The arp Command

The arp command displays and manages the ARP cache — the table your operating system keeps to map IP addresses to MAC addresses on the local network.

What ARP Is and Why the Cache Exists

The Address Resolution Protocol (ARP) solves a fundamental problem in local networking: IP addresses identify devices logically, but Ethernet frames are delivered using physical MAC addresses. Before your machine can send a packet to another device on the same subnet, it must know that device's MAC address. ARP handles this automatically — your machine broadcasts a query asking "who has IP 192.168.1.1?" and the device with that IP replies with its MAC address.

To avoid repeating this broadcast for every single packet, the operating system stores the answers in a local table called the ARP cache. The arp command gives you direct access to read and manipulate that cache.

Viewing the ARP Cache

The -a flag works on Windows, Linux, and macOS to display the full cache:

arp -a

Output on Windows:

Interface: 192.168.1.50 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           a4-b1-c2-d3-e4-f5     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static

Output on Linux:

? (192.168.1.1) at a4:b1:c2:d3:e4:f5 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0

On Linux, add the -n flag to suppress hostname resolution and get faster output with raw IP addresses:

arp -n

Each entry shows the IP address, its mapped MAC (hardware) address, and the entry type. A dynamic entry was learned automatically via ARP and will expire after a period of inactivity. A static entry was manually configured and does not expire.

Deleting ARP Cache Entries

To remove a specific entry on Linux or macOS:

arp -d 192.168.1.20

On Windows (requires an elevated Command Prompt), delete all entries at once:

arp -d *

Deleting an entry forces the operating system to perform a fresh ARP request the next time it needs to communicate with that IP. This is useful when a device's MAC address has changed — for example, after a network card is replaced or a virtual machine is recreated — and the cache still holds the old mapping.

Adding Static ARP Entries

A static ARP entry permanently associates an IP with a specific MAC address. Static entries are not overwritten by incoming ARP traffic, which can improve security in environments where ARP spoofing is a concern.

On Windows (elevated Command Prompt):

arp -s 192.168.1.100 00-11-22-33-44-55

On Linux:

arp -s 192.168.1.100 00:11:22:33:44:55

On modern Linux, the ip neigh equivalent gives you more control:

ip neigh add 192.168.1.100 lladdr 00:11:22:33:44:55 dev eth0 nud permanent

Static entries added with arp -s do not survive a reboot. To persist them, you must add the commands to a startup script or network configuration file.

ARP Cache Timeout

Dynamic ARP entries expire automatically after a period of inactivity. The default timeout varies by operating system: approximately 20 minutes on Linux and roughly 10 minutes on Windows, though both can be configured. After expiry, the entry is removed from the cache and a fresh ARP request will be sent on the next communication attempt. Entries for frequently used devices — like your default gateway — are typically refreshed continuously and rarely expire in practice.

arp vs ip neigh — Comparison by OS and Feature

| Task | Windows (arp) | Linux (arp) | Modern Linux (ip neigh) |
|---|---|---|---|
| Show full ARP cache | arp -a | arp -a | ip neigh show |
| Show without hostnames | arp -a (always numeric) | arp -n | ip neigh show |
| Delete one entry | arp -d 192.168.1.x | arp -d 192.168.1.x | ip neigh del 192.168.1.x dev eth0 |
| Flush entire cache | arp -d * | loop over entries | ip neigh flush all |
| Add static entry | arp -s IP MAC | arp -s IP MAC | ip neigh add ... nud permanent |
| Shows entry state | dynamic / static | dynamic / static | REACHABLE / STALE / FAILED / PERMANENT |
| IPv6 neighbor support | No (separate NDP) | No | Yes |

Common Use Cases

Check if a device is on the LAN without ping: After attempting any connection to a device, its MAC address will appear in the ARP cache if it responded. If the IP is present in arp -a output but the device is not responding to ping, a firewall on the device may be blocking ICMP while ARP still works.

Diagnose IP address conflicts: If two devices on the same network accidentally share an IP address, ARP entries for that IP will fluctuate between two different MAC addresses. Run arp -a repeatedly and watch for a changing MAC address associated with a single IP — this is a reliable indicator of an IP conflict.

Verify a device's MAC address: The ARP cache is a quick way to find the MAC address of any device you have recently communicated with, without logging into the device itself.

A Note on ARP Spoofing

Because ARP is a stateless protocol with no authentication, a malicious device on the local network can send forged ARP replies to poison other devices' caches — associating the attacker's MAC address with a legitimate IP such as the default gateway. Victims then unknowingly send their traffic to the attacker. Static ARP entries for critical devices (like your gateway) and dynamic ARP inspection on managed switches are the standard defenses. For more detail, see our guide on what ARP is and how it works.
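
The manual check described under "Diagnose IP address conflicts" (watch for one IP whose MAC keeps changing) and the idea of pinning the gateway's MAC can both be automated. The Python code below is an added example, not part of the original guide: it parses arp -a output in the Windows and Linux formats shown earlier, reports IPs whose MAC differs between two snapshots, and compares a cache against a known-good mapping. The function names, the pinned mapping and both sample snapshots are constructed for illustration.

```python
import re

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# MAC with ':' or '-' separators; 1-2 hex digits per octet because some
# arp implementations print octets without leading zeros.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5}\b")

def normalize_mac(raw):
    """Lower-case, colon-separated, zero-padded form so formats compare equal."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", raw.lower()))

def parse_arp(text):
    """Return {ip: mac} from 'arp -a' / 'arp -n' output (Windows or Linux)."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # skips headers, "Interface:" lines and <incomplete>
            table[ip.group()] = normalize_mac(mac.group())
    return table

def changed_mappings(before, after):
    """IPs present in both snapshots whose MAC differs: (ip, old, new)."""
    return sorted((ip, before[ip], after[ip])
                  for ip in before.keys() & after.keys()
                  if before[ip] != after[ip])

def pinned_violations(table, pinned):
    """Cached entries that contradict a known-good map: (ip, expected, seen)."""
    return sorted((ip, normalize_mac(mac), table[ip])
                  for ip, mac in pinned.items()
                  if ip in table and table[ip] != normalize_mac(mac))

# Constructed sample snapshots (not captured from a real network). They use
# two different output formats only to exercise the parser.
SNAPSHOT_1 = """Interface: 192.168.1.50 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           a4-b1-c2-d3-e4-f5     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_2 = """? (192.168.1.1) at 0:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0
"""

if __name__ == "__main__":
    before, after = parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)
    for ip, old, new in changed_mappings(before, after):
        print(f"{ip}: MAC changed {old} -> {new}")
    for ip, want, seen in pinned_violations(after, {"192.168.1.1": "a4-b1-c2-d3-e4-f5"}):
        print(f"{ip}: expected {want}, cache has {seen}")
```

A changed MAC is only a signal to investigate: a replaced network card or a recreated virtual machine produces the same result as a conflict or a forged reply.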

Frequently Asked Questions

What does arp -a show?

arp -a displays the entire ARP cache — a table of IP addresses and their corresponding MAC addresses that your machine has learned through recent network communication. Each entry shows the IP address, the MAC address (hardware address), and whether the entry is dynamic (learned automatically) or static (manually configured).

How do I clear the ARP cache?

On Windows, run arp -d * (requires elevated Command Prompt) to delete all entries. On Linux, run ip neigh flush all or arp -d followed by each IP address individually. On macOS, run arp -a -d to flush the cache. Clearing the ARP cache forces your machine to re-resolve all IP-to-MAC mappings from scratch on the next communication attempt.

How do I add a static ARP entry?

On Windows: arp -s 192.168.1.100 00-11-22-33-44-55 (requires elevated Command Prompt). On Linux: arp -s 192.168.1.100 00:11:22:33:44:55 or ip neigh add 192.168.1.100 lladdr 00:11:22:33:44:55 dev eth0 nud permanent. Static entries are not overwritten by ARP traffic and persist until explicitly removed or the system reboots.

What is the difference between arp and ip neigh?

arp is the traditional command, shipped in the net-tools package on Linux and included with macOS and Windows. ip neigh is the modern Linux equivalent from the iproute2 package, with richer state information (REACHABLE, STALE, DELAY, PROBE, FAILED) and support for IPv6 neighbor entries. On modern Linux, ip neigh is preferred; arp remains the right tool on Windows and macOS.

Why does the ARP cache matter for diagnosing network problems?

If a device on your network has a stale or incorrect ARP cache entry, traffic destined for that IP will be sent to the wrong MAC address and dropped. This can cause intermittent connectivity failures that look like packet loss but are actually caused by IP address conflicts or MAC address changes. Checking and flushing the ARP cache is a key step when diagnosing local network communication failures.

What is ARP spoofing?

ARP spoofing is an attack where a malicious device sends forged ARP replies to associate its own MAC address with another device's IP address — typically the default gateway. Victims then send their traffic to the attacker instead of the real gateway, enabling interception. Static ARP entries and dynamic ARP inspection on managed switches are the primary defenses against ARP spoofing.
