Linux provides two very useful tools for diagnosing network troubles: arp and ip neigh.
The arp command is a tool that allows you to display the IP-address-to-MAC-address mappings that a system has built so that it doesn’t have to fetch the same information repeatedly for systems it communicates with. In doing this, arp allows you to discover and display details about systems on your network.
The other is the arp command’s younger brother, ip neigh, which can also display and manipulate arp tables. In this post, we’ll take a look at how these commands work and what they can tell you.
To display the ARP table on a Linux system, just type “arp”. Add -a to condense the output if you don’t want to see the data organized into columns with headings. (An arp-a command also will show the arp table in the command prompt on a Windows box, by the way.)
Here’s an example of the arp command and what it shows you:
$ arp Address HWtype HWaddress Flags Mask Iface fruitfly ether 7c:67:a2:cf:9f:ef CM enp0s25 Comtrend.Home ether f8:8e:85:35:7f:b9 C enp0s25 dragonfly ether 20:ea:16:01:55:eb C enp0s25 SAMSUNG-SM-G935A (incomplete) enp0s25 V40-ThinQ ether 02:0f:b5:0d:17:27 C enp0s25 DESKTOP-UDLCLKR ether 04:ed:33:7c:44:c6 C enp0s25 192.168.0.8 (incomplete) enp0s25 katydid ether 00:25:00:4e:9e:35 C enp0s25 V40-ThinQ ether 38:30:f9:29:f8:a4 C enp0s25 butterfly ether 44:65:0d:43:ed:44 C enp0s25
The first line contains the column headings. The first column shows IP addresses or host names. The second (HWtype) indicates that the connections are Ethernet connections, and the third (HWaddress) is the MAC address of each device.
In this example, all but one connection are marked C, which means “complete” and verifies the connection was successful. One of the two devices that don’t show a C in this example is a cell phone. The other is a system that is offline.
The last column, Iface, means “interface” and represents the port on the system through which all of the connections are being made. Some systems, especially servers, might have multiple network interfaces. In that case, you can select a particular interface by adding a -i and the interface name (e.g., arp -ai eth0).
$ arp -a Address HWtype HWaddress Flags Mask Iface 192.168.0.33 ether 7c:67:a2:cf:9f:ef CM enp0s25 192.168.0.1 ether f8:8e:85:35:7f:b9 C enp0s25 192.168.0.7 ether 20:ea:16:01:55:eb C enp0s25 192.168.0.23 (incomplete) enp0s25 192.168.0.20 ether 02:0f:b5:0d:17:27 C enp0s25 192.168.0.14 ether 04:ed:33:7c:44:c6 C enp0s25 192.168.0.8 (incomplete) enp0s25 192.168.0.17 ether 00:25:00:4e:9e:35 C enp0s25 192.168.0.15 ether 38:30:f9:29:f8:a4 C enp0s25 192.168.0.13 ether 44:65:0d:43:ed:44 C enp0s25
The Flags column may show:
- C == complete
- M == permanent (static field that was entered manually)
- P == published (proxy arp)
Addresses marked as static (PERM) were likely added to the table through a deliberate arp -s command like this:
$ sudo arp -s 192.168.0.33 7c:67:a2:cf:9f:ef
The mask field will display an optional mask if one is used.
Compare the output above to what you see below. While it may appear less human-friendly, this format might serve better if you plan to process the output with a script since you won’t have to consider how many tabs might be sitting between the various columns or jump past the first line to start with the data on line 2. Note that it doesn’t display the flags field.
$ arp -a fruitfly (192.168.0.33) at 7c:67:a2:cf:9f:ef [ether] PERM on enp0s25 Comtrend.Home (192.168.0.1) at f8:8e:85:35:7f:b9 [ether] on enp0s25 dragonfly (192.168.0.7) at 20:ea:16:01:55:eb [ether] on enp0s25 SAMSUNG-SM-G935A (192.168.0.23) at <incomplete> on enp0s25 V40-ThinQ (192.168.0.20) at 02:0f:b5:0d:17:27 [ether] on enp0s25 DESKTOP-UDLCLKR (192.168.0.14) at 04:ed:33:7c:44:c6 [ether] on enp0s25 ? (192.168.0.8) at <incomplete> on enp0s25 katydid (192.168.0.17) at 00:25:00:4e:9e:35 [ether] on enp0s25 V40-ThinQ (192.168.0.15) at 38:30:f9:29:f8:a4 [ether] on enp0s25 butterfly (192.168.0.13) at 44:65:0d:43:ed:44 [ether] on enp0s25
To display only IP addresses (no hostnames), add the n (numeric) option to your arp command:
$ arp -an ? (192.168.0.33) at 7c:67:a2:cf:9f:ef [ether] PERM on enp0s25 ? (192.168.0.1) at f8:8e:85:35:7f:b9 [ether] on enp0s25 ? (192.168.0.7) at 20:ea:16:01:55:eb [ether] on enp0s25 ? (192.168.0.23) at <incomplete> on enp0s25 ? (192.168.0.20) at 02:0f:b5:0d:17:27 [ether] on enp0s25 ? (192.168.0.14) at 04:ed:33:7c:44:c6 [ether] on enp0s25 ? (192.168.0.8) at <incomplete> on enp0s25 ? (192.168.0.17) at 00:25:00:4e:9e:35 [ether] on enp0s25 ? (192.168.0.15) at 38:30:f9:29:f8:a4 [ether] on enp0s25 ? (192.168.0.13) at 44:65:0d:43:ed:44 [ether] on enp0s25
Using a tool like the one here, you can look up the origin of the network interfaces listed. This is because the first three bytes of each MAC address represent the manufacturer. The second three bytes are serial numbers. The f8:8e:85:35:7f:b9 address at the top of the list above, for example, indicates that the device with this MAC address is made by Comtrend. 00:06:2a:… would indicate a Cisco device. A complete list of manufacturers and related MAC addresses is available at this GitHub site.
Using ip neigh
The ip neigh command provides information very similar to what you get using arp. (The neigh option to the ip command can be spelled out as “neighbor” or “neighbour” if you don’t mind typing a few more letters.)
One of the reasons for using ip neigh in place of arp is that arp is among a number of Linux commands that are now deprecated (not recommended), and the net-tools package from which it derives is no longer under active development. The newer ip commands should provide the same basic information, but arp is still a popular tool because of its many features.
Here is an example of the ip neigh command:
$ ip neigh 192.168.0.33 dev enp0s25 lladdr 7c:67:a2:cf:9f:ef REACHABLE 192.168.0.1 dev enp0s25 lladdr f8:8e:85:35:7f:b9 STALE 192.168.0.7 dev enp0s25 lladdr 20:ea:16:01:55:eb REACHABLE 192.168.0.23 dev enp0s25 FAILED 192.168.0.20 dev enp0s25 FAILED 192.168.0.14 dev enp0s25 lladdr 04:ed:33:7c:44:c6 STALE 192.168.0.8 dev enp0s25 FAILED 192.168.0.17 dev enp0s25 lladdr 00:25:00:4e:9e:35 STALE 192.168.0.15 dev enp0s25 lladdr 38:30:f9:29:f8:a4 STALE 192.168.0.13 dev enp0s25 lladdr 44:65:0d:43:ed:44 STALE fe80::fa8e:85ff:fe35:7fb9 dev enp0s25 lladdr f8:8e:85:35:7f:b9 router STALE
FAILED indicates that the system could not be reached. STALE indicates that the connection hasn’t been recently verified.
The ip neigh command offers additional options as well. For example, to add or remove an address from your arp table, you could use commands like these:
$ sudo ip neigh add 192.168.0.21 dev emp0s25 add an entry $ sudo ip neigh del 192.168.0.8 dev enp0s25 delete an entry
Both arp and ip neigh are great commands for displaying information on local systems. Being able to check connections and verify system types from a terminal window can be very handy.
Copyright © 2021 IDG Communications, Inc.