Checking Your arp Entries

By  

One useful tool for diagnosing network troubles is the arp command -- a tool which allows
you to display the IP address to hardware (MAC) address mappings that a system has built so that it doesn't have to fetch the same information repeatedly for systems it communicates with.

To display the ARP table on a Unix system, just type "arp -a" (this same command will show the arp table in the command prompt on a Windows box, by the way). The output from arp -a will list the network interface, target system and physical (MAC) address of each system.

$ arp -a

Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
dmfe0  router.mynet.org     255.255.255.255       00:06:2a:77:4f:0d
dmfe0  server1.mynet.org    255.255.255.255       00:03:ba:24:de:11
dmfe0  myself               255.255.255.255 SP    00:03:ba:91:03:18

In this display, the following flags have been used:

S == static
P == publish (i.e., explicitly added by an arp -s command)

Other addresses may be static as well as the one indicated above, but these entries were picked up as a response to network traffic, not statically added to the table through a deliberate arp -s command.

The network interface (there may be more than one) and each host the system is reaching through that interface and its physical address is listed. The netmasks are all 255.255.255.255 since all the references are host-specific.

Using a tool like the one at http://aruljohn.com/mac.pl, you can determine the manufacturer of each of the network interfaces listed. The 00:06:2a:... address at the top of the list, for example, indicates that router.mynet.org is a Cisco device.

The following script prints just the destination addresses (IP addresses or names) for which MAC addresses have been cached. Note that these will all be local (same LAN) addresses since any connections for outside the local network will just go through the default router.

#!/bin/bash

for dest in `arp -a | tail +5 | awk '{print $2}'`
do
    nslookup $dest 1>/tmp/arp$$ 2>/dev/null
    if [ `wc -l /tmp/arp$$ | awk '{print $1}'` -ge 4 ]; then
        tail -2 /tmp/arp$$ | grep Address | awk '{print $2}'
    fi
done

rm /tmp/arp$$

So, you expect to see a listing of IP addresses from the local network and, among these, your default router.

$ ./showConnex
10.1.2.1
10.1.2.3
10.1.2.11
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

IT ManagementWhite Papers & Webcasts

See more White Papers | Webcasts

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question