems are usually caused by two systems using the same IP address. The problems appear intermittent because the entry that appears in the table is the address of the host that responded quickest to the last ARP request. Sometimes the "correct" host responds first, and sometimes the "wrong" host responds first.

If you suspect that two systems are using the same IP address, display the address resolution table with the arp -a command. Here's an example from a Solaris system:

% arp -a
Net to Media Table
Device IP Address             Mask            Flags Phys Addr
------ ---------------------- --------------- ----- -----------------
le0    peanut.nuts.com        255.255.255.255       08:00:20:05:21:33
le0    pecan.nuts.com         255.255.255.255       00:00:0c:e0:80:b1
le0    almond.nuts.com        255.255.255.255 SP    08:00:20:22:fd:51
le0    BASE-ADDRESS.MCAST.NET 240.0.0.0       SM    01:00:5e:00:00:00

It is easiest to verify that the IP and Ethernet address pairs are correct if you have a record of each host's correct Ethernet address. For this reason, you should record each host's Ethernet and IP address when it is added to your network. If you have such a record, you'll quickly see if anything is wrong with the table.

If you don't have this type of record, the first three bytes of the Ethernet address can help you detect a problem. The first three bytes of the address identify the equipment manufacturer. A list of these identifying prefixes is found in the Assigned Numbers RFC, in the section entitled "Ethernet Vendor Address Components." This information is also available at ftp://ftp.isi.edu/in-notes/ianan/assignments/ethernet-numbers.

From the vendor prefixes we see that two of the ARP entries displayed in our example are Sun systems (8:0:20). If pecan is also supposed to be a Sun, the 0:0:0c Cisco prefix indicates that a Cisco router has been mistakenly configured with pecan's IP address.
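The two checks described above (comparing the table against a recorded address list, then reading the vendor prefix) can be scripted. This Python sketch is an added example, not part of the original tip; the inventory is constructed for illustration, pecan's recorded address is a made-up Sun address, and the only vendor prefixes it knows are the two named in the text.

```python
import re

# Output copied from the Solaris example above.
ARP_OUTPUT = """\
Net to Media Table
Device IP Address       Mask  Flags  Phys Addr
------ ----------       ----  -----     -------------
le0 peanut.nuts.com  255.255.255.255      08:00:20:05:21:33
le0 pecan.nuts.com  255.255.255.255          00:00:0c:e0:80:b1
le0 almond.nuts.com  255.255.255.255  SP    08:00:20:22:fd:51
le0 BASE-ADDRESS.MCAST.NET 240.0.0.0  SM    01:00:5e:00:00:00
"""
# Constructed inventory (assumption): pecan's recorded address is made up.
INVENTORY = {
    "peanut.nuts.com": "8:0:20:5:21:33",
    "pecan.nuts.com": "8:0:20:1:2:3",
    "almond.nuts.com": "08:00:20:22:fd:51",
}
VENDORS = {"08:00:20": "Sun", "00:00:0c": "Cisco"}  # prefixes named in the text
MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$")

def norm_mac(mac):
    """Pad each octet so 8:0:20 and 08:00:20 compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp(text):
    """Return (host, mac) pairs; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and MAC_RE.match(fields[-1]):
            rows.append((fields[1], norm_mac(fields[-1])))
    return rows

def audit(rows, inventory):
    """Flag entries that disagree with the record or have no record."""
    findings = []
    for host, mac in rows:
        if int(mac[:2], 16) & 1:      # group (multicast) address, not a host
            continue
        vendor = VENDORS.get(mac[:8], "unknown vendor")
        recorded = inventory.get(host)
        if recorded is None:
            findings.append((host, mac, f"no record, prefix is {vendor}"))
        elif norm_mac(recorded) != mac:
            findings.append((host, mac, f"record says {norm_mac(recorded)}, "
                                        f"table shows a {vendor} prefix"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_OUTPUT), INVENTORY):
        print(*finding)
```

Run against the sample table, only the pecan entry is reported, with the Cisco prefix called out.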

If neither checking a record of assignments nor checking the manufacturer prefix helps you identify the source of the errant ARP, try using Telnet to connect to the IP address shown in the ARP entry. If the device supports Telnet, the login banner might help you identify the incorrectly configured host.



This was first published in March 2001
