ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. The arp command lets you view and manage the ARP cache — the table your OS keeps of IP-to-MAC mappings it has already resolved.

MAC · IP · Layer 2 · Cache · Linux · macOS · Windows
01 — How ARP Works

When your computer wants to send a packet to an IP on the same subnet, it needs the MAC address to construct the Ethernet frame. It broadcasts an ARP Request — "Who has 192.168.1.1? Tell me." — and the owner replies with its MAC address.

ARP is the glue between Layer 3 (IP) and Layer 2 (Ethernet). Without it, packets could never leave your local segment.

Responses are stored in the ARP cache for a few minutes to avoid repeated broadcasts. The arp command lets you view, add, and remove entries in this cache.

02 — View the ARP Cache
Linux (legacy arp)
arp -n
Linux (modern — ip neigh)
ip neigh show # or short form ip n
macOS
arp -a
Windows
arp -a
Typical output (Linux ip neigh)
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE 192.168.1.20 dev eth0 lladdr 11:22:33:44:55:66 STALE 192.168.1.50 dev eth0 FAILED
StateMeaning
REACHABLEEntry is fresh and confirmed reachable
STALEEntry exists but has not been confirmed recently — will be re-checked on next use
DELAYWaiting to confirm the entry is still valid
PROBEActively sending ARP probes to verify the host
FAILEDHost did not respond — entry is invalid
INCOMPLETEARP request was sent but no reply received yet
03 — Manage the ARP Cache
Add a static ARP entry
# Linux (ip neigh) sudo ip neigh add 192.168.1.100 lladdr aa:bb:cc:dd:ee:ff dev eth0 # Legacy arp (Linux / macOS) sudo arp -s 192.168.1.100 aa:bb:cc:dd:ee:ff # Windows arp -s 192.168.1.100 aa-bb-cc-dd-ee-ff
Delete an ARP entry
# Linux (ip neigh) sudo ip neigh del 192.168.1.100 dev eth0 # Legacy arp sudo arp -d 192.168.1.100 # Windows arp -d 192.168.1.100
Flush the entire ARP cache (Linux)
sudo ip neigh flush all
Flush ARP cache (Windows)
netsh interface ip delete arpcache
04 — arping — Send ARP Probes

arping is a separate tool that sends ARP requests directly, letting you check if an IP is in use on the local segment without relying on ICMP.

# Check if 192.168.1.50 is alive (Linux) sudo arping -c 3 192.168.1.50 # Specify the source interface sudo arping -I eth0 -c 3 192.168.1.50
ℹ  arping works even when a host blocks ICMP ping — because ARP operates at Layer 2 and cannot be filtered by IP-layer firewalls.
05 — Common Flags
CommandFlagDescription
arp (Linux/macOS)-aShow all ARP entries (BSD style)
arp (Linux/macOS)-nShow numeric IPs — skip hostname resolution
arp (Linux/macOS)-s <ip> <mac>Add a static entry
arp (Linux/macOS)-d <ip>Delete an entry
arp (Windows)-aDisplay all entries for all interfaces
arp (Windows)-a <ip>Display entry for a specific IP
arp (Windows)-s <ip> <mac>Add a static entry
arp (Windows)-d <ip>Delete an entry
ip neigh (Linux)showDisplay the neighbour / ARP table
ip neigh (Linux)flush allClear the entire ARP cache
06 — Troubleshooting with ARP
ProblemARP commandWhat to check
Can't reach a host on the same subnetip neigh showIf the entry is FAILED or missing, the host is unreachable at Layer 2 — check the cable or switch port
IP address conflictarping -c 3 <ip>If two different MACs reply, two devices share the same IP — one must be reconfigured
Gateway unreachablearp -n | grep <gateway>If the gateway has no ARP entry, your host can't send packets off the subnet
Suspected ARP spoofingarp -aIf the gateway IP maps to an unexpected MAC, a device may be performing ARP poisoning
STALE entries causing dropsip neigh flush allFlush the cache to force fresh ARP resolution — helps after a device changes its IP or MAC
⚠  ARP spoofing (ARP poisoning) is a common attack on local networks where a malicious device broadcasts fake ARP replies to redirect traffic. If you see unexpected MAC addresses for known hosts, investigate immediately.