Use the ARP Command to Find IP to MAC Address Mappings
ARP, which stands for Address Resolution Protocol, is a protocol used to map a MAC address (or hardware address) to an IP address. It is responsible for resolving the IP address to the MAC address of the destination computer or device during network communication. The MAC address is what is used to determine the destination of the information being sent. Keep in mind that if the destination computer is not on the same network, then ARP will learn the MAC address of the next hop used to get to the next network, and so on until it reaches its final destination. Once this information is obtained, it will be kept in the ARP table or cache of that computer to be used for future network communication.
When one computer needs to communicate with another, it will use the destination computer's IP address to determine if that computer is on the same network or subnet as itself. Once it determines that the computer is on the same network, it will send out an ARP broadcast for the MAC address of the destination computer. If it's not on the same network, then it will send that broadcast to the default gateway or router, which will use its routing table to determine where to send the packet based on the destination IP address. The packet will still contain the IP address of the destination computer it is trying to reach. The following illustration shows an ARP broadcast for computers on the same network.
Using the ARP command
When a computer resolves a MAC address to an IP address, it will keep that mapping information in its memory for a short amount of time. You don't want this ARP cache to last too long, because things change on the network and you would then not have the most up-to-date information. You can use the ARP command to view and modify these entries in the ARP cache or table. You can also use ARP to find duplicate IP addresses and to find invalid entries in the ARP table.
The ARP command uses various switches for different functions. Here are the available switches for the Windows ARP command.
- -a – Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and Physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
- -g – Same as -a.
- -v – Displays current ARP entries in verbose mode. All invalid entries and entries on the loop-back interface will be shown.
- inet_addr – Specifies an internet address.
- -N if_addr – Displays the ARP entries for the network interface specified by if_addr.
- -d – Deletes the host specified by inet_addr. inet_addr may be wildcarded with * to delete all hosts.
- -s – Adds the host and associates the Internet address inet_addr with the Physical address eth_addr. The Physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent.
- eth_addr – Specifies a physical address.
- if_addr – If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used.
As you can see from the list of switches, there are various functions you can perform using ARP. One of the most commonly used switches is -a, which will show all the cached ARP entries on your computer. If you want to find the entries from a specific network interface, assuming you have more than one, then you would use the -N switch. To add a permanent entry to the ARP table, use the -s switch and specify the IP address and MAC address.
Here is an example of the ARP command output with the -a switch.
ARP is not going to be too useful on your home network because of that network's simplicity, but in a corporate environment that has multiple networks/subnets it can come in real handy to troubleshoot host-to-host communication problems.