Problem solve Get help with specific problems with your technologies, process and projects.

Troubleshooting with the arp command

How can you find out if where your network problems originate? One way is to use the ARP command.

How can you find out where your network problems originate? One way is to use the ARP command, discussed in this...

tip from TCP/IP Network Administration by Craig Hunt, published by O'Reilly and Associates.

The arp command is used to analyze problems with IP to Ethernet address translation. The arp command has three useful options for troubleshooting:

Display all ARP entries in the table.
-d hostname
Delete an entry from the ARP table
-s hostname ether-address
Add a new entry to the table.

With these three options you can view the contents of the ARP table, delete a problem entry, and install a corrected entry. The ability to install a corrected entry is useful in "buying time" while you look for a permanent fix.

Use arp if you suspect that incorrect entries are getting into the address resolution table. One clear indication of problems with the ARP table is a report that the "wrong" host responded to some command, like ftp or Telnet. Intermittent problems that affect only certain hosts can also indicate that the ADP table has been corrupted. ARP table problems are usually caused by two systems using the same IP address. The problems appear intermittent, because the entry that appears in the table is the address of the host that responded quickest to the last ARP request. Sometimes the "correct" host responds first, and sometimes the "wrong" host responds first.

If you suspect that two systems are using the same IP address, display the address resolution table with the arp -a command. Here's an example from a Solaris system:

%arp ?a
Net to Media Table
Device IP Address       Mask  Flags  Phys Addr
------ ----------       ----  -----     -------------
1e0      08:00:20:05:21:33
1e0          00:00:0c:e0:80:b1
1e0  SP    08:00:20:22:fd:51
1e0 BASE-ADDRESS.MCAST.NET  SM    01:00:5e:00:00:00

It is easiest to verify that the IP and Ethernet address pairs are correct if you have a record of each host's correct Ethernet address. For this reason, you should record each host's Ethernet and IP address when it is added to your network. If you have such a record, you'll quickly see if anything is wrong with the table.

If you don't have this type of record, the first three bytes of the Ethernet address can help you detect a problem. The first three bytes of the address identify the equipment manufacturer. A list of these identifying prefixes is found in the Assigned Numbers RFC, in the section entities Ethernet Vendor Address Components." This information is also available at

From the vendor prefixes we see that two of the ARP entries displayed in our example are Sun systems (8:0:20). If pecan is also supposed to be a Sun, the 0:0:0c Cisco prefix indicates that a Cisco router has been mistakenly configured with pecan's IP address.

If neither checking is a record of assignments nor checking the manufacturer prefix helps you identify the source of the errant ARP, try using Telnet to connect to the IP address shown in the ARP entry. If the device supports Telnet, the login banner might help you identify the incorrectly configured host.

This was last published in March 2001

Dig Deeper on LANs (Local Area Networks)



Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.